added few ctfs
This commit is contained in:
@@ -1,15 +1,15 @@
|
||||
from pwn import *
|
||||
from pwn import process, remote
|
||||
from base64 import b64encode, b64decode
|
||||
|
||||
import hlextend
|
||||
|
||||
KEY_LENGTH_BYTES = 16
|
||||
LOCAL = True
|
||||
LOCAL = True
|
||||
|
||||
if LOCAL:
|
||||
p = process(["python", "main.py"])# Define functions for convenience
|
||||
else:
|
||||
p = remote("965850e570d3b775de1709a2-1024-intro-crypto-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
|
||||
p = remote("2b571e00edfb5dd61b8f7f30-1024-intro-crypto-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
|
||||
|
||||
menu_string = b"\n 1. Register\n 2. Show animal videos\n 3. Show flag\n 4. Exit\n \nEnter your choice:"
|
||||
|
||||
@@ -31,12 +31,11 @@ def register() -> bytes:
|
||||
p.sendline(b"Cat")
|
||||
return p.recvuntil(b'\n').replace(b"\n", b"").split(b" ")[-1]
|
||||
|
||||
def show_flag(token: bytes):
|
||||
def show_flag(token: str):
|
||||
p.recvuntil(menu_string)
|
||||
p.sendline(b"3")
|
||||
p.recvuntil(b": ")
|
||||
p.sendline(token)
|
||||
interact()
|
||||
|
||||
token = register()
|
||||
|
||||
@@ -48,14 +47,19 @@ print(f"{token} : {string_token}")
|
||||
print(f"{claims}")
|
||||
print(f"{mac}")
|
||||
|
||||
|
||||
injection = "|admin=true".encode("latin1")
|
||||
|
||||
sha_forge = hlextend.new('sha1')
|
||||
forged_msg = sha_forge.extend(injection, claims, KEY_LENGTH_BYTES, mac.decode("latin1"))
|
||||
print(forged_msg)
|
||||
forged_mac = sha_forge.hexdigest()
|
||||
|
||||
secure_token = forged_msg + f"|mac={forged_mac}".encode("latin1")
|
||||
print(secure_token)
|
||||
secure_token = b64encode(secure_token).decode("latin1")
|
||||
|
||||
print("------------ attacked system ---------")
|
||||
show_flag(secure_token)
|
||||
p.interactive()
|
||||
print(p.recvuntil(b":").decode())
|
||||
p.close()
|
||||
|
||||
@@ -144,7 +144,6 @@ class Hash(object):
|
||||
for hv in [a for a in dir(self) if match('^_h\d+$', a)]:
|
||||
self.__setattr__(hv, hashVals[c])
|
||||
c += 1
|
||||
print(hashVals)
|
||||
|
||||
def __checkInput(self, secretLength, startHash):
|
||||
if not isinstance(secretLength, int):
|
||||
@@ -183,7 +182,7 @@ class Hash(object):
|
||||
self._b2) % self._b2) + originalHashLength
|
||||
|
||||
return self.__binToByte(padData) + appendData
|
||||
|
||||
|
||||
def __hashBinaryPad(self, message, length):
|
||||
'''Pads the final blockSize block with \x80, zeros, and the length, converts to binary'''
|
||||
out_msg = ''
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
#!/usr/bin/env python3
|
||||
|
||||
from hashlib import sha1
|
||||
from base64 import b64encode, b64decode
|
||||
from secrets import token_hex
|
||||
@@ -7,8 +9,6 @@ from secret import FLAG
|
||||
|
||||
KEY = token_hex(16)
|
||||
|
||||
print(KEY)
|
||||
|
||||
|
||||
def get_mac(data: bytes) -> str:
|
||||
return sha1(KEY.encode("latin1") + data).hexdigest()
|
||||
@@ -21,8 +21,7 @@ def parse_token(token: str) -> dict:
|
||||
|
||||
# Check the MAC
|
||||
token, mac = token.split(b"|mac=")
|
||||
print(token, mac)
|
||||
print(f"Calculated mac = {get_mac(token)}")
|
||||
print(mac)
|
||||
if get_mac(token) != mac.decode("latin1"):
|
||||
return None
|
||||
|
||||
|
||||
Reference in New Issue
Block a user