66 lines
1.6 KiB
Python
66 lines
1.6 KiB
Python
from pwn import process, remote
|
|
from base64 import b64encode, b64decode
|
|
|
|
import hlextend
|
|
|
|
KEY_LENGTH_BYTES = 16
|
|
LOCAL = True
|
|
|
|
if LOCAL:
|
|
p = process(["python", "main.py"])# Define functions for convenience
|
|
else:
|
|
p = remote("2b571e00edfb5dd61b8f7f30-1024-intro-crypto-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
|
|
|
|
menu_string = b"\n 1. Register\n 2. Show animal videos\n 3. Show flag\n 4. Exit\n \nEnter your choice:"
|
|
|
|
def recv_until(delim):
|
|
return p.recvuntil(delim)
|
|
|
|
def interact():
|
|
p.interactive()
|
|
|
|
def send_payload(payload):
|
|
p.sendline(payload)
|
|
|
|
def register() -> bytes:
|
|
p.recvuntil(menu_string)
|
|
p.sendline(b"1")
|
|
p.recvuntil(b"? ")
|
|
p.sendline(b"Simon")
|
|
p.recvuntil(b"? ")
|
|
p.sendline(b"Cat")
|
|
return p.recvuntil(b'\n').replace(b"\n", b"").split(b" ")[-1]
|
|
|
|
def show_flag(token: str):
|
|
p.recvuntil(menu_string)
|
|
p.sendline(b"3")
|
|
p.recvuntil(b": ")
|
|
p.sendline(token)
|
|
|
|
token = register()
|
|
|
|
string_token = b64decode(token)
|
|
claims, mac = string_token.split(b"|mac=")
|
|
|
|
print(f"{token} : {string_token}")
|
|
|
|
print(f"{claims}")
|
|
print(f"{mac}")
|
|
|
|
|
|
injection = "|admin=true".encode("latin1")
|
|
|
|
sha_forge = hlextend.new('sha1')
|
|
forged_msg = sha_forge.extend(injection, claims, KEY_LENGTH_BYTES, mac.decode("latin1"))
|
|
print(forged_msg)
|
|
forged_mac = sha_forge.hexdigest()
|
|
|
|
secure_token = forged_msg + f"|mac={forged_mac}".encode("latin1")
|
|
print(secure_token)
|
|
secure_token = b64encode(secure_token).decode("latin1")
|
|
|
|
print("------------ attacked system ---------")
|
|
show_flag(secure_token)
|
|
print(p.recvuntil(b":").decode())
|
|
p.close()
|