rctf-cpushop-solve.py

#!/usr/bin/python

import pwn
import sys
from base64 import b16encode, b16decode
from hashpumpy import hashpump
from urlparse import parse_qsl

# for some easy last points on RCTF

def perform_hlext(tag, orig_msg, append_msg, keylen):
  """take the tag and the orig_msg, perform hash length extension
  for the given key length.
  returns [tag][message]"""
  newdgst, newmsg = hashpump(tag,
                 orig_msg,
                 append_msg,
                 keylen)
  return newdgst,newmsg

# p = pwn.process("./cpushop.py")
p = pwn.remote("cpushop.2018.teamrois.cn",43000)
# originaltag = p.recvline().rstrip()
print p.recvuntil("Command: ")
p.sendline("2")
p.recvuntil(": ")
p.sendline("1")
print p.recvuntil("Your order:\n")
data = p.recvline().rstrip()
(orig_msg,signature) = data.split("&sign=")
print orig_msg

for i in range(8,32):
  print "Trying length extension of %d" % i
  newhash,newdata = perform_hlext(signature,orig_msg,"&product=Flag&price=4",i)
  p.recvuntil("Command: ")
  p.sendline("3")
  p.recvuntil("Your order:")
  print newdata + "&sign=" + signature
  p.sendline(newdata + "&sign=" + newhash)
  x = p.recvuntil(": ")
  if "Invalid" in x:
    print "NOPE"
    continue
  else:
    print x
    sys.exit(0)

# for (k,v) in parse_qsl(data):
#   print k, v