Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/python
import pwn
import sys
from base64 import b16encode, b16decode
from hashpumpy import hashpump
from urlparse import parse_qsl
# for some easy last points on RCTF
def perform_hlext(tag, orig_msg, append_msg, keylen):
"""take the tag and the orig_msg, perform hash length extension
for the given key length.
returns [tag][message]"""
newdgst, newmsg = hashpump(tag,
orig_msg,
append_msg,
keylen)
return newdgst,newmsg
# p = pwn.process("./cpushop.py")
p = pwn.remote("cpushop.2018.teamrois.cn",43000)
# originaltag = p.recvline().rstrip()
print p.recvuntil("Command: ")
p.sendline("2")
p.recvuntil(": ")
p.sendline("1")
print p.recvuntil("Your order:\n")
data = p.recvline().rstrip()
(orig_msg,signature) = data.split("&sign=")
print orig_msg
for i in range(8,32):
print "Trying length extension of %d" % i
newhash,newdata = perform_hlext(signature,orig_msg,"&product=Flag&price=4",i)
p.recvuntil("Command: ")
p.sendline("3")
p.recvuntil("Your order:")
print newdata + "&sign=" + signature
p.sendline(newdata + "&sign=" + newhash)
x = p.recvuntil(": ")
if "Invalid" in x:
print "NOPE"
continue
else:
print x
sys.exit(0)
# for (k,v) in parse_qsl(data):
# print k, v
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment