#!/usr/bin/env python3
import os, binascii, struct
import socket
from Crypto.Cipher import AES
import sys
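s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("104.198.243.170", 2501))
# The server's first line appears to be the 16-byte target tag as 32 hex
# characters plus a newline (the original read recv(33).rstrip()).  A single
# recv() on a TCP stream may return fewer bytes than requested, so keep
# reading until the newline (or the 33-byte budget) has arrived.
_line = b''
while len(_line) < 33 and not _line.endswith(b'\n'):
    _chunk = s.recv(33 - len(_line))
    if not _chunk:  # peer closed the connection before sending a full line
        break
    _line += _chunk
target = binascii.unhexlify(_line.rstrip().decode())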
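def pad(m):
    """Return *m* with PKCS#7 padding to a 16-byte boundary.

    Always appends at least one byte: an input whose length is already a
    multiple of 16 receives a full block of sixteen 0x10 bytes.  haggis()
    relies on this, since the padded length prefix + message must be a whole
    number of AES blocks.

    Args:
        m: the bytes to pad.

    Returns:
        ``m`` followed by ``n`` bytes each equal to ``n``, where ``n`` is
        ``16 - len(m) % 16``.
    """
    # Written as a def rather than a lambda bound to a name (PEP 8 / E731);
    # behaviour is unchanged.
    n = 16 - len(m) % 16
    return m + bytes([n] * n)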
def haggis(m):
    """CBC-MAC-style tag of *m*: the last AES-CBC block of
    ``len(m).to_bytes(16, 'big') || pad(m)``.

    The key and the IV are both sixteen zero bytes, i.e. public.  Without a
    secret key anyone can run AES in both directions, so this construction
    gives no integrity guarantee; the rest of this script exploits exactly
    that by walking the CBC chain backwards from a chosen tag.  A real MAC
    needs a secret key (HMAC or CMAC).

    Args:
        m: message bytes of any length (pad() makes it block-aligned).

    Returns:
        The final 16-byte ciphertext block.
    """
    length_prefix = len(m).to_bytes(0x10, 'big')
    zero_key = zero_iv = bytes(0x10)
    cbc = AES.new(zero_key, AES.MODE_CBC, zero_iv)
    chain = cbc.encrypt(length_prefix + pad(m))
    return chain[-0x10:]
def haggis_without_padding(m, missing_len):
    """CBC chaining value of the haggis() chain after absorbing *m*, with
    ``missing_len`` more message bytes (plus padding) still to come.

    Encrypts ``(len(m) + missing_len).to_bytes(16, 'big') || m`` under the same
    all-zero key and IV as haggis() and returns the last ciphertext block.  The
    length prefix is the one the *final* message will carry, so the returned
    block is the CBC state just before the remaining bytes are processed.

    Args:
        m: block-aligned message prefix (len(m) must be a multiple of 16,
            otherwise AES-CBC raises ValueError).
        missing_len: number of message bytes that will follow *m*.

    Returns:
        The 16-byte chaining value after the last block of *m*.
    """
    total_len = int(len(m) + missing_len)
    cbc = AES.new(bytes(0x10), AES.MODE_CBC, bytes(0x10))
    chain = cbc.encrypt(total_len.to_bytes(0x10, 'big') + m)
    return chain[-0x10:]
def dehaggis(mc):
    """Raw AES-CBC *decryption* of *mc* under the all-zero key and IV.

    For a single 16-byte block this is ``AES_k^-1(mc) XOR IV`` with IV = 0,
    i.e. plain ``AES_k^-1(mc)``.  The script XORs that value with a chosen
    plaintext block to recover the chaining value that must precede it - the
    step that is only possible because the key is public.

    Args:
        mc: ciphertext, a multiple of 16 bytes.

    Returns:
        The decrypted bytes, same length as *mc*.
    """
    all_zero = bytes(0x10)
    cbc = AES.new(all_zero, AES.MODE_CBC, all_zero)
    return cbc.decrypt(mc)
# For an offline dry run, `target` can be replaced with os.urandom(0x10).
print(f"TARGET:{binascii.hexlify(target).decode()}")
# Fixed 48-byte prefix (three AES blocks): the 41-character sentence, one NUL,
# then six more NULs.  Being block-aligned it can be absorbed into the CBC
# chain as-is; the fourth block is the one chosen below.
msg = b'I solemnly swear that I am up to no good.\0' + (b'\x00' * 6)
# CBC chaining value after the length prefix (for a 48 + 16 = 64-byte final
# message) and the three fixed blocks.
pbase = haggis_without_padding(msg, 16)
print(f"PBASE :{binascii.hexlify(pbase).decode()} (static text - no choice here)")
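# Layout of the final message as haggis() sees it, one 16-byte block per row
# (labels are the author's; the first block is the 16-byte length prefix):
# [ PADDING ]
# [ MESSAGE ]   the fixed 48-byte msg (three blocks)
# [PREVCHUNK]   the one block we get to choose
# [LASTCHUNK]   PKCS#7 padding: sixteen 0x10 bytes (msg + chosen block is
#               block-aligned, so pad() adds a full block)
# Walk the CBC chain backwards from the target tag: the chaining value that
# precedes the padding block is AES^-1(target) XOR padblock.
# ljust() replaces a `while len(x) != 0x10` zero-fill loop that was a no-op
# for the 16 bytes dehaggis() returns and would never terminate for longer
# input.
test_lastchunk_iv = bytes(dehaggis(target)).ljust(0x10, b'\0')
test_lastchunk_dt = bytes(b ^ 0x10 for b in test_lastchunk_iv[:0x10])
print(f"LASTCHUNK : {binascii.hexlify(test_lastchunk_dt).decode()} (second last chunk... almost there!)")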
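# One more step back.  The chosen block X must take the chaining value pbase
# to test_lastchunk_dt, i.e. AES(pbase XOR X) == test_lastchunk_dt, hence
# X = AES^-1(test_lastchunk_dt) XOR pbase.
# ljust() replaces a `while len(x) != 0x10` zero-fill loop that was a no-op
# for the 16 bytes dehaggis() returns and would never terminate for longer
# input; the XOR is done over the two 16-byte blocks in lockstep.
test_prevchunk_iv = bytes(dehaggis(test_lastchunk_dt)).ljust(0x10, b'\0')
test_prevchunk_dt = bytes(a ^ b for a, b in zip(test_prevchunk_iv[:0x10], pbase[:0x10]))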
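forged = msg + test_prevchunk_dt
# Local sanity check: our own haggis() of the 64-byte message should print the
# same value as the TARGET line above.
print(f"GO! :{binascii.hexlify(haggis(forged)).decode()}")
# sendall() instead of send(): on a stream socket send() may write only part
# of the buffer and return the count, which the original ignored.
s.sendall(binascii.hexlify(forged) + b'\n')
print(s.recv(100))
s.close()
sys.exit(0)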