auscompgeek/blank2.py

## blank2.py
#!/usr/bin/env python3
# solution for this image is blank [2/3]

from PIL import Image
from PIL.ImagePalette import ImagePalette

im = Image.open('blank.png')  # <PIL.PngImagePlugin.PngImageFile image mode=P size=800x600 at 0xf00>
im.putpalette(ImagePalette('RGB', [0, 0, 0, 0xff, 0xff, 0xff], 6).getdata()[1])
im.save('blank2.png')

# other useful tricks:
# turn image into run length encoding - to try to work out what sort of steg we have
[(k, len(list(v))) for k, v in itertools.groupby(im.getdata())]

## flag-pics.md

      
    Raw
  

              flag-pics.md
            
          
    AtesComp/Vinetto#1

  
## qswt-breaker.py
#!/usr/bin/env python3

import subprocess
import requests

BASE_URI = 'https://qswt.atlassian-ctf.unswsecurity.com/dashboard?qswt='

ORIGINAL_HASH = '705e3a2514538646413b9a810709fefd26104980'
ORIGINAL_QS = b'username=user&nonce=e41867cf'
ORIGINAL_QS_HEX = ORIGINAL_QS.hex()
LEN_START = len(ORIGINAL_QS)
BLOCKSIZE = 512 // 8

EXTEND = '&username=admin'

def get_extension(length: int):
    # https://blog.mmmonk.net/2012/09/sha-1-length-extension-attack-example.html
    out = subprocess.check_output(["python2", "./sha1_len_ext_attack.py", ORIGINAL_HASH, str(length), EXTEND], text=True).splitlines(keepends=False)
    assert out[0].startswith("msg: ")
    return out[0][len("msg: "):], out[1]

sesh = requests.session()

for i in range(LEN_START, LEN_START + BLOCKSIZE):
    append, h = get_extension(i)
    text = ORIGINAL_QS_HEX + append

    uri = f"{BASE_URI}{text}.{h}"
    r = sesh.head(uri)
    print(i, uri, "got", r.status_code)
    if r.status_code == 200:
        print("woohoo")
        quit()
	#!/usr/bin/env python3
	# solution for this image is blank [2/3]

	from PIL import Image
	from PIL.ImagePalette import ImagePalette

	im = Image.open('blank.png') # <PIL.PngImagePlugin.PngImageFile image mode=P size=800x600 at 0xf00>
	im.putpalette(ImagePalette('RGB', [0, 0, 0, 0xff, 0xff, 0xff], 6).getdata()[1])
	im.save('blank2.png')

	# other useful tricks:
	# turn image into run length encoding - to try to work out what sort of steg we have
	[(k, len(list(v))) for k, v in itertools.groupby(im.getdata())]
	#!/usr/bin/env python3

	import subprocess
	import requests

	BASE_URI = 'https://qswt.atlassian-ctf.unswsecurity.com/dashboard?qswt='

	ORIGINAL_HASH = '705e3a2514538646413b9a810709fefd26104980'
	ORIGINAL_QS = b'username=user&nonce=e41867cf'
	ORIGINAL_QS_HEX = ORIGINAL_QS.hex()
	LEN_START = len(ORIGINAL_QS)
	BLOCKSIZE = 512 // 8

	EXTEND = '&username=admin'

	def get_extension(length: int):
	# https://blog.mmmonk.net/2012/09/sha-1-length-extension-attack-example.html
	out = subprocess.check_output(["python2", "./sha1_len_ext_attack.py", ORIGINAL_HASH, str(length), EXTEND], text=True).splitlines(keepends=False)
	assert out[0].startswith("msg: ")
	return out[0][len("msg: "):], out[1]

	sesh = requests.session()

	for i in range(LEN_START, LEN_START + BLOCKSIZE):
	append, h = get_extension(i)
	text = ORIGINAL_QS_HEX + append

	uri = f"{BASE_URI}{text}.{h}"
	r = sesh.head(uri)
	print(i, uri, "got", r.status_code)
	if r.status_code == 200:
	print("woohoo")
	quit()