@eboda eboda/pwn.py

Last active Jun 11, 2017
SHA2017 crypto writeup
```python
# Python 2 script (print statement, StringIO module, integer division).
import requests
from PIL import Image
from StringIO import StringIO


def get_flag_rgb():
    # Sample one pixel from each of the 12 squares of the flag image (40 px apart).
    rgb = []
    flag = requests.get("https://cryptoengine.stillhackinganyway.nl/flag").content
    for i in range(20, 480, 40):
        rgb.append(pixel(flag, i))
    return rgb


def get(m, x=20):
    # Encrypt m with the service and return the pixel at horizontal offset x.
    img = requests.get("https://cryptoengine.stillhackinganyway.nl/encrypt?text=%s" % m).content
    return pixel(img, x)


def pixel(img, x=20):
    # Decode the image bytes and return the (R, G, B) tuple at (x, 7).
    im = Image.open(StringIO(img))
    pix = im.load()
    return pix[x, 7]


def brute(target, flag):
    charset = "0123456789abcdef{}lg"  # flag format is flag{hex}
    for i in range(3):  # iterate over R,G,B
        for a in charset:
            payload = flag + a + (2 - i) * "0"  # need to pad so that len(flag) %3 == 0
            # len(payload)/3*40 - 20 is just the offset for the current square
            if get(payload, (len(payload) / 3 * 40) - 20)[i] == target[i]:
                flag += a
                break
    return flag


flag = ""
rgbs = get_flag_rgb()  # the colors
rgbs.append((46, 41, 0))  # this is the displayed text 2e29, i.e. the last 2 characters of the ciphertext
for rgb in rgbs:
    flag = brute(rgb, flag)
    print flag
print "Here's your flag:", flag
```

Crypto Challenge from SHA2017

The challenge consisted of a web service that would encrypt any given string into an image of a bunch of differently colored squares.

After messing around with it a bit, it was apparent that each group of 3 characters was used as the RGB value of the corresponding square.

The flag was given as an image with 12 squares and 4 letters (2e29) printed on it. The letters get printed whenever the length of the string to encrypt is not divisible by 3.

It turned out that you could bruteforce the color of one square after the other, and for each square the RGB values could be bruteforced separately as well. Solving the challenge therefore consisted of extracting the required RGB values from the flag and then bruteforcing one after the other:

```
> python pwn.py
fla
flag{d
flag{deaf
flag{deaf983
flag{deaf983eb3
flag{deaf983eb34e4
flag{deaf983eb34e485c
flag{deaf983eb34e485ce9d
flag{deaf983eb34e485ce9d2af
flag{deaf983eb34e485ce9d2aff0a
flag{deaf983eb34e485ce9d2aff0ae44
flag{deaf983eb34e485ce9d2aff0ae44f85
flag{deaf983eb34e485ce9d2aff0ae44f852}
Here's your flag: flag{deaf983eb34e485ce9d2aff0ae44f852}
```
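The following offline model is an added example, not part of the original gist. It shows why the per-channel bruteforce above works against a deterministic encoder and why a fresh nonce per request removes the signal. The toy XOR cipher, `KEY`, `SECRET` and all function names are assumptions standing in for the challenge's encoding, which the writeup does not specify (Python 3).

```python
import hashlib
import os

KEY = b"constructed-demo-key"            # constructed value
SECRET = "flag{0123abcd}"                # constructed secret, not the real flag
CHARSET = "0123456789abcdef{}lg"         # charset used by the writeup's script


def keystream(seed, n):
    # SHAKE-256 as a simple deterministic keystream generator (assumption).
    return hashlib.shake_256(seed).digest(n)


def weak_encrypt(text):
    # Same keystream for every request: byte i of the output depends only on
    # byte i of the input, and equal inputs always give equal outputs.
    data = text.encode()
    return bytes(p ^ k for p, k in zip(data, keystream(KEY, len(data))))


def fresh_nonce_encrypt(text):
    # Fresh random nonce per request (it would be sent alongside the
    # ciphertext); two encryptions of the same text no longer match.
    data = text.encode()
    nonce = os.urandom(16)
    return bytes(p ^ k for p, k in zip(data, keystream(KEY + nonce, len(data))))


def recover(target, oracle):
    # Extend the known prefix one character at a time, keeping the first
    # candidate whose ciphertext byte at that position equals the target's.
    known = ""
    for i in range(len(target)):
        for c in CHARSET:
            if oracle(known + c)[i] == target[i]:
                known += c
                break
        else:
            break  # nothing matched: the oracle gives no signal here
    return known


if __name__ == "__main__":
    print("deterministic:", recover(weak_encrypt(SECRET), weak_encrypt))
    print("fresh nonce:  ", recover(fresh_nonce_encrypt(SECRET), fresh_nonce_encrypt))
```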