eboda/pwn.py

## pwn.py
import requests
from PIL import Image
from StringIO import StringIO

def get_flag_rgb():
  rgb = []
  flag = requests.get("https://cryptoengine.stillhackinganyway.nl/flag").content

  for i in range(20, 480, 40):
    rgb.append(pixel(flag, i))
    return rgb

def get(m, x=20):
  img = requests.get("https://cryptoengine.stillhackinganyway.nl/encrypt?text=%s" % m).content
  return pixel(img, x)

def pixel(img, x=20):
  im = Image.open(StringIO(img))
  pix = im.load()
  return pix[x,7]

def brute(target, flag):
  charset = "0123456789abcdef{}lg" # flag format is flag{hex}

  for i in range(3):  # iterate over R,G,B
    for a in charset:
      payload = flag + a + (2-i) * "0"    # need to pad so that len(flag) %3 == 0

      # len(payload)/3*40 - 20 is just the offset for the current square
      if get(payload, (len(payload)/3 * 40)-20)[i] == target[i]:
        flag += a
        break
  return flag

flag = ""
rgbs = get_flag_rgb()       # the colors
rgbs.append((46,41,0)) # this is the displayed text 2e29, i.e. the last 2 characters of the ciphertext

for rgb in rgbs:
  flag = brute(rgb, flag)
  print flag

print "Here's your flag:", flag

## sha2017.md

      
    Raw
  

              sha2017.md
            
          
    Crypto Challenge from SHA2017

The challenge consisted of a web service that would encrypt any given string into an image of a bunch of differently colored squares.
After messing around with it a bit, it was apparent that groups of 3 characters would be used as RGB value for the corresponding square.
The flag was given as an image with 12 squares and 4 letters (2e29) printed on it. The letters get printed whenever the string to encrypt is not divisible by 3.
It turned out that you could bruteforce the color of one square after the other and for each square the RGB values could be bruteforced seperately as well. Solving the challenge consisted therefore of extracting the required RGB values from the flag and then bruteforcing one after the other:
> python pwn.py
fla
flag{d
flag{deaf
flag{deaf983
flag{deaf983eb3
flag{deaf983eb34e4
flag{deaf983eb34e485c
flag{deaf983eb34e485ce9d
flag{deaf983eb34e485ce9d2af
flag{deaf983eb34e485ce9d2aff0a
flag{deaf983eb34e485ce9d2aff0ae44
flag{deaf983eb34e485ce9d2aff0ae44f85
flag{deaf983eb34e485ce9d2aff0ae44f852}
Here's your flag: flag{deaf983eb34e485ce9d2aff0ae44f852}
	import requests
	from PIL import Image
	from StringIO import StringIO

	def get_flag_rgb():
	rgb = []
	flag = requests.get("https://cryptoengine.stillhackinganyway.nl/flag").content

	for i in range(20, 480, 40):
	rgb.append(pixel(flag, i))
	return rgb

	def get(m, x=20):
	img = requests.get("https://cryptoengine.stillhackinganyway.nl/encrypt?text=%s" % m).content
	return pixel(img, x)

	def pixel(img, x=20):
	im = Image.open(StringIO(img))
	pix = im.load()
	return pix[x,7]

	def brute(target, flag):
	charset = "0123456789abcdef{}lg" # flag format is flag{hex}

	for i in range(3): # iterate over R,G,B
	for a in charset:
	payload = flag + a + (2-i) * "0" # need to pad so that len(flag) %3 == 0

	# len(payload)/3*40 - 20 is just the offset for the current square
	if get(payload, (len(payload)/3 * 40)-20)[i] == target[i]:
	flag += a
	break
	return flag

	flag = ""
	rgbs = get_flag_rgb() # the colors
	rgbs.append((46,41,0)) # this is the displayed text 2e29, i.e. the last 2 characters of the ciphertext

	for rgb in rgbs:
	flag = brute(rgb, flag)
	print flag

	print "Here's your flag:", flag