WhiteHat 2017 - Secure Token
import socket
import time
import threading
import SocketServer
import random
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.number import *
from secret import key, seed
host = '0.0.0.0'
port = 3333
# Both values are derived once at import time and reused for every
# connection: ``iv`` is a constant CBC IV, and ``key`` rebinds the imported
# secret to its md5 hex digest, which then serves as the AES key and is also
# the value pasted into every plaintext (see create_query). With a fixed key
# and IV, CBC is deterministic, so equal plaintext prefixes give equal leading
# ciphertext blocks; a fresh random IV per message removes that property.
iv = hashlib.md5(seed).digest()
key = hashlib.md5(key).hexdigest()
# def block(s):
# return [s[x:x+AES.block_size] for x in range(0, len(s), AES.block_size)]
# Template of the JSON-looking plaintext. The caller's value and the secret
# are substituted with str.format, with no escaping of either.
query = '{{\"a\": \"{}\", \"flag\": \"{}\"}}'


def create_query(s):
    """Build the plaintext for *s*: the template with *s* and the module-level
    ``key`` substituted in.

    ``s`` is inserted verbatim, so a ``"`` inside it terminates the JSON
    string early and the rest of *s* becomes part of the surrounding layout;
    ``json.dumps(s)`` would escape it. ``key`` is read from module scope at
    call time.
    """
    fields = (s, key)
    return query.format(*fields)
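def pad(s):
    """Apply PKCS#7-style padding to *s* up to a multiple of the AES block size.

    Always appends at least one byte (a whole block when *s* is already
    aligned); every pad byte holds the pad length, so it can be stripped
    unambiguously. The original mixed a literal ``16`` with
    ``AES.block_size``; both now come from the same constant.
    """
    block_size = AES.block_size
    pad_len = block_size - len(s) % block_size
    return s + chr(pad_len) * pad_len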
def encrypt(msg):
    """Encrypt *msg* with AES-CBC under the module-level ``key`` and ``iv``.

    Returns the raw ciphertext bytes of the padded message. ``iv`` is the
    same constant for every call (it is computed once at import), so the
    scheme is deterministic: two messages sharing a prefix yield ciphertexts
    sharing the same leading blocks. The standard fix is a fresh random IV
    per message, transmitted alongside the ciphertext.
    """
    padded = pad(msg)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return cipher.encrypt(padded)
class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    """TCP server that serves each accepted connection on its own thread.

    ``allow_reuse_address`` lets the listening socket bind again immediately
    after a restart instead of waiting out TIME_WAIT.
    """

    allow_reuse_address = True
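class ThreadedTCPRequestHandler(SocketServer.BaseRequestHandler):
    """Per-connection protocol: read a hex string, reply with the encryption
    of the JSON plaintext built around it, and repeat until the client
    declines to continue.
    """

    def handle(self):
        """Serve one client until it answers anything but ``y`` to "Continue?".

        Each round: prompt, read up to 1024 bytes, hex-decode, wrap with
        create_query, encrypt, and send the ciphertext hex-encoded. The
        session ends when the client declines, disconnects, or sends input
        that is not valid hex. The original let the decode error propagate,
        which killed the handler thread with a traceback instead of ending
        the session cleanly.
        """
        while True:
            self.request.sendall("Give me a string and i'll search it for you:\n")
            self.request.sendall("Hex string:\n")
            raw = self.request.recv(1024)
            if not raw:
                # Peer closed the connection; nothing left to answer.
                break
            try:
                msg = raw.strip().decode('hex')
            except TypeError:
                # Python 2's hex codec raises TypeError on odd length or
                # non-hex characters; reject the input rather than crash.
                self.request.sendall("Invalid hex string\n")
                break
            msg = create_query(msg)
            # Logs the whole plaintext, which includes the secret ``key``,
            # to the server's stdout on every request.
            print(msg)
            cipher = encrypt(msg).encode('hex')
            print(cipher)
            self.request.sendall("Your query: " + cipher + '\n')
            self.request.sendall("Continue? \n")
            con = self.request.recv(1024)
            if con.strip().lower() != "y":
                self.request.sendall("Bye+\n")
                break
        self.request.close()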
# Module entry point: build the listener and block on its thread. There is no
# ``if __name__ == "__main__"`` guard, so importing this file starts serving.
while True:
    server = ThreadedTCPServer((host, port), ThreadedTCPRequestHandler)
    # Start a thread with the server -- that thread will then start one
    # more thread for each request
    server_thread = threading.Thread(target=server.serve_forever)
    # Exit the server thread when the main thread terminates
    server_thread.daemon = True
    server_thread.start()
    print "Server loop running in thread:", server_thread.name
    # join() only returns if serve_forever() exits (e.g. an exception in the
    # accept loop); the outer loop then rebuilds the server and listens again.
    # Nothing calls server.shutdown(), so this normally blocks indefinitely.
    server_thread.join()
import socket
# Endpoint of the challenge service that get_payload() connects to.
host, port = 'secure-token.grandprix.whitehatvn.com', 3333
# {"a": "aaaaaaaaa|aaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaa|aaa", "flag": "c|73664568e17cd0e3|d5b084da07c3f5f"|}
# {"a": "aaaaaaaaa|aaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaa|aaa", "flag": "k|aaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaa"|flag": "|c73664568e17cd0e3d5b084da07c3f5f"}
# *******--------------------------------------------- controlled ------------------------------------*********************************************
def get_payload(payload):
    """Send *payload* to the service once and return the hex ciphertext it
    replies with.

    Opens a fresh TCP connection per call, reads the two prompt lines, sends
    ``payload`` hex-encoded, and returns the last whitespace-separated token
    of the reply (the hex after "Your query:"). The socket is only closed on
    the normal path; an exception before close() leaks it.
    """
    soc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    soc.connect((host,port))
    # Two recv() calls for the two prompt lines the server sends with
    # separate sendall() calls; presumably each arrives in its own read --
    # verify, a merged read would leave the second prompt unread here.
    rep = soc.recv(1024)
    rep = soc.recv(1024)
    # print rep
    soc.send(payload.encode('hex')+'\n')
    rep = soc.recv(1024)
    # print rep
    # NOTE(review): if "Your query: <hex>\n" and "Continue? \n" arrive in one
    # read, split()[-1] is "Continue?" rather than the ciphertext -- the
    # caller's decode('hex') would then fail; assumes separate reads.
    res = rep.split()[-1]
    soc.close()
    return res
# Solver-side parameters. ``flag_length`` is informational only: the loop
# below compares against the literal 32. ``big_a`` is the longest filler the
# solver sends (presumably 12 template characters plus the 32-character value).
flag_length = 32
big_a = 12 + 32
flag = ''
# Same plaintext template as the server; used here only to print what the
# server is expected to encrypt for a given input. ``key`` is a hard-coded
# 32-hex-character value that appears only in that printed preview.
query = '{{\"a\": \"{}\", \"flag\": \"{}\"}}'
key = 'c73664568e17cd0e3d5b084da07c3f5f'


def create_query(s):
    """Return the plaintext the server would build for *s* (local mirror of
    the server-side create_query, with the hard-coded ``key``)."""
    return query.format(*(s, key))
# Recovers the server's embedded value one hex digit per round. It relies on
# two server-side weaknesses visible in the listing above: encryption uses a
# fixed key and IV, so the leading ciphertext blocks depend only on the
# leading plaintext bytes, and create_query does not escape input, so a
# payload can close the JSON string itself. The server-side defence is a
# fresh random IV per message (or an authenticated mode) plus json.dumps on
# user input.
for index in range(33):
    if len(flag) == 32:
        # Literal 32 duplicates flag_length defined above.
        break
    # Filler shrinks by one each round so one more byte of the real value
    # falls inside the compared 64-byte window.
    payload_0 = '0'*(big_a-index)
    print create_query(payload_0)
    c0 = get_payload(payload_0).decode('hex')
    for k in '0123456789abcdef':
        # Same filler, then the known prefix and one guessed digit placed
        # where the real value sits in payload_0.
        payload_1 = '0'*(big_a-index) + '", "flag": "' + flag + k
        print create_query(payload_1)
        c1 = get_payload(payload_1).decode('hex')
        # 64 bytes = four AES-CBC blocks; equal leading ciphertext means the
        # two plaintexts agree on those bytes, confirming the guess.
        if c0[:64] == c1[:64]:
            # print c0
            # print c1
            # print
            flag += k
            break
# NOTE(review): the listing has no indentation, so whether this print sits
# inside the loop (progress) or after it (final value) is not recoverable.
print flag
# c73664568e17cd0e3d5b084da07c3f5f