WhiteHat - Crypto
from pwn import * | |
import sys, os | |
def strxor(a, b):
    """Return the character-wise XOR of two strings.

    Works on Python 2 ``str`` (one char == one byte). The result is as long
    as the shorter input, because ``zip`` stops at the shorter sequence.
    """
    xor_pair = lambda pair: chr(ord(pair[0]) ^ ord(pair[1]))
    return ''.join(map(xor_pair, zip(a, b)))
# Candidate known plaintexts: canned replies of the challenge's chat bot.
# Each server reply is matched against this list by LENGTH ONLY (see the
# `len(r) == len(data)` lookups below), so two entries of equal length would
# make the lookup ambiguous.
records = '''I do nothing.
I'm a chat bot.
I'm from Vietnam.
My name is ChatBot.
I'm good, how are you?
My language is English.
I'm from Bkav in Vietnam.
Of course! I'd be glad to.
I'm fine. Thank you. And you?
Hi. I am Mr. ChatBot. Who are you?
You know, computing. How about you?
I'm doing fine thanks, how about yourself?
Sitting here, being a computer. How about yourself?
I'm a bot, I don't feel much of anything, how about you?'''.split('\n')
rounds = 30  # upper bound on probe exchanges in each key-recovery loop

# authenticate
# NOTE: Python 2 script (print statements, str.encode('hex'), str-based XOR).
host = "43.224.35.245"
port = 3425
p = connect(host,port)
p.sendlineafter("Your id: ", "manh")
rep = p.recvuntil("mode!\n")
print rep

#get timestamp
# Wire format used by every exchange below, as this script drives it:
#   send  8-byte timestamp | 8-byte length | payload
#   recv  8-byte timestamp | 8-byte length | payload
# The first exchange sends dummy values only to learn the server's
# current timestamp, which is echoed back into every later request.
p.send(p64(1))
p.send(p64(1))
p.send('\x00')
time = p.recv(8)  # raw 8-byte timestamp field (the name shadows any `time` module in scope)
length = p.recv(8)
data = p.recv(u64(length))
timestamp = u64(time)

#find noobkey
# Send random 16-byte payloads and keep the longest reply. The key is
# recovered below as reply XOR matching record, and strxor truncates to the
# shorter operand, so a longer reply yields more key bytes.
# Assumes each reply is a `records` line XOR'd with a fixed key -- inferred
# from how the script uses the replies, not verifiable from here.
noobleak = ""
for i in range(rounds):
    data = os.urandom(16)
    p.send(p64(timestamp))
    p.send(p64(len(data)))
    p.send(data)
    time = p.recv(8)
    length = p.recv(8)
    data = p.recv(u64(length))
    timestamp = u64(time)
    if len(data) > len(noobleak):
        noobleak = data
    if len(noobleak) >= 50: # message is good enough
        break
# NOTE(review): the lookup uses the LAST reply `data`, not the longest one
# kept in `noobleak`; the two coincide only when the loop broke early.
record = ""
for r in records:
    if len(r) == len(data): # found record that match
        print 'Record ', r
        record = r
        break
if not len(record):
    print 'Can not find message 1'
    sys.exit(1)

#compute noobkey
# Known-plaintext recovery: ciphertext XOR plaintext == keystream. This is
# the lesson of the challenge -- a fixed XOR key with guessable plaintext
# leaks the key in a single exchange.
noobkey = strxor(record, data)
print 'noobkey', noobkey.encode('hex')

#enter super mode
# Encrypt the literal 'super' under the recovered key; only the first
# 5 key bytes are consumed because strxor stops at the shorter operand.
data = strxor('super', noobkey)
p.send(p64(timestamp))
p.send(p64(len(data)))
p.send(data)
time = p.recv(8)
length = p.recv(8)
data = p.recv(u64(length))
timestamp = u64(time)

#find realkey
# Same probing as for noobkey, against the second mode. Note the threshold
# is `> 50` here versus `>= 50` above, and `realkey` is first used as the
# longest-reply tracker and then overwritten with the actual key below.
realkey = ""
for i in range(rounds):
    data = os.urandom(16)
    p.send(p64(timestamp))
    p.send(p64(len(data)))
    p.send(data)
    time = p.recv(8)
    length = p.recv(8)
    data = p.recv(u64(length))
    timestamp = u64(time)
    if len(data) > len(realkey):
        realkey = data
    if len(realkey) > 50: # message is good enough
        break
# NOTE(review): as in phase 1, the match is against the last reply `data`,
# not the longest reply.
record = ""
for r in records:
    if len(r) == len(data): # found record that match
        print 'Record ', r
        record = r
        break
if not len(record):
    print 'Can not find message 2'
    sys.exit(1)

#compute realkey
realkey = strxor(record, data)
print 'realkey', realkey.encode('hex')

#compute 'secret'
# Send 'secret' encrypted under realkey, then decrypt the reply with the
# same key and print it (presumably the challenge output).
data = strxor('secret', realkey)
p.send(p64(timestamp))
p.send(p64(len(data)))
p.send(data)
time = p.recv(8)
length = p.recv(8)
data = p.recv(u64(length))
timestamp = u64(time)
print strxor(data,realkey)
sys.exit(1)  # NOTE: exits with status 1 even on the success path