pawlos/gist:9e94a863d089c0d6687d48d0e43cb9e5

## gistfile1.txt
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host crypto.2021.chall.actf.co --port 21603
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF('./chall')

# Many built-in settings can be controlled on the command-line and show up
# in "args".  For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST or 'crypto.2021.chall.actf.co'
port = int(args.PORT or 21603)
context.log_level = 'warn'
def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================

io = start()

io.readuntil(b'Enter a string to encrypt: ')

io.sendline(b'aaaaaa')
io.sendline()
o = io.readline().replace(b'\n',b'')
output = bytearray.fromhex(o)
io.close()

freq_table = [None]*len(output)

for i in range(len(freq_table)):
    freq_table[i] = {}

n = 500
for i in range(n):
    io = start()

    io.readuntil(b'Enter a string to encrypt: ')

    io.sendline(b'aaaaaa')
    io.sendline()
    o = io.readline().replace(b'\n',b'')
    output = bytearray.fromhex(o)

    for i in range(len(output)):
        l = freq_table[i]
        if l is None:
            freq_table[i] = {}
            l = freq_table[i]

        c = chr(output[i])
        if c not in l:
            l[c] = 1
        else:
            l[c] += 1
    io.close()

print(freq_table)

output = []
for i in range(len(freq_table)):
    l = freq_table[i]
    maxK = max(l, key=l.get)
    output.append(maxK)

print("".join(output))
	#!/usr/bin/env python
	# -- coding: utf-8 --
	# This exploit template was generated via:
	# $ pwn template --host crypto.2021.chall.actf.co --port 21603
	from pwn import *

	# Set up pwntools for the correct architecture
	exe = context.binary = ELF('./chall')

	# Many built-in settings can be controlled on the command-line and show up
	# in "args". For example, to dump all data sent/received, and disable ASLR
	# for all created processes...
	# ./exploit.py DEBUG NOASLR
	# ./exploit.py GDB HOST=example.com PORT=4141
	host = args.HOST or 'crypto.2021.chall.actf.co'
	port = int(args.PORT or 21603)
	context.log_level = 'warn'
	def local(argv=[], a, *kw):
	'''Execute the target binary locally'''
	if args.GDB:
	return gdb.debug([exe.path] + argv, gdbscript=gdbscript, a, *kw)
	else:
	return process([exe.path] + argv, a, *kw)

	def remote(argv=[], a, *kw):
	'''Connect to the process on the remote host'''
	io = connect(host, port)
	if args.GDB:
	gdb.attach(io, gdbscript=gdbscript)
	return io

	def start(argv=[], a, *kw):
	'''Start the exploit against the target.'''
	if args.LOCAL:
	return local(argv, a, *kw)
	else:
	return remote(argv, a, *kw)

	# Specify your GDB script here for debugging
	# GDB will be launched if the exploit is run via e.g.
	# ./exploit.py GDB
	gdbscript = '''
	continue
	'''.format(**locals())

	#===========================================================
	# EXPLOIT GOES HERE
	#===========================================================

	io = start()

	io.readuntil(b'Enter a string to encrypt: ')

	io.sendline(b'aaaaaa')
	io.sendline()
	o = io.readline().replace(b'\n',b'')
	output = bytearray.fromhex(o)
	io.close()

	freq_table = [None]*len(output)

	for i in range(len(freq_table)):
	freq_table[i] = {}

	n = 500
	for i in range(n):
	io = start()

	io.readuntil(b'Enter a string to encrypt: ')

	io.sendline(b'aaaaaa')
	io.sendline()
	o = io.readline().replace(b'\n',b'')
	output = bytearray.fromhex(o)

	for i in range(len(output)):
	l = freq_table[i]
	if l is None:
	freq_table[i] = {}
	l = freq_table[i]

	c = chr(output[i])
	if c not in l:
	l[c] = 1
	else:
	l[c] += 1
	io.close()

	print(freq_table)

	output = []
	for i in range(len(freq_table)):
	l = freq_table[i]
	maxK = max(l, key=l.get)
	output.append(maxK)

	print("".join(output))