Skip to content

Instantly share code, notes, and snippets.

@pawlos
Created April 9, 2021 05:21
Show Gist options
  • Save pawlos/9e94a863d089c0d6687d48d0e43cb9e5 to your computer and use it in GitHub Desktop.
Save pawlos/9e94a863d089c0d6687d48d0e43cb9e5 to your computer and use it in GitHub Desktop.
pwn_thunderbolt.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host crypto.2021.chall.actf.co --port 21603
from pwn import *
# Set up pwntools for the correct architecture
exe = context.binary = ELF('./chall')
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST or 'crypto.2021.chall.actf.co'
port = int(args.PORT or 21603)
context.log_level = 'warn'
def local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if args.GDB:
return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return process([exe.path] + argv, *a, **kw)
def remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = connect(host, port)
if args.GDB:
gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.LOCAL:
return local(argv, *a, **kw)
else:
return remote(argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
io = start()
io.readuntil(b'Enter a string to encrypt: ')
io.sendline(b'aaaaaa')
io.sendline()
o = io.readline().replace(b'\n',b'')
output = bytearray.fromhex(o)
io.close()
freq_table = [None]*len(output)
for i in range(len(freq_table)):
freq_table[i] = {}
n = 500
for i in range(n):
io = start()
io.readuntil(b'Enter a string to encrypt: ')
io.sendline(b'aaaaaa')
io.sendline()
o = io.readline().replace(b'\n',b'')
output = bytearray.fromhex(o)
for i in range(len(output)):
l = freq_table[i]
if l is None:
freq_table[i] = {}
l = freq_table[i]
c = chr(output[i])
if c not in l:
l[c] = 1
else:
l[c] += 1
io.close()
print(freq_table)
output = []
for i in range(len(freq_table)):
l = freq_table[i]
maxK = max(l, key=l.get)
output.append(maxK)
print("".join(output))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment