Last active
May 7, 2016 04:54
-
-
Save sonickun/b451bf903e1e9662474d250247b851a4 to your computer and use it in GitHub Desktop.
Google CTF 2016 Wolf Spider
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
def make_blocks(s): | |
return [s[i:i+16] for i in xrange(0, len(s), 16)] | |
def xor(a, b): | |
return "".join([chr(ord(a[i]) ^ ord(b[i % len(b)])) for i in xrange(len(a))]) | |
def decrypt(target): | |
prefix = "578ae51334b467aa99092c00e57ff977168f922a.4f3a3680afa88ae056e5c56fb67544ff03e5b64f4174f1752ab93ac24a78257fc173ab2f339436453e9163265fd23707" | |
url = "https://wolf-spider.ctfcompetition.com/admin" | |
target = target.encode("hex") | |
after_enc = "" | |
for k in range(16): | |
s = "" | |
for i in xrange(k): | |
c = after_enc[::-1][i] | |
n = ord(c) ^ (k + 1) | |
s = "%02x%s" % (n, s) | |
for i in xrange(0,256): | |
print "i:%d after_enc:%s" % (i, after_enc.encode("hex")) | |
mid = "%02x%s" % (i, s) | |
mid = mid.rjust(32, "0") | |
uid = prefix + mid + target | |
res = requests.get(url, verify=False, cookies={"UID": uid}) | |
rescode = res.status_code | |
if rescode != 500: | |
after_enc = chr(i ^ (k + 1)) + after_enc | |
print after_enc.encode("hex") | |
break | |
return after_enc | |
def main(): | |
# username=hoge\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01h&username=admin | |
sig = "757365726e616d653d686f67658000000000000000000000000000000000016826757365726e616d653d61646d696e01" | |
sig_hash = "b78ca576701807fc18e64db090aa4f6939232416" | |
target_block = make_blocks(sig.decode("hex")) | |
target_block.reverse() | |
# login as "aaaaaaa" | |
# 578ae51334b467aa99092c00e57ff977168f922a.4f3a3680afa88ae056e5c56fb67544ff03e5b64f4174f1752ab93ac24a78257fc173ab2f339436453e9163265fd23707 | |
ct = "4f3a3680afa88ae056e5c56fb67544ff03e5b64f4174f1752ab93ac24a78257fc173ab2f339436453e9163265fd23707".decode("hex") | |
IV = ct[:16] | |
ciphertext = ct[16:32] | |
ciphertext = xor(xor(IV, "username=aaaaaaa"), target_block[0]) + ciphertext | |
for i in range(1,3): | |
after_enc = decrypt(ciphertext[:16]) | |
ciphertext = xor(after_enc, target_block[i]) + ciphertext | |
uid = "%s.%s" % (sig_hash, ciphertext.encode("hex")) | |
print "UID:", uid | |
if __name__ == '__main__': | |
main() | |
# Result | |
# UID: b78ca576701807fc18e64db090aa4f6939232416.dc3cd1cc0697b720cd117bb4f59b7b71ccb94738c7f771ba5af213666f00f9a21c3c2097b3a786e80eb9c56aba7d4b9f03e5b64f4174f1752ab93ac24a78257f |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment