Skip to content

Instantly share code, notes, and snippets.

@ymgve
Created Apr 2, 2017
Embed
What would you like to do?
import socket, struct, os, binascii, base64, hashlib, random
import telnetlib
from task import *
def readline(sc, show = True):
res = ""
while len(res) == 0 or res[-1] != "\n":
data = sc.recv(1)
if len(data) == 0:
print repr(res)
raise Exception("Server disconnected")
res += data
if show:
print repr(res[:-1])
return res[:-1]
def read_until(sc, s):
res = ""
while not res.endswith(s):
data = sc.recv(1)
if len(data) == 0:
print repr(res)
raise Exception("Server disconnected")
res += data
return res[:-(len(s))]
def read_all(sc, n):
data = ""
while len(data) < n:
block = sc.recv(n - len(data))
if len(block) == 0:
print repr(data)
raise Exception("Server disconnected")
data += block
return data
def to_hexdigits(number):
res = ""
while number > 0:
res = chr(number & 0xff) + res
number = number >> 8
return res
def register(n, name):
e = 65537
d = modinv(e, n-1)
ntext = "\x00" * 0x38 + to_hexdigits(n)
sc = socket.create_connection(("pki.hackable.software", 1337))
msg = "register:%s,%s" % (base64.b64encode(name), base64.b64encode(ntext))
sc.send(msg)
m = int(readline(sc, False))
temp = pow(m, d, n)
assert verify(name, ntext, temp)
r = temp / Q
s = temp % Q
print "r, s", r, s
return r, s
def login(n, name, K, X, r):
ntext = "\x00" * 0x38 + to_hexdigits(n)
s = (modinv(K, Q) * (h(makeMsg(name, ntext)) + X * r)) % Q
sig = to_hexdigits(r*Q+s)
sc = socket.create_connection(("pki.hackable.software", 1337))
msg = "login:%s,%s,%s" % (base64.b64encode(name), base64.b64encode(ntext), base64.b64encode(sig))
sc.send(msg)
print readline(sc, False)
def main():
prefix = open("block1.bin", "rb").read()[:64]
n1 = 0x5e5606d3dbd5580d9fd0a7070f39d5f5ac96d84685b25953242280c2b14d3ba4820a06d0fe815135ebe36afbd6f9bf199502aa5b8c93ed3c4c5e607195115288d7180e703812996a5b10001a705d425ffd1627403fbcfb6e761b845f4f5c2f41f4fcb08a84aaa27fe69aeb587b0af82a06bf625f14865864ba0c7daab4e1c17e0005366b
n2 = 0x5e5606d3dbd5580d9fd0a7070f39d5f5ac96d8c685b25953242280c2b14d3ba4820a06d0fe815135ebe36afbd679c0199502aa5b8c93ed3c4c5e60f195115288d7180e703812996a5b10001a705d425ffd1627c03fbcfb6e761b845f4f5c2f41f4fcb08a84aaa27fe69aeb587b8af72a06bf625f14865864ba0c7d2ab4e1c17e0005366b
name = "test2"
m1 = h(makeMsg(name, "\x00" * 0x38 + to_hexdigits(n1)))
m2 = h(makeMsg(name, "\x00" * 0x38 + to_hexdigits(n2)))
r1, s1 = register(n1, name)
r2, s2 = register(n2, name)
assert r1 == r2
r = r1
t1 = (m1 - m2) % Q
t2 = (s1 - s2) % Q
t3 = modinv(t2, Q)
K = (t1 * t3) % Q
assert (s1*K-m1) % Q == (s2*K-m2) % Q
assert pow(G, K, P) % Q == r
t = (s1 * K - m1) % Q
r_inv = modinv(r, Q)
X = (t * r_inv) % Q
assert (modinv(K, Q) * (m1 + X * r)) % Q == s1
assert (modinv(K, Q) * (m2 + X * r)) % Q == s2
login(n1, "admin", K, X, r)
main()
# https://natmchugh.blogspot.no/2014/10/how-i-made-two-php-files-with-same-md5.html
# DrgnS{ThisFlagIsNotInterestingJustPasteItIntoTheScoreboard}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment