import socket
import string
import itertools
import hashlib
# Challenge endpoint; a local instance (127.0.0.1:20009) was used while developing.
HOST, PORT = '123.57.4.93', 45216
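class Mysocket():
    """Minimal line-oriented TCP client built on a socket file object."""

    def __init__(self, myhost, myport):
        """Connect to (myhost, myport) and open a read/write file object on the socket."""
        self.client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.client.connect((myhost, myport))
        # Unbuffered so every write reaches the peer immediately
        # (Python 2 makefile signature, matching the rest of this script).
        self.fd = self.client.makefile('rw', 0)

    def recvuntil(self, delim="\n"):
        """Read one character at a time until the buffer ends with delim.

        Returns the buffer with surrounding whitespace stripped.
        Raises EOFError if the peer closes the connection before delim
        arrives; the original looped forever on the empty read returned at EOF.
        """
        buf = ''
        while not buf.endswith(delim):
            ch = self.fd.read(1)
            if not ch:
                raise EOFError("connection closed before %r was received" % (delim,))
            buf += ch
        return buf.strip()

    def send(self, data):
        """Write data exactly as given (no newline appended)."""
        self.fd.write(data)

    def sendline(self, data):
        """Write data followed by a newline."""
        self.fd.write(data + '\n')

    def sendlineafter(self, data, delim="\n", debug=False):
        """Wait until delim has been received, optionally echo it, then send data + newline."""
        buf = self.recvuntil(delim)
        if debug:
            print(buf.strip())
        self.fd.write(data + '\n')

    def close(self):
        """Close the underlying socket."""
        self.client.close()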
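def proof_of_work(suffix, chal, length=4, alphabet=string.ascii_letters + string.digits):
    """Find the prefix whose sha256(prefix + suffix) hex digest equals chal.

    Candidates are every string of `length` characters drawn from `alphabet`,
    tried in itertools.product order; the first match is returned as str.

    Args:
        suffix: known tail of the hashed message (str, or bytes).
        chal: expected hex digest (lowercase hex str).
        length: prefix length to search; 4 as in the original.
        alphabet: candidate characters; letters + digits as in the original.

    Raises:
        ValueError (a subclass of Exception, so existing ``except Exception``
        handlers still match) when no candidate matches.
    """
    # hashlib needs bytes on Python 3; on Python 2 str already is bytes,
    # so the isinstance checks keep the same code valid on both.
    suffix_bytes = suffix if isinstance(suffix, bytes) else suffix.encode('latin-1')
    for comb in itertools.product(alphabet, repeat=length):
        m = ''.join(comb)
        candidate = m if isinstance(m, bytes) else m.encode('latin-1')
        if hashlib.sha256(candidate + suffix_bytes).hexdigest() == chal:
            return m
    raise ValueError("Not found...")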
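def _unwrap_bytes_repr(text):
    """Remove a surrounding b'...' or '...' repr wrapper from text.

    The original used .strip("'").strip("b'"), which also removes any
    trailing 'b' that is part of the value itself (e.g. a hex digest ending
    in 'b'), so the search could never match in that case.
    """
    if text.startswith("b'"):
        text = text[2:]
    elif text.startswith("'"):
        text = text[1:]
    if text.endswith("'"):
        text = text[:-1]
    return text


p = Mysocket(HOST, PORT)
# Banner up to the placeholder, then the known suffix and the target digest.
print(p.recvuntil('XXXX+'))
known = p.recvuntil(')')[:-1]
print(p.recvuntil('== '))
target = p.recvuntil()
print('%s %s' % (known, target))
s = proof_of_work(_unwrap_bytes_repr(known), _unwrap_bytes_repr(target))
print(s)
p.sendline(s)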
def send_all(uid, uname, token, cmd, appendix):
    """Walk menu option 1 on the global connection `p` and return (ticket, auth).

    Each prompt is echoed as it is consumed. `token` is accepted for call
    compatibility only; nothing in this function sends it.
    """
    dialogue = (
        ("option:", '1'),
        ("id:", str(uid)),
        ('username:', uname),
        ('command:', cmd),
        ('Appendix?', appendix),
    )
    for prompt, answer in dialogue:
        print(p.recvuntil(prompt))
        p.sendline(answer)
    print(p.recvuntil('ticket:'))
    ticket = p.recvuntil()
    print(p.recvuntil('Auth:'))
    auth = p.recvuntil()
    return ticket, auth
def check(ticket, auth):
    """Walk menu option 2 on the global connection `p`, submitting ticket and auth.

    Echoes every prompt and the server's reply up to the closing brace.
    """
    answers = (("option:", '2'), ("Ticket:", ticket), ('Auth:', auth))
    for prompt, answer in answers:
        print(p.recvuntil(prompt))
        p.sendline(answer)
    print(p.recvuntil("}"))
# print p.recvuntil()
'''
# ------- finally --------
'Uid=10010\xffUserNa'
'me=Administrator' A
'\xffCmd=aaaaaaaaaaa'
'\xffCmd=Give_Me_Fla' B
'g\xff' C
# -------- 1 ----------
'Uid=10010\xffUserNa'
'me=Administrator' A
'aaa\xffT=fc5917d63a'
'\xffCmd=aaaaaaaaaaa' D
'g\xff' C
# -------- 2 ----------
'Uid=13\xffUserName='
'\xffT=aaaaaaaaaaaaa' F
'\xffCmd=aaaaaaaaaaa'
'\xffCmd=Give_Me_Fla' B
'gg'
# -------- 3 ----------
'Uid=10010\xffUserNa'
'me=Administrato'+'r'^'x'^'a' A
'aaa\xffT=fc5917d63a'
'\xffCmd=Give_Me_Flx' B
'g\xff'
Auth_fin = A^B^pad(C)
Auth3 = A^(x)^B^(x)^pad(C)
'''
from Crypto.Util.strxor import strxor
from binascii import unhexlify, hexlify
# The three ticket requests, issued in order: (uid, username, command, appendix).
# The third username carries the byte r ^ a ^ x in place of the 'r' of
# "Administrator" (see the notes above).
_flip = chr(ord('r') ^ ord('a') ^ ord('x'))
_requests = [
    (10010, 'Administratoraaa', 'aaaaaaaaaaag', ''),
    (13, '', 'aaaaaaaaaaa', 'Cmd=Give_Me_Flag'),
    (10010, 'Administrato' + _flip + 'aaa', 'Give_Me_Flxg', ''),
]
_results = []
for uid, uname, cmd, appendix in _requests:
    # Derived from the username as in the original; send_all never transmits it.
    token = hashlib.sha256(uname).hexdigest()[:uid % 16]
    ticket, auth = send_all(uid, uname, token, cmd, appendix)
    print(ticket)
    print(auth)
    _results.append((ticket, auth))
(ticket1, auth1), (ticket2, auth2), (ticket3, auth3) = _results
# Middle 64 characters of ticket 2 spliced into ticket 1, submitted with auth 3.
ticket = ticket1[:64] + ticket2[64:128] + ticket1[128:]
auth = auth3
check(ticket, auth)