Created
November 12, 2020 11:31
import socket | |
import string | |
import itertools | |
import hashlib | |
# Challenge endpoint the script connects to on import; the commented pair is
# the local test instance the author used.
HOST, PORT = '123.57.4.93', 45216
# HOST, PORT = '127.0.0.1', 20009
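class Mysocket():
    """Minimal line-oriented TCP client used to talk to the challenge service.

    Written for Python 2: ``makefile('rw', 0)`` opens an unbuffered text
    stream, which Python 3 refuses ("can't have unbuffered text I/O").
    """

    def __init__(self, myhost, myport):
        """Connect to ``(myhost, myport)`` and wrap the socket in a file object."""
        self.client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.client.connect((myhost, myport))
        # Unbuffered so every write() reaches the wire without an explicit flush.
        self.fd = self.client.makefile('rw', 0)

    def recvuntil(self, delim="\n"):
        """Read one character at a time until the buffer ends with ``delim``.

        Returns the received text with surrounding whitespace stripped, so the
        delimiter itself is only removed when it is whitespace (callers that
        wait for ')' drop it themselves).

        Raises:
            EOFError: the peer closed the connection before ``delim`` arrived.
                The original spun forever here, because read(1) returns ''
                at EOF and '' never makes the buffer end with ``delim``.
        """
        buf = ''
        while not buf.endswith(delim):
            chunk = self.fd.read(1)
            if not chunk:
                raise EOFError('connection closed before %r was received' % (delim,))
            buf += chunk
        return buf.strip()

    def send(self, data):
        """Write ``data`` verbatim."""
        self.fd.write(data)

    def sendline(self, data):
        """Write ``data`` followed by a newline."""
        self.fd.write(data + '\n')

    def sendlineafter(self, data, delim="\n", debug=False):
        """Wait for ``delim``, optionally echo what was read, then send ``data`` as a line."""
        buf = self.recvuntil(delim)
        if debug:
            print(buf)
        self.sendline(data)

    def close(self):
        """Close the underlying socket."""
        self.client.close()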
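def proof_of_work(suffix, chal, length=4, alphabet=string.ascii_letters + string.digits):
    """Brute-force the proof-of-work prefix the service asks for on connect.

    Finds the first ``length``-character string ``m`` drawn from ``alphabet``
    (in ``itertools.product`` order) such that
    ``sha256(m + suffix).hexdigest() == chal``.

    Args:
        suffix: known tail of the hashed message, str or bytes.
        chal: expected lowercase hex SHA-256 digest, as a str.
        length: prefix length to search; the service's prompt shows 'XXXX', i.e. 4.
        alphabet: candidate characters, ASCII letters and digits by default.

    Returns:
        The matching prefix as a byte string (a plain ``str`` on Python 2, which
        is what the original returned).

    Raises:
        ValueError: no candidate matched (a subclass of the bare Exception the
            original raised, so existing handlers still work).
    """
    if not isinstance(suffix, bytes):
        suffix = suffix.encode()
    if not isinstance(alphabet, bytes):
        alphabet = alphabet.encode()
    # Single-byte slices keep the candidates as bytes on both Python versions.
    symbols = [alphabet[i:i + 1] for i in range(len(alphabet))]
    digest = hashlib.sha256
    for comb in itertools.product(symbols, repeat=length):
        candidate = b''.join(comb)
        if digest(candidate + suffix).hexdigest() == chal:
            return candidate
    raise ValueError("Not found...")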
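def _unwrap_repr(text):
    """Remove a Python repr wrapper (``b'...'`` or ``'...'``) from ``text``.

    The original used ``strip("'").strip("b'")``, which strips *any* leading or
    trailing ``b`` characters as well, so a challenge value that happened to
    start or end with ``b`` was silently truncated and the proof of work would
    never verify.  Only the two-character ``b'`` prefix and the quotes are
    removed here.
    """
    if text.startswith("b'"):
        text = text[2:]
    elif text.startswith("'"):
        text = text[1:]
    if text.endswith("'"):
        text = text[:-1]
    return text


# Handshake: the service prints something of the form
# "sha256(XXXX+<known>) == <target>" and expects the 4-character XXXX back.
p = Mysocket(HOST, PORT)
print(p.recvuntil('XXXX+'))
known = p.recvuntil(')')[:-1]      # recvuntil keeps ')', so drop it here
print(p.recvuntil('== '))
target = p.recvuntil()
print('%s %s' % (known, target))
s = proof_of_work(_unwrap_repr(known), _unwrap_repr(target))
print(s)
p.sendline(s)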
def send_all(uid, uname, token, cmd, appendix):
    """Drive menu option 1 and return the (ticket, auth) pair the service issues.

    Every prompt is echoed to stdout before its answer is written, using the
    module-level connection ``p``.

    Args:
        uid: numeric user id, sent as a decimal string.
        uname: username field.
        token: computed by the caller but never sent by this function; the
            service presumably derives its own T field (see the author's block
            diagram below).  Kept in the signature so callers are unchanged.
        cmd: command field.
        appendix: extra data sent at the 'Appendix?' prompt.

    Returns:
        ``(ticket, auth)`` — the lines read after 'ticket:' and 'Auth:'.
    """
    def answer(prompt, value):
        # Echo the prompt, then reply with one line.
        print(p.recvuntil(prompt))
        p.sendline(value)

    answer("option:", '1')
    answer("id:", str(uid))
    answer('username:', uname)
    answer('command:', cmd)
    answer('Appendix?', appendix)
    print(p.recvuntil('ticket:'))
    ticket = p.recvuntil()
    print(p.recvuntil('Auth:'))
    auth = p.recvuntil()
    return ticket, auth
def check(ticket, auth):
    """Drive menu option 2: submit ``ticket`` and ``auth`` and echo the reply.

    Uses the module-level connection ``p``; reads up to and including the
    closing '}' of the service's response and prints it.  Returns None.
    """
    exchanges = (
        ("option:", '2'),
        ("Ticket:", ticket),
        ('Auth:', auth),
    )
    for prompt, reply in exchanges:
        print(p.recvuntil(prompt))
        p.sendline(reply)
    print(p.recvuntil("}"))
'''
# ------- finally --------
'Uid=10010\xffUserNa'
'me=Administrator' A
'\xffCmd=aaaaaaaaaaa'
'\xffCmd=Give_Me_Fla' B
'g\xff' C
# -------- 1 ----------
'Uid=10010\xffUserNa'
'me=Administrator' A
'aaa\xffT=fc5917d63a'
'\xffCmd=aaaaaaaaaaa' D
'g\xff' C
# -------- 2 ----------
'Uid=13\xffUserName='
'\xffT=aaaaaaaaaaaaa' F
'\xffCmd=aaaaaaaaaaa'
'\xffCmd=Give_Me_Fla' B
'gg'
# -------- 3 ----------
'Uid=10010\xffUserNa'
'me=Administrato'+'r'^'x'^'a' A
'aaa\xffT=fc5917d63a'
'\xffCmd=Give_Me_Flx' B
'g\xff'
Auth_fin = A^B^pad(C)
Auth3 = A^(x)^B^(x)^pad(C)
'''
from Crypto.Util.strxor import strxor | |
from binascii import unhexlify, hexlify | |
# Three legitimate requests whose ticket/auth values are recombined at the
# end; the block layout each one produces is given in the author's diagram
# above.
# NOTE(review): per that diagram the service's Auth is an XOR of message
# blocks (A^B^pad(C)).  That is linear in the blocks, which is what lets a
# spliced ticket carry a valid Auth; a keyed MAC (e.g. HMAC) over the whole
# ticket would not have that property.

def _token_for(uid, uname):
    """Local copy of the T field: sha256(uname) hex, truncated to uid % 16 chars.

    Presumably mirrors what the service computes; send_all does not transmit it.
    """
    return hashlib.sha256(uname).hexdigest()[:uid % 16]


# ---------------- 1
uid, uname = 10010, 'Administratoraaa'
token = _token_for(uid, uname)
cmd, appendix = 'aaaaaaaaaaag', ''
ticket1, auth1 = send_all(uid, uname, token, cmd, appendix)
print(ticket1)
print(auth1)

# ---------------- 2
uid, uname = 13, ''
token = _token_for(uid, uname)
cmd, appendix = 'aaaaaaaaaaa', 'Cmd=Give_Me_Flag'
ticket2, auth2 = send_all(uid, uname, token, cmd, appendix)
print(ticket2)
print(auth2)

# ---------------- 3
uid = 10010
# The substituted byte is 'r' ^ 'a' ^ 'x'; see case 3 and the Auth3 formula in
# the diagram above for why that particular value is used.
uname = 'Administrato' + chr(ord('r') ^ ord('a') ^ ord('x')) + 'aaa'
token = _token_for(uid, uname)
cmd, appendix = 'Give_Me_Flxg', ''
ticket3, auth3 = send_all(uid, uname, token, cmd, appendix)
print(ticket3)
print(auth3)

# Splice: ticket 1 with its hex characters 64..127 replaced by ticket 2's,
# presented together with the Auth of request 3.
ticket = ticket1[:64] + ticket2[64:128] + ticket1[128:]
auth = auth3
check(ticket, auth)