daily pastebin goal
22%
SHARE
TWEET

OSCE fc4.me challenge solver

a guest Oct 12th, 2017 90 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/python2
  2. # Auto solver for the OSCE challenge at fc4.me
  3. # If you couldn't solve the challenge without this script
  4. # You probably don't even want to try OSCE.
  5.  
  6. import hashlib
  7. import datetime
  8. import requests
  9. import base64
  10. import sys
  11. import binascii
  12.  
  13. def main():
  14.     # Get email address for registration.
  15.     # It has to be valid, and it has to be the same as
  16.     # the one you set during registration.
  17.     if len(sys.argv) < 2:
  18.         email=raw_input("[>] Please set an email address: ")
  19.     else:
  20.         email=sys.argv[1]
  21.  
  22.     # adding 'st', 'nd' or 'rd' when today date is 1st 2nd or 3rd
  23.     # Better solution? Please share!
  24.     today_day=int(datetime.datetime.now().strftime("%d"))
  25.     if today_day in [1, 21, 31]:
  26.         today=datetime.datetime.now().strftime("%A %dst of %B %Y")
  27.     elif today_day in [2, 22]:
  28.         today=datetime.datetime.now().strftime("%A %dnd of %B %Y")
  29.     elif today_day in [3, 23]:
  30.         today=datetime.datetime.now().strftime("%A %drd of %B %Y")
  31.     else:
  32.         today=datetime.datetime.now().strftime("%A %dth of %B %Y")
  33.    
  34.     print("[*] Today date is %s" % today)
  35.    
  36.     # hexdata = 'tryharder'
  37.     hexdata="\x74\x72\x79\x68\x61\x72\x64\x65\x72"
  38.     print("[*] Security string for today: %s%s" % (hexdata,today))
  39.     m=hashlib.md5()
  40.     m.update(("%s%s" % (hexdata,today)).encode('UTF-8'))
  41.     dig=m.hexdigest()
  42.     print("[*] MD5 digest: %s" % dig)
  43.  
  44.     # post request to validate the data...
  45.     print("[*] Solving first challenge...")
  46.     r=requests.post("http://fc4.me/fc4me.php", data={'email': email, 'securitystring': dig})
  47.  
  48.     try:
  49.         decy=base64.b64decode(r.content[r.content.index("<blockquote>"):r.content.index("</blockquote>")].replace("<blockquote>","").replace("<br/>",""))
  50.         print("[!] First challenge solved!")
  51.     except Exception as e:
  52.         print("[x] Error while solving first challenge...")
  53.         return
  54.  
  55.     chunks = decy.split(":")
  56.  
  57.     # Registration code acquired!
  58.     regcode = chunks[2].strip().split()[0]
  59.     shcode = chunks[3].strip()
  60.    
  61.     print("[*] Extracting encoded registration key from aquired shellcode...")
  62.     # the shellcode starts with a sequence of pushes with xor encoded values.
  63.     # the idea is at the end of the push sequence, you end up with the
  64.     # encoded registration key on the stack.
  65.     # the shellcode then ends with a loop to decode the encoded key.
  66.     # Instead of scraping that from memory, we can just parse the shellcode
  67.     # to get the encoded key, and then decode it using the same logic.
  68.     shcode_chunks=shcode.split("\\x68")[1:]
  69.     shcode_chunks[-1]=shcode_chunks[-1][:16]
  70.  
  71.     # shcode_chunks is an array of values like '\x32\x53\xf3\x71'
  72.     # It is little-endian now. We need to reverse each items. (eg. we want '\x71\xf3\x53\x32')
  73.     keyarray=list()
  74.     for c in reversed(shcode_chunks):
  75.         valarray = c.split("\\x")[1:]
  76.         for i in valarray:
  77.             keyarray.append(i)
  78.    
  79.     # Our array is sorted. Let's decode each values using a simple xor
  80.     print("[*] Encoded registration key extracted.")
  81.     print("[*] Decoding registration key using xor key: 0x%x" % 0x41) # XOR key is always the same
  82.     for i in range(len(keyarray)):
  83.         keyarray[i] = int(keyarray[i], 16)^0x41
  84.  
  85.     print("[!] Registration key decoded! All the challenges are solved!")
  86.     print("[+] Registration code: %s" % regcode)
  87.     print("[+] Registration key: "+(''.join(chr(e) for e in keyarray))) # BOOM.
  88.  
  89. main()
RAW Paste Data
Top