- import os
- from pwn import *
- # context.log_level = 'debug'
- # copy and paste
def sha(my_string):
    """Return the raw digest of my_string under the algorithm hashlib calls 'sha'.

    'sha' is OpenSSL's name for the legacy SHA-0 digest. Recent OpenSSL
    builds no longer provide it, in which case hashlib.new raises ValueError.
    SHA-0 is cryptographically broken and should not appear in new designs.
    """
    # NOTE(review): this file never imports hashlib explicitly; presumably the
    # name arrives through `from pwn import *` -- confirm.
    return hashlib.new('sha', my_string).digest()
def sha1(my_string):
    """Return the raw 20-byte SHA-1 digest of my_string.

    SHA-1 is no longer collision resistant; it is kept here only because the
    scheme being reproduced uses it.
    """
    return hashlib.new('sha1', my_string).digest()
def sha256(my_string):
    """Return the raw 32-byte SHA-256 digest of my_string."""
    return hashlib.new('sha256', my_string).digest()
def ripemd160(my_string):
    """Return the raw 20-byte RIPEMD-160 digest of my_string.

    Availability depends on the OpenSSL build behind hashlib; where the
    algorithm is not provided, hashlib.new raises ValueError.
    """
    return hashlib.new('ripemd160', my_string).digest()
def xor(s1, s2):
    """XOR the characters of s1 with s2, repeating s2 as often as needed.

    The result has the length of s1. Because s2 is indexed modulo its own
    length, a short s2 acts as a repeating key: positions of s1 that are
    len(s2) apart are masked with the same character.
    """
    masked = []
    for pos, ch in enumerate(s1):
        key_ch = s2[pos % len(s2)]
        masked.append(chr(ord(ch) ^ ord(key_ch)))
    return ''.join(masked)
# Hash functions combo_hash can select from; the position in the list is the
# selector value, so the order matters.
h_list = [
    sha,
    sha1,
    ripemd160,
    sha256,
]
def combo_hash(salt, password, h_list, no_rounds):
    """Mix password and salt through no_rounds rounds of hash-and-XOR.

    The input password + salt + password is split into a 32-character left
    half and the remainder as the right half. In every round one function
    from h_list is chosen per half (by the last character of the left half
    and the first character of the right half), each half is hashed, and
    each half is then XORed with the digest of the *other* half.

    Returns the concatenation of the two halves after the final round.

    NOTE(review): this is a home-grown construction built from fast digests.
    xor() repeats a digest that is shorter than the half it masks, so with a
    20-byte digest the characters 20 positions apart in a 32-character half
    share the same mask; solve() in this file relies on that relation. A
    standard password-hashing function avoids this class of leak.
    """
    combined = password + salt + password
    left, right = combined[:32], combined[32:]

    for _ in range(no_rounds):
        # Selector characters are read before either half is modified.
        pick_left = ord(left[31]) % len(h_list)
        pick_right = ord(right[0]) % len(h_list)

        digest_left = h_list[pick_left](left)
        digest_right = h_list[pick_right](right)

        # Cross-mix: each half is masked with the other half's digest.
        left = xor(left, digest_right)
        right = xor(right, digest_left)

    return left + right
- # functions for exploit
def solve(m, h):
    """Combine slices of the input m and the returned hash h into a candidate.

    Slices of h that lie 20 positions apart within each 32-character half
    are XORed together and then XORed with the matching slice of m. The
    middle 4-character part is derived twice, once from each half of h; the
    two derivations must agree for the candidate to be accepted.

    Returns the three parts concatenated (8 + 4 + 8 characters when m and h
    are full length), or None when the two middle parts differ.

    NOTE(review): presumably h is combo_hash output for a 20-character
    secret with m as the salt -- confirm against the service's source.
    """
    def fold(first, second, known):
        # Cancel the shared mask between two slices, then strip the known input.
        return xor(xor(first, second), known)

    m_head, m_mid_a, m_mid_b, m_tail = m[0:8], m[8:12], m[12:16], m[16:24]

    # Slices of the left half (characters 0-31 of h).
    l_a, l_b, l_c, l_d, l_e = h[0:8], h[8:12], h[12:20], h[20:28], h[28:32]
    # Slices of the right half (characters 32-63 of h).
    r_a, r_b, r_c, r_d, r_e = h[32:36], h[36:44], h[44:52], h[52:56], h[56:64]

    head = fold(l_a, l_d, m_head)
    mid_from_left = fold(l_b, l_e, m_mid_a)
    mid_from_right = fold(r_a, r_d, m_mid_b)
    tail = fold(r_b, r_e, m_tail)

    if mid_from_left == mid_from_right:
        return head + mid_from_left + tail
    return None
# Driver: repeat whole sessions until solve() accepts one of the replies.
# NOTE(review): Python 2 only -- str.encode('hex') / str.decode('hex') and
# concatenating os.urandom() output with a str literal do not work on Python 3.
while True:
    conn = remote('52.142.217.130', 13374)
    # conn = process(['python', 'ph.py'])
    conn.recvline()  # discard the first line the service sends

    # Send 1023 random 24-byte inputs, each with two zero bytes at offsets 11-12.
    probes = []
    for _ in range(1023):
        probe = os.urandom(11) + '\x00\x00' + os.urandom(11)
        probes.append(probe)
        conn.sendline(probe.encode('hex'))

    # Read one hex-encoded reply per input, in order, and stop at the first
    # reply for which solve() returns a candidate.
    for probe in probes:
        reply = conn.recvline().strip().decode('hex')
        recovered = solve(probe, reply)
        if recovered is not None:
            break
    else:
        # No reply was usable in this session; start a fresh connection.
        conn.close()
        continue

    conn.sendline('')
    conn.recvuntil('Here is the challenge salt:\n')
    challenge_salt = conn.recvline().strip().decode('hex')
    response = combo_hash(challenge_salt, recovered, h_list, 16)
    conn.sendline(response.encode('hex'))
    conn.interactive()
    break
'''
Congrats. Here's a flag for you:
PTBCTF{420199e572e685af8e1782fde58fd0e9}
'''