exploit_svattt2020

1. ## Crypto Nupakachi:
2. import requests
3. import re
4.  
5. def submit(chall, flag):
6.     s = requests.Session()
7.     cookies = {"x_polaris_sid":"bm1j3jftt49d35m7m3i86hm478fql6db947ad36na1lc40","polaris_sc":"blevvfs1vc0tbfu287jj0bp0rfme5f5v8c7o17ucofjts0", "x_polaris_cid": "bl605j2hsinoocvkhvi82ml71su4a03es7q2kov0bhuuo0", "session":"8e28e11b-b0e7-449d-9a4b-59f225386309.r564q6PtowG-aIiPdH8RR_pfBq0"}
8.  
9.     # r = s.post('https://ascis.1337.edu.vn/submitflag_API', data={"team":"Nupakachi","daemon":"Pwn02","action": "submit-flag","flag":"abc"}, proxies={'http': 'http://192.168.169.133:8080/', 'https': 'https://192.168.169.133:8080/'}, cookies=cookies, verify=False)
10.     r = s.post('https://ascis.1337.edu.vn/submitflag_API', data={"team":"Nupakachi","daemon": chall,"action": "submit-flag","flag": flag}, cookies=cookies)
11.     # print(r.text)
12.     print(re.search(r'alert(.*?)</script', r.text).group(1))
13.  
14. import os
15. import socket,json
16. from telnetlib import Telnet
17. from providers.token.aes256_cbc import Aes256CbcTP
18. from providers.token.aes256_gcm import Aes256GcmTP
19. from providers.token.complex_rsa import ComplexRsaTP
20. from providers.encryption.chacha import ChachaEP
21. from providers.randomness.mersenne import MersenneTwisterRP
22.  
23. # ip,port = '127.0.0.1',1337
24. sage_service = ('127.0.0.1',65535)
25. ip,port = '35.240.132.48',1337
26. # {"action":"import_key","key":"2020202020202020202020202020202020202020202020202020202020202020"}
27. def import_key(t,token):
28.     tmp = ("{"+f'"action":"import_key","key":"{token}"'+"}\n")
29.     t.write(tmp.encode())
30.     resp = t.read_until(b'\n');print(resp)
31.     data = json.loads(resp[:-1])
32.     return data["token"]
33.    
34. def generate_key(t):## leak output??
35.     t.write(b'{"action":"generate_key"}')
36.     resp = t.read_until(b'\n');print(resp)
37.     data = json.loads(resp[:-1])
38.     return data["token"]
39.  
40. def report_bug(t,token):
41.     tmp = ("{"+f'"action":"report_bug","token":"{token}"'+"}\n")
42.     t.write(tmp.encode())
43.     resp = t.read_until(b'\n');print(resp)
44.     if b"invalid action" in resp or b'error' in resp:return 0
45.     data = json.loads(resp[:-1])
46.     return int(data["bounty"])
47.  
48. class Hacker:
49.     def __init__(self):
50.         self.target = (ip,port)
51.         self.signature = b'                                ' ## lem == 32
52.        
53.     def reconnect(self):
54.         self.s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
55.         self.s.connect(self.target)
56.         self.t = Telnet()
57.         self.t.sock = self.s
58.    
59.     def close_connection(self):
60.         self.s.close()
61.    
62.     def attack(self):
63.         ## picking mod encryption
64.        
65.         '''## vector attack 1
66.         self.t.write(b'1\n')## cbc
67.         token_hex = (b'\0'+self.signature[1:]).hex()
68.         token = bytes.fromhex(import_key(self.t,token_hex))
69.         token = (bytes([token[0]^0x20])+token[1:]).hex()# token.hex()
70.         plain_int = report_bug(self.t,token)
71.         print(plain_int.to_bytes(64,'big'))
72.         '''
73.         ## vector attack 2
74.         t1,t2 = Telnet(ip,port),Telnet(ip,port)
75.        
76.         # self.t.write(b'2\n')
77.         t1.write(b'2\n')
78.         t2.write(b'2\n')
79.        
80.         plain_hex_1 = bytes(32).hex()
81.         plain_hex_2 = bytes(i for i in range(32)).hex()
82.        
83.         token_hex_1 = import_key(t1,plain_hex_1)
84.         token_hex_2 = import_key(t2,plain_hex_2)
85.         t1.sock.close(),t2.sock.close()
86.        
87.         nonce_1 = token_hex_1[:24]
88.         nonce_2 = token_hex_2[:24]
89.         if nonce_2!=nonce_1:return
90.        
91.         t3 = Telnet(*sage_service)
92.         nonce = nonce_1
93.         token_hex_3 = bytes(a^b for a,b in zip(self.signature,bytes.fromhex(token_hex_1)[12:-16])).hex()
94.        
95.         # test = import_key(self.t,token_hex_1)
96.         # print(test,token,token_hex_2)
97.         t3.write(f'{token_hex_1}\n'.encode())
98.         t3.write(f'{token_hex_2}\n'.encode())
99.         t3.write(f'{token_hex_3}\n'.encode())
100.         tmp = b''
101.         for _ in range(10):
102.             t0 = Telnet(ip,port)
103.             t0.write(b'2\n')
104.             resp = t3.read_until(b'\n');print(resp)
105.             T3 = resp[:-1].decode()
106.             token = nonce+token_hex_3+T3
107.             tmp = report_bug(t0,token)
108.             t0.close()
109.             if tmp:
110.                 tmp = tmp.to_bytes(39,'big')
111.                 if b'ASCIS{' in tmp:break
112.         t3.sock.close()
113.         tmp = tmp.decode()
114.         print(tmp)
115.         chall = "Crypto01"
116.         submit(chall, tmp)
117.        
118. import time
119. # fix_tag = 1606536000
120. fix_tag = 1606535990
121. minnute = 3
122. if __name__=='__main__':
123.     while True:
124.         tmp = int(time.time())
125.         print((tmp - fix_tag)%(60*minnute))
126.         if (tmp - fix_tag)%(60*minnute) < 200:
127.             hacker=Hacker()
128.             hacker.reconnect()
129.             hacker.attack()
130.             hacker.close_connection()
131.         time.sleep(.5)
132.     # hacker.close_connection()
133.  
134.