  1. ## Crypto Nupakachi:
  2. import requests
  3. import re
  4.  
def submit(chall, flag):
    """Submit *flag* for challenge *chall* to the scoreboard and print the server's alert text.

    Args:
        chall: challenge/daemon name sent in the ``daemon`` form field (e.g. ``"Crypto01"``).
        flag: flag string sent in the ``flag`` form field.

    Side effects: one HTTPS POST with the default certificate verification; prints the text
    captured between ``alert`` and ``</script`` in the response body. Raises AttributeError
    when that pattern is absent (``re.search`` returns ``None``).

    NOTE(review): the cookies below are hard-coded session credentials. Anyone holding this
    paste can act as this team on the scoreboard for as long as they stay valid; such values
    belong in the environment or a secrets file, never in source.
    """
    s = requests.Session()
    cookies = {"x_polaris_sid":"bm1j3jftt49d35m7m3i86hm478fql6db947ad36na1lc40","polaris_sc":"blevvfs1vc0tbfu287jj0bp0rfme5f5v8c7o17ucofjts0", "x_polaris_cid": "bl605j2hsinoocvkhvi82ml71su4a03es7q2kov0bhuuo0", "session":"8e28e11b-b0e7-449d-9a4b-59f225386309.r564q6PtowG-aIiPdH8RR_pfBq0"}

    # Debug variant routed through an intercepting proxy with TLS verification disabled; keep it off outside a lab.
    # r = s.post('https://ascis.1337.edu.vn/submitflag_API', data={"team":"Nupakachi","daemon":"Pwn02","action": "submit-flag","flag":"abc"}, proxies={'http': 'http://192.168.169.133:8080/', 'https': 'https://192.168.169.133:8080/'}, cookies=cookies, verify=False)
    r = s.post('https://ascis.1337.edu.vn/submitflag_API', data={"team":"Nupakachi","daemon": chall,"action": "submit-flag","flag": flag}, cookies=cookies)
    # print(r.text)
    # Only the alert(...) payload of the HTML reply is shown; no HTTP status check is performed.
    print(re.search(r'alert(.*?)</script', r.text).group(1))
  13.  
  14. import os
  15. import socket,json
  16. from telnetlib import Telnet
  17. from providers.token.aes256_cbc import Aes256CbcTP
  18. from providers.token.aes256_gcm import Aes256GcmTP
  19. from providers.token.complex_rsa import ComplexRsaTP
  20. from providers.encryption.chacha import ChachaEP
  21. from providers.randomness.mersenne import MersenneTwisterRP
  22.  
  23. # ip,port = '127.0.0.1',1337
# Local helper consulted by Hacker.attack; its implementation is not part of this paste.
sage_service = ('127.0.0.1',65535)
# Remote token service used by import_key/generate_key/report_bug and Hacker.attack.
ip,port = '35.240.132.48',1337
  26. # {"action":"import_key","key":"2020202020202020202020202020202020202020202020202020202020202020"}
def import_key(t,token):
    """Send an ``import_key`` request carrying *token* (hex) and return the reply's ``token`` field.

    *t* must expose ``write(bytes)`` and ``read_until(bytes)`` (a ``telnetlib.Telnet``).
    The raw reply line is echoed to stdout. The reply is trusted as-is: a non-JSON or
    error reply raises ``json.JSONDecodeError``/``KeyError`` rather than being handled.
    """
    request = f'{{"action":"import_key","key":"{token}"}}\n'
    t.write(request.encode())
    reply = t.read_until(b'\n')
    print(reply)
    # Strip the trailing newline before parsing.
    parsed = json.loads(reply[:-1])
    return parsed["token"]
  33.    
def generate_key(t):
    """Send a ``generate_key`` request and return the reply's ``token`` field.

    Unlike ``import_key``/``report_bug`` the request is written without a trailing
    newline; the original author's "leak output??" note suggests this path was never
    confirmed against the service. The raw reply line is echoed to stdout.
    """
    t.write(b'{"action":"generate_key"}')
    line = t.read_until(b'\n')
    print(line)
    return json.loads(line[:-1])["token"]
  39.  
def report_bug(t,token):
    """Submit *token* (hex) via ``report_bug`` and return the reported bounty as an int.

    Returns 0 when the reply contains ``invalid action`` or ``error`` (the service
    rejected the token); otherwise the ``bounty`` field of the JSON reply converted
    with ``int``. The raw reply line is echoed to stdout.
    """
    request = f'{{"action":"report_bug","token":"{token}"}}\n'
    t.write(request.encode())
    reply = t.read_until(b'\n')
    print(reply)
    rejected = any(marker in reply for marker in (b"invalid action", b'error'))
    if rejected:
        return 0
    parsed = json.loads(reply[:-1])
    return int(parsed["bounty"])
  47.  
class Hacker:
    """Driver for the "vector attack 2" flow against the token service at ``(ip, port)``.

    Only ``attack`` does real work; ``reconnect``/``close_connection`` manage ``self.s``,
    a socket the live ``attack`` path no longer uses (it opens its own Telnet connections).
    """
    def __init__(self):
        self.target = (ip,port)
        # 32 ASCII spaces; XORed into token 1's body in attack() to build token 3.
        self.signature = b'                                ' ## lem == 32
       
    def reconnect(self):
        """Open a TCP connection to ``self.target`` and wrap it in a ``Telnet`` object.

        ``self.t`` is only referenced by the disabled "vector attack 1" block in
        ``attack``; the live path opens its own connections, so this socket sits idle.
        """
        self.s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        self.s.connect(self.target)
        self.t = Telnet()
        self.t.sock = self.s
   
    def close_connection(self):
        """Close the socket opened by ``reconnect``; connections opened inside ``attack`` are closed there."""
        self.s.close()
   
    def attack(self):
        """Run one forgery round: obtain two tokens sharing a prefix, derive a third, redeem it, submit the flag.

        Flow: two connections each select mode ``2`` and import a chosen 32-byte key;
        the first 12 bytes of both tokens (treated as a nonce, judging by the
        ``[:24]``/``[12:-16]`` slicing) must be equal or the method returns early.
        Bytes 12..-16 of token 1 are XORed with ``self.signature`` to form token 3's
        body; the local ``sage_service`` helper receives all three hex strings and
        yields one line per attempt that becomes token 3's trailing component. Up to
        ten redemptions are tried; a bounty whose 39-byte big-endian encoding contains
        ``ASCIS{`` is submitted as ``Crypto01``. What mode ``2`` selects and what the
        helper computes are not visible in this file.

        NOTE(review): if the last ``report_bug`` call returns 0, ``tmp`` is the int 0
        after the loop and ``tmp.decode()`` raises AttributeError; ``to_bytes(39, ...)``
        raises OverflowError for a bounty wider than 39 bytes. Neither case is handled.
        """
        ## picking mod encryption
       
        '''## vector attack 1
        self.t.write(b'1\n')## cbc
        token_hex = (b'\0'+self.signature[1:]).hex()
        token = bytes.fromhex(import_key(self.t,token_hex))
        token = (bytes([token[0]^0x20])+token[1:]).hex()# token.hex()
        plain_int = report_bug(self.t,token)
        print(plain_int.to_bytes(64,'big'))
        '''
        ## vector attack 2
        t1,t2 = Telnet(ip,port),Telnet(ip,port)
       
        # self.t.write(b'2\n')
        t1.write(b'2\n')
        t2.write(b'2\n')
       
        # Two chosen keys: all-zero bytes and 0x00..0x1f.
        plain_hex_1 = bytes(32).hex()
        plain_hex_2 = bytes(i for i in range(32)).hex()
       
        token_hex_1 = import_key(t1,plain_hex_1)
        token_hex_2 = import_key(t2,plain_hex_2)
        t1.sock.close(),t2.sock.close()
       
        # First 12 bytes of each token; the round is abandoned unless both connections
        # were issued the same value (the caller's polling loop simply tries again).
        nonce_1 = token_hex_1[:24]
        nonce_2 = token_hex_2[:24]
        if nonce_2!=nonce_1:return
       
        t3 = Telnet(*sage_service)
        nonce = nonce_1
        # Token 3 body: bytes 12..-16 of token 1 XORed with the 32-byte signature.
        token_hex_3 = bytes(a^b for a,b in zip(self.signature,bytes.fromhex(token_hex_1)[12:-16])).hex()
       
        # test = import_key(self.t,token_hex_1)
        # print(test,token,token_hex_2)
        t3.write(f'{token_hex_1}\n'.encode())
        t3.write(f'{token_hex_2}\n'.encode())
        t3.write(f'{token_hex_3}\n'.encode())
        tmp = b''
        for _ in range(10):
            t0 = Telnet(ip,port)
            t0.write(b'2\n')
            resp = t3.read_until(b'\n');print(resp)  # one candidate line from the helper per attempt
            T3 = resp[:-1].decode()
            token = nonce+token_hex_3+T3
            tmp = report_bug(t0,token)
            t0.close()
            if tmp:
                tmp = tmp.to_bytes(39,'big')
                if b'ASCIS{' in tmp:break
        t3.sock.close()
        tmp = tmp.decode()  # AttributeError when tmp is still the int 0 (see docstring)
        print(tmp)
        chall = "Crypto01"
        submit(chall, tmp)
  117.        
  118. import time
  119. # fix_tag = 1606536000
fix_tag = 1606535990
minnute = 3
if __name__=='__main__':
    # Poll the clock and run one round only during the first 200 seconds of each
    # `minnute`-minute period measured from fix_tag; sleep half a second between polls.
    period = 60 * minnute
    while True:
        phase = (int(time.time()) - fix_tag) % period
        print(phase)
        if phase < 200:
            hacker = Hacker()
            hacker.reconnect()
            hacker.attack()
            hacker.close_connection()
        time.sleep(.5)
  132.     # hacker.close_connection()
  133.  
  134.  