- ## Crypto Nupakachi:
- import requests
- import re
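def submit(chall, flag):
    """Post *flag* for service *chall* to the scoreboard and print its reply.

    The scoreboard answers with an HTML page; the text found between
    ``alert`` and ``</script`` in that page is printed. If the page does not
    contain that pattern, the HTTP status is printed instead of raising.

    Args:
        chall: Service name sent in the ``daemon`` form field.
        flag: Flag string sent in the ``flag`` form field.
    """
    # NOTE(review): these are session cookies embedded in source that was
    # published in a public paste. Whoever holds them can act as this team
    # until they expire. Load them from the environment or a secrets store,
    # and treat any value that has been shared as compromised.
    cookies = {
        "x_polaris_sid": "bm1j3jftt49d35m7m3i86hm478fql6db947ad36na1lc40",
        "polaris_sc": "blevvfs1vc0tbfu287jj0bp0rfme5f5v8c7o17ucofjts0",
        "x_polaris_cid": "bl605j2hsinoocvkhvi82ml71su4a03es7q2kov0bhuuo0",
        "session": "8e28e11b-b0e7-449d-9a4b-59f225386309.r564q6PtowG-aIiPdH8RR_pfBq0",
    }
    form = {
        "team": "Nupakachi",
        "daemon": chall,
        "action": "submit-flag",
        "flag": flag,
    }
    # The author's commented-out debug call routed this request through a
    # local intercepting proxy with verify=False. Certificate verification is
    # left enabled here, since the request carries the session cookies.
    with requests.Session() as s:
        # A timeout keeps the caller's polling loop from hanging on a dead
        # scoreboard connection.
        r = s.post(
            'https://ascis.1337.edu.vn/submitflag_API',
            data=form,
            cookies=cookies,
            timeout=10,
        )
    match = re.search(r'alert(.*?)</script', r.text)
    if match is None:
        # The original called .group(1) on None here and crashed.
        print(f"no alert message in scoreboard reply (HTTP {r.status_code})")
        return
    print(match.group(1))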
- import os
- import socket,json
- from telnetlib import Telnet
- from providers.token.aes256_cbc import Aes256CbcTP
- from providers.token.aes256_gcm import Aes256GcmTP
- from providers.token.complex_rsa import ComplexRsaTP
- from providers.encryption.chacha import ChachaEP
- from providers.randomness.mersenne import MersenneTwisterRP
# Local test endpoint, left disabled by the author:
# ip, port = '127.0.0.1', 1337

# Address of the local helper service that Hacker.attack connects to.
sage_service = ('127.0.0.1', 65535)

# Remote challenge endpoint used for every Telnet connection in this script.
ip = '35.240.132.48'
port = 1337
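# Example request line:
# {"action":"import_key","key":"2020202020202020202020202020202020202020202020202020202020202020"}
def import_key(t, token):
    """Send an ``import_key`` request over *t* and return the reply's token.

    Args:
        t: Connected object exposing ``write(bytes)`` and
            ``read_until(bytes)`` (a ``telnetlib.Telnet`` in this script).
        token: Value placed in the ``key`` field; callers pass a hex string.

    Returns:
        The ``token`` field of the JSON reply.

    Raises:
        json.JSONDecodeError: If the reply line is not valid JSON.
        KeyError: If the reply has no ``token`` field.
    """
    # json.dumps escapes the value, so a quote or backslash in *token* cannot
    # break the message. Compact separators keep the bytes on the wire the
    # same as the hand-built string for ordinary hex input.
    request = json.dumps(
        {"action": "import_key", "key": token}, separators=(",", ":")
    ) + "\n"
    t.write(request.encode())
    resp = t.read_until(b'\n')
    print(resp)
    # json.loads ignores the trailing newline. Slicing off the last byte, as
    # the original did, corrupts a reply that ends at EOF without a newline.
    return json.loads(resp)["token"]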
def generate_key(t):
    """Ask the service to generate a key and return the reply's ``token``.

    Args:
        t: Connected object exposing ``write(bytes)`` and
            ``read_until(bytes)``.

    Returns:
        The ``token`` field of the JSON reply line.
    """
    # Author's own note on this helper: "leak output??"
    # NOTE(review): unlike import_key and report_bug, this request is written
    # without a trailing newline. Confirm the service answers it as sent.
    t.write(b'{"action":"generate_key"}')
    reply = t.read_until(b'\n')
    print(reply)
    # Drop the final byte (the newline delimiter) before parsing.
    payload = json.loads(reply[:-1])
    return payload["token"]
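def report_bug(t, token):
    """Send a ``report_bug`` request over *t* and return the bounty as an int.

    Args:
        t: Connected object exposing ``write(bytes)`` and
            ``read_until(bytes)``.
        token: Value placed in the ``token`` field; callers pass a hex string.

    Returns:
        ``int(reply["bounty"])``, or ``0`` when the raw reply contains
        ``invalid action`` or ``error``.

    Raises:
        json.JSONDecodeError: If an accepted reply is not valid JSON.
        KeyError: If an accepted reply has no ``bounty`` field.
    """
    # Built with json.dumps so the value is escaped. Compact separators keep
    # the wire bytes identical to the hand-built string for hex input.
    request = json.dumps(
        {"action": "report_bug", "token": token}, separators=(",", ":")
    ) + "\n"
    t.write(request.encode())
    resp = t.read_until(b'\n')
    print(resp)
    # Rejections are detected on the raw bytes, before any JSON parsing.
    if b"invalid action" in resp or b'error' in resp:
        return 0
    # json.loads ignores the trailing newline. The original sliced off the
    # last byte, which truncates a reply that arrives without a newline.
    return int(json.loads(resp)["bounty"])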
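class Hacker:
    """Client for the "Crypto01" challenge service at ``(ip, port)``.

    ``attack`` only proceeds when the service hands back the same leading
    12 bytes (treated here as a nonce) for two independent ``import_key``
    calls. A service that uses a fresh nonce for every encryption makes
    ``attack`` return at its first check, so nonce uniqueness is the property
    a defender should verify.

    NOTE(review): ``telnetlib`` was removed from the standard library in
    Python 3.13, so this class needs an older interpreter as written.
    """

    def __init__(self):
        self.target = (ip, port)
        # The author's comment gives the length as 32 ("lem == 32"), but the
        # pasted literal is a single space, presumably collapsed whitespace.
        # Written as a repeat so the intended length is explicit.
        self.signature = b' ' * 32

    def reconnect(self):
        """Open a TCP connection to the target and wrap it in a Telnet object."""
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.s.connect(self.target)
        self.t = Telnet()
        self.t.sock = self.s

    def close_connection(self):
        """Close the socket opened by ``reconnect``."""
        self.s.close()

    def attack(self):
        """Run the second ("vector attack 2") procedure and submit the result.

        Steps, as the code performs them:

        1. Open two connections, select mode ``2`` on each (presumably the
           AES-GCM token provider imported at the top of the file; confirm),
           and import two known 32-byte values.
        2. Compare the first 24 hex characters of both returned tokens and
           stop if they differ.
        3. XOR ``self.signature`` with token 1 after its first 12 and last 16
           bytes are removed. That layout is consistent with
           nonce | ciphertext | tag, but is not confirmed by this file.
        4. Send three hex values to the local helper at ``sage_service`` and
           read one reply line per attempt, for at most 10 attempts. Each
           reply becomes the trailing part of a token passed to
           ``report_bug``.
        5. Submit the decoded result only if it contains ``ASCIS{``.

        Returns:
            None. Results are printed and, on success, passed to ``submit``.
        """
        # First variant, disabled by the author (mode 1, labelled "cbc"):
        #   self.t.write(b'1\n')
        #   token_hex = (b'\0'+self.signature[1:]).hex()
        #   token = bytes.fromhex(import_key(self.t,token_hex))
        #   token = (bytes([token[0]^0x20])+token[1:]).hex()
        #   plain_int = report_bug(self.t,token)
        #   print(plain_int.to_bytes(64,'big'))

        # Second variant: two separate connections, both switched to mode 2.
        t1, t2 = Telnet(ip, port), Telnet(ip, port)
        t1.write(b'2\n')
        t2.write(b'2\n')
        plain_hex_1 = bytes(32).hex()          # 32 zero bytes
        plain_hex_2 = bytes(range(32)).hex()   # bytes 0x00 through 0x1f
        token_hex_1 = import_key(t1, plain_hex_1)
        token_hex_2 = import_key(t2, plain_hex_2)
        t1.sock.close()
        t2.sock.close()

        # 24 hex characters = 12 bytes. Everything below relies on both
        # tokens starting with the same value.
        nonce_1 = token_hex_1[:24]
        nonce_2 = token_hex_2[:24]
        if nonce_2 != nonce_1:
            return
        nonce = nonce_1

        body_1 = bytes.fromhex(token_hex_1)[12:-16]
        token_hex_3 = bytes(a ^ b for a, b in zip(self.signature, body_1)).hex()

        flag = None
        t3 = Telnet(*sage_service)
        try:
            t3.write(f'{token_hex_1}\n'.encode())
            t3.write(f'{token_hex_2}\n'.encode())
            t3.write(f'{token_hex_3}\n'.encode())
            for _ in range(10):
                t0 = Telnet(ip, port)
                try:
                    t0.write(b'2\n')
                    resp = t3.read_until(b'\n')
                    print(resp)
                    T3 = resp[:-1].decode()
                    token = nonce + token_hex_3 + T3
                    bounty = report_bug(t0, token)
                finally:
                    t0.close()
                if bounty:
                    candidate = bounty.to_bytes(39, 'big')
                    if b'ASCIS{' in candidate:
                        flag = candidate
                        break
        finally:
            t3.sock.close()

        # The original decoded whatever was left in its loop variable. That
        # could be the int 0 (AttributeError on .decode) or bytes without the
        # marker. Submit only a value that actually matched.
        if flag is None:
            print("no flag recovered in this round")
            return
        tmp = flag.decode()
        print(tmp)
        chall = "Crypto01"
        submit(chall, tmp)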
- import time
# Earlier reference value, left disabled by the author:
# fix_tag = 1606536000
fix_tag = 1606535990  # Unix timestamp that the cycle offset is measured from
minnute = 3           # cycle length in minutes

if __name__ == '__main__':
    cycle_seconds = 60 * minnute
    while True:
        now = int(time.time())
        offset = (now - fix_tag) % cycle_seconds
        print(offset)
        # NOTE(review): offset is always below cycle_seconds (180 with the
        # value above), so this `< 200` test never fails and a run starts on
        # every pass. Confirm the intended window.
        if offset < 200:
            hacker = Hacker()
            hacker.reconnect()
            hacker.attack()
            hacker.close_connection()
        # Pause between passes. The paste lost its indentation; because the
        # test above always holds, this runs once per pass at either level.
        time.sleep(.5)