# cat blog >> /dev/brain 2> /proc/mind
# cat web_interception.py import socket host = 'vuln2014.picoctf.com' port = 65414 def print_recvdata(data): for i in range(0, len(data), kl * 2): print '<<< ' + data[i:i + (kl * 2)] def sendrecv(msg): s = socket.socket() s.connect((host, port)) s.recv(1024) s.send(msg) data = s.recv(1024) s.close() return data kl = 16 # key length cdl = 80 # current data length for i in range(1, 30): msg = 'aa' * i data = sendrecv(msg)[:-1] dl = len(data)/2 # data length if cdl < dl: print_recvdata(data) print 'Data = ', dl print 'Get = ', gl print 'Message = ', ml print 'Secret = ', sl break else: gl = len('GET /') ml = len(msg)/2 sl = dl - ml - gl # secret length print i pad = sl + kl - gl found = '' for i in range(pad - 1, kl - gl, -1): msg = 'aa' * i print '>>> ' + msg + '..' * (pad - len(msg)/2) data = sendrecv(msg)[:-1] f = 0 # from block1 t = (kl * 2) * (sl/kl + 1) # to block1 + #blocks(sl) key = data[f:t] #print_recvdata(data) for j in range(0, 256): h = format(j, '02x') nh = msg + found + h data = sendrecv(nh)[:-1] if data[f:t] == key: print '>>> ' + nh #print_recvdata(data) print 'found = \'' + chr(j) + '\'' found += h break print 'secret_data = \'' + found.decode('hex') + '\'' # python web_interception.py 1 2 3 4 5 6 7 8 9 10 11 <<< c2ede3651650defcac13ecd82b7b9e7b <<< 7a7bc20c2692db821734385bfa01f1db <<< 7bb2c562649b06c08ae178a597ba85d2 <<< c87adffd4197a50cdc4d47384db2b219 <<< 8e930fb9cdf30c3a2c914731545f9fb3 <<< 695e6035c5752aa0d133f436a7d4475f Data = 96 Get = 5 Message = 11 Secret = 64 >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20 found = ' ' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.... 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa2048 found = 'H' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa204854 found = 'T' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa........ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454 found = 'T' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.......... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa2048545450 found = 'P' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa............ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f found = '/' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.............. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f31 found = '1' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa................ 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e found = '.' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e31 found = '1' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d 'ound = ' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a found = ' ' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa........................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a43 found = 'C' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.......................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f found = 'o' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa............................ 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f found = 'o' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.............................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b found = 'k' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69 found = 'i' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b6965 found = 'e' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a found = ':' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20 found = ' ' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa........................................ 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a2066 found = 'f' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.......................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c found = 'l' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa............................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61 found = 'a' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.............................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c6167 found = 'g' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d found = '=' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d63 found = 'c' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................... 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f found = 'o' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e found = 'n' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa........................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67 found = 'g' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.......................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e6772 found = 'r' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa............................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e677261 found = 'a' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.............................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174 found = 't' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa................................................................ 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e6772617473 found = 's' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f found = '_' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f found = 'o' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e found = 'n' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa........................................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f found = '_' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.......................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f79 found = 'y' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa............................................................................ 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f found = 'o' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.............................................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75 found = 'u' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa................................................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f7572 found = 'r' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f found = '_' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66 found = 'f' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...................................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f6669 found = 'i' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa........................................................................................ 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f666972 found = 'r' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.......................................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273 found = 's' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa............................................................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f6669727374 found = 't' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.............................................................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f found = '_' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa................................................................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f65 found = 'e' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563 found = 'c' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................................................................... 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f656362 found = 'b' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...................................................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f found = '_' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa........................................................................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f64 found = 'd' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.......................................................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f6465 found = 'e' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa............................................................................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f646563 found = 'c' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.............................................................................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f64656372 found = 'r' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa................................................................................................................ 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f6465637279 found = 'y' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................................................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f646563727970 found = 'p' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................................................................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f64656372797074 found = 't' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...................................................................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f6465637279707469 found = 'i' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa........................................................................................................................ >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f64656372797074696f found = 'o' >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaa.......................................................................................................................... >>> aaaaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f64656372797074696f6e found = 'n' >>> aaaaaaaaaaaaaaaaaaaaaaaaaa............................................................................................................................ 
>>> aaaaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f64656372797074696f6e0d 'ound = ' >>> aaaaaaaaaaaaaaaaaaaaaaaa.............................................................................................................................. >>> aaaaaaaaaaaaaaaaaaaaaaaa20485454502f312e310d0a436f6f6b69653a20666c61673d636f6e67726174735f6f6e5f796f75725f66697273745f6563625f64656372797074696f6e0d0a found = ' ' secret_data = ' HTTP/1.1 Cookie: flag=congrats_on_your_first_ecb_decryption '
# cat block.py
#!/usr/bin/python2
# picoCTF 2014 "Block" challenge cipher, reproduced verbatim for reference.
#
# A toy substitution-permutation network: 24-bit blocks, a 24-bit key,
# three rounds of (key XOR, six 4-bit S-boxes, 24-bit permutation) plus a
# final key XOR.  encrypt()/decrypt() run it twice with two independent
# 24-bit keys.  That looks like a 48-bit key, but a meet-in-the-middle
# attack needs only ~2^25 cipher evaluations and 2^24 memory (see
# meet_in_the_middle.py below), and main() prepends a known 9-byte
# "message: " prefix to every plaintext, which supplies the known
# plaintext that attack needs.
from sys import argv, exit
import struct  # unused

# Round S-boxes: SBoxes[i] acts on nibble i (bits 4i..4i+3) of the block.
SBoxes = [[15, 1, 7, 0, 9, 6, 2, 14, 11, 8, 5, 3, 12, 13, 4, 10],
          [3, 7, 8, 9, 11, 0, 15, 13, 4, 1, 10, 2, 14, 6, 12, 5],
          [4, 12, 9, 8, 5, 13, 11, 7, 6, 3, 10, 14, 15, 1, 2, 0],
          [2, 4, 10, 5, 7, 13, 1, 15, 0, 11, 3, 12, 14, 9, 8, 6],
          [3, 8, 0, 2, 13, 14, 5, 11, 9, 1, 7, 12, 4, 6, 10, 15],
          [14, 12, 7, 0, 11, 4, 13, 15, 10, 3, 8, 9, 2, 6, 1, 5]]
# Inverse S-boxes, same layout, used by decrypt_data().
SInvBoxes = [[3, 1, 6, 11, 14, 10, 5, 2, 9, 4, 15, 8, 12, 13, 7, 0],
             [5, 9, 11, 0, 8, 15, 13, 1, 2, 3, 10, 4, 14, 7, 12, 6],
             [15, 13, 14, 9, 0, 4, 8, 7, 3, 2, 10, 6, 1, 5, 11, 12],
             [8, 6, 0, 10, 1, 3, 15, 4, 14, 13, 2, 9, 11, 5, 12, 7],
             [2, 9, 3, 0, 12, 6, 13, 10, 1, 8, 14, 7, 11, 4, 5, 15],
             [3, 14, 12, 9, 5, 15, 13, 2, 10, 11, 8, 4, 1, 6, 0, 7]]


def S(block, SBoxes):
    """Apply the substitution layer nibble-wise.

    Nibble i of `block` is replaced by SBoxes[i][nibble].  Only the low
    4*len(SBoxes) = 24 bits are ever read, so any higher bits of `block`
    (e.g. from an oversized key) are silently dropped here.
    """
    output = 0
    for i in xrange(0, len(SBoxes)):
        output |= SBoxes[i][(block >> 4*i) & 0b1111] << 4*i
    return output


# Bit permutation: output bit i <- input bit PBox[i]; PInvBox undoes it.
PBox = [13, 3, 15, 23, 6, 5, 22, 21, 19, 1, 18, 17, 20, 10, 7, 8, 12, 2, 16, 9, 14, 0, 11, 4]
PInvBox = [21, 9, 17, 1, 23, 5, 4, 14, 15, 19, 13, 22, 16, 0, 20, 2, 18, 11, 10, 8, 12, 7, 6, 3]


def permute(block, pbox):
    """Permute the 24 bits of `block`: output bit i is input bit pbox[i]."""
    output = 0
    for i in xrange(24):
        bit = (block >> pbox[i]) & 1
        output |= (bit << i)
    return output


def encrypt_data(data, key):
    """Encrypt `data` (a str whose length is a multiple of 3) under one 24-bit `key`.

    Each 3-byte block goes through three rounds of XOR-key, S, P, then a
    final XOR with the same key (there is no key schedule: every round
    uses `key` unchanged).  Callers must pad to a multiple of 3 bytes
    themselves; main() does that with NUL bytes.
    """
    enc = ""
    for i in xrange(0, len(data), 3):
        block = int(data[i:i+3].encode('hex'), 16)
        for j in xrange(0, 3):
            block ^= key
            block = S(block, SBoxes)
            block = permute(block, PBox)
        block ^= key
        enc += ("%06x" % block).decode('hex')
    return enc


def decrypt_data(data, key):
    """Inverse of encrypt_data(): undo the final XOR, then three rounds of P^-1, S^-1, XOR-key.

    No unpadding is done; NUL padding added at encryption time stays in the
    output.
    """
    dec = ""
    for i in xrange(0, len(data), 3):
        block = int(data[i:i+3].encode('hex'), 16)
        block ^= key
        for j in xrange(0, 3):
            block = permute(block, PInvBox)
            block = S(block, SInvBoxes)
            block ^= key
        dec += ("%06x" % block).decode('hex')
    return dec


def encrypt(data, key1, key2):
    """Double encryption: encrypt under key1, then under key2 (the MITM target)."""
    encrypted = encrypt_data(data, key1)
    encrypted = encrypt_data(encrypted, key2)
    return encrypted


def decrypt(data, key1, key2):
    """Inverse of encrypt(): peel off key2 first, then key1."""
    decrypted = decrypt_data(data, key2)
    decrypted = decrypt_data(decrypted, key1)
    return decrypted


def usage():
    """Print the command line and exit with status 1."""
    print "Usage: %s [encrypt/decrypt] [key1] [key2] [in_file] [out_file]" % argv[0]
    exit(1)


def main():
    """CLI: encrypt or decrypt in_file to out_file with two hex keys of up to 6 digits."""
    if len(argv) != 6:
        usage()
    # NOTE(review): these checks only print.  Execution continues with the
    # oversized key (int(..., 16) accepts any length), so nothing is enforced.
    if len(argv[2]) > 6:
        print "key1 is too large"
    elif len(argv[3]) > 6:
        print "key2 is too large"
    key1 = int(argv[2], 16)
    key2 = int(argv[3], 16)
    # Text-mode "r"/"w" is harmless for binary data on Linux (no newline
    # translation) but not portable.
    in_file = open(argv[4], "r")
    data = ""
    while True:
        read = in_file.read(1024)
        if len(read) == 0:
            break
        data += read
    in_file.close()
    if argv[1] == "encrypt":
        # Fixed prefix on every plaintext -> known plaintext for an attacker.
        data = "message: " + data
        if len(data) % 3 != 0:  # pad with NUL bytes to a whole 3-byte block (never stripped on decrypt)
            data += ("\x00" * (3 - (len(data) % 3)))
        output = encrypt(data, key1, key2)
    elif argv[1] == "decrypt":
        output = decrypt(data, key1, key2)
    else:
        usage()
    out_file = open(argv[5], "w")
    out_file.write(output)
    out_file.close()


if __name__ == "__main__":
    main()
# cat meet_in_the_middle.py from block import encrypt_data, decrypt, decrypt_data f = open('encrypted', 'r') data = f.read() f.close() enc = [] print '+ enc' for i in range(0, 0xffffff + 1): enc.append(encrypt_data('message: ', i).encode('hex')) dec = [] print '+ dec' for i in range(0, 0xffffff + 1): dec.append(decrypt_data(data[:9], i).encode('hex')) print '+ check' match = list(set(enc) & set(dec))[0] key1 = enc.index(match) key2 = dec.index(match) print match, hex(key1)[2:], hex(key2)[2:] print decrypt(data, key1, key2) # pypy meet_in_the_middle.py + enc + dec + check e06e0453ea35d9beb6 a6bffa 6fa0d message: c57d156f9cbcdb526b8544df95d9cb
# cat bitpuzzle.py from z3 import * v1 = BitVec('v1', 32) v2 = BitVec('v2', 32) v3 = BitVec('v3', 32) v4 = BitVec('v4', 32) v5 = BitVec('v5', 32) v6 = BitVec('v6', 32) v7 = BitVec('v7', 32) v8 = BitVec('v8', 32) s = Solver() s.add(v3 + v2 == 0xc0dcdfce) s.add(v1 + v2 == 0xd5d3dddc) s.add((5 * v2) + (3 * v1) == 0x404a7666) s.add(v1 ^ v4 == 0x18030607) s.add(v4 & v1 == 0x666c6970) s.add(v5 * v2 == 0xb180902b) s.add(v3 * v5 == 0x3e436b5f) s.add(v5 + (2 * v6) == 0x5c483831) s.add(v6 & 0x70000000 == 0x70000000) s.add(v6 / v7 == 1) s.add(v6 % v7 == 0xe000cec) s.add((3 * v5) + (2 * v8) == 0x3726eb17) s.add((7 * v8) + (4 * v3) == 0x8b0b922d) s.add(v4 + (3 * v8) == 0xb9cf9c91) import struct d = {} if s.check() == sat: m = s.model() print m for v in m: d[str(v)] = struct.pack('<I', int(str(m[v]))) flag = '' for k in sorted(d): flag += d[k] print flag # python bitpuzzle.py [v6 = 1953459295, v7 = 1718574963, v2 = 1600613993, v4 = 1852795252, v8 = 1853187679, v3 = 1635086693, v1 = 1986817907, v5 = 1936285555] solving_equations_is_lots_of_fun
# cat low_entropy.py import Crypt import gmpy import Socket publickey = 0xc20a1d8b3903e1864d14a4d1f32ce57e4665fc5683960d2f7c0f30d5d247f5fa264fa66b49e801943ab68be3d9a4b393ae22963888bf145f07101616e62e0db2b04644524516c966d8923acf12af049a1d9d6fe3e786763613ee9b8f541291dcf8f0ac9dccc5d47565ef332d466bc80dc5763f1b1139f14d3c0bae072725815f ciphertext = 0x49f573321bdb3ad0a78f0e0c7cd4f4aa2a6d5911c90540ddbbaf067c6aabaccde78c8ff70c5a4abe7d4efa19074a5249b2e6525a0168c0c49535bc993efb7e2c221f4f349a014477d4134f03413fd7241303e634499313034dbb4ac96606faed5de01e784f2706e85bf3e814f5f88027b8aeccf18c928821c9d2d830b5050a1e cont = True while cont: s = Socket.Socket(Socket.TCP) s.connect('vuln2014.picoctf.com', 51818) s.read() recv = s.read() if recv != '': n = int('0x' + recv, 16) p = Crypt.egcd(publickey, n)[0] if p != 1: cont = False s.close() q = publickey / p n = p * q totien = (p - 1) * (q - 1) e = 65537 d = gmpy.invert(e, totien) cleartext = pow(ciphertext, d, n) print hex(cleartext)[2:].decode('hex') # python low_entropy.py [i] Sock: Connecting... [i] Sock: Connecting... [i] Sock: Connecting... [i] Sock: Connecting... Good thing no one can read this! I'd hate for them to know that the flag is make_sure_your_rng_generates_lotsa_primes.
String Encoding: ASCII

    def STR(a):
        a = str(a)  # Yes, this is a little bit silly :-)
        for i in range(0, len(a) - 1, 2):
            print(chr(int(a[i:i+2]))),

e.g. STR(7269767679) = "HELLO" (each pair of decimal digits is one ASCII code: 72 'H', 69 'E', 76 'L', 76 'L', 79 'O').

Cryptosystem: Elliptic Curve: y^2 = x^3 + ax + b mod n
a = 0
b = ?
n = 928669833265826932708591

Encryption: C = e * M mod n (scalar multiplication of the point M by e)
Decryption: M = d * C mod n (works because d * e ≡ 1 modulo the order of M, so d * (e * M) = M)
e = 141597355687225811174313
d = 87441340171043308346177
C = (236857987845294655469221, 12418605208975891779391)

STR(M.x) + STR(M.y) = ?
The curve parameter b is not given, but it is not needed as a secret: C is a point on the curve, so b follows from the curve equation, b = y^2 - x^3 - a*x mod n. With the curve rebuilt, decryption is just the scalar multiplication d * C in Sage.

# apt-add-repository -y ppa:aims/sagemath
# apt-get update
# apt-get install sagemath-upstream-binary
# sage
sage: y = 12418605208975891779391
sage: x = 236857987845294655469221
sage: a = 0
sage: n = 928669833265826932708591
sage: b = (y**2 - x**3 - a*x) % n
sage: b
268892790095131465246420
sage: F = FiniteField(n)                  # only accepts a prime power, so this also confirms n is prime
sage: E = EllipticCurve(F, [a, b])
sage: G = E.point((x, y))                 # raises if (x, y) were not on E, i.e. if b were wrong
sage: d = 87441340171043308346177
sage: M = G * d                           # decryption: scalar multiplication by d
sage: M
(6976767380847367326785 : 828669833265826932708578 : 1)
(Sage prints projective coordinates (X : Y : Z); with Z = 1 these are the affine M.x and M.y.)
In [1]: print STR(6976767380847367326785), STR(828669833265826932708578)
ELLIPTIC CURVES ARE FUN