CTFs and solutions
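--- a/back-to-the-future/2
+++ b/back-to-the-future/2
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+from Cryptodome.Cipher import ChaCha20
+from Cryptodome.Random import get_random_bytes
+from Cryptodome.Util.number import long_to_bytes, bytes_to_long
+import time
+from random import randint
+from pwn import *
+import base64
+import requests
+import time
+from requests.utils import cookiejar_from_dict
+LOGIN ="http://130.192.5.212:6522/login"
+FLAG = "http://130.192.5.212:6522/flag"
+username='aa'
+admin=0
+expire_date=int(time.time()) + 30 * 24 * 60 * 60
+cookie = f"username={username}&expires={expire_date}&admin={admin}"
+print(f"Cookie len:{len(cookie.encode())}")
+LOGIN="http://127.0.0.1:5000/login"
+FLAG="http://127.0.0.1:5000/flag"
+# expire = 1.748.345.396
+PARAMS = {"username":'aa','admin':1}
+
+s = requests.Session()
+r = s.get(url=LOGIN,params=PARAMS)
+cookie= r.json()['cookie']
+print(f"Cookie encrypted len:{len(long_to_bytes(cookie))}")
+#sleep(1000)
+nonce = r.json()['nonce']
+
+cookie = bytearray(long_to_bytes(cookie))
+
+for i in range(1,256):
+cookie[-1]= cookie[-1] ^ i
+
+COOKIES = {'cookie':bytes_to_long(cookie), 'nonce': nonce}
+f = s.get(url=FLAG,params=COOKIES)
+print(f.text)
+"""if(f.text == "You have expired!"):
+print(f"Guessed byte:{i}")
+cookie[20] = 2 ^ i
+COOKIES['cookie'] = bytes_to_long(cookie)
+f = s.get(url=FLAG,params=COOKIES)
+print(f.text)"""
+#break
+"""decCookie = cipher.decrypt(encCookie)
+print(decCookie)
+sleep(10000)
+r = s.get(url=LOGIN,params=PARAMS)
+for cookie in s.cookies:
+print(cookie)
+keyEncoded = cookie.value
+key = base64.urlsafe_b64decode(keyEncoded+'=')
+
+print(f"LEN:{len(key)}")
+
+LOG_PARAMS = {"username":'aaaaaaaaa','admin':1}
+r = s.get(url=LOGIN,params=LOG_PARAMS)
+print(f"login:{r.json()}")
+cookie=long_to_bytes(r.json()['cookie'])
+nonce=long_to_bytes(r.json()['nonce'])
+print(f"Nonce:{bytes_to_long(nonce)}")
+cipher = ChaCha20.new(key=key, nonce=nonce)
+decrypt=cipher.decrypt(cookie)
+print(len(decrypt))
+sleep(1000)
+nonce = bytes_to_long(nonce)
+cookie = bytes_to_long(cipher.encrypt(testCookie.encode()))
+PARAMS = {'cookie':cookie, 'nonce':nonce }
+f = s.get(url=FLAG, params=PARAMS)
+print(f.text)"""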
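Review bot: The file has no comment saying what weakness it exercises, and the two triple-quoted blocks (starting at `"""if(f.text == "You have expired!"):` and `"""decCookie = cipher.decrypt(encCookie)`) are dead code kept as string literals, so a reader has to reverse-engineer the intent. From the visible lines it appears to check whether the service still accepts a ChaCha20-encrypted cookie after its ciphertext was altered, which would mean the cookie has confidentiality but no integrity protection. A header comment such as `# Shows the cookie is encrypted but not authenticated; server-side fix: use an AEAD (ChaCha20-Poly1305) or MAC the cookie and reject on tag mismatch` would record that. `LOGIN` and `FLAG` are each assigned twice, so the first pair is silently overridden by the `127.0.0.1` values, and `import time` is duplicated next to several imports the live code never uses. The indentation of the `for` body was lost in the page rendering, so which statements run inside the loop cannot be confirmed from here.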