CTFs and solutions

back-to-the-future/attack.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+from Cryptodome.Cipher import ChaCha20
+from Cryptodome.Random import get_random_bytes
+from Cryptodome.Util.number import long_to_bytes, bytes_to_long
+import time
+from random import randint
+from pwn import *
+import base64
+import requests
+import time
+from requests.utils import cookiejar_from_dict
+LOGIN ="http://130.192.5.212:6522/login"
+FLAG = "http://130.192.5.212:6522/flag"
+
+#LOGIN="http://127.0.0.1:5000/login"
+#FLAG="http://127.0.0.1:5000/flag"
+# expire = 1.748.345.396
+PARAMS = {"username":'aa','admin':1}
+givenTime = int(time.time())
+
+minAdminDate = givenTime - 10 * 24 * 60 * 60
+maxAdminDate = givenTime - 259 * 24 * 60 * 60
+avgAdminDate = int((minAdminDate + maxAdminDate)/2)
+expire_date = givenTime + 30 * 24 * 60 * 60
+eMin = expire_date - minAdminDate
+eMax = expire_date - maxAdminDate
+eAvg = (eMin+eMax) / 2
+plaintext = f"username={PARAMS['username']}&expires={expire_date}&admin={PARAMS['admin']}"
+plaintext = plaintext.encode()
+s = requests.Session()
+r = s.get(url=LOGIN,params=PARAMS)
+cookie= r.json()['cookie']
+cookie = long_to_bytes(cookie)
+print(f"Cookie encrypted len:{len(cookie)}, Plaintext len:{len(plaintext)}")
+nonce = r.json()['nonce']
+
+ks = bytes([c ^ p for c,p in zip(cookie, plaintext)])
+
+print(f"Keystream len:{len(ks)}")
+for i in range(1):
+
+    payload = f"username={PARAMS['username']}&expires={maxAdminDate + 295 * 24 * 60 * 60}&admin={1}".encode()
+
+    cookie = bytes([p ^ k for p,k in zip(payload,ks)])
+    print(f"Malicious cookie len:{len(cookie)}")
+    COOKIES = {'cookie':bytes_to_long(cookie),'nonce':nonce}
+    f = s.get(url=FLAG,params=COOKIES)
+    print(f.text)
+
+##########