
#!/usr/bin/env python3
from Cryptodome.Cipher import ChaCha20
from Cryptodome.Random import get_random_bytes
from Cryptodome.Util.number import long_to_bytes, bytes_to_long
import time
from random import randint
from pwn import *
import base64
import requests
import time
from requests.utils import cookiejar_from_dict
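# Target endpoints.  The remote instance was the CTF box; the script currently
# talks to a local copy of the challenge, so the remote pair is kept only as a
# reference.
# LOGIN = "http://130.192.5.212:6522/login"
# FLAG = "http://130.192.5.212:6522/flag"
LOGIN = "http://127.0.0.1:5000/login"
FLAG = "http://127.0.0.1:5000/flag"

# Query parameters sent to /login.  Passing admin=1 here is harmless: whatever
# the server actually puts in the cookie, the forgery below targets the last
# byte of the ciphertext.
PARAMS = {"username": 'aa', 'admin': 1}


def flip_last_byte(ciphertext: bytes, mask: int) -> bytes:
    """Return a copy of *ciphertext* whose final byte is XORed with *mask*.

    ChaCha20 is a stream cipher (ciphertext = plaintext XOR keystream), so
    XORing one ciphertext byte with ``mask`` XORs the corresponding plaintext
    byte with the same ``mask`` after decryption.  The cookie carries no MAC,
    so the server cannot distinguish the tampered cookie from a genuine one.

    The input is never modified: each candidate mask is applied to the
    pristine ciphertext.  (The earlier in-place ``cookie[-1] ^= i`` stacked the
    masks, so iteration ``i`` really tested ``1 ^ 2 ^ ... ^ i``, not ``i``.)

    Args:
        ciphertext: raw ChaCha20 ciphertext of the cookie.
        mask: value in ``0..255`` to XOR into the last byte.

    Returns:
        A new ``bytes`` object of the same length.

    Raises:
        ValueError: if *ciphertext* is empty or *mask* is not a byte value.
    """
    if not ciphertext:
        raise ValueError("ciphertext must not be empty")
    if not 0 <= mask <= 0xFF:
        raise ValueError("mask must be a single byte value (0..255)")
    forged = bytearray(ciphertext)
    forged[-1] ^= mask
    return bytes(forged)


def main() -> None:
    """Log in, then try every one-byte XOR mask on the cookie's last byte.

    If the plaintext ends in ``admin=0``, the mask that turns ``'0'`` into
    ``'1'`` is ``ord('0') ^ ord('1') == 1``; all 255 non-zero masks are tried
    anyway so a different layout still gets caught.  Every response is printed
    together with the mask that produced it.
    """
    # Mirror the server-side cookie layout to predict where the admin field
    # lands; with this template the admin digit is the final byte.  The exact
    # format is an assumption taken from the challenge -- verify against the
    # length printed on login.
    username = 'aa'
    admin = 0
    expire_date = int(time.time()) + 30 * 24 * 60 * 60
    cookie_plain = f"username={username}&expires={expire_date}&admin={admin}"
    print(f"Cookie len:{len(cookie_plain.encode())}")
    # expire = 1.748.345.396

    s = requests.Session()
    r = s.get(url=LOGIN, params=PARAMS)
    body = r.json()
    # NOTE: the server ships the ciphertext as an integer, so a leading 0x00
    # byte would be lost by long_to_bytes and shift every offset by one; the
    # length check below is the only guard against that.
    ciphertext = long_to_bytes(body['cookie'])
    nonce = body['nonce']
    print(f"Cookie encrypted len:{len(ciphertext)}")

    for mask in range(1, 256):
        forged = flip_last_byte(ciphertext, mask)
        COOKIES = {'cookie': bytes_to_long(forged), 'nonce': nonce}
        f = s.get(url=FLAG, params=COOKIES)
        print(f"mask {mask}: {f.text}")


# Earlier, abandoned exploration kept for reference: it read a value out of
# the session cookie jar, treated it as a base64-encoded ChaCha20 key and
# decrypted/re-encrypted the cookie locally.  Whether that key is really
# exposed by the server is not established by this script.
#
# decCookie = cipher.decrypt(encCookie)
# print(decCookie)
# r = s.get(url=LOGIN,params=PARAMS)
# for cookie in s.cookies:
#     print(cookie)
#     keyEncoded = cookie.value
# key = base64.urlsafe_b64decode(keyEncoded+'=')
# print(f"LEN:{len(key)}")
# LOG_PARAMS = {"username":'aaaaaaaaa','admin':1}
# r = s.get(url=LOGIN,params=LOG_PARAMS)
# print(f"login:{r.json()}")
# cookie=long_to_bytes(r.json()['cookie'])
# nonce=long_to_bytes(r.json()['nonce'])
# print(f"Nonce:{bytes_to_long(nonce)}")
# cipher = ChaCha20.new(key=key, nonce=nonce)
# decrypt=cipher.decrypt(cookie)
# print(len(decrypt))
# nonce = bytes_to_long(nonce)
# cookie = bytes_to_long(cipher.encrypt(testCookie.encode()))
# PARAMS = {'cookie':cookie, 'nonce':nonce }
# f = s.get(url=FLAG, params=PARAMS)
# print(f.text)


if __name__ == "__main__":
    main()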