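#!/usr/bin/env python3
"""ECB cut-and-paste demonstration against a CTF cookie service.

The service appears to build a cookie of the form
``username=<input>&admin=false``, encrypt it block-wise (presumably
AES-ECB, since the block swap below works) and return the ciphertext as
a decimal integer.  In ECB every 16-byte block is encrypted independently
and there is no integrity tag, so ciphertext blocks can be reordered
without the server noticing: the block that decrypts to a padded
``true`` is moved into the slot of the ``false`` block.

The defensive take-away is that an encrypted cookie still needs an
integrity check (authenticated encryption or a MAC over the ciphertext);
a bare block cipher in ECB mode provides no protection against this kind
of rearrangement.
"""
from pwn import *
from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import pad, unpad
from Cryptodome.Util.number import long_to_bytes, bytes_to_long

HOST = "130.192.5.212"
PORT = "6552"
server = remote(HOST, PORT)
sleepT = 0.1

BLOCK = AES.block_size  # 16-byte AES blocks

# 21 bytes of fixed cookie text ("username=" is 9, "&admin=" is 7,
# "false" is 5) plus the username are laid out so that the plaintext
# splits exactly on block borders:
#   block 0: b"username=" + 7 x "A"      (9 + 7 = 16 bytes)
#   block 1: pad(b"true", BLOCK)         (a complete, already padded block)
#   block 2: 9 x "B" + b"&admin="        (9 + 7 = 16 bytes)
#   block 3: b"false" + server-side padding
# "&admin=" therefore ends one block and "false" starts the next, so the
# "false" block can be dropped and the "true" block put in its place.
payload = b'A'*7 + pad(b'true', BLOCK) + b'B'*9


def _ciphertext_bytes(value: int, block: int) -> bytes:
    """Convert the server's integer ciphertext back to block-aligned bytes.

    ``long_to_bytes(value)`` with no length drops leading zero bytes, so a
    ciphertext whose first byte happens to be 0x00 would come back one byte
    short and every block slice below would be misaligned.  Rounding the
    byte length up to a multiple of *block* restores the original length
    (it can only be wrong if the ciphertext starts with an entire block of
    zero bytes, which is negligible).
    """
    length = -(-value.bit_length() // 8)  # ceil(bits / 8)
    length += (-length) % block           # round up to a whole block
    return long_to_bytes(value, length)


print(server.recv(1024))
sleep(sleepT)

print(f"Sending:{payload,len(payload)}")
server.send(payload)
server.send(b'\n')
sleep(sleepT)

# First line of the reply is the cookie ciphertext as a decimal integer.
enc = server.recv(1024).strip().split(b'\n')[0]
enc = _ciphertext_bytes(int(enc), BLOCK)

# Reassemble: block 0 (username=AAAAAAA), block 2 (BBBBBBBBB&admin=),
# block 1 (padded "true").  Block 3 ("false" + padding) is discarded and
# the padded "true" block now sits last, so the server's unpad succeeds.
copypaste = enc[0:BLOCK] + enc[2*BLOCK:3*BLOCK] + enc[BLOCK:2*BLOCK]
out = bytes_to_long(copypaste)

sleep(sleepT)
server.send(b'flag\n')
print(server.recv(1024))
sleep(sleepT)

# Send the forged cookie back in the same decimal-integer encoding.
server.sendline(str(out).encode())
print(server.recv(1024))
sleep(sleepT)

server.close()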