# PicoCTF 2k14 - Revenge of the Bleichenbacher


# cat bleichenbacher_attack.py 
import gmpy
import hashlib
import sys

# Block layout, as a hex string: '0001ffffffffff' + '00' + sha1(cmd) hex digest + 'f' filler ("garbage") up to 768 hex digits

# Python 2 script (sha1() is fed the str argument as-is).
#
# Why this is worth studying from the verifier's side: the block built here
# is "00 01 ff..ff 00 <SHA-1 digest> <filler>".  The digest is NOT at the end
# of the block, and only five ff padding bytes are present; everything after
# the digest is filler.  A value derived this way can only be accepted by a
# verifier that (a) uses public exponent 3 and (b) stops parsing after the
# digest instead of checking the whole block.  The server code is not shown
# on this page, so (a) and (b) are inferred from the transcript -- confirm
# against the challenge source.
#
# Fix on the verifying side: rebuild the full expected encoded block from the
# message digest and compare it byte-for-byte with the decrypted signature
# (or at least require the digest to be the last bytes and the ff padding to
# fill the rest), and prefer a vetted library over hand-parsing.
cmd = sys.argv[1]
digest_hex = hashlib.sha1(cmd).hexdigest()

# 768 hex digits = 384 bytes; presumably the modulus length -- TODO confirm.
BLOCK_HEX_DIGITS = 768
head = '0001ffffffffff' + '00' + digest_hex
data = head + 'f' * (BLOCK_HEX_DIGITS - len(head))

sys.stdout.write('%s %d\n' % (data, len(data)))

# root(3) returns a tuple; element 0 is the integer cube root.  Cubing that
# root reproduces only the leading part of `data`; the low-order filler
# digits differ, which is why a strict full-block comparison rejects it.
cube_root = gmpy.mpz(int(data, 16)).root(3)[0]

sys.stdout.write('%s %s\n' % (cmd, hex(cube_root)[2:]))

# python bleichenbacher_attack.py list
0001ffffffffff0038b62be4bddaa5661c7d6b8e36e28159314df5c7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 768
list 7fffffffffeaaf6483a8619ae8009d52df3e7921d7819d9d62870b544568abce57f39fa2a74369d54d0ba30926901871ae72ed82a787a5cbbc728c77520bbd360ed07857d0078023e808efd3f815bcfacec62b8d3f18e49ac3743e023aec9bbe80fec3f97b1b90542951c0945b5a14683689da03b422e2ca462c2cf3241964e

# python bleichenbacher_attack.py cat
0001ffffffffff009d989e8d27dc9e0ec3389fc855f142c3d40f0c50ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 768
cat 7fffffffffeab7ccb7e1151dde4920716e7822264ba7031df08d0e85877dfc3f377d52361f9ece607ef63b4c3db72a38509511a9bab8e99fe564d63cc8c83c63d019166d207e83dcdefba0e287bb47915a11999baec3b3612cfd6604220387529d776cf1a1cdbf85e77821786f8102eab3207435dffdab0ac0012bb2541c2d3

# nc vuln2014.picoctf.com 4919
list 7fffffffffeaaf6483a8619ae8009d52df3e7921d7819d9d62870b544568abce57f39fa2a74369d54d0ba30926901871ae72ed82a787a5cbbc728c77520bbd360ed07857d0078023e808efd3f815bcfacec62b8d3f18e49ac3743e023aec9bbe80fec3f97b1b90542951c0945b5a14683689da03b422e2ca462c2cf3241964e
Please enter which directory you'd like to list in (enter '.' for current directory).
.
CommandServer.jar
.profile
flag
.bashrc
.bash_logout
cat 7fffffffffeab7ccb7e1151dde4920716e7822264ba7031df08d0e85877dfc3f377d52361f9ece607ef63b4c3db72a38509511a9bab8e99fe564d63cc8c83c63d019166d207e83dcdefba0e287bb47915a11999baec3b3612cfd6604220387529d776cf1a1cdbf85e77821786f8102eab3207435dffdab0ac0012bb2541c2d3
Please enter which file you'd like to read.
flag
arent_signature_forgeries_just_great

Reference

https://web.archive.org/web/20150315062111/http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html
