| import socket, struct, os, binascii, base64, random, time, itertools | |
| import telnetlib | |
| def readline(sc, show = True): | |
| res = "" | |
| while len(res) == 0 or res[-1] != "\n": | |
| data = sc.recv(1) | |
| if len(data) == 0: | |
| print repr(res) | |
| raise Exception("Server disconnected") |
Lots of commands in GDB's protocol use hex-encoded data. A $ starts a packet, and all packets end with # followed by a one-byte, hex-encoded checksum.
Let's look at the protocol for the request:
remote get /proc/self/cmdline ./cmdline
Which should fetch /proc/self/cmdline and dump it to ./cmdline. It does!
$ phd cmdline
| #!/usr/bin/python | |
| import sys | |
| # Credit: https://crypto.stackexchange.com/questions/52292/what-is-fast-prime | |
| generators = [ | |
| (2, 11), (6, 13), (8, 17), (9, 19), (3, 37), (26, 53), (20, 61), (35, 71), | |
| (24, 73), (13, 79), (6, 97), (51, 103), (53, 107), (54, 109), (42, 127), | |
| (50, 151), (78, 157), | |
| ] |
Collecting some information about the extend and affected products and keys of the Infineon RSA vulnerability (ROCA).
Estonian eID cards
| # Generate a new pgp key: (better to use gpg2 instead of gpg in all below commands) | |
| gpg --gen-key | |
| # maybe you need some random work in your OS to generate a key. so run this command: `find ./* /home/username -type d | xargs grep some_random_string > /dev/null` | |
| # check current keys: | |
| gpg --list-secret-keys --keyid-format LONG | |
| # See your gpg public key: | |
| gpg --armor --export YOUR_KEY_ID | |
| # YOUR_KEY_ID is the hash in front of `sec` in previous command. (for example sec 4096R/234FAA343232333 => key id is: 234FAA343232333) |
| from sage.all import continued_fraction, Integer, inverse_mod | |
| pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
| from scryptos import * | |
| import hashlib | |
| import gmpy | |
| ''' | |
| References: | |
| [1] Hitachi, Ltd. 2001. Specification of HIME(R) CryptoSystem - http://www.hitachi.com/rd/yrl/crypto/hime/HIME_R_specE.pdf | |
| ''' | |
| SECRET = 'ASISCTF-17' | |
| C0 = [ hashlib.sha1(SECRET[i:] + SECRET[:i]).digest()[:16] for i in xrange(10) ] |
| #!/usr/bin/env python2 | |
| import socket | |
| import struct | |
| import telnetlib | |
| import sys, time | |
| import pwn | |
| HOST, PORT = "127.0.0.1", 1234 | |
| HOST, PORT = "reeses_fc849330ede1f497195bad5213deaebc.quals.shallweplayaga.me", 3456 |
| from sage.all import * | |
| import itertools | |
| # display matrix picture with 0 and X | |
| # references: https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage | |
| def matrix_overview(BB, bound): | |
| for ii in range(BB.dimensions()[0]): | |
| a = ('%02d ' % ii) | |
| for jj in range(BB.dimensions()[1]): | |
| a += ' ' if BB[ii,jj] == 0 else 'X' |
| #include <cassert> | |
| #include <NTL/mat_GF2.h> | |
| #include <NTL/GF2.h> | |
| using NTL::GF2; | |
| using NTL::mat_GF2; | |
| using NTL::conv; | |
| int g(GF2 x1, GF2 z1, GF2 x2, GF2 z2) { |