@hugsy
Created April 30, 2017 15:48
witchcraft - defcon 2017
#!/usr/bin/python2
#
# witchcraft - defcon 2017
#
# @_hugsy_
#
# PS: took 20min on an 8-core
#
# The flag is: bustin makes me feel good scengoybEm
#
import os, base64, telnetlib
from subprocess import *
import string, threading
# Shared state for the worker threads started further down.
N = 50                   # number of threads started before the script joins the batch
T = list()               # threads of the batch currently running
solutions = dict()       # file name -> input recovered for that file by crack()
lock = threading.Lock()  # taken by crack() around its write to `solutions`
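def crack(f):
    """Recover the input accepted by the local executable ``./<f>``.

    The input is rebuilt one character at a time. Each attempt runs the
    executable with the prefix found so far plus one candidate character from
    ``string.printable``, and the child's exit status is read as an oracle:

    * ``0``            -- the whole input was accepted; the solution is complete.
    * ``len(pre) + 1`` -- the candidate character is rejected at this position.
    * anything else    -- the candidate is kept and the next position is tried.

    The finished solution is stored in the module-level ``solutions`` dict
    under ``f`` and also returned. The store now happens on the success path:
    in the original it sat after the ``while True`` loop, which is only ever
    left by ``return`` or ``raise``, so ``solutions`` was never filled in and
    the later ``solutions[h]`` lookup had nothing to find.

    The target is executed as-is, once per candidate character, so run this
    from a directory that holds only the challenge binaries, ideally inside a
    disposable VM or container.

    Raises:
        Exception: "bye" when no printable character extends the current prefix.
    """
    pre = ""
    while True:
        found = False
        # Only printable ASCII is tried; an input that needs any other byte
        # ends in the "bye" exception below.
        for c in string.printable:
            p = Popen(["./%s" % f], stdout=PIPE, stdin=PIPE, close_fds=True)
            # Consume the first 11 bytes the child prints before it is sent
            # the candidate (presumably its prompt -- confirm against the binary).
            p.stdout.read(11)
            p.stdin.write(pre + c + '\n')
            p.wait()
            if p.returncode == 0:
                solution = pre + c
                # crack() runs in many threads at once; serialize the write.
                with lock:
                    solutions[f] = solution
                return solution
            if p.returncode == len(pre) + 1:
                continue
            # NOTE(review): a negative return code (child killed by a signal)
            # also lands here and is counted as a hit -- confirm that is intended.
            pre += c
            found = True
            break
        if not found:
            raise Exception("bye")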
# res = crack('fdfbaac6f478e138e5a42eb5a50cda1d05110496440d1dc8e0a78a5cc777b4f5')
# print base64.b64encode(res)
# exit(0)
# Run crack() over the current directory, at most N threads at a time.
# Every directory entry without a '.' in its name is handed to crack(), which
# executes it: keep only the challenge binaries in this directory and run the
# script inside a disposable VM or container.
print("[+] generating all solutions")
candidates = [entry for entry in os.listdir('.') if '.' not in entry]
for entry in candidates:
    worker = threading.Thread(target=crack, args=(entry,))
    worker.daemon = True
    worker.start()
    T.append(worker)
    if len(T) == N:
        # Batch is full: wait for all of it before starting more threads.
        for running in T:
            running.join()
        T = []
# Wait for the last, possibly partial, batch.
for running in T:
    running.join()
print("[+] done")
print(solutions)
# Answer the service's challenges from the precomputed `solutions` table.
conn = telnetlib.Telnet("cm2k-witchcraft_5f60e994e19a100de1dee736608d639f.quals.shallweplayaga.me", 12003)
conn.read_until('send your solution as base64, followed by a newline\n')
while True:
    # Each line received is used only as a key into `solutions`. Because the
    # answer is looked up rather than cracked on demand, a name chosen by the
    # server never selects which local file gets executed; a name that is not
    # in the table raises KeyError and ends the script.
    h = conn.read_until('\n').strip()
    print "<<< ", h
    answer = solutions[h]
    encoded = base64.b64encode(answer)
    conn.write(encoded + '\n')
    print ">>> ", answer