Created
July 18, 2016 14:43
katagaitai #5 関東med crypt.1 hashme
from math import sin | |
from urlparse import parse_qs | |
from base64 import b64encode | |
from base64 import b64decode | |
from re import match | |
from pwn import remote, context | |
# context.log_level = 'debug' | |
# Login name embedded in the certificate message that main() rebuilds.
USER = 'icchy'
# Base64 certificate blob. main() decodes it, XORs it with KEY, and treats the
# last 32 characters as a hex digest and everything before them as the message.
CERT = 'RK5yZMJabTteBGgD1UJQ4hl/ETv5kNVjDYf/GWzvnU9swznVyrszJGBPozryU1VJlNEcpHc6zgIxOg=='
# 50-byte repeating XOR key, decoded with the Python 2 'hex' codec. main()
# reuses the same key to wrap the modified message before sending it back.
KEY = '28c1150dac6704583d6c1125a72d3c87241e7f5497e9b80c78f4ce2b08dcab2b0df20be0abde0b17512a935bc765607cf5e5'.decode('hex')
def xor(a, b):
    """XOR string ``a`` character-by-character against a repeating key ``b``.

    The key is repeated exactly 100 times, so the result is cut off at
    ``min(len(a), 100 * len(b))`` characters; an empty key yields ''.
    """
    keystream = b * 100
    return ''.join(chr(ord(p) ^ ord(k)) for p, k in zip(a, keystream))
def lengthextension(appendix, A, B, C, D, seed):
    """Continue the hash from the state (A, B, C, D) over ``appendix``.

    Each character of ``appendix`` updates all four 32-bit words in turn,
    using a sine-derived constant selected by the character code and a
    shift amount of ``(index + seed) & 0x1f``. The result is the state
    rendered as 32 hex digits in the order B, A, D, C.

    NOTE(review): the round functions are not MD5's (F ignores Y, H
    reduces to X). Presumably they mirror the hash of the service under
    test, so they are reproduced verbatim -- confirm against that source
    before "correcting" them.

    Continuing from a published digest is only possible because the digest
    is the complete internal state and this function applies no padding or
    finalisation; a keyed MAC such as HMAC does not permit it.
    """
    MASK = 0xFFFFFFFF

    def F(x, y, z):
        # Both OR operands are the same term; kept exactly as written.
        return ((~x & z) | (~x & z)) & MASK

    def G(x, y, z):
        return ((x & z) | (~z & y)) & MASK

    def H(x, y, z):
        # y cancels itself out, leaving x; kept exactly as written.
        return (x ^ y ^ y) & MASK

    def I(x, y, z):
        return (y ^ (~z | x)) & MASK

    def ROL(value, amount):
        # The input is not masked before shifting, so sums wider than
        # 32 bits are shifted as-is; only the result is truncated.
        return (value << amount | value >> (32 - amount)) & MASK

    # 256 constants, one per possible character code.
    table = [int(MASK * sin(n)) & MASK for n in range(256)]

    for pos, ch in enumerate(appendix):
        const = table[ord(ch)]
        shift = (pos + seed) & 0x1f
        # Order matters: each word is computed from the already-updated ones.
        A = (B + ROL(A + F(B, C, D) + const, shift)) & MASK
        B = (C + ROL(B + G(C, D, A) + const, shift)) & MASK
        C = (D + ROL(C + H(D, A, B) + const, shift)) & MASK
        D = (A + ROL(D + I(A, B, C) + const, shift)) & MASK

    return ''.join('%08x' % word for word in (B, A, D, C))
def extension(myhash, appendix):
    """Return 32 candidate digests for ``<signed message> + appendix``.

    ``myhash`` is a 32-hex-digit digest laid out as B | A | D | C (eight
    digits each). The state is fed to lengthextension() once per seed in
    0..31, and the results are returned in seed order.

    NOTE(review): all 32 seeds are tried presumably because the shift
    amount depends on the absolute position within the full hashed input,
    whose length modulo 32 is not known to the client -- confirm.
    """
    B, A, D, C = (int(myhash[off:off + 8], 16) for off in range(0, 32, 8))
    return [lengthextension(appendix, A, B, C, D, seed) for seed in range(32)]
def main():
    """Submit each candidate certificate to the service and print the replies.

    The stored certificate is unwrapped (base64, then XOR with KEY) and its
    trailing 32 characters are taken as the digest. For every candidate
    digest from extension(), the message
    ``login=<USER>&role=anonymous&role=administrator`` plus that digest is
    XOR-wrapped, base64-encoded and sent through menu option '1'.

    Defensive reading: the certificate format shown here has two weaknesses,
    a digest that can be continued without the server secret and an XOR
    layer that the holder of one certificate can re-apply to any message.
    A keyed MAC (HMAC) over the message closes the first; rejecting
    duplicate parameter names in the parsed message is a sensible second
    check (how the server resolves the repeated ``role`` is not visible
    here).
    """
    cert = xor(b64decode(CERT), KEY)
    # auth_str is split out but not used below; the message is rebuilt
    # from USER instead.
    auth_str, hashsum = cert[0:-32], cert[-32:]

    prompt_rule = '\n======================'
    conn = remote('katagaitai.orz.hm', 7777)
    conn.recvuntil(prompt_rule)

    appendix = '&role=administrator'
    message = 'login={0}&role=anonymous'.format(USER) + appendix
    for myhash in extension(hashsum, appendix):
        mycert = b64encode(xor(message + myhash, KEY))
        conn.sendline('1')
        conn.recvuntil('certificate:')
        conn.sendline(mycert)
        # Every reply is printed; the loop does not stop on the first
        # accepted certificate.
        print(conn.recvuntil(prompt_rule))
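# Run only when executed as a script, so importing this module to reuse
# xor()/extension() does not open a network connection as a side effect.
if __name__ == '__main__':
    main()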