#!/usr/bin/env python
import re
import time
import socket
import hashlib
import requests
import sympy
import hashcash
"""
requirements:
sympy
requests
"""
def knock():
    """Open and immediately drop a TCP connection attempt on each knock port.

    The three ports are tried in a fixed order against the hard-coded host.
    Nothing is sent or received on the sockets, and the value returned by
    ``connect_ex`` is ignored.
    """
    # NOTE(review): presumably a port-knock sequence that has to precede the
    # connection made by server_communicate() -- confirm against the server.
    knock_ports = (1337, 2674, 4011)
    for port in knock_ports:
        # socket.socket() defaults to AF_INET / SOCK_STREAM.
        sock = socket.socket()
        # A zero timeout is non-blocking mode: connect_ex() returns at once
        # instead of waiting for the handshake to finish.
        sock.settimeout(0.0)

        print("Knocking {}".format(port))
        sock.connect_ex(("152.66.249.144", port))

        sock.close()

        # NOTE(review): the page lost its indentation; the pause is taken to
        # be per knock, spacing the attempts so they arrive in order.
        time.sleep(0.1)
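def server_communicate():
    """Run the text exchange with the service listening on port 8888.

    Steps, in the order the code performs them: read the greeting, send the
    identifier, read the reply, let ``numbre_crunch`` answer the arithmetic
    rounds, read two more messages, then pass the last answer to
    ``sha1_magic``.

    Raises:
        OSError: if the connection cannot be established or is dropped.
    """
    # The context manager closes the socket even when a step raises; before,
    # it was only closed on the success path.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setblocking(True)

        # connect() raises on failure. connect_ex() only returned an errno
        # that was never checked, so a refused connection surfaced later as
        # an unrelated-looking error from recv().
        s.connect(("152.66.249.144", 8888))

        # NOTE(review): every recv(1024) assumes one complete server message
        # per read; TCP does not guarantee that -- confirm the framing.
        print(s.recv(1024).decode())
        # sendall() keeps writing until every byte is out; send() may stop
        # after a partial write.
        s.sendall("Y8O353".encode())
        print(s.recv(1024).decode())

        last_solution = numbre_crunch(s)

        print(s.recv(1024).decode())
        print(s.recv(1024).decode())

        sha1_magic(s, last_solution)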
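def sha1_magic(s, last_solution):
    """Send the SHA-1 of the identifier plus last answer, then a hashcash stamp.

    Args:
        s: connected socket to the service.
        last_solution: value returned by ``numbre_crunch``; it is formatted
            into the string that is hashed and stamped.
    """
    # Built once so the printed, hashed and stamped strings cannot diverge.
    token = 'Y8O353{}'.format(last_solution)
    print(token)

    # NOTE(review): SHA-1 is presumably dictated by the server's protocol.
    # It is not collision-resistant, so this helper should not be reused
    # where the digest protects integrity or authenticity.
    digest = hashlib.sha1(token.encode()).hexdigest()
    print(digest)
    # sendall() keeps writing until the whole digest is out; send() may stop
    # after a partial write.
    s.sendall(digest.encode())
    print(s.recv(1024).decode())

    # NOTE(review): 16 is passed as the first argument of hashcash.generate;
    # presumably the number of leading zero bits required -- confirm against
    # the hashcash module in use.
    newstring = hashcash.generate(16, token)
    print(s.recv(1024).decode())
    print(newstring)
    s.sendall(newstring.encode())
    print(s.recv(1024).decode())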
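def http_comm():
    """Log in over HTTP and save the issued client certificate and key.

    Writes ``/tmp/clientcert.pem`` and ``/tmp/clientkey.pem``, the two paths
    ``https_comm`` later passes as its TLS client certificate.

    Raises:
        requests.HTTPError: if either download answers with a 4xx/5xx status.
        OSError: if a target file cannot be opened or restricted to its owner.
    """
    import os  # local import: only the credential-file handling needs it

    def _write_private(path, payload):
        # The files hold a private key and live under a fixed name in a
        # shared directory, so they are opened owner-only and without
        # following a symlink planted at that path.
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        flags |= getattr(os, "O_NOFOLLOW", 0)
        fd = os.open(path, flags, 0o600)
        # The context manager closes the descriptor; the original
        # open(...).write(...) left that to the garbage collector.
        with os.fdopen(fd, "wb") as handle:
            # The mode given to os.open() only applies to newly created
            # files; tighten a file left over from an earlier run as well.
            if hasattr(os, "fchmod"):
                os.fchmod(handle.fileno(), 0o600)
            handle.write(payload)

    sess = requests.Session()
    url = "http://152.66.249.144/"
    # NOTE(review): the login and the private-key download both travel over
    # plain HTTP, and the credentials are hard-coded in the source. Anyone on
    # the network path can read them; treat the key as exposed outside a lab.
    sess.post(url, data={"neptun": "Y8O353", "password": "crysys"})

    cert = sess.get("{}getcert.php".format(url), allow_redirects=True)
    # Fail here instead of saving an error page as a PEM file.
    cert.raise_for_status()
    _write_private("/tmp/clientcert.pem", cert.content)

    key = sess.get("{}getkey.php".format(url), allow_redirects=True)
    key.raise_for_status()
    _write_private("/tmp/clientkey.pem", key.content)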
def https_comm():
    """Request the HTTPS root page with the saved client certificate.

    The certificate and key are read from the two ``/tmp`` paths that
    ``http_comm`` writes; the raw response body is printed.
    """
    client_pair = ("/tmp/clientcert.pem", "/tmp/clientkey.pem")
    extra_headers = {'User-Agent': 'CrySyS'}

    sess = requests.Session()
    url = "https://152.66.249.144/"
    # NOTE(review): verify=False switches off server-certificate validation,
    # so the client certificate is presented to, and the response accepted
    # from, whoever answers on this address. Passing the server's CA or
    # certificate file as verify=<path to CA bundle> would restore the check.
    flag = sess.get(
        url,
        cert=client_pair,
        verify=False,
        headers=extra_headers,
    )
    print(flag.content)
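def numbre_crunch(s):
    """Answer the server's arithmetic rounds and return the final answer.

    The first message is split into lines: the first number found on line 0
    is the round count and line 2 holds the first problem. Each later round
    arrives as its own message. In every problem the text between the first
    '.' and the following '=' is evaluated and the result sent back.

    Args:
        s: connected socket to the service.

    Returns:
        The value sent as the answer to the last round.
    """
    def _expression_of(line):
        # Text between the first '.' and the following '='.
        return line.split('.')[1].split('=')[0]

    # NOTE(review): each recv(1024) assumes one complete message per read;
    # TCP does not guarantee that -- confirm the framing.
    problem_statement = s.recv(1024).decode().split('\n')
    numofcycles = re.findall(r'[0-9]+', problem_statement[0])

    print(problem_statement)
    # SECURITY: sympy.sympify() evaluates strings with eval(), and the text
    # here comes straight off the network. A hostile or impersonated server
    # can therefore run code in this process. Before using this outside a
    # trusted lab, restrict each expression to an allow-list of digits,
    # whitespace and arithmetic operators before it reaches sympify().
    solution1 = sympy.sympify(_expression_of(problem_statement[2]))
    print(solution1)
    # sendall() keeps writing until the whole answer is out; send() may stop
    # after a partial write.
    s.sendall(str(solution1).encode())

    # Start from the first answer so a single-round session returns it
    # instead of None, which the caller would format into its hash input.
    last_solution = solution1

    for _ in range(int(numofcycles[0]) - 1):
        problem_statement_for = s.recv(1024).decode()
        print(problem_statement_for)
        # Same eval() caveat as for the first round.
        solution = sympy.sympify(_expression_of(problem_statement_for))
        print(solution)
        s.sendall(str(solution).encode())
        last_solution = solution

    return last_solution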
if __name__ == '__main__':
    # The stages run strictly in this order. http_comm() writes the
    # certificate and key files that https_comm() reads afterwards.
    for stage in (knock, server_communicate, http_comm, https_comm):
        stage()
# FLAG: YouCanHandleNetworking-Y8O353-1d66de