SpyFi [picoCTF 2018]
Problem
James Brahm, James Bond's less-franchised cousin, has left his secure communication with HQ running, but we couldn't find a way to steal his agent identification code. Can you?
Connect with nc 2018shell3.picoctf.com 33893.
spy_terminal_no_flag.py
python
#!/usr/bin/python2 -u
from Crypto.Cipher import AES
# Secret that is interpolated into every message before encryption. The
# distributed file ("no_flag") carries only this placeholder; presumably the
# deployed service holds the real value.
agent_code = """flag"""
def pad(message):
    """Extend ``message`` with '0' characters up to a multiple of 16.

    A message whose length is already a multiple of 16 (including the empty
    string) is returned unchanged.

    Security note: this is not a reversible padding scheme. A plaintext that
    genuinely ends in '0' cannot be told apart from padding, and the filler
    is a fixed, predictable value. Standard schemes such as PKCS#7 encode the
    pad length so it can be removed unambiguously.
    """
    remainder = len(message) % 16
    if remainder == 0:
        return message
    return message + '0' * (16 - remainder)
def encrypt(key, plain):
    """Encrypt ``plain`` with AES-ECB and return the ciphertext hex-encoded.

    ``key`` is a hex string and is decoded to raw bytes first (Python 2
    ``str.decode('hex')``). The only caller in this file passes ``plain``
    through ``pad()`` first, so it is a multiple of 16 bytes.

    Security note: ECB encrypts every 16-byte block independently with no IV,
    so equal plaintext blocks always yield equal ciphertext blocks, and the
    output carries no integrity protection. Whenever a caller can influence
    part of the plaintext, that equality leaks information about the rest.
    Production code should use an authenticated mode (for example GCM) with a
    fresh nonce per message.
    """
    raw_key = key.decode('hex')
    ecb = AES.new(raw_key, AES.MODE_ECB)
    ciphertext = ecb.encrypt(plain)
    return ciphertext.encode('hex')
# Greeting printed as soon as the script starts.
welcome = "Welcome, Agent 006!"
print welcome

# Caller-controlled text. It is interpolated *before* the secret into the same
# plaintext, so the caller controls how the secret lines up with the 16-byte
# block boundaries. Together with ECB in encrypt(), this is the design flaw:
# untrusted input and a secret should never share one deterministic,
# unauthenticated ciphertext.
sitrep = raw_input("Please enter your situation report: ")

template = """Agent,
Greetings. My situation report is as follows:
{0}
My agent identifying code is: {1}.
Down with the Soviets,
006
"""
message = pad(template.format(sitrep, agent_code))

# """key""" is not valid hex, so it is presumably a redacted placeholder for
# the real key. The hex ciphertext of the whole message goes back to the caller.
print encrypt("""key""", message)
Solution
ECBモードなので、同じ平文ブロックは必ず同じ暗号文ブロックになる。入力した sitrep が秘密のコードより前に同じメッセージへ埋め込まれるため、暗号文のブロックを比較しながら1文字ずつ当てていく。
My agent identifying code is: picoCTF{@g3nt6_1$_th3_c00l3$t_9121600}
ruby
require 'socket'
# Performs one request/response round trip with the challenge service.
#
# Opens a new TCP connection, reads until a chunk containing ':' arrives
# (the end of the input prompt), sends +x+ as the situation report, reads one
# line of hex ciphertext, and closes the connection.
#
# @param x [String] text submitted as the situation report
# @return [String] the ciphertext line decoded from hex into raw bytes
#
# NOTE(review): +gets+ returns the line with its terminator, and that
# terminator is passed to pack("H*") too, so the result may end in one stray
# byte. +gets+ returns nil if the peer closes early, in which case pack raises.
def get(x)
  sock = TCPSocket.new('2018shell3.picoctf.com', 33893)
  banner = ''
  until banner.include?(':')
    banner = sock.readpartial(10000)
  end
  sock.puts(x)
  hex_line = sock.gets
  decoded = [hex_line].pack("H*")
  sock.close
  decoded
end
# Demonstrates why ECB must not be used when a caller controls part of the
# plaintext: equal plaintext blocks encrypt to equal ciphertext blocks, so the
# text following the known prefix +s+ is recovered by block comparison alone,
# without ever learning the key.

# 16-byte ciphertext block used as a marker in each response; presumably the
# encryption of the sixteen '0' characters sent below, recorded beforehand.
ZEROPAT = ['3fea1ff4d9f3bf45101b55ea6628a237'].pack("H*")
# Not referenced anywhere else in this listing.
zerocnt = 27
# Filler bytes sent ahead of the marker block; presumably chosen so the marker
# starts on a block boundary of the server's message -- confirm against the
# template in spy_terminal_no_flag.py.
headpad = 11
tailpad = 0
# Known plaintext that immediately precedes the secret; grows by one character
# per round.
s = "My agent identifying code is: "
# Candidate alphabet, de-duplicated.
ch = ([*?a..?z, *?A..?Z, *?0..?9].join + '{}_?!@#$%&($#){}').chars.uniq

100.times do |i|
  # One 16-byte candidate block per character: the last 15 known bytes plus
  # the candidate.
  probes = ch.map { |c| (s + c)[-16, 16] }.join
  # Trailing spaces change with the round number and so shift where the rest
  # of the server's message falls relative to block boundaries.
  filler = ' ' * ((16 - i + tailpad) % 16)
  res = get('a' * headpad + '0' * 16 + probes + filler)

  marker = res.index(ZEROPAT)
  p marker

  # The candidate blocks' ciphertexts sit directly after the marker block;
  # map each candidate character to its ciphertext block.
  blocks = res[marker + 16, ch.size * 16].chars.each_slice(16).map(&:join)
  dict = {}
  blocks.each_with_index { |blk, n| dict[ch[n]] = blk }

  # A candidate whose block occurs a second time in the response matches a
  # block of the server's own message.
  repeated = dict.select { |_c, blk| res.index(blk, res.index(blk) + 1) }
  p repeated

  # When nothing repeats, +first+ is nil and +[0]+ raises NoMethodError, which
  # is how the script stops.
  s += repeated.first[0]
  p s
end