Description: I was sniffing some web traffic for a while, I think I finally got something interesting. Help me find the flag through all these packets.
net_756d631588cb0a400cc16d1848a5f0fb.pcap
First we opened up this pcap in Wireshark and looked through the packets until we found something interesting, a Python 2 script! Neat!

import string
import random
from base64 import b64encode, b64decode

FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'

enc_ciphers = ['rot13', 'b64e', 'caesar']
# dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
    _rot13 = string.maketrans(
        "ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
        "NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
    return string.translate(s, _rot13)

def b64e(s):
    return b64encode(s)

def caesar(plaintext, shift=3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def encode(pt, cnt=50):
    tmp = '2{}'.format(b64encode(pt))
    for cnt in xrange(cnt):
        c = random.choice(enc_ciphers)
        i = enc_ciphers.index(c) + 1
        _tmp = globals()[c](tmp)
        tmp = '{}{}'.format(i, _tmp)
    return tmp

if __name__ == '__main__':
    print encode(FLAG, cnt=?)

So let's follow this TCP stream and see what else pops up:
(the encoded blob keeps going like this for a while)

So using that really long encoded text and the Python script we can solve this. An easy way to solve this is by stepping through the encode function with an example; I simply used the string "yo".

tmp = '2{}'.format(b64encode(pt))

First, "yo" is base64 encoded and a 2 is placed at the front of the result. This means that when decoding we will find this 2 at the front of our ciphertext and do the opposite: base64 decode. Got it.
Next we go through the loop:
for cnt in xrange(cnt):
    c = random.choice(enc_ciphers)
    i = enc_ciphers.index(c) + 1
    _tmp = globals()[c](tmp)
    tmp = '{}{}'.format(i, _tmp)

It makes a random choice of cipher and stores its name in 'c'.
It also takes the index of that cipher in enc_ciphers, adds 1, and stores the result in 'i'.
'_tmp' is merely the result of running the current string through the randomly chosen cipher.
Finally, 'tmp' is set to the index of the chosen cipher followed by the string it encoded, so every layer carries a one-digit tag telling the decoder which cipher to undo. All I had to do from there was script the decode function and run it.
import string
import random
from base64 import b64encode, b64decode

FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'

enc_ciphers = ['rot13', 'b64e', 'caesar']
dec_ciphers = ['rot13', 'b64d', 'caesard']  # inverse of each entry above, same index

def rot13(s):
    _rot13 = string.maketrans(
        "ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
        "NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
    return string.translate(s, _rot13)

def b64e(s):
    return b64encode(s)

def b64d(s):
    return b64decode(s)

def caesar(plaintext, shift=3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def caesard(plaintext, shift=-3):
    # shifting by -3 undoes the default caesar shift of 3
    return caesar(plaintext, shift)

def encode(pt, cnt=50):
    tmp = '2{}'.format(b64encode(pt))
    for cnt in xrange(cnt):
        c = random.choice(enc_ciphers)
        i = enc_ciphers.index(c) + 1
        _tmp = globals()[c](tmp)
        tmp = '{}{}'.format(i, _tmp)
        print tmp
    return tmp

def decode(pt):
    # each layer starts with the digit tag of the cipher that made it;
    # strip the tag, apply the matching inverse, repeat until no tag is left
    while pt[0].isdigit():
        i = dec_ciphers[int(pt[0]) - 1]
        pt = globals()[i](pt[1:])
    return pt

if __name__ == '__main__':
    # "lol" holds the long encoded text pulled from the TCP stream
    with open("lol", 'r') as f:
        filez = f.read()
    print decode(filez)
The result gave me:
flag{li0ns_and_tig3rs_4nd_b34rs_0h_mi}
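As an added example, not the script from the pcap or the author's solver: a Python 3 port of the same tagged-layer scheme, with a decoder that also reports how many layers it peeled, so the unknown `cnt=?` from the captured script can be read back from a real blob. The `rng` parameter and `roundtrip` helper are additions for testing.

```python
import random
import string
from base64 import b64decode, b64encode

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase

def rot13(s):
    table = str.maketrans(LOWER + UPPER,
                          LOWER[13:] + LOWER[:13] + UPPER[13:] + UPPER[:13])
    return s.translate(table)

def caesar(s, shift=3):
    # Only lowercase letters move, exactly as in the recovered script.
    return s.translate(str.maketrans(LOWER, LOWER[shift:] + LOWER[:shift]))

def caesard(s):
    return caesar(s, -3)

def b64e(s):
    return b64encode(s.encode()).decode()

def b64d(s):
    return b64decode(s).decode()

ENC = {'1': rot13, '2': b64e, '3': caesar}   # tag -> layer applied
DEC = {'1': rot13, '2': b64d, '3': caesard}  # tag -> layer removed

def encode(pt, cnt=50, rng=random):
    # Innermost layer is always base64, tagged '2'; cnt random layers follow,
    # each prefixed with the tag of the cipher that produced it.
    tmp = '2' + b64e(pt)
    for _ in range(cnt):
        tag = rng.choice('123')
        tmp = tag + ENC[tag](tmp)
    return tmp

def decode(ct):
    # Peel layers while a cipher tag sits at the front. Returns the plaintext
    # and the number of layers removed (cnt + 1). Like the author's solver,
    # this assumes the real plaintext does not itself start with '1'-'3'.
    layers = 0
    while ct and ct[0] in DEC:
        ct = DEC[ct[0]](ct[1:])
        layers += 1
    return ct, layers

def roundtrip(pt, cnt, seed):
    # Constructed self-check: encode with a seeded RNG, then decode.
    return decode(encode(pt, cnt, random.Random(seed)))
```

With "yo" as input and no random layers, `encode` yields `2eW8=`; one rot13 layer on top gives `12rJ8=`, one caesar layer gives `32hW8=`, and `decode` takes all three back to `('yo', n)`.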
--RedAnimus