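"""Solver for a local CTF challenge: byte-at-a-time recovery against an ECB oracle.

The service on 127.0.0.1:10002 returns one base64 line of ciphertext for each
line it is sent.  The offsets below only make sense if it encrypts roughly
``<5 unknown bytes> + <our input> + <flag>`` with a 16-byte block cipher in ECB
mode and fills the last block with ASCII ``0`` -- that layout is inferred from
the arithmetic in this script, not shown here; confirm against the server code.

Why it works: ECB encrypts equal plaintext blocks to equal ciphertext blocks,
so comparing two ciphertext blocks reveals whether a guessed block equals a
block that contains secret bytes.

Defender's takeaway: never encrypt a secret next to caller-controlled data
with a deterministic mode.  An authenticated mode with a fresh nonce per
message (for example AES-GCM) removes the equality leak, and this pattern is
also visible in logs as many short-lived connections carrying near-identical
payloads.
"""
from pwn import *
from flag import flag
from Crypto.Cipher import AES
from hashlib import sha256
import base64

HOST = "127.0.0.1"
PORT = 10002

# Kept from the original: shadows the imported value so the real flag is never
# read by the solver.
flag = b''
first_flag = b''
# Candidate bytes.  NOTE(review): '0' is absent, presumably because it is also
# the filler byte used below -- confirm against the challenge.
wordlist = b'123456789qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM{}_'


def _query_oracle(payload):
    """Send *payload* on a fresh connection and return the decoded ciphertext.

    The connection is always closed, so a full run does not leave up to
    ~1300 sockets open.
    """
    r = remote(HOST, PORT)
    try:
        r.sendline(payload)
        return base64.b64decode(r.recvline())
    finally:
        r.close()


# Stage 1: the first 16 flag bytes, left to right.
for i in range(16):
    pad = b'0' * (15 - i)
    for j in wordlist:
        # bytes([j]) instead of j.to_bytes(): the argument-less form only
        # exists on Python 3.11+.
        guess = bytes([j])
        # 11 filler bytes complete the first block; block 1 is then
        # pad + known + guess, and the trailing pad shifts the flag so block 2
        # is pad + the first i+1 flag bytes.
        payload = b'0' * (16 - 5) + pad + first_flag + guess + pad
        cipher = _query_oracle(payload)
        # The length guard stops an empty or short reply from comparing
        # b'' == b'' and accepting the first candidate.
        if len(cipher) >= 48 and cipher[16:32] == cipher[32:48]:
            first_flag = first_flag + guess
            break
    else:
        # Without a match every later offset is misaligned; stop instead of
        # printing garbage.
        raise RuntimeError("no candidate matched at flag offset %d" % i)

# Stage 2: the remaining 21 - 16 flag bytes, right to left.
last_flag = b''
for i in range(21 - 16):
    for j in wordlist:
        guess = bytes([j])
        # Block 1 is guess + known tail + filler; it is compared with the last
        # ciphertext block, which matches only if the service fills that block
        # with the same b'0' byte (assumption, see module docstring).
        payload = b'0' * 11 + guess + last_flag + b'0' * 27
        cipher = _query_oracle(payload)
        if len(cipher) >= 80 and cipher[16:32] == cipher[64:80]:
            last_flag = guess + last_flag
            break
    else:
        raise RuntimeError("no candidate matched at tail offset %d" % i)

print(first_flag + last_flag)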