58 lines
1.3 KiB
Python
58 lines
1.3 KiB
Python
import hashpumpy
|
|
import hashlib
|
|
import itertools
|
|
from pwn import * # type: ignore
|
|
import string
|
|
import re
|
|
|
|
context.log_level = 'debug'
|
|
|
|
conn = remote("localhost",10001)
|
|
strings = conn.recvline().decode('utf-8')
|
|
alpha_bet = string.ascii_lowercase + string.digits
|
|
strlist = itertools.permutations(alpha_bet, 5)
|
|
obj = re.search('\w{32}', strings)[0] # type: ignore
|
|
obj2 = re.search('\w{15}', strings)[0] # type: ignore
|
|
|
|
for i in strlist:
|
|
data=i[0]+i[1]+i[2]+i[3]+i[4]+obj2
|
|
data_sha=hashlib.md5(data.encode('utf-8')).hexdigest()
|
|
if(data_sha==obj):
|
|
conn.sendline(data[:5].encode())
|
|
break
|
|
|
|
|
|
string1 = conn.recvline().decode()
|
|
conn.recvline()
|
|
|
|
md5hash = re.search('\w{32}', string1)[0] # type: ignore
|
|
md5plain = re.search('\w{16}', string1)[0] # type: ignore
|
|
a = hashpumpy.hashpump(md5hash,md5plain,"1",4)
|
|
|
|
payload1 = a[0].encode()
|
|
payload2 = a[1]
|
|
|
|
conn.sendline(payload1)
|
|
conn.sendline(payload2)
|
|
|
|
response = conn.recvline()
|
|
|
|
string1 = conn.recvline().decode()
|
|
conn.recvline()
|
|
|
|
|
|
|
|
md5hash = re.search('\w{32}', string1)[0] # type: ignore
|
|
md5plain = re.search('\w{12}', string1)[0] # type: ignore
|
|
a = hashpumpy.hashpump(md5hash,md5plain,"ilove0xfa",8)
|
|
|
|
payload_md5 = a[0].encode()
|
|
payload2 = a[1]
|
|
|
|
conn.sendline(payload_md5)
|
|
conn.sendline(payload2)
|
|
|
|
response = conn.recvall()
|
|
|
|
conn.close()
|