Login
Immutable PageDiscussionInfoAttachments
CTF/Writeup/31C3 CTF/sso

MMA

sso

前の文字列から次の文字のkeyが決まってxorされる感じ?

   1 use strict;
   2 use warnings;
   3 my $target = '{"User":"admin","Hash":"AA8K5.AZ9BzSw"} ';
   4 
   5 my $info_url = 'http://188.40.18.87:5144/info.php?token=';
   6 
   7 sub system_pipe {
   8     my @args = @_;
   9     open my $pipe, "-|", @args or return;
  10     my @result = <$pipe>;
  11     join "", @result;
  12 }
  13 sub info {
  14     my $token = shift;
  15     system_pipe qw(curl -s), $info_url.$token;
  16 }
  17 
  18 my $token = "69222e97316b9dd8f7d74a";
  19 for my $i (length($token)/2 .. length($target)-1) {
  20     print "----------------\n";
  21     print "pos: $i\n";
  22     
  23     my $result0 = info($token . "00");
  24     printf "got: %02x\n", ord(substr($result0, $i, 1));
  25     my $key = substr($result0, $i, 1);
  26     
  27     $token .= unpack("H*", $key ^ substr($target, $i, 1));
  28     print "token: $token\n";
  29     print info($token . unpack("H*", $key ^ substr($target, $i, 1))), "\n";
  30     
  31     sleep 1;
  32 }
  33 print "token: $token\n";

得られたtokenでadmin.phpにアクセスするだけ。

31C3_7eaf3fa7cf9e401357bc

passwordとは一体なんだったのか

CTF/Writeup/31C3 CTF/sso (last edited 2014-12-30 05:53:00 by ytoku)