[强网先锋] bank - Donek1 xp0int Posted on Aug 28 2020 # [强网先锋] bank ## 操作内容 工作量证明,很简单,脚本直接爆破 1000钱可以买flag 流程: 1.随便一个账号先转账给先前注册了的账号,得到密文,因为是ecb加密,且直接拼接密文,可以获得本账户的身份密文。 2.查看交易记录,提取交易记录到账用户和金额的密文。伪造交易记录进行交易,将其他用户的钱转到自己帐户 3.买flag  ## 脚本 ``` from pwn import * import string from hashlib import * from time import * #context(log_level="debug") seed = string.printable def aaa(head,tail): #print head,tail st1 = string.printable for i in st1: for j in st1: for k in st1: tmp = i + j + k shaaa = sha256(tmp+head) #print shaaa.hexdigest(),tail if shaaa.hexdigest() == tail: return tmp p = remote('39.101.134.52',8005) sha = p.recvuntil('XXX:').split("\n")[0] tmp1 = sha.find('+') tmp2 = sha.find(' ') head = sha[tmp1+1:tmp2-1] mid = sha[tmp2:] tail = mid[mid.find("=")+3:] result = aaa(head.strip(),tail.strip()) #print result p.sendline(result) sleep(0.2) p.recv() p.sendline('icq1d32a79f249369198eafd015dee55') sleep(0.2) p.recv() sa = [] for i in range(4): sa.append(random.choice(seed)) salt = ''.join(sa) p.sendline(salt) sleep(0.2) p.recv() p.sendline('transact') sleep(0.2) p.recv() p.sendline('name 10') sleep(0.2) final_sha = p.recv() sss = final_sha[:final_sha.find("\n")] name_add = sss[0:32].strip() print sss,name_add p.sendline('view records') sleep(0.2) all_re = p.recv().split("\n") #print(all_re) for i in range(1,len(all_re)-4): other = all_re[i][32:64].strip() money = all_re[i][64:].strip() st = other+name_add+money assert len(st)==96 p.sendline('provide a record') sleep(0.2) p.recvuntil("money.\n>") p.sendline(st) sleep(0.2) print p.recv() p.sendline('get flag') sleep(0.2) print p.recv() ``` ## flag flag{90f4a4f81454d475ce4912d289a23366} 打赏还是打残,这是个问题 赏 Wechat Pay Alipay 0x00 题目名称 [强网先锋] Funhash - Donek1
没有帐号? 立即注册