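# [RealWorld] AES_BABY - Cew

xp0int Posted on Apr 29 2021

首先穷举通过pow,然后上传elf至服务器运行,elf成功爆破并输出后四位密钥服务器就打印flag

```c
// elf
// aarch64-linux-gnu-gcc exp.c -I /openssl_path/openssl-aarch64/install/include/ -L /openssl_path/openssl-aarch64/install/lib -lssl -lcrypto -o exparm
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "openssl/aes.h"

#define BLOCK_SIZE 16
#define KEY_SIZE 16
#define KNOWN_KEY_LEN 12                     /* key bytes supplied on stdin      */
#define HEX_LEN (2 * BLOCK_SIZE)             /* hex digits of one ciphertext block */
#define INPUT_LEN (KNOWN_KEY_LEN + HEX_LEN)  /* 44 characters expected on stdin  */

void print_data(const char *title, const void *data, int len);

/* Value of one hex digit in either case; -1 when c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') {
        return c - '0';
    }
    if (c >= 'a' && c <= 'f') {
        return c - 'a' + 10;
    }
    if (c >= 'A' && c <= 'F') {
        return c - 'A' + 10;
    }
    return -1;
}

/*
 * stdin : 12 known key bytes immediately followed by the 32 hex digits of
 *         the AES-128-ECB ciphertext of the fixed block aes_input.
 * stdout: the four missing key bytes, no newline (what the server reads).
 * Exit status is 1 on malformed input, an OpenSSL key-schedule failure,
 * or when no candidate suffix reproduces the ciphertext.
 */
int main(void)
{
    /* Alphabet of the four unknown key bytes: a-z, A-Z, 0-9 (62 symbols). */
    static const unsigned char dic[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    const size_t ndic = sizeof dic - 1;      /* exclude the terminator */

    /* Known plaintext block; the bytes spell "KUNPENG_HPC_AES!". */
    static const unsigned char aes_input[BLOCK_SIZE] = {
        75, 85, 78, 80, 69, 78, 71, 95, 72, 80, 67, 95, 65, 69, 83, 33
    };

    unsigned char aes_key[KEY_SIZE] = {0};
    unsigned char cmp_unhex[BLOCK_SIZE] = {0};
    unsigned char enc_out[BLOCK_SIZE] = {0};
    AES_KEY enc_key;

    /* The field width (44 == INPUT_LEN) bounds the read; the original
     * scanf("%s") had no bound and could overflow this stack buffer. */
    char input[INPUT_LEN + 1] = {0};
    if (scanf("%44s", input) != 1 || strlen(input) != INPUT_LEN) {
        fprintf(stderr, "expected %d characters: %d key bytes + %d hex digits\n",
                INPUT_LEN, KNOWN_KEY_LEN, HEX_LEN);
        return 1;
    }

    memcpy(aes_key, input, KNOWN_KEY_LEN);

    /* Decode the ciphertext; the original only understood lower-case hex. */
    for (int i = 0; i < BLOCK_SIZE; i++) {
        int hi = hex_val((unsigned char)input[KNOWN_KEY_LEN + 2 * i]);
        int lo = hex_val((unsigned char)input[KNOWN_KEY_LEN + 2 * i + 1]);
        if (hi < 0 || lo < 0) {
            fprintf(stderr, "invalid hex digit in ciphertext\n");
            return 1;
        }
        cmp_unhex[i] = (unsigned char)((hi << 4) | lo);
    }
    //print_data("key", aes_key, 16);
    //print_data("enc", cmp_unhex, 16);

    /* 62^4 candidates for key[12..15]; stop at the first block match. */
    for (size_t i = 0; i < ndic; i++) {
        for (size_t j = 0; j < ndic; j++) {
            for (size_t n = 0; n < ndic; n++) {
                for (size_t m = 0; m < ndic; m++) {
                    aes_key[12] = dic[i];
                    aes_key[13] = dic[j];
                    aes_key[14] = dic[n];
                    aes_key[15] = dic[m];
                    /* Returns 0 on success; the original ignored the result. */
                    if (AES_set_encrypt_key(aes_key, KEY_SIZE * 8, &enc_key) != 0) {
                        fprintf(stderr, "AES_set_encrypt_key failed\n");
                        return 1;
                    }
                    AES_ecb_encrypt(aes_input, enc_out, &enc_key, AES_ENCRYPT);
                    if (memcmp(enc_out, cmp_unhex, BLOCK_SIZE) == 0) {
                        /* Same output format as before: four bytes, no newline. */
                        printf("%c%c%c%c", dic[i], dic[j], dic[n], dic[m]);
                        return 0;
                    }
                }
            }
        }
    }
    fprintf(stderr, "no key suffix found\n");
    return 1;
}

/* Debug helper: print title, then len bytes of data as upper-case hex. */
void print_data(const char *title, const void *data, int len)
{
    const unsigned char *p = data;
    printf("%s : ", title);
    for (int i = 0; i < len; ++i) {
        printf("%02X ", p[i]);
    }
    printf("\n");
}
```

```python
# exp.py
from pwn import *
from hashlib import md5
from base64 import b64encode
from itertools import product
import string

context.log_level = 'debug'

conn = remote("139.159.190.149", 10000)
# Byte patterns: recent pwntools versions warn on (or reject) str here.
conn.recvuntil(b"md5(")
content = conn.recvuntil(b"))", drop=True)
known = content.split(b'+')[0]
log.info("known: {}".format(known))

# Proof-of-work: find a 4-character suffix whose md5(known + suffix)
# starts with six zero nibbles.  product() walks the same a,b,c,d order as
# the original nested loops, so the first hit is identical.
dic = string.ascii_letters + string.digits
crack = None
for combo in product(dic, repeat=4):
    t = ''.join(combo).encode()
    if md5(known + t).hexdigest().startswith('000000'):
        crack = t
        break
if crack is None:
    # log.error raises, so the script stops instead of sending None.
    log.error("no 4-character suffix satisfies the PoW")
log.info("crack: {}".format(crack))
conn.sendline(crack)

# Read the cross-compiled brute-forcer; the context manager closes the
# file (the original left the handle open).
with open("exparm", "rb") as f:
    elf = b64encode(f.read())
conn.sendlineafter(b"base64: ", elf)
conn.interactive()
```

flag{F4st_AES_Ad9A4cB2E4}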