Randomito

Énoncé

Pourrez-vous deviner le secret aléatoire généré ?

randomyto.py

Analyse du script

#!/usr/local/bin/python2

import sys
import signal
from random import randint

# Time allowed to answer (seconds); passed to signal.alarm() in __main__, so
# the SIGALRM handler aborts challenge() once this many seconds have elapsed.
DELAY = 10

def handler(signum, frame):
    """SIGALRM handler: abort the running challenge once the delay expires.

    Args:
        signum: delivered signal number (unused).
        frame: interrupted stack frame (unused).

    Raises:
        Exception: always, so that the ``except Exception`` in ``__main__``
            ends the program.
    """
    message = "Time is up!\n"
    raise Exception(message)

def p(s):
    """Write ``s`` to stdout verbatim (no newline added) and flush at once.

    Flushing matters for the ``>>> a = `` style prompts, which carry no
    newline and would otherwise sit in the buffer while input() blocks.
    """
    out = sys.stdout
    out.write(s)
    out.flush()

def challenge():
    """Run up to ten rounds of the guessing game.

    Each round draws a fresh 128-bit secret as two 64-bit halves, reads two
    integers from the player and compares their zero-padded hex rendering
    with the secret's. On a match the contents of ``flag.txt`` are printed
    and the game ends; otherwise only the first five hex characters of that
    round's secret are revealed and a new secret is drawn.

    Security note: this file runs under Python 2 (see the shebang), where the
    builtin ``input()`` evaluates the typed text as an expression in this
    function's scope instead of returning it as a string. ``raw_input()``
    would return plain text; the call is left as-is here because the page
    analyses this exact behaviour.
    """
    fmt = "{:016x}{:016x}"
    rounds = 0
    while rounds < 10:
        rounds += 1
        p("[+] Generating a 128-bit random secret (a, b)\n")
        secret_a, secret_b = randint(0, 2**64 - 1), randint(0, 2**64 - 1)
        secret = fmt.format(secret_a, secret_b)
        p("[+] Done! Now, try go guess it!\n")
        p(">>> a = ")
        a = int(input())  # Python 2: input() == eval(raw_input()) -- evaluates, not parses
        p(">>> b = ")
        b = int(input())
        check = fmt.format(a, b)
        p("[-] Trying {}\n".format(check))
        if check != secret:
            p("[!] Nope, it started by {}. Please try again.\n".format(secret[:5]))
            continue
        with open("flag.txt") as fh:
            flag = fh.read()
        p("[+] Well done! Here is the flag: {}\n".format(flag))
        break

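if __name__ == "__main__":
    # Install the handler *before* arming the alarm: the original order armed
    # the alarm first, leaving a window in which SIGALRM would still hit the
    # default action (process termination) rather than handler().
    signal.signal(signal.SIGALRM, handler)
    signal.alarm(DELAY)
    try:
        challenge()
    except Exception:
        # Timeout (handler() raises) or any error inside challenge(): end
        # quietly without echoing details to the player. The bound name in the
        # former ``except Exception, e:`` was unused and that spelling is
        # Python 2 only; this form is valid on both interpreters.
        pass
    sys.exit(0)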

Le script génère deux secrets, secret_a et secret_b. Ils contiennent chacun un nombre compris entre 1 et 2^64-1.

secret_a = randint(0, 2**64 - 1)
secret_b = randint(0, 2**64 - 1)

Ils sont ensuite convertis en hexadécimal et concaténés.

secret   = "{:016x}{:016x}".format(secret_a, secret_b)

On voit aussi qu'il y a un délai pour trouver le secret :

DELAY = 10
if __name__ == "__main__":
    signal.alarm(DELAY)
    signal.signal(signal.SIGALRM, handler)

Debug

J'ai ajouté un délai plus large et un print des secrets :

#!/usr/local/bin/python2

import sys
import signal
from random import randint

# Time allowed to answer (seconds); passed to signal.alarm() in __main__.
# Raised far above the real challenge's 10 s so the debug run never times out.
DELAY = 1000000000

def handler(signum, frame):
    """Alarm callback: interrupt the challenge by raising once time runs out.

    Both arguments are required by the signal handler signature and unused.
    """
    del signum, frame
    raise Exception("Time is up!\n")

def p(s):
    """Emit ``s`` on stdout exactly as given and flush the stream immediately."""
    stream = sys.stdout
    stream.write(s)
    stream.flush()

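def challenge():
    """Debug variant of the guessing game: prints each secret before asking.

    Same flow as the original challenge(): up to ten rounds, each drawing a
    fresh 128-bit secret as two 64-bit halves, reading two integers from the
    player and comparing the zero-padded hex renderings. Differences for local
    debugging: ``secret_a``, ``secret_b`` and the combined ``secret`` are
    printed as they are drawn, and the flag file is replaced by a fixed
    string so the script runs without flag.txt.

    The pasted version had inconsistent indentation (an IndentationError
    under either interpreter); it is re-indented here to the structure it
    evidently intended.
    """
    for _ in range(10):
        p("[+] Generating a 128-bit random secret (a, b)\n")
        secret_a = randint(0, 2**64 - 1)
        print(secret_a)
        secret_b = randint(0, 2**64 - 1)
        print(secret_b)
        secret = "{:016x}{:016x}".format(secret_a, secret_b)
        print(secret)
        p("[+] Done! Now, try go guess it!\n")
        p(">>> a = ")
        # Under Python 2 (see shebang) input() evaluates the typed text as an
        # expression in this scope, which is the behaviour this debug run
        # reproduces; raw_input() would return the text unevaluated.
        a = int(input())
        p(">>> b = ")
        b = int(input())
        check = "{:016x}{:016x}".format(a, b)
        p("[-] Trying {}\n".format(check))
        if check == secret:
            # The real challenge reads open("flag.txt").read() here; stubbed so
            # the debug script needs no flag file.
            flag = "OK FLAG"
            p("[+] Well done! Here is the flag: {}\n".format(flag))
            break
        else:
            p("[!] Nope, it started by {}. Please try again.\n".format(secret[:5]))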

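if __name__ == "__main__":
    # Bind the handler before arming the alarm so SIGALRM can never arrive
    # while the default action (terminate) is still in place.
    signal.signal(signal.SIGALRM, handler)
    signal.alarm(DELAY)
    try:
        challenge()
    except Exception:
        # Timeout or any error in challenge(): exit quietly. The Python 2 only
        # ``except Exception, e:`` bound a name that was never used.
        pass
    sys.exit(0)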

Si on teste une exécution :

onosh@kali:/home/onosh/FCSC/MISC# python randomito.py
[+] Generating a 128-bit random secret (a, b)
16141621770963719195
12208871211096206965
e0028f7a8d01141ba96e9fae5de1ee75
[+] Done! Now, try go guess it!
>>> a = 16141621770963719195
>>> b = 12208871211096206965
[-] Trying e0028f7a8d01141ba96e9fae5de1ee75
[+] Well done! Here is the flag: OK FLAG

Mais alors comment trouver le secret en 10 secondes ? Simplement en lui donnant ce qu'il attend : en Python 2, `input()` équivaut à `eval(raw_input())`, donc la saisie est évaluée comme une expression dans la portée de `challenge()`, où les variables `secret_a` et `secret_b` existent déjà.

onosh@kali:/home/onosh/FCSC/MISC# python randomito.py
[+] Generating a 128-bit random secret (a, b)
6141270817308741848
5049640784231285106
553a2d453f2910d84613ed8a036e4172
[+] Done! Now, try go guess it!
>>> a = secret_a
>>> b = secret_b
[-] Trying 553a2d453f2910d84613ed8a036e4172
[+] Well done! Here is the flag: OK FLAG

Il n'y a plus qu'à tester en réel :

onosh@kali:/home/onosh/FCSC/MISC# nc challenges2.france-cybersecurity-challenge.fr 6001
[+] Generating a 128-bit random secret (a, b)
[+] Done! Now, try go guess it!
>>> a = secret_a
>>> b = secret_b
[-] Trying d955218681608306fc0e9b492dbdda1c
[+] Well done! Here is the flag: FCSC{4496d11d19db92ae53e0b9e9415d99d877ebeaeab99e9e
