[SWPU 2020]ecb | Putao0v0のBlog

type

Post

status

Published

date

Jul 5, 2022

slug

[SWPU 2020]ecb

summary

[SWPU 2020]ecb


from Crypto.Cipher import AES
import os
BLOCKSIZE = 16
flag = os.environ['FLAG']


def pad(data):
        pad_len = BLOCKSIZE - (len(data) % BLOCKSIZE) if  len(data) % BLOCKSIZE != 0 else 0
        return data + chr(pad_len) * pad_len

def unpad(data):
        num = ord(data[-1])
        return data[:-num]


def enc(data,key):
	cipher = AES.new(key,AES.MODE_ECB)
	encrypt = cipher.encrypt(pad(data))
	return encrypt


def dec(data,key):
	try:
		cipher = AES.new(key,AES.MODE_ECB)
		encrypt = cipher.decrypt(data)
		return unpad(encrypt)
	except:
		exit()


def task():
        try:
                key = os.urandom(16)
                while True:
                        plaintext = raw_input("Amazing function: ").decode('hex')
                        yusa = plaintext+flag
                        print enc(yusa,key).encode('hex')
        except Exception as e:
                print str(e)
                exit()
if __name__ == "__main__":
        task()

可以知道他是16个一组进行加密的，我们可以传入15个0 使flag[0]和15个0一起加密，然后再爆破它（0~255）


import binascii

from Crypto.Cipher import AES
from pwn import *

re=remote("1.14.71.254",28754)
ta=''
for j in range(48):

    re.recvuntil(b'Amazing function: ')
    a=binascii.hexlify(b'0'*(47-j))
    re.sendline(a)
    h=re.recvline().decode().strip()

    for i in range(256):
        a = binascii.hexlify(b'0'*(47-j)+ta.encode()+chr(i).encode())
        re.recvuntil(b'Amazing function: ')
        re.sendline(a)
        x = re.recvline().decode().strip()
        if(x[64:96]==h[64:96]):
            ta+=chr(i)
            print(ta)
            break

re.interactive()