SHARE
TWEET

Untitled

mage_1868 Aug 18th, 2014 (edited) 23 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/python
  2. # coding: utf-8
  3.  
  4. import os
  5. import re
  6. import sys
  7. import cgi
  8. import hashlib
  9. from urllib import unquote
  10. from passlib.utils.pbkdf2 import pbkdf2
  11.  
  12. ###
  13.  
  14. sys.path.append('/home/orange/secret_file')
  15. from secret_file import SECRET # 160 bytes secret
  16. from secret_file import FLAG
  17.  
  18. ###
  19.  
  20. print 'Content-Type: text/html\n\n'
  21.  
  22. ###
  23.  
  24. def _pbkdf2(text):
  25.     return pbkdf2(text, 'noggnogg', 1337).encode('hex').lower()
  26.  
  27. def _md5(text):
  28.     return hashlib.md5( text ).hexdigest().lower()
  29.  
  30. def getenv(name):
  31.     return unquote( os.environ.get(name) ) or ''
  32.  
  33. def gotoFail():
  34.     print 'goto fail'
  35.     print
  36.     exit()
  37.  
  38. def m_hash(password):
  39.     nr = int( 'P0W5'.encode('hex'), 16 )
  40.     add = 7
  41.     nr2 = 305419889
  42.  
  43.     for c in (ord(x) for x in password if x not in (' ', '\t')):
  44.         nr^= (((nr & 63)+add)*c)+ (nr << 8) & 0xFFFFFFFF
  45.         nr2= (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
  46.         add= (add + c) & 0xFFFFFFFF
  47.  
  48.     return "%08x%08x" % (nr & 0x7FFFFFFF,nr2 & 0x7FFFFFFF)
  49. ###
  50.  
  51. request = cgi.FieldStorage()
  52.  
  53. checksum  = request.getvalue('checksum') or ''
  54. query_str = getenv('QUERY_STRING')
  55. if _md5( SECRET + query_str ) == checksum:
  56.     mode = request.getvalue('mode') or ''
  57.  
  58.     if mode == 'download':
  59.         filename = request.getvalue('filename') or ''
  60.         filename = os.path.basename( filename )
  61.         try:
  62.             print open(filename).read()
  63.         except IOError as e:
  64.             print 'No such file or directory'
  65.     elif mode == 'eval':
  66.         bad_string = request.getvalue('filename') or ''
  67.         good_string = bad_string.encode('hex')
  68.         eval(good_string)
  69.  
  70.     else:
  71.         stage1 = request.getvalue('stage1') or ''
  72.         if m_hash(stage1) != '4141414141414141':
  73.             gotoFail()
  74.  
  75.         ###
  76.        
  77.         plaintext = getenv('HTTP_USER_AGENT')
  78.         stage2 = request.getvalue('stage2') or ''
  79.         if stage2 == plaintext:
  80.             gotoFail()
  81.        
  82.         if _pbkdf2(plaintext) != _pbkdf2(stage2):
  83.             gotoFail()
  84.  
  85.         ###
  86.  
  87.         stage3 = request.getvalue('stage3') or ''
  88.         stage3 = stage3[0]+stage3[1]+stage3[3]+stage3[5]
  89.         if _md5( stage3 ) != '90954349a0e42d8e4426a4672bde16b9':
  90.             gotoFail()
  91.  
  92.         ###
  93.  
  94.         print 'Congrat! The flag is',
  95.         print 'HITCON{%s}' % FLAG
  96.  
  97. else:
  98.     checksum = _md5( SECRET + 'filename=py4h4sher&mode=download' )
  99.     print """
  100. <!DOCTYPE html>
  101. <html>
  102. <head>
  103.  <meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
  104.  <meta name="author" content="orange@chroot.org">
  105.  <title> PY4H4SHER </title>
  106.  <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">
  107.  
  108.  <style>
  109. /*
  110. Inspired by http://dribbble.com/shots/890759-Ui-Kit-Metro/attachments/97174
  111. */
  112. .out {
  113.    white-space: -moz-pre-wrap;
  114.    white-space: -pre-wrap;
  115.    white-space: -o-pre-wrap;
  116.    white-space: pre-wrap;
  117.    word-wrap: break-word; /* Internet Explorer 5.5+ */
  118.    background-color: white;
  119.    border: 0px;
  120. }
  121.  
  122. .nav-row {
  123.  text-align: center;
  124. }
  125. .nav-row p {
  126.  padding: 5px;
  127. }
  128. .nav-row .col-md-2 {
  129.  background-color: #fff;
  130.  border: 1px solid #e0e1db;
  131.  border-right: none;
  132. }
  133. .nav-row .col-md-2:last-child {
  134.  border: 1px solid #e0e1db;
  135. }
  136. .nav-row .col-md-2:first-child {
  137.  border-radius: 5px 0 0 5px;
  138. }
  139. .nav-row .col-md-2:last-child {
  140.  border-radius: 0 5px 5px 0;
  141. }
  142. .nav-row .col-md-2:hover {
  143.  color: #e92d00;
  144.  cursor: pointer;
  145. }
  146. .nav-row .glyphicon {
  147.  padding-top: 15px;
  148.  font-size: 40px;
  149. }
  150.  
  151.  </style>
  152.   <script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
  153. </head>
  154. <body>            
  155. <script>
  156.  var script_name = '/cgi-bin/py4h4sher';
  157.  
  158.  function gohome(){
  159.    window.open( 'http://hitcon.org' );
  160.  }
  161.  function getflag(){
  162.      $.get( script_name ,
  163.              function(data){        
  164.                  $('.out').text('nothing to do :(');
  165.              });
  166.  }
  167.  function getsource(){
  168.      $.post( script_name + '?filename=py4h4sher&mode=download',
  169.              {'checksum': '%s'},
  170.              function(data){
  171.                  $('.out').text(data);
  172.              });
  173.  }
  174. </script>
  175.  
  176. <div class="container" style="margin-top:160px;">
  177.    <div class="row nav-row">
  178.      <div class="col-md-3">
  179.      </div>
  180.      <div class="col-md-2" onclick='gohome()'>
  181.        <span class="glyphicon glyphicon-home"></span>
  182.        <p> Go Home </p>
  183.      </div>
  184.      <div class="col-md-2" onclick='getflag()'>
  185.        <span class="glyphicon glyphicon-flag"></span>
  186.        <p> Get Flag </p>
  187.      </div>
  188.      <div class="col-md-2" onclick='getsource()'>
  189.        <span class="glyphicon glyphicon-cloud-download"></span>
  190.        <p> Get Source </p>
  191.      </div>
  192.    </div>
  193.  
  194.    <div class='row nav-row'>
  195.      <pre class='out' style='padding-top:64px; '>
  196.      </pre>
  197.    </div>
  198. </div>
  199.  
  200. </body>
  201. </html>
  202. """ % checksum
RAW Paste Data
Top