#!/usr/bin/python# coding: utf-8import osimport reimport sysimport c

1. #!/usr/bin/python
2. # coding: utf-8
3.  
4. import os
5. import re
6. import sys
7. import cgi
8. import hashlib
9. from urllib import unquote
10. from passlib.utils.pbkdf2 import pbkdf2
11.  
12. ###
13.  
14. sys.path.append('/home/orange/secret_file')
15. from secret_file import SECRET # 160 bytes secret
16. from secret_file import FLAG
17.  
18. ###
19.  
20. print 'Content-Type: text/html\n\n'
21.  
22. ###
23.  
24. def _pbkdf2(text):
25.     return pbkdf2(text, 'noggnogg', 1337).encode('hex').lower()
26.  
27. def _md5(text):
28.     return hashlib.md5( text ).hexdigest().lower()
29.  
30. def getenv(name):
31.     return unquote( os.environ.get(name) ) or ''
32.  
33. def gotoFail():
34.     print 'goto fail'
35.     print
36.     exit()
37.  
38. def m_hash(password):
39.     nr = int( 'P0W5'.encode('hex'), 16 )
40.     add = 7
41.     nr2 = 305419889
42.  
43.     for c in (ord(x) for x in password if x not in (' ', '\t')):
44.         nr^= (((nr & 63)+add)*c)+ (nr << 8) & 0xFFFFFFFF
45.         nr2= (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
46.         add= (add + c) & 0xFFFFFFFF
47.  
48.     return "%08x%08x" % (nr & 0x7FFFFFFF,nr2 & 0x7FFFFFFF)
49. ###
50.  
51. request = cgi.FieldStorage()
52.  
53. checksum  = request.getvalue('checksum') or ''
54. query_str = getenv('QUERY_STRING')
55. if _md5( SECRET + query_str ) == checksum:
56.     mode = request.getvalue('mode') or ''
57.  
58.     if mode == 'download':
59.         filename = request.getvalue('filename') or ''
60.         filename = os.path.basename( filename )
61.         try:
62.             print open(filename).read()
63.         except IOError as e:
64.             print 'No such file or directory'
65.     elif mode == 'eval':
66.         bad_string = request.getvalue('filename') or ''
67.         good_string = bad_string.encode('hex')
68.         eval(good_string)
69.  
70.     else:
71.         stage1 = request.getvalue('stage1') or ''
72.         if m_hash(stage1) != '4141414141414141':
73.             gotoFail()
74.  
75.         ###
76.        
77.         plaintext = getenv('HTTP_USER_AGENT')
78.         stage2 = request.getvalue('stage2') or ''
79.         if stage2 == plaintext:
80.             gotoFail()
81.        
82.         if _pbkdf2(plaintext) != _pbkdf2(stage2):
83.             gotoFail()
84.  
85.         ###
86.  
87.         stage3 = request.getvalue('stage3') or ''
88.         stage3 = stage3[0]+stage3[1]+stage3[3]+stage3[5]
89.         if _md5( stage3 ) != '90954349a0e42d8e4426a4672bde16b9':
90.             gotoFail()
91.  
92.         ###
93.  
94.         print 'Congrat! The flag is',
95.         print 'HITCON{%s}' % FLAG
96.  
97. else:
98.     checksum = _md5( SECRET + 'filename=py4h4sher&mode=download' )
99.     print """
100. <!DOCTYPE html>
101. <html>
102. <head>
103.  <meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
104.  <meta name="author" content="orange@chroot.org">
105.  <title> PY4H4SHER </title>
106.  <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">
107.  
108.  <style>
109. /*
110. Inspired by http://dribbble.com/shots/890759-Ui-Kit-Metro/attachments/97174
111. */
112. .out {
113.    white-space: -moz-pre-wrap;
114.    white-space: -pre-wrap;
115.    white-space: -o-pre-wrap;
116.    white-space: pre-wrap;
117.    word-wrap: break-word; /* Internet Explorer 5.5+ */
118.    background-color: white;
119.    border: 0px;
120. }
121.  
122. .nav-row {
123.  text-align: center;
124. }
125. .nav-row p {
126.  padding: 5px;
127. }
128. .nav-row .col-md-2 {
129.  background-color: #fff;
130.  border: 1px solid #e0e1db;
131.  border-right: none;
132. }
133. .nav-row .col-md-2:last-child {
134.  border: 1px solid #e0e1db;
135. }
136. .nav-row .col-md-2:first-child {
137.  border-radius: 5px 0 0 5px;
138. }
139. .nav-row .col-md-2:last-child {
140.  border-radius: 0 5px 5px 0;
141. }
142. .nav-row .col-md-2:hover {
143.  color: #e92d00;
144.  cursor: pointer;
145. }
146. .nav-row .glyphicon {
147.  padding-top: 15px;
148.  font-size: 40px;
149. }
150.  
151.  </style>
152.   <script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
153. </head>
154. <body>            
155. <script>
156.  var script_name = '/cgi-bin/py4h4sher';
157.  
158.  function gohome(){
159.    window.open( 'http://hitcon.org' );
160.  }
161.  function getflag(){
162.      $.get( script_name ,
163.              function(data){        
164.                  $('.out').text('nothing to do :(');
165.              });
166.  }
167.  function getsource(){
168.      $.post( script_name + '?filename=py4h4sher&mode=download',
169.              {'checksum': '%s'},
170.              function(data){
171.                  $('.out').text(data);
172.              });
173.  }
174. </script>
175.  
176. <div class="container" style="margin-top:160px;">
177.    <div class="row nav-row">
178.      <div class="col-md-3">
179.      </div>
180.      <div class="col-md-2" onclick='gohome()'>
181.        <span class="glyphicon glyphicon-home"></span>
182.        <p> Go Home </p>
183.      </div>
184.      <div class="col-md-2" onclick='getflag()'>
185.        <span class="glyphicon glyphicon-flag"></span>
186.        <p> Get Flag </p>
187.      </div>
188.      <div class="col-md-2" onclick='getsource()'>
189.        <span class="glyphicon glyphicon-cloud-download"></span>
190.        <p> Get Source </p>
191.      </div>
192.    </div>
193.  
194.    <div class='row nav-row'>
195.      <pre class='out' style='padding-top:64px; '>
196.      </pre>
197.    </div>
198. </div>
199.  
200. </body>
201. </html>
202. """ % checksum