Need a unique gift idea?
A Pastebin account makes a great Christmas gift
SHARE
TWEET

Untitled

mage_1868 Aug 18th, 2014 (edited) 50 Never
Upgrade to PRO!
ENDING IN00days00hours00mins00secs
 
  1. #!/usr/bin/python
  2. # coding: utf-8
  3.  
  4. import os
  5. import re
  6. import sys
  7. import cgi
  8. import hashlib
  9. from urllib import unquote
  10. from passlib.utils.pbkdf2 import pbkdf2
  11.  
  12. ###
  13.  
  14. sys.path.append('/home/orange/secret_file')
  15. from secret_file import SECRET # 160 bytes secret
  16. from secret_file import FLAG
  17.  
  18. ###
  19.  
  20. print 'Content-Type: text/html\n\n'
  21.  
  22. ###
  23.  
  24. def _pbkdf2(text):
  25.     return pbkdf2(text, 'noggnogg', 1337).encode('hex').lower()
  26.  
  27. def _md5(text):
  28.     return hashlib.md5( text ).hexdigest().lower()
  29.  
  30. def getenv(name):
  31.     return unquote( os.environ.get(name) ) or ''
  32.  
  33. def gotoFail():
  34.     print 'goto fail'
  35.     print
  36.     exit()
  37.  
  38. def m_hash(password):
  39.     nr = int( 'P0W5'.encode('hex'), 16 )
  40.     add = 7
  41.     nr2 = 305419889
  42.  
  43.     for c in (ord(x) for x in password if x not in (' ', '\t')):
  44.         nr^= (((nr & 63)+add)*c)+ (nr << 8) & 0xFFFFFFFF
  45.         nr2= (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
  46.         add= (add + c) & 0xFFFFFFFF
  47.  
  48.     return "%08x%08x" % (nr & 0x7FFFFFFF,nr2 & 0x7FFFFFFF)
  49. ###
  50.  
  51. request = cgi.FieldStorage()
  52.  
  53. checksum  = request.getvalue('checksum') or ''
  54. query_str = getenv('QUERY_STRING')
  55. if _md5( SECRET + query_str ) == checksum:
  56.     mode = request.getvalue('mode') or ''
  57.  
  58.     if mode == 'download':
  59.         filename = request.getvalue('filename') or ''
  60.         filename = os.path.basename( filename )
  61.         try:
  62.             print open(filename).read()
  63.         except IOError as e:
  64.             print 'No such file or directory'
  65.     elif mode == 'eval':
  66.         bad_string = request.getvalue('filename') or ''
  67.         good_string = bad_string.encode('hex')
  68.         eval(good_string)
  69.  
  70.     else:
  71.         stage1 = request.getvalue('stage1') or ''
  72.         if m_hash(stage1) != '4141414141414141':
  73.             gotoFail()
  74.  
  75.         ###
  76.        
  77.         plaintext = getenv('HTTP_USER_AGENT')
  78.         stage2 = request.getvalue('stage2') or ''
  79.         if stage2 == plaintext:
  80.             gotoFail()
  81.        
  82.         if _pbkdf2(plaintext) != _pbkdf2(stage2):
  83.             gotoFail()
  84.  
  85.         ###
  86.  
  87.         stage3 = request.getvalue('stage3') or ''
  88.         stage3 = stage3[0]+stage3[1]+stage3[3]+stage3[5]
  89.         if _md5( stage3 ) != '90954349a0e42d8e4426a4672bde16b9':
  90.             gotoFail()
  91.  
  92.         ###
  93.  
  94.         print 'Congrat! The flag is',
  95.         print 'HITCON{%s}' % FLAG
  96.  
  97. else:
  98.     checksum = _md5( SECRET + 'filename=py4h4sher&mode=download' )
  99.     print """
  100. <!DOCTYPE html>
  101. <html>
  102. <head>
  103.  <meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
  104.  <meta name="author" content="orange@chroot.org">
  105.  <title> PY4H4SHER </title>
  106.  <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">
  107.  
  108.  <style>
  109. /*
  110. Inspired by http://dribbble.com/shots/890759-Ui-Kit-Metro/attachments/97174
  111. */
  112. .out {
  113.    white-space: -moz-pre-wrap;
  114.    white-space: -pre-wrap;
  115.    white-space: -o-pre-wrap;
  116.    white-space: pre-wrap;
  117.    word-wrap: break-word; /* Internet Explorer 5.5+ */
  118.    background-color: white;
  119.    border: 0px;
  120. }
  121.  
  122. .nav-row {
  123.  text-align: center;
  124. }
  125. .nav-row p {
  126.  padding: 5px;
  127. }
  128. .nav-row .col-md-2 {
  129.  background-color: #fff;
  130.  border: 1px solid #e0e1db;
  131.  border-right: none;
  132. }
  133. .nav-row .col-md-2:last-child {
  134.  border: 1px solid #e0e1db;
  135. }
  136. .nav-row .col-md-2:first-child {
  137.  border-radius: 5px 0 0 5px;
  138. }
  139. .nav-row .col-md-2:last-child {
  140.  border-radius: 0 5px 5px 0;
  141. }
  142. .nav-row .col-md-2:hover {
  143.  color: #e92d00;
  144.  cursor: pointer;
  145. }
  146. .nav-row .glyphicon {
  147.  padding-top: 15px;
  148.  font-size: 40px;
  149. }
  150.  
  151.  </style>
  152.   <script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
  153. </head>
  154. <body>            
  155. <script>
  156.  var script_name = '/cgi-bin/py4h4sher';
  157.  
  158.  function gohome(){
  159.    window.open( 'http://hitcon.org' );
  160.  }
  161.  function getflag(){
  162.      $.get( script_name ,
  163.              function(data){        
  164.                  $('.out').text('nothing to do :(');
  165.              });
  166.  }
  167.  function getsource(){
  168.      $.post( script_name + '?filename=py4h4sher&mode=download',
  169.              {'checksum': '%s'},
  170.              function(data){
  171.                  $('.out').text(data);
  172.              });
  173.  }
  174. </script>
  175.  
  176. <div class="container" style="margin-top:160px;">
  177.    <div class="row nav-row">
  178.      <div class="col-md-3">
  179.      </div>
  180.      <div class="col-md-2" onclick='gohome()'>
  181.        <span class="glyphicon glyphicon-home"></span>
  182.        <p> Go Home </p>
  183.      </div>
  184.      <div class="col-md-2" onclick='getflag()'>
  185.        <span class="glyphicon glyphicon-flag"></span>
  186.        <p> Get Flag </p>
  187.      </div>
  188.      <div class="col-md-2" onclick='getsource()'>
  189.        <span class="glyphicon glyphicon-cloud-download"></span>
  190.        <p> Get Source </p>
  191.      </div>
  192.    </div>
  193.  
  194.    <div class='row nav-row'>
  195.      <pre class='out' style='padding-top:64px; '>
  196.      </pre>
  197.    </div>
  198. </div>
  199.  
  200. </body>
  201. </html>
  202. """ % checksum
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top