
The same web server code is used for all challenges.

The level for this challenge is 10.

This is the code for level 10:


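def level10():
    """Handle one request for the level-10 challenge app.

    Dispatches on ``request.path``; every branch returns a Flask-style
    response (a body string, optionally with a status code). Routes:

    - ``/login``      GET renders the form; POST checks ``account_name`` /
                      ``secret`` against the ``credentials`` table and, on a
                      match, stores the row's ``rowid`` in ``session["account"]``.
    - ``/is-exposed`` Sets ``is_exposed`` on the session's account. No
                      request-method check.
    - ``/info``       For ``?account=<rowid>`` returns ``account_name`` and,
                      if that row is exposed, its ``secret`` too. No session
                      required.
    - ``/visit``      Drives an automated browser (Selenium-style API): logs
                      it in as the ``flag`` account, then opens ``?url=``.
    - ``/echo``       Returns ``html(echo)`` for ``?echo=``.

    Names used but not defined here (shared server code): ``db``, ``flag``,
    ``request``, ``session``, ``redirect``, ``form``, ``html``,
    ``capture_url``, ``run_browser``, ``By``, ``WebDriverWait``, ``EC``.

    Security notes -- this is an intentionally vulnerable CTF level:

    - ``/is-exposed`` changes state, accepts any method, and is
      authenticated only by the session cookie, so a logged-in browser can
      be made to trigger it with a plain GET (cross-site request forgery).
    - ``/visit`` is exactly such a browser: after logging in as ``flag`` it
      opens a caller-chosen URL, checking only that the hostname equals
      ``capture_url``; scheme, path and query are unrestricted. Pointing it
      at ``/is-exposed`` therefore flips the flag row's ``is_exposed``.
    - ``/info`` needs no session, so once the flag row is exposed its
      ``secret`` (the flag) is readable by anyone who knows the rowid.
    - All input validation is done with ``assert``, which ``python -O``
      strips entirely. The shared server wrapper presumably turns
      ``AssertionError`` into the error text shown to the client (not
      visible here), so the ``assert`` form is kept to preserve those
      messages.

    Raises:
        AssertionError: on a missing/invalid parameter, failed login,
            missing session, unknown rowid, or a ``url`` whose hostname is
            not ``capture_url``.
        ValueError: when ``?account=`` or the stored session value is not
            an integer.
    """
    # Seed the credentials table with a single row on first use. ``False``
    # is passed as a bound parameter (stored as 0 by the sqlite3 driver,
    # assuming that is what ``db`` wraps).
    db.execute(
        (
            "CREATE TABLE IF NOT EXISTS credentials AS "
            'SELECT "flag" AS account_name, ? as secret, ? as is_exposed'
        ),
        (flag, False),
    )

    if request.path == "/login":
        if request.method == "POST":
            account_name = request.form.get("account_name")
            secret = request.form.get("secret")
            assert account_name, "Missing `account_name` form"
            assert secret, "Missing `secret` form"

            # Parameterised query: the form values never reach the SQL text
            # (the original carried a needless f-prefix on this literal).
            account = db.execute(
                "SELECT rowid, * FROM credentials WHERE "
                "account_name = ? AND secret = ?",
                (account_name, secret),
            ).fetchone()
            assert account, "Invalid `account_name` or `secret`"

            session["account"] = int(account["rowid"])
            return redirect(request.path)

        return form(["account_name", "secret"])

    if request.path == "/is-exposed":
        # No method check and no CSRF token: a GET from any browser that
        # holds a valid session cookie is enough to reach the UPDATE.
        account_id = int(session.get("account", -1))
        account = db.execute(
            "SELECT * FROM credentials WHERE rowid = ?", (account_id,)
        ).fetchone()
        assert account, "Not logged in"
        db.execute(
            "UPDATE credentials SET is_exposed = TRUE WHERE rowid = ?",
            (account_id,),
        )
        return "true\n"

    if request.path == "/info":
        # Unauthenticated read: any rowid may be queried by anyone.
        assert "account" in request.args, "Missing `account` argument"
        account_id = int(request.args["account"])
        account = db.execute(
            "SELECT * FROM credentials WHERE rowid = ?", (account_id,)
        ).fetchone()
        assert account, "Invalid `account`"
        info = [account["account_name"]]
        if account["is_exposed"]:
            info.append(account["secret"])
        return " ".join(info) + "\n"

    if request.path == "/visit":
        url = request.args.get("url")
        assert url, "Missing `url` argument"

        # Only the hostname is validated; the path and query string are
        # entirely caller-controlled.
        url_arg_parsed = urllib.parse.urlparse(url)
        assert url_arg_parsed.hostname == capture_url, (
            f"Invalid `url`, hostname should be `{capture_url}`"
        )

        with run_browser() as browser:
            # Log the automated browser in as the flag account ...
            browser.get(f"http://{capture_url}/login")

            account_form = {
                "account_name": "flag",
                "secret": flag,
            }
            for name, value in account_form.items():
                field = browser.find_element(By.NAME, name)
                field.send_keys(value)

            submit_field = browser.find_element(By.ID, "submit")
            submit_field.submit()
            WebDriverWait(browser, 10).until(EC.staleness_of(submit_field))

            # ... and then, carrying that session cookie, open the caller's
            # URL. Nothing about the response is checked or returned.
            browser.get(url)
            time.sleep(1)

        return "Visited\n"

    if request.path == "/echo":
        # ``html()`` lives in the shared server code; whether it escapes
        # ``echo`` cannot be determined from this level alone.
        echo = request.args.get("echo")
        assert echo, "Missing `echo` argument"
        return html(echo)

    return "Not Found\n", 404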

The `/visit` path logs an automated browser in as the `flag` account and then navigates it to a URL we choose; the only check is that the URL's hostname equals `capture.local`, so any path and query on that host are allowed. The `/is-exposed` path sets `is_exposed` on whichever account the session cookie belongs to, and it accepts a plain GET with no request-method check or CSRF token, so the logged-in browser can be made to trigger it. Once the flag row is exposed, the unauthenticated `/info` path returns that row's `secret`, which is the flag. So we point `/visit` at `/is-exposed`, then query `/info` for the flag account's rowid.

Open Firefox on the desktop and load this URL (the inner URL is percent-encoded so it survives as a single `url` parameter):

`http://capture.local/visit?url=http%3A%2F%2Fcapture.local%2Fis-exposed`

Once the above URL responds with `Visited`, open the info path. Note that `/info` asserts that an `account` argument is present, so the bare path would fail with "Missing `account` argument"; pass the flag row's rowid, which is `1` because the `CREATE TABLE ... AS SELECT` inserts it as the only row:

`http://capture.local/info?account=1`

The response is `flag <secret>`, and the secret is the flag.
