Stripe CTF lvl8 Solvers

 
| Timestamp | Nick | Source URL | Language | Cleanliness | Efficiency | Comments | Blog URL |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 8/29/2012 15:06:17 | pepijndevos | https://gist.github.com/ecd0e0e20c6cd72f91c3 | Python | 4 | 5 | hit the deadline in the middle of the final run | |
| 8/29/2012 15:06:43 | lukegb | https://github.com/lukegb/Stripe-CTF-2.0/blob/master/level8/pingit_recvit.go | Go! | 3 | 7 | IT'S AWESOME! ;) | https://github.com/lukegb/Stripe-CTF-2.0/blob/master/level8.md |
| 8/29/2012 15:06:48 | IntruderAlert | https://gist.github.com/3d9730a3793eb5e0bc90 | Python | 6 | 5 | It took 15 minutes on Friday when there were less people on the servers, but 55 minutes on the last day of the CTF. | |
| 8/29/2012 15:07:46 | IntruderAlert | https://gist.github.com/f1128ad7ab3f8689c04d | Assembly | 1 | 1 | Assembly attempt - unfinished due to real life | |
| 8/29/2012 15:09:02 | luna | http://pastebin.com/X3naehw5 | Python | 5 | 4 | It works! | |
| 8/29/2012 15:13:20 | Matt Fuller | https://github.com/matthewdfuller/stripe-ctf-solutions/blob/master/level8/exploit.py | Python | 2 | 3 | Awesome challenge. Check my blog for detailed level-by-level walkthroughs and explanations. | http://blog.matthewdfuller.com/2012/08/stripe-capture-flag-level-by-level.html |
| 8/29/2012 15:13:33 | danopia | https://gist.github.com/0b0ec3ef08d507c17a93 | Ruby | 4 | 3 | | http://blog.danopia.net/2012/09/stripe-ctf-v20-level-8.html |
| 8/29/2012 15:17:01 | nion | http://pastie.org/4612069 | Python | 5 | 4 | works :) | |
| 8/29/2012 15:18:46 | Foo | https://github.com/abrinsmead/Stripe-ctf-2-level-8-solution/blob/master/level-08-solution.py | Python | 5 | 5 | This was designed to be conservative and just get me the password on the slow 8-2 server I started with. I eventually had to switch to 8-3 to capture the flag. The script could be made much faster with a little work. | |
| 8/29/2012 15:25:11 | jcromartie | https://gist.github.com/92896a3af1c9aa43da67 | Python | 6 | 3 | I think the code is pretty clean. Nothing too hacky except kicking off a HTTP POST in a thread and doing socket.accept() immediately, and counting on that to work. It may be possible to make this concurrent. | |
| 8/29/2012 15:25:34 | JensenDied | https://gist.github.com/3517473 | Python | 5 | 6 | | |
| 8/29/2012 15:34:54 | davidboy | https://gist.github.com/3517664 | Python | 6 | 3 | | |
| 8/29/2012 15:40:41 | atox | http://pastebin.com/RqV2A9KY | PHP | 2 | 2 | Quite dirty, had to add in flush() because of the php5-cgi that I was using and not even sure it is the latest version I used. But it worked | http://www.mindloop.be/stripe-ctf-security/ |
| 8/29/2012 15:48:34 | originalcamper | https://gist.github.com/3517422 | Ruby | 3 | 4 | Ended up including net-http-persistent to speed up reqs. ~150 LOC without it. | |
| 8/29/2012 15:50:10 | Douglas | https://gist.github.com/3517847 | Ruby | 4 | 5 | Not fully automated... needs patched as each chunk is solved. But uses a single HTTPS connection, which makes me think it must be efficient, right? | |
| 8/29/2012 15:50:11 | rm_you | http://pastebin.com/TVszNfv1 | Python | 5 | 5 | For the record, I didn't even know how Python global variables worked before I wrote this... I needed to get it running quickly, and not deal with huge argument lists. :) Still not a parallel solution, but it will figure out chunks 1-3 on its own, one at a time. It doesn't exit properly, but who cares... I know I didn't! :) The final chunk was solved with this simpler script (and I watched it like a hawk): http://pastebin.com/AZXTiTHn | |
| 8/29/2012 15:50:16 | pettazz | https://github.com/pettazz/Stripe-CTF-2.0/blob/master/8/comm_4.py | Python | 5 | 3 | This was revision 4 when I was just about ready to give up. The threaded versions look more awesome but don't even come close to working. Facepalms all over the place. | http://pettazz.com/2012/08/24/capturing-the-flag/ |
| 8/29/2012 15:58:12 | nemo | https://gist.github.com/3517896 | Python | 2 | 5 | | http://gist.io/3517896 |
| 8/29/2012 16:02:08 | x616d726b | http://pastie.org/private/e8ieskfe1lz7jcp6ixzaxq | Python | 3 | 2 | It was horrible. :( | |
| 8/29/2012 16:14:33 | axisK | https://gist.github.com/3518251 | C++ | 1 | 5 | Really really really bad code quality and horrible threading, I haven't actually written anything in C++ before this. Ran in around 1.5 minutes per chunk and 2 minutes for the last chunk for which I commented out the file writing and just looked at the output | |
| 8/29/2012 16:36:47 | useware | https://gist.github.com/3518444 | Go! | 7 | 6 | This is my first Go program and I tried to explore as much Go sugar as I felt appropriate. I might do a post/tutorial about the code later. Comments on the gist would be nice :) | |
| 8/29/2012 16:38:20 | leyyin | https://gist.github.com/3517903 | Python | 3 | 4 | | |
| 8/29/2012 16:44:54 | Shadow6363 | https://gist.github.com/3507384 | Python | 5 | 4 | I'm working on improving the efficiency and I don't know Python all that well. | |
| 8/29/2012 18:08:05 | miton | https://gist.github.com/3519510 | Python | 3 | 3 | my first one was a lot better, but used twisted so I could not run it on level02 so I bastardized this together quickly. it actually gets decent requests/second to the point you need to put the sleep in to keep the sync (which it doesn't even actually really bother to try to keep). it still works but takes a while and is really conservative. I would not recommend reading it as it has no value itself | |
| 8/29/2012 20:18:57 | klange | https://gist.github.com/9166bf3ff321968dae02 | C | 5 | 7 | | http://twitter.com/kevinlange |
| 8/29/2012 20:24:37 | phobot1 | https://github.com/pkallos/stripe-ctf2-level08 | Go! | 2 | 6 | First GO program, ugly but performs okay. | |
| 8/29/2012 23:04:49 | eevee | http://paste.pound-python.org/show/XVsuIyr0pmBX24Fy1YOQ/ | Python | 5 | 5 | it is exceptionally mediocre. also i am very sorry about the hard tabs. level02 didn't have my .vimrc and all. i bring shame upon my entire family. | http://me.veekun.com/blog/2012/08/29/stripe-ctf-2-dot-0/ |
| 8/30/2012 0:22:26 | Daegalus | https://gist.github.com/6939e3c74023acad4215 | Python | 4 | 3 | I don't get to use Python often, as much as I enjoy it. So lots of messy and poor code. But it worked. Except for the final if statement. It's missing an str() and fails when it needs to print out the last 2 lines. Luckily you still get time to see the last number. | |
| 8/30/2012 1:44:45 | rokoteko | http://p3m.org/pfn/162 | Perl | 4 | 6 | Since there were no Perl submissions I decided to add this. The code is pretty fast, it was developed when load was very high. Uses async requests through sockets (no http module) to post the queries. Sets TCP_NODELAY on the sockets to make it faster. Divides the requests to chunks of 100 to avoid the max: 100 of keep-alive, which I didn't figure out how to reset. So it sends 100 passwords using a single socket, then re-creates sockets, sends another 100 etc. And because it's built in async fashion the requests go out immediately and then we just wait for responses. The code could be re-factored a bit more and lacks all documentation and has only a few comments, which can make it more difficult to understand. But I think in overall it's pretty clean to be async socket code written in Perl. Only does one chunk at the time, you have to reconfigure for the next chunk(s). First time I used IO::Lambda (for the async requests) and gotta say it's pretty sweet. | |
| 8/30/2012 2:15:52 | charliesome | https://gist.github.com/737d93640caa8d9936d4 | Ruby | 2 | 5 | | |
| 8/30/2012 3:22:06 | MaikuMori | https://github.com/MaikuMori/finalfloor | Go! | 6 | 6 | Should be quite fast ;). | |
| 8/30/2012 5:46:40 | simon | http://pastebin.com/vzpm4baP | Python | 4 | 5 | A further improvement is/was to use a persistent HTTPS connection to the stripe server. | |
| 8/30/2012 5:48:24 | luks | http://blog.sploit.de/2012/08/26/stripe-ctf-level8/ | Python | 6 | 6 | it just werks (if you have the requests module installed :)) | http://blog.sploit.de/2012/08/26/stripe-ctf-level8/ |
| 8/30/2012 6:01:37 | Lucian | https://gist.github.com/f981c261182ddaa6dafa | Python | 5 | 4 | | |
| 8/30/2012 7:46:09 | titanous | https://gist.github.com/3526951 | Go! | 4 | 6 | | |
| 8/30/2012 8:51:14 | TvdW | https://gist.github.com/38c0430b5084f8442858 | Python | 6 | 7 | It's pretty fast - uses SSL sessions, optimally only 1 call per option, it's all in one script, etc. The 4th chunk could've been faster though. | |
| 8/30/2012 12:35:06 | Bootvis | https://gist.github.com/3532498#comments | Python | 2 | 2 | Don't judge me :( | |
| 8/30/2012 17:42:29 | ancat | https://github.com/ancat/level8-solution/blob/master/chunky.py | Python | 7 | 4 | The only solution I've seen that doesn't run an HTTP server and doesn't use threading. And it still works pretty good! http://sec.omar.li/2012/08/stripe-ctf-writeup.html | |
| 8/30/2012 17:56:43 | rmmh | https://gist.github.com/3ec1a1bc17bc370cd657 | Python | 6 | 5 | | |
| 8/30/2012 23:50:24 | mpirstitz | https://gist.github.com/3548849 | C | 6 | 6 | | |
| 9/30/2012 6:51:52 | jermenkoo | https://gist.github.com/37a13687b2971cfe3346 | Go! | 6 | 5 | | |