Stage 3 - Poke-A-Mango

[ikornaselur]

Description

I love these new AR games that have been coming out recently, so I decided that I would make my own with my favorite fruit! The Mango! Can you catch 500 mangos? pokeamango.apk

Solution

Flag is: ``

[ikornaselur]

http://stackoverflow.com/a/4177581

[ikornaselur]

It's a cordova project. Might just need to unpack the apk, edit one thing and then repackage and run on a phone.

There's a http post to "buy flag", but I wasn't able to curl it.

Might want to check this too tomorrow

[ikornaselur]

curl -H 'Host: poke-a-mango.vuln.icec.tf' -H 'Accept: */*' -H 'Origin: file://' -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G935F Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Mobile Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept-Language: en-GB,en-US;q=0.8' -H 'X-Requested-With: tf.icec.pokeamango' --data-binary "uuid=7253d06cf35b6d88" --compressed 'http://poke-a-mango.vuln.icec.tf/store/flag'

{ 
  "message": "You haven't caught enough mangos", 
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiNzI1M2QwNmNmMzViNmQ4OCJ9.MCe1gCq2k_CtB0j7ddjtBIUW8XsjE7s2D_iPvV6k0b8"
} 

Just need to update the count to be 500 somehow.. need to figure out that request.

[ikornaselur]

curl -H 'Host: poke-a-mango.vuln.icec.tf' -H 'Accept: */*' -H 'Origin: file://' -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G935F Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Mobile Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept-Language: en-GB,en-US;q=0.8' -H 'X-Requested-With: tf.icec.pokeamango' --data-binary "uuid=7253d06cf35b6d88&curLat=64.10000&curLong=-21.10000&mangoLat=64.100001&mangoLong=-21.10001" --compressed 'http://poke-a-mango.vuln.icec.tf/mango/catch'
{
  "message": "You need to be closer to the mango", 
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiNzI1M2QwNmNmMzViNmQ4OCJ9.MCe1gCq2k_CtB0j7ddjtBIUW8XsjE7s2D_iPvV6k0b8"
}

wot

[ikornaselur]

App was crashing constantly, though I had written something about it here. But anyway, that was just Android 6+ not requesting camera access, so I'm back on track

[ikornaselur]

I believe this is just a matter of creating a bot to catch 500 mangos.. I have one currently running.

The server is really overloaded, so on each 5xx error, I wait 5 seconds. The script is as follows:

import requests
from time import sleep

headers = {
    'Host': 'poke-a-mango.vuln.icec.tf',
    'Accept': '*/*',
    'Origin': 'file://',
    'User-Agent': 'User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G935F Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Mobile Safari/537.36',  # noqa
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Accept-Language': 'en-GB',
    'X-Requested-With': 'tf.icec.pokeamango'
}

list_url = 'http://poke-a-mango.vuln.icec.tf/mango/list'
catch_url = 'http://poke-a-mango.vuln.icec.tf/mango/catch'
count_url = 'http://poke-a-mango.vuln.icec.tf/mango/count'

def list_data(lat, lon, uuid='7253d06cf35b6d88'):
    return {
        'lat': lat,
        'long': lon,
        'uuid': uuid,
    }

def catch_data(lat, lon, uuid='7253d06cf35b6d88'):
    return {
        'curLat': lat,
        'curLong': lon,
        'mangoLat': lat,
        'mangoLong': lon,
        'uuid': uuid,
    }

def get_count():
    print "Trying to get count"
    while True:
        r = requests.post(count_url, data={'uuid': '7253d06cf35b6d88'})
        if r.status_code > 500:
            print "Got {} while trying to get mango count.. Retrying in 5 sec".format(r.status_code)
            sleep(5)
            continue
        print "Caught {} mangos so far!".format(r.json()['count'])
        break

def catch_mangos(mangos):
    for mango in mangos:
        data = catch_data(mango['lat'], mango['lng'])
        print "Trying to catch mango at {}, {}".format(mango['lat'], mango['lng'])
        while True:
            r = requests.post(catch_url, data=data)
            if r.status_code > 500:
                print "Got {} while trying to catch mango.. Retrying in 5 sec".format(r.status_code)
                sleep(5)
                continue
            print r.json()['message']
            break

lat = 64.1431968
lon = -21.94666069999994
alt = False

while True:
    r = requests.post(list_url, data=list_data(lat, lon))
    if r.status_code > 500:
        print "Got {}, retrying in 5 sec...".format(r.status_code)
        sleep(5)
        continue
    json = r.json()
    mangos = json['mangos']
    if not len(mangos):
        print "No mangos found at {}, {}? Trying somewhere else..".format(lat, lon)  # noqa
        if alt:
            lat += 0.01  # Switch these +/- around for at least four directions
        else:
            lon -= 0.01
        alt = not alt
    else:
        print "Found {} mangos! Catching them all...".format(len(mangos))
        catch_mangos(mangos)
        get_count()

[ikornaselur]

[ikornaselur]

23 out of 500 mangos so far! This will take a while.

[koddsson]

IRC is saying that this is now 151 mangos?

[koddsson]

Aaaaaaaaaaaaaaaaaand Glitch has shut down the server as of now and is putting it back up later redesigned.

[ikornaselur]

I'm closing this issue until further notice. If it's the same challenge redesigned, I'll re-open it, if not, it's a new issue.

[ikornaselur]

Btw, the script was working just fine! If I had started a little bit earlier I would have got the flag. 🐱

[koddsson]

😭 😭 😭