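import requests
from binascii import hexlify, unhexlify

# Proof-of-concept against a lab target that encrypts its session cookie with
# RC4 under an IV that repeats (the original run observed a repeat within 256
# requests).  Two weaknesses are chained:
#   1. keystream reuse: two cookies encrypted under the same IV share the RC4
#      keystream, so ciphertext1 XOR ciphertext2 == plaintext1 XOR plaintext2,
#      and a known plaintext (our own description) recovers the keystream;
#   2. no integrity check: a stream cipher is malleable, so XOR-ing the
#      ciphertext with ('false' XOR 'true ') flips the flag without the key.
# Server-side fix: a unique nonce per encryption plus an authenticated cipher
# (or a MAC over the cookie) -- and RC4 should not be used at all.
# Only run this against a system you are authorised to test.

url = 'http://192.168.0.222:5000'
# Any registered username and password
username = 'myBLfLEDraYh3Dq'
password = '9GQLqu39EviKw'
# Default description and a known plaintext that must be at least as long as
# the part of the cookie we want to decrypt (everything after the description
# offset); otherwise the recovered keystream is too short.
original = 'No description yet'
description = 'stringadiversamapiulungastringadiversamapiulungastringa'.encode('ascii')


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one.

    Byte-wise XOR keeps length and leading zero bytes intact.  The previous
    ``'{:x}'.format(int(a, 16) ^ int(b, 16))`` idiom silently dropped leading
    zero nibbles, shifting every later byte and occasionally producing an
    odd-length hex string that ``unhexlify`` rejects.
    """
    return bytes(x ^ y for x, y in zip(a, b))


def first_differing_byte(a: bytes, b: bytes) -> int:
    """Return the offset of the first byte at which *a* and *b* differ.

    Under a shared keystream two ciphertexts agree exactly where their
    plaintexts agree, so this is the offset of the description field.
    (The old scan compared only the high nibble of every byte.)

    Raises:
        ValueError: if no byte differs within the common length.
    """
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    raise ValueError('ciphertexts do not differ; no known-plaintext window found')


def forge_show_flag(cookie: bytes) -> bytes:
    """Flip the trailing ``false`` of an encrypted cookie to ``true ``.

    The cookie ends with the five bytes of ``false`` followed by one more
    byte; XOR-ing those five ciphertext bytes with ``'false' XOR 'true '``
    turns the plaintext into ``true `` (same length, so nothing else moves).
    No key material is needed: this works only because the cookie carries
    no MAC.
    """
    mask = xor_bytes(b'true ', b'false')
    return cookie[:-6] + xor_bytes(cookie[-6:-1], mask) + cookie[-1:]


def main() -> None:
    """Log in, collect an IV collision, recover the keystream, forge the cookie."""
    s = requests.session()
    s.post(url + '/login', data={'username': username, 'password': password})
    cur_iv = s.cookies['iv']
    ciphertext1 = unhexlify(s.cookies['session'])

    # Re-post our known description until the server hands out the login
    # cookie's IV again; that cookie shares ciphertext1's keystream.  Stop at
    # the first hit and fail loudly instead of hitting a NameError later.
    ciphertext2 = None
    for _ in range(256):
        s.post(url + '/user', data={'description': description})
        if s.cookies['iv'] == cur_iv:
            ciphertext2 = unhexlify(s.cookies['session'])
            break
    if ciphertext2 is None:
        raise RuntimeError('IV did not repeat within 256 requests; no two-time pad')

    # Restore the default description so the freshly issued cookie has the
    # layout the bit-flip expects, and keep its iv/uid to send along with it.
    s.post(url + '/user', data={'description': original})
    cur_iv = s.cookies['iv']
    uid = s.cookies['uid']
    cur_session = unhexlify(s.cookies['session'])

    offset = first_differing_byte(ciphertext1, ciphertext2)
    # known plaintext XOR its ciphertext == keystream from the description offset on
    keystream = xor_bytes(ciphertext2[offset:offset + len(description)], description)
    # that keystream XOR the login cookie's tail == the rest of that cookie
    plaintext = xor_bytes(ciphertext1[offset:], keystream)
    # Diagnostic only: the decrypted tail shows the show_flag field we flip.
    print('[*] Decrypted first cookie: ' + plaintext.decode('ascii', errors='replace'))

    session = hexlify(forge_show_flag(cur_session)).decode('ascii')
    flag = requests.get(url + '/user', cookies={'iv': cur_iv, 'uid': uid, 'session': session})
    print('[*] Got the flag: ' + flag.text)


if __name__ == '__main__':
    main()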