Simple IPv4 and IPv6 HTTP Server

When doing hackthebox stuff I often use the SimpleHTTPServer module of python to download scripts and tools from my host system to the client.
Recently I needed an IPv6 http server because IPv4 was blocked. Since I didn’t find a simple way to host files via IPv6 I extent the SimpleHTTPServer module with IPv6 support. While I was at it I also implemented file upload via post.
The latest version can be found on my GitHub page https://github.com/wsoltys/tools
The current version as of this writing is listed below:

#!/usr/bin/python

import sys
import socket
from BaseHTTPServer import HTTPServer
from SimpleHTTPServer import SimpleHTTPRequestHandler

class MyHandler(SimpleHTTPRequestHandler):
  def do_GET(self):
    if self.path == '/ip':
      self.send_response(200)
      self.send_header('Content-type', 'text/html')
      self.end_headers()
      self.wfile.write('Your IP address is %s' % self.client_address[0])
      return
    else:
      return SimpleHTTPRequestHandler.do_GET(self)

  def do_POST(self):
      content_length = int(self.headers['Content-Length'])
      body = self.rfile.read(content_length)
      self.send_response(200)
      self.end_headers()
      self.wfile.write('ok')
      filename = self.path[1:]
      with open(filename, 'w') as f:
          f.write(body)
      return

  def do_PUT(self):
      MyHandler.do_POST(self)
      return

class HTTPServerV6(HTTPServer):
  address_family = socket.AF_INET6

def main():
  if len(sys.argv) > 1:
    port = int(sys.argv[1])
  else:
    port = 80  

  server = HTTPServerV6(('::', port), MyHandler)
  print('Serving http on '+server.server_name+' port '+str(server.server_port))
  print('Upload files with: curl -T <file> <server ip>')
  server.serve_forever()

if __name__ == '__main__':
  main()

#!/usr/bin/python

import sys

import socket

from BaseHTTPServer import HTTPServer

from SimpleHTTPServer import SimpleHTTPRequestHandler

class MyHandler(SimpleHTTPRequestHandler):

def do_GET(self):

if self.path == '/ip':

self.send_response(200)

self.send_header('Content-type', 'text/html')

self.end_headers()

self.wfile.write('Your IP address is %s' % self.client_address[0])

return

else:

return SimpleHTTPRequestHandler.do_GET(self)

def do_POST(self):

content_length = int(self.headers['Content-Length'])

body = self.rfile.read(content_length)

self.send_response(200)

self.end_headers()

self.wfile.write('ok')

filename = self.path[1:]

with open(filename, 'w') as f:

f.write(body)

return

def do_PUT(self):

MyHandler.do_POST(self)

return

class HTTPServerV6(HTTPServer):

address_family = socket.AF_INET6

def main():

if len(sys.argv) > 1:

port = int(sys.argv[1])

else:

port = 80

server = HTTPServerV6(('::', port), MyHandler)

print('Serving http on '+server.server_name+' port '+str(server.server_port))

print('Upload files with: curl -T <file> <server ip>')

server.serve_forever()

if __name__ == '__main__':

main()

JIS-CTF: VulnUpload Vulnhub Writeup

My first boot2root beginners challenge taken from here: JIS-CTF: VulnUpload from vulnhub.com.
First we start with a nmap scan:

# Nmap 7.60 scan initiated Sat Mar 10 13:13:04 2018 as: nmap -sV -sC -oN jordan.txt 192.X.X.X
Nmap scan report for Jordaninfosec-CTF01.fritz.box (192.X.X.X)
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
|   256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
|_  256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 8 disallowed entries 
| / /backup /admin /admin_area /r00t /uploads 
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 10 13:13:11 2018 -- 1 IP address (1 host up) scanned in 7.18 seconds

# Nmap 7.60 scan initiated Sat Mar 10 13:13:04 2018 as: nmap -sV -sC -oN jordan.txt 192.X.X.X

Nmap scan report for Jordaninfosec-CTF01.fritz.box (192.X.X.X)

Host is up (0.00015s latency).

Not shown: 998 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)

| 256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)

|_ 256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (EdDSA)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

| http-robots.txt: 8 disallowed entries

| / /backup /admin /admin_area /r00t /uploads

|_/uploaded_files /flag

|_http-server-header: Apache/2.4.18 (Ubuntu)

| http-title: Sign-Up/Login Form

|_Requested resource was login.php

MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Sat Mar 10 13:13:11 2018 -- 1 IP address (1 host up) scanned in 7.18 seconds

Flag 1

The nmap scan already reveals a lot of information. The first flag can be found under the url http://[jordan vm]/flag:
The 1st flag is : {8734509128730458630012095}

Continue reading →

An overcomplicated solution for cmd2 ctf at Pwnable.kr

When I got some free time I try to solve some beginners hacker ctfs. Recently I stumbled over cmd2 at Pwnable.kr and it took me some time to solve it. Later I realized that my earlier attempts would have been successful if I knew the difference between calling arguments with "..." or '...'. 🙂
For starters, when calling a binary with "$(...)" the code inside $(…) will be executed first and then the result will be the arg for the binary.
When a binary is called with '$(...)' the whole parameter will be seen as argument. With some help from youtube I used the following solution for cmd2:

./cmd2 '$(cs() { printf ${@}; }; cs "\57bin\57cat\40fl"; cs "ag";)'

An easier solution as seen here would be:

./cmd2 '$(echo "\57bin\57cat \57home\57cmd2\57f")lag'

WiSo's collector blog

things I would like to remember

ctf

Simple IPv4 and IPv6 HTTP Server

JIS-CTF: VulnUpload Vulnhub Writeup

Flag 1

An overcomplicated solution for cmd2 ctf at Pwnable.kr