- import requests
- from binascii import hexlify, unhexlify
- url = 'http://192.168.0.222:5000'
- # Any registered username and password (lab credentials from the write-up;
- # nothing beyond an ordinary account is needed, which is part of the problem)
- username = 'myBLfLEDraYh3Dq'
- password = '9GQLqu39EviKw'
- # default comment and any much longer string: the default description is the
- # known plaintext, the long one just has to be longer than the cookie
- original = 'No description yet'
- description = 'stringadiversamapiulungastringadiversamapiulungastringa'.encode('ascii')
- # do login; the server answers with an 'iv' and a 'session' cookie (read below)
- s = requests.session()
- r = s.post(url + '/login', data={'username': username, 'password': password})
- cur_iv = s.cookies['iv']
- ciphertext1 = s.cookies['session']
- # loop through 256 requests to obtain a two time pad: the 'iv' cookie is
- # compared with the one seen at login, so the IV is presumably a one-byte
- # counter that wraps within 256 updates (cannot be confirmed from this script).
- # Root cause, from a defender's view: a stream cipher keystream is reused
- # whenever the IV repeats under the same key, and XORing two such ciphertexts
- # cancels the keystream. Mitigation: IVs/nonces must never repeat under a key,
- # and a session cookie needs integrity protection (an AEAD, or an HMAC over
- # the whole cookie) or should simply be an opaque server-side session id.
- for i in range(int(cur_iv), int(cur_iv)+256):
- s.post(url + '/user', data={'description': description})
- if s.cookies['iv'] == cur_iv:
- ciphertext2 = s.cookies['session']
- # find the first hex offset at which the two cookies differ. NOTE(review): this
- # inner loop reuses the outer loop's `i`; with indentation lost in this listing,
- # which `i` the slices further down read cannot be confirmed.
- for i in range(0, len(ciphertext1), 2):
- if ciphertext1[i:i+1] != ciphertext2[i:i+1]:
- break
- # obtain new cookies with the original comment to flip the false into true
- s.post(url + '/user', data={'description': original})
- cur_iv = s.cookies['iv']
- uid = s.cookies['uid']
- description = description.hex()
- ciphertext1 = ciphertext1[i:]
- ciphertext2 = ciphertext2[i:i+len(description)]
- # xor our known plaintext with the given ciphertext to recover part of the rc4 stream
- key = '{:x}'.format(int(ciphertext2, 16) ^ int(description, 16))[0:len(ciphertext1)]
- # xor our known rc4 stream with the default comment on the same iteration to decrypt the final part of the cookie
- plaintext = unhexlify('{:x}'.format(int(key, 16) ^ int(ciphertext1, 16)))
- # print the plaintext and notice it has a show_flag parameter
- print('[*] Decrypted first cookie: ' + plaintext.decode('ascii'))
- # xor 'true ' with 'false' to calculate the value to use to flip the ciphertext
- # (this bit-flip only succeeds because nothing authenticates the cookie: the
- # server apparently decrypts and trusts whatever it receives; an HMAC or AEAD
- # tag would make the modified cookie fail verification instead)
- flip = '{:x}'.format(int('true '.encode('ascii').hex(), 16) ^ int('false'.encode('ascii').hex(), 16))
- cur_session = s.cookies['session']
- # xor to obtain 'true ' from 'false'
- flip = '{:x}'.format(int(flip, 16) ^ int(cur_session[-12:-2], 16))
- session = cur_session[0:-12] + flip + cur_session[-2:]
- # get the flag! Detection note: a burst of hundreds of POSTs to /user from one
- # session, followed by a request carrying a session cookie the server never
- # issued, is the observable footprint of this technique in access logs.
- flag = requests.get(url + '/user', cookies={'iv': cur_iv, 'uid': uid, 'session': session})
- print('[*] Got the flag: ' + flag.text)