initial commit
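--- a/CTF/CryptoFailureV1.1/cookie.php
+++ b/CTF/CryptoFailureV1.1/cookie.php
@@ -0,0 +1,96 @@
+<?php
+include('config.php');
+
+function generate_cookie($user,$ENC_SECRET_KEY) {
+$SALT=generatesalt(2);
+
+$secure_cookie_string = $user.":".$_SERVER['HTTP_USER_AGENT'].":".$ENC_SECRET_KEY;
+
+$secure_cookie = make_secure_cookie($secure_cookie_string,$SALT);
+
+setcookie("secure_cookie",$secure_cookie,time()+3600,'/','',false);
+setcookie("user","$user",time()+3600,'/','',false);
+}
+
+function cryptstring($what,$SALT){
+
+return crypt($what,$SALT);
+
+}
+
+
+function make_secure_cookie($text,$SALT) {
+
+$secure_cookie='';
+
+foreach ( str_split($text,8) as $el ) {
+$secure_cookie .= cryptstring($el,$SALT);
+}
+
+return($secure_cookie);
+}
+
+
+function generatesalt($n) {
+$randomString='';
+$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+for ($i = 0; $i < $n; $i++) {
+$index = rand(0, strlen($characters) - 1);
+$randomString .= $characters[$index];
+}
+return $randomString;
+}
+
+
+
+function verify_cookie($ENC_SECRET_KEY){
+
+
+$crypted_cookie=$_COOKIE['secure_cookie'];
+$user=$_COOKIE['user'];
+$string=$user.":".$_SERVER['HTTP_USER_AGENT'].":".$ENC_SECRET_KEY;
+
+$salt=substr($_COOKIE['secure_cookie'],0,2);
+
+if(make_secure_cookie($string,$salt)===$crypted_cookie) {
+return true;
+} else {
+return false;
+}
+}
+
+
+if ( isset($_COOKIE['secure_cookie']) && isset($_COOKIE['user'])) {
+
+$user=$_COOKIE['user'];
+
+if (verify_cookie($ENC_SECRET_KEY)) {
+
+if ($user === "admin") {
+
+echo 'congrats: ******flag here******. Now I want the key.';
+
+} else {
+
+$length=strlen($_SERVER['HTTP_USER_AGENT']);
+print "<p>You are logged in as " . $user . ":" . str_repeat("*", $length) . "\n";
+print "<p>SSO cookie is protected with traditional military grade en<b>crypt</b>ion\n";
+}
+
+} else {
+
+print "<p>You are not logged in\n";
+
+
+}
+
+}
+else {
+
+generate_cookie('guest',$ENC_SECRET_KEY);
+
+header('Location: /');
+
+
+}
+?>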
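Review bot: `make_secure_cookie()` is not a MAC: it splits `user:User-Agent:key` into 8-byte pieces and runs each through `crypt()` with a 2-character salt drawn from `rand()`, so every piece is an independent DES-crypt hash that can be checked or reused apart from the rest, which exposes the key to piecewise guessing. The tag should be one keyed hash over the whole value, `hash_hmac('sha256', $user . ':' . $_SERVER['HTTP_USER_AGENT'], $ENC_SECRET_KEY)`, and `verify_cookie()` should compare it with `hash_equals()` rather than `===`. Separately, the `print "<p>You are logged in as " . $user` line writes a cookie value into HTML without `htmlspecialchars()`, and both `setcookie()` calls pass `false` for secure and leave httponly unset. If the weakness is the point of the challenge, a header comment saying the file is intentionally vulnerable would keep it from being copied as a pattern.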
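--- a/CTF/CryptoFailureV1.1/cookie.txt
+++ b/CTF/CryptoFailureV1.1/cookie.txt
@@ -0,0 +1 @@
+ZMo2taPOmMhdMZM2z2AphWcILoZMxFinCLiRVmEZMWLmCZ2GHerYZM1rS15r7gIwAZMqbuJOmUXbHEZMQJNUkDXzcjgZM81jTHEw6x7AZM5QmbHcA6swYZMfaTKbn9OSVUZMcy9ybzEcYooZMS9XvXW2YLQgZM0x9ygBRXkd.ZMjgjfPOZb5ZYZMw.PexD1NMpUZMOAoe8smu6HQZMWVrh9ayWl76ZMfh8Y.UuqFnQZMZ0z2OMEoJH2ZMA3%2FHC9OFvXcZMQiJ3o8MZfP.ZMw8DRJbQhT5cZMk1melCAEgg6ZMCkfK2wdjjywZMw9YyP4ZUgmIZMdz5BwNSEbiIZMMdf1cyEoC.6ZMt5kzmvdKFcwZMlzwOBHtPfJI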
1
CTF/CryptoFailureV1.1/file_fuzz1.txt
Normal file
1
CTF/CryptoFailureV1.1/file_fuzz1.txt
Normal file
File diff suppressed because one or more lines are too long
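--- a/CTF/CryptoFailureV1.1/nmap_scan1.txt
+++ b/CTF/CryptoFailureV1.1/nmap_scan1.txt
@@ -0,0 +1,26 @@
+# Nmap 7.95 scan initiated Fri Oct 17 16:03:12 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oN nmap_scan1.txt 10.10.199.200
+Nmap scan report for 10.10.199.200
+Host is up (0.099s latency).
+Not shown: 998 closed tcp ports (reset)
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 256 57:2c:43:78:0c:d3:13:5b:8d:83:df:63:cf:53:61:91 (ECDSA)
+|_ 256 45:e1:3c:eb:a6:2d:d7:c6:bb:43:24:7e:02:e9:11:39 (ED25519)
+80/tcp open http Apache httpd 2.4.59 ((Debian))
+|_http-title: Did not follow redirect to /
+|_http-server-header: Apache/2.4.59 (Debian)
+Device type: general purpose
+Running: Linux 4.X
+OS CPE: cpe:/o:linux:linux_kernel:4.15
+OS details: Linux 4.15
+Network Distance: 2 hops
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+TRACEROUTE (using port 554/tcp)
+HOP RTT ADDRESS
+1 69.27 ms 10.14.0.1
+2 68.41 ms 10.10.199.200
+
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Fri Oct 17 16:03:26 2025 -- 1 IP address (1 host up) scanned in 13.81 seconds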
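--- a/CTF/CryptoFailureV1.1/python_create_cookie.py
+++ b/CTF/CryptoFailureV1.1/python_create_cookie.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python3
+# generate_admin_cookie_passlib.py
+# Produces ready-to-use Set-Cookie headers for user=admin replicating PHP crypt() with 2-char salt.
+#
+# Requires: pip install passlib
+#
+import sys
+import time
+import random
+import email.utils
+from passlib.hash import des_crypt # pip install passlib
+
+def generatesalt(n=2):
+characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+return ''.join(random.choice(characters) for _ in range(n))
+
+def make_secure_cookie(text, salt):
+"""
+Replicates the PHP code:
+foreach (str_split($text, 8) as $el) { $secure_cookie .= crypt($el, $SALT); }
+using DES-based crypt (2-char salt). Each chunk becomes a 13-char crypt output;
+these are concatenated to form the secure_cookie.
+"""
+chunks = [text[i:i+8] for i in range(0, len(text), 8)]
+out = "".join(des_crypt.hash(chunk, salt=salt) for chunk in chunks)
+return out
+
+def http_expires_secs(seconds_from_now=3600):
+return email.utils.formatdate(time.time() + seconds_from_now, usegmt=True)
+
+def generate_admin_cookie(enc_secret_key, user_agent=None, salt=None, lifetime=3600):
+if user_agent is None:
+user_agent = "Mozilla/5.0 (X11; Linux x86_64)"
+if salt is None:
+salt = generatesalt(2)
+secure_cookie_string = f"admin:{user_agent}:{enc_secret_key}"
+secure_cookie = make_secure_cookie(secure_cookie_string, salt)
+expires = http_expires_secs(lifetime)
+return {
+"user": "admin",
+"secure_cookie": secure_cookie,
+"salt": salt,
+"expires": expires,
+"path": "/"
+}
+
+def main():
+args = sys.argv[1:]
+if len(args) >= 1:
+ENC_SECRET_KEY = args[0]
+else:
+print("Usage: python generate_admin_cookie_passlib.py <ENC_SECRET_KEY> [User-Agent] [salt]")
+sys.exit(1)
+
+ua = args[1] if len(args) >= 2 else "Mozilla/5.0 (X11; Linux x86_64)"
+salt_arg = args[2] if len(args) >= 3 else None
+
+cookie = generate_admin_cookie(ENC_SECRET_KEY, user_agent=ua, salt=salt_arg)
+print("# Ready-to-use Set-Cookie headers (paste into Burp / DevTools -> Request Headers)")
+print(f"Set-Cookie: user={cookie['user']}; Expires={cookie['expires']}; Path={cookie['path']}")
+print(f"Set-Cookie: secure_cookie={cookie['secure_cookie']}; Expires={cookie['expires']}; Path={cookie['path']}")
+print("\n# Example: curl with cookies (server sees your request's User-Agent):")
+print(f"curl -A \"{ua}\" -b \"user={cookie['user']}; secure_cookie={cookie['secure_cookie']}\" http://TARGET/")
+print("\n# If you want to use a specific salt (e.g. to match an existing cookie's salt), pass it as the 3rd arg.")
+print("# Note: replace TARGET with the challenge domain/host when using curl.")
+
+if __name__ == "__main__":
+main()
+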
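Review bot: The header comment and the usage string both call this script `generate_admin_cookie_passlib.py`, but the file is committed as `python_create_cookie.py`, so the printed usage line names a file that is not in the repository. The default User-Agent literal is also written twice, once in `generate_admin_cookie()` and once in `main()`; a module constant such as `DEFAULT_UA = "Mozilla/5.0 (X11; Linux x86_64)"` would keep the two from drifting apart. `generatesalt()`, `http_expires_secs()` and `generate_admin_cookie()` have no docstrings; one line each naming the inputs and the returned value would match the docstring already present on `make_secure_cookie()`.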