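#!/usr/bin/env python3
"""Cookie-forgery PoC against a ChaCha20-encrypted session cookie.

The target hands out ``cookie`` and ``nonce`` as integers from ``/login`` and
accepts them back as query parameters on ``/flag``.  ChaCha20 is a stream
cipher: ciphertext = plaintext XOR keystream.  Without an authenticator (a MAC,
or an AEAD such as ChaCha20-Poly1305) the cookie is malleable: XORing a mask
into a ciphertext byte XORs the same mask into the corresponding plaintext
byte, no key required.  The cookie layout modelled below ends in ``admin=0``,
a single ASCII digit, so flipping the last byte with
``ord('0') ^ ord('1') == 0x01`` yields ``admin=1``.

Fix relative to the previous revision: candidates are now derived from the
untouched ciphertext.  The old loop did ``cookie[-1] ^= i`` on the same
buffer, so the mask actually applied was the running XOR of 1..i, which
skipped roughly half the byte values and repeatedly re-sent the unmodified
cookie.  Dead commented-out experiments were dropped.
"""
import sys
import time

REMOTE_BASE = "http://130.192.5.212:6522"
LOCAL_BASE = "http://127.0.0.1:5000"
# The original script overrode the remote URLs with localhost; keep that as the
# effective target and switch BASE to REMOTE_BASE to hit the live instance.
BASE = LOCAL_BASE
LOGIN = f"{BASE}/login"
FLAG = f"{BASE}/flag"

USERNAME = "aa"
# 30-day expiry, mirroring what the reference layout below assumes the server
# puts into the cookie.  Only used to estimate the plaintext length.
EXPIRE_DATE = int(time.time()) + 30 * 24 * 60 * 60
# Presumed server-side plaintext layout — TODO confirm against the service;
# it is only used for a length sanity check, never sent.
REFERENCE_COOKIE = f"username={USERNAME}&expires={EXPIRE_DATE}&admin=0"

# Targeted flip: turns the trailing '0' of "admin=0" into '1'.
ADMIN_FLIP_MASK = ord("0") ^ ord("1")


def int_to_bytes(value: int) -> bytes:
    """Minimal big-endian encoding of a non-negative int.

    Equivalent to Cryptodome's ``long_to_bytes``: leading 0x00 bytes are
    not representable, so a ciphertext starting with 0x00 comes back one
    byte shorter than it was encrypted.
    """
    if value < 0:
        raise ValueError("value must be non-negative")
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def bytes_to_int(data: bytes) -> int:
    """Inverse of :func:`int_to_bytes` (Cryptodome's ``bytes_to_long``)."""
    return int.from_bytes(data, "big")


def forge_cookie(ciphertext: bytes, mask: int, position: int = -1) -> bytes:
    """Return a copy of ``ciphertext`` with ``mask`` XORed into one byte.

    Args:
        ciphertext: stream-cipher output; never modified in place.
        mask: single-byte XOR mask (0..255).
        position: index of the byte to alter; defaults to the last byte.

    Raises:
        ValueError: on empty input or an out-of-range mask.
        IndexError: if ``position`` is outside the ciphertext.
    """
    if not ciphertext:
        raise ValueError("empty ciphertext")
    if not 0 <= mask <= 0xFF:
        raise ValueError("mask must fit in one byte")
    forged = bytearray(ciphertext)
    forged[position] ^= mask
    return bytes(forged)


def candidate_masks() -> list[int]:
    """Masks to try, targeted '0'->'1' flip first, then every other value."""
    return [ADMIN_FLIP_MASK] + [m for m in range(1, 256) if m != ADMIN_FLIP_MASK]


def main() -> int:
    # Local import keeps the pure helpers above usable without the HTTP
    # dependency installed.
    import requests

    print(f"Cookie len:{len(REFERENCE_COOKIE.encode())}")

    session = requests.Session()
    resp = session.get(url=LOGIN, params={"username": USERNAME, "admin": 1})
    resp.raise_for_status()
    body = resp.json()
    ciphertext = int_to_bytes(int(body["cookie"]))
    nonce = body["nonce"]
    print(f"Cookie encrypted len:{len(ciphertext)}")

    # If the lengths disagree the last byte may not be the admin digit, e.g.
    # because the integer encoding dropped a leading 0x00 or the server's
    # layout differs from REFERENCE_COOKIE.  Continue, but say so.
    if len(ciphertext) != len(REFERENCE_COOKIE.encode()):
        print(
            "warning: ciphertext length differs from the modelled cookie layout; "
            "the flipped byte may not be the admin flag",
            file=sys.stderr,
        )

    # Each candidate is built from the pristine ciphertext; the nonce is
    # replayed unchanged so the server derives the same keystream.
    for mask in candidate_masks():
        forged = forge_cookie(ciphertext, mask)
        reply = session.get(
            url=FLAG, params={"cookie": bytes_to_int(forged), "nonce": nonce}
        )
        print(f"mask=0x{mask:02x}: {reply.text}")
    return 0


if __name__ == "__main__":
    sys.exit(main())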