by stdcall83 on 5/9/19, 6:58 PM with 98 comments
by atdt on 5/9/19, 9:40 PM
Poke around and you'll find code for POSTing JSON-encoded credentials to http://35.246.158.51:8070/auth/getUrl. (Grep for the IP to find it.)
So, using the web site name as the seed and the 'client id' as the password, we get:
$ curl -X POST -H "Content-Type: application/json" -d '{"Seed": "3d375032374147a7865753e4bbc92682", "Password": "d7c6bdcfcb184bf587ceee7c7c28e72e"}' http://35.246.158.51:8070/auth/getUrl
The response is an HTTP 200 and: {"AuthURL":"/auth/v2"}
http://35.246.158.51:8070/auth/v2 is I guess the next step.
edit: The /auth/getUrl endpoint responds to any request with the same response, so that may not be the right Seed/Password combination.
by chrismeller on 5/9/19, 8:17 PM
by tdhoot on 5/9/19, 8:10 PM
"Welcome Agent.
A team of field operatives is currently on-site in enemy territory, working to retrieve intel on an imminent terrorist attack.
The intel is contained in a safe, the plans for which are available to authorized clients via an app [0].
Our client ID is d09ff4ec651c48f89f7f7aa19160bd55
Your mission is to retrieve those plans, and allow our team to break into the safe.
Good luck!,
M."
[0]: http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk
by jsdev93 on 5/9/19, 8:57 PM
As an IP address, 35.246.158.51 leads to the site OP posted.
by laurentl on 5/9/19, 9:36 PM
The challenges usually involve static analysis / disassembly, breaking improperly configured crypto, etc. The best part (for me at least) is that competitors must submit a write-up of how they cracked the challenge, and the best write-ups are published. It makes for fascinating reading even if you’re not really into that scene.
by andr0id on 5/10/19, 2:44 AM
https://books.google.rs/books?id=1nfhpqvLSM4C&pg=PA397&lpg=P...
On page 397 there is an entry in the index: "iWalk, v2 71". On the same page there are interesting terms like Islamic terrorism, jihad via internet, Judaism... Also, the page number 71 which stands next to the iWalk term is an interesting coincidence, since this riddle is celebrating 71 years of Israel's independence...
by hashberry on 5/9/19, 9:33 PM
1. Access $("#text1")[0].innerHTML
2. $( document ).ready() { typeWriter (); }
facepalm
by lone_haxx0r on 5/9/19, 8:29 PM
by salawat on 5/9/19, 8:23 PM
Remember, this thing'll be getting picked apart by everybody considering the source.
Unless you're afraid of getting black bagged that i...<SIGNAL LOST>
by qwerty40 on 5/17/19, 4:38 AM
by Ritsuko_akagi on 5/9/19, 8:24 PM
by jakobov on 5/9/19, 8:41 PM
by Harible on 5/10/19, 2:26 PM
by alphagrep12345 on 5/9/19, 8:39 PM
by Naac on 5/9/19, 8:41 PM
by DvirRonaldo on 5/10/19, 7:58 AM
Challenge-1: Link http://3d375032374147a7865753e4bbc92682.xyz / http://35.246.158.51
Download app.apk from http://3d375032374147a7865753e4bbc92682.xyz/static/app.apk
Remember your Client ID - mine is 854279b4c89e4b5c9722352c3f9f1d6c. You will use it as the "Seeder" property in the app.

Using Wireshark (or any other packet sniffer) we can see that the login button does this:

    POST /auth/v2 HTTP/1.1si
    user-agent: iWalk-v2
    content-type: application/json; charset=utf-8
    accept-encoding: gzip
    content-length: 29
    host: 35.246.158.51:8070

    {"Seed":"admin","Password":"admin "}

    HTTP/1.1 200 OK
    Content-Type: application/json
    Date: Wed, 08 May 2019 21:49:05 GMT
    Content-Length: 47

    {"IsValid":false,"LockURL":"","Time":149646302}

Using http://www.javadecompilers.com/, I decompiled the apk and got a look at the Manifest:

    <?xml version="1.0" encoding="utf-8" .......
    <activity android:configChanges="density|fontScale|keyboard|keyboardHidden|layoutDirection|locale|orientation|screenLayout|screenSize" android:hardwareAccelerated="true" android:launchMode="singleTop" android:name="com.iwalk.locksmither.MainActivity" .... .....

The line "look for us on github.com" got my attention, so I looked for iwalk.locksmither on GitHub and found "iwalk-locksmithers", link: https://github.com/iwalk-locksmithers-app. The server source code was there. In the code, there are a few comments that can help.
https://github.com/iwalk-locksmithers-app/server/blob/master... link 70 points us to the auth-1 weakness.
The part of:

    for currentIndex < len(lock.Password) && currentIndex < len(loginData.Password) {
        if lock.Password[currentIndex] != loginData.Password[currentIndex] {
            break
        }
        //OG: securing against bruteforce attempts... ;-)
        time.Sleep(30 * time.Millisecond)
        currentIndex++
    }

The "securing against bruteforce" (trying all combinations) is the weakness. The idea behind hacking the password is to try only one char at first. If we get a 30 ms delay, it means we got the 1st char right, so then we can check the next one, so we will try 2 chars (the 1st we know, the second we will guess). If we get a 60 ms +- delay then we got the 2nd char and we will try the third one, and again and again, until we get the password.
To solve it, I wrote simple C# code that does an http push to the server in a loop every time we try to add a new char to the password, and if we get a delay that is +- 30 ms more than the last try, we add that char to our final password. The URI is http://35.246.158.51:8070/auth/v1_1 and the user agent is ed9ae2c0-9b15-4556-a393-23d500675d4b (as written in the server). I did some avg calcs of the delays. The password length is 32 with hex chars (didn't know that until I guessed the password). We know that the password is correct when we get back "IsValid":true.
*The Time we get is in nanoseconds and not ms.
After I entered the password and client ID, I got a link for a token and a link for challenge 2:
http://759d8eba52184f538c8a4525680cfb33.xyz/
Challenge-2 http://759d8eba52184f538c8a4525680cfb33.xyz/
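
Added example, not part of the thread or of the challenge's server code: the early-exit comparison quoted in the write-up above, next to a constant-time replacement in Go. The function names, the validity rule in `leakyCompare` and the sample password are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// leakyCompare follows the loop quoted above: it stops at the first mismatch.
// matched is the number of loop iterations, which the server's 30 ms sleep per
// iteration turns into response time. The validity rule is an assumption.
func leakyCompare(stored, supplied string) (matched int, valid bool) {
	i := 0
	for i < len(stored) && i < len(supplied) {
		if stored[i] != supplied[i] {
			break
		}
		i++ // the quoted code also sleeps 30 ms here
	}
	return i, i == len(stored) && len(stored) == len(supplied)
}

// constantTimeEqual is the hardened form: both inputs are hashed to a fixed
// 32 bytes, then compared with no early exit, so the work done does not
// depend on how many leading characters are correct.
func constantTimeEqual(stored, supplied string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(supplied))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

func main() {
	stored := "0123456789abcdef0123456789abcdef" // constructed sample, not a real password
	for _, guess := range []string{"f", "0", "01f", stored} {
		n, ok := leakyCompare(stored, guess)
		fmt.Printf("%-32q leaky: matched=%d valid=%v | constant-time: %v\n",
			guess, n, ok, constantTimeEqual(stored, guess))
	}
}
```

A delay or attempt limit that is applied the same way whatever the comparison result slows brute forcing without revealing how many characters matched.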
by zuburking on 5/12/19, 4:16 PM
by yanirta on 5/11/19, 1:02 PM