kaiux

Challenge #7 pentesteracademylab

Sep 24th, 2013
  1. #!/usr/bin/perl
  2. #@kaiux
  3.  
  4. use Digest::MD5 qw(md5);
  5. use LWP::UserAgent;
  6. use URI;
  7.  
  8. $max_length = 6;
  9. @collection = ('x','y','z','1','2','3');
  10. # digest
  11. # https://en.wikipedia.org/wiki/Digest_access_authentication
  12. # http://www.sitepoint.com/understanding-http-digest-access-authentication/
  13. # http://perldoc.perl.org/Digest/MD5.html
  14.  
  15. =comment damn you perl :P
  16. Authorization: Digest username="webadmin", realm="Pentester-Academy",
  17. nonce="X95LDujmBAA=9c8ec8a0aeee0ddf7f24a5a75c57d0f90245d0f5", uri="/",
  18. algorithm=MD5, response="0fd7c603fdf61e89bfc9c95fb73e343a", qop=auth,
  19. nc=00000001, cnonce="89b024ea3adb54ec"
  20. =cut
  21.  
  22. ### got from the pcap file
  23. my $single_response = "0fd7c603fdf61e89bfc9c95fb73e343a";
  24. my $username = "webadmin";
  25. my $realm = "Pentester-Academy";
  26. my $nonce="X95LDujmBAA=9c8ec8a0aeee0ddf7f24a5a75c57d0f90245d0f5";
  27. my $nc="00000001";
  28. my $cnonce="89b024ea3adb54ec";
  29. my $qop="auth";
  30.  
  31. sub get_a1_digest {
  32.     my $password = $_[0];
  33.     my $dig_handler = Digest::MD5->new;
  34.     my $a1_data = "$username:$realm:$password";
  35.     $dig_handler->add($a1_data);
  36.     my $a1_digest = $dig_handler->hexdigest;
  37.  
  38.     return $a1_digest;
  39. }
  40.  
  41. sub get_a2_digest {
  42.     my $dig_handler = Digest::MD5->new;
  43.     my $a2_data = "GET:/";
  44.     $dig_handler->add($a2_data);
  45.     my $a2_digest = $dig_handler->hexdigest;
  46.  
  47.     return $a2_digest;
  48. }
  49.  
  50. sub get_md5_response {
  51.     my $a1 = $_[0];
  52.     my $a2 = $_[1];
  53.  
  54.     my $response_data = "$a1:$nonce:$nc:$cnonce:$qop:$a2";
  55.  
  56.     my $dig_handler = Digest::MD5->new;
  57.     $dig_handler->add($response_data);
  58.     my $response = $dig_handler->hexdigest;
  59.  
  60.     return $response;
  61. }
  62.  
  63.  
  64. sub run_http_request {
  65.     my $password = $_[0];
  66.  
  67.     my $url=qw(http://pentesteracademylab.appspot.com/lab/webapp/digest3/1);
  68.     my $u = URI->new($url);
  69.     my $ua = LWP::UserAgent->new(keep_alive => 1);
  70.  
  71.     $u->query_form(
  72.         'username' => $username,
  73.         'password' => $password,
  74.     );
  75.  
  76.     #runing request
  77.     my $response = $ua->get($u);
  78.  
  79.     my $output = $response->decoded_content;
  80.     if ($output =~ "cracked") {
  81.         print "Hell Yeah!!! \n";
  82.         print "user: $username, pass $password \n";
  83.  
  84.         return 1; #1 - TRUE :p
  85.     }
  86.  
  87.     return 0;
  88. }
  89.  
  90. #http://sness.blogspot.com.br/2008/04/permutations-with-repetition.html
  91. generate('');
  92.  
  93. sub generate {
  94.     my ($val) = $_[0];
  95.     my ($add) = $_[1];
  96.     $val .= $add;
  97.  
  98.     my $item;
  99.  
  100.     if (length($val) > $max_length - 1) {
  101.  
  102.         my $md5_response = get_md5_response(get_a1_digest($val), get_a2_digest());
  103.         #print $md5_response . "\n";
  104.  
  105.         if ($md5_response eq $single_response) {
  106.             print "Found it!!- $val - $md5_response - $single_response\n";
  107.             print "Lets try to authenticate \n";
  108.  
  109.             if (run_http_request($val)) {
  110.                 exit(1);
  111.             }
  112.         }
  113.  
  114.     } else {
  115.         foreach $item (@collection) {
  116.             generate($val,$item);
  117.         }
  118.     }
  119. }