
I have been given this challenge, to "hack" a website to register in it, with some given hints. It includes 3 steps.

1. site_url/login - a POST request with login credentials (username, password - I have these) in the body of the request. After this it gives a JSON response that looks like this:

{
    "token": "U2FsdGVkX18VaaqQc/R3Xi3jQtMMlPNku0YJzn0KNMYX0GY2ZELDfA5smRduUs5Cf519WmgaQnA+j6MpwCsvi/699R5oaUdXHCrgzrsZEKM="
}

Every time I send the request I get a different token from the previous one.

2. site_url/keys - a GET request with the token in the Authorization field of the header. It returns an array of 500 base64 strings that look like this:

[
    "U2FsdGVkX19UgyaPxxLVM2J5LIzQPR+FDjjMWkSWcOseMSfGPWTrnC4EAIzB6EbmKS9jewVBq9BCf9FiHQDlxipYADA3A2i+jTYt0028sOrd/dkrAZCXVJBbNUDWYy6+",
    "U2FsdGVkX1/9YThiCftxiLRK6GpEY6iouivp5eGCzCfv+HVoKeaS8z/Ut7BFWAm4yVTUasl87MM2pR47EIVJZ8A62sPmfTtGabz9PMlOKCnf1UKRAZFr69dZzQy71jc7",
    ......
    "U2FsdGVkX1/yN0jrC5VPyzbiLZ5HAiPREyojo9sb+dUw+pYcGmIUocoh9m8SeQsItKFElyVz/7xhaGkrBmpvOsdFNLFsIcfObVqZ1H7T9ZAPXoZibg9+tVRDYV/3VQWm"
]

Every time I send this it gives me different strings from the previous ones.

3. site_url/register - a POST request with the token in the Authorization field of the header (without it responds "unauthorized") and one of the keys from the array in the body JSON as such:

{
    "key": "U2FsdGVkX18vwo3TVGLIwbxvkJ4NIf1GhBBIkNw9deRciB9O6/aC9KkFxVZ09WrxzB2YFncchsNY/hZYec/Hxvj1wlCK+7iZAyqNaW0hIBm17lZEloIwJVVfjX9wlkVr"
}

It returns:

{ error: 'Forbidden: Invalid registration key' }

I am assuming that I need to "bruteforce" those 500 keys and see which one works, but so far I couldn't do that as after a few requests the website gives error 503 or 502. From my side it seems like the website is going down (even when I check on my phone with mobile data). After a couple of minutes it starts working again. I am using node.js and the fetch API.

List of things I tried so far:

- changed referrer in the fetch options
- generated a random IP address for 'X-Forwarded-For' in the request header
- put these in the fetch options: credentials: "omit", cache: "no-store"
- tried doing step 2 and changing the Authorization field in the header for every key in the array

List of things I want to try but don't know how:

- try decrypting those salted Base64 strings
- try somehow combining those strings in the array into a file

Hope the explanation was clear.

What can I try else or what am I doing wrong?

  • See [What is U2FsdGVkX1?](https://crypto.stackexchange.com/q/8776) If you know the password, you should be able to decrypt the ciphertext, e.g. with [openssl enc](https://www.openssl.org/docs/man1.1.1/man1/enc.html). Algorithm (aes-256-cbc,...) for decryption, digest (md5, sha256,...) for key derivation etc. have to be tried (if not known). – Topaco Jan 21 '23 at 07:51
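As an added illustration of the comment above (this is not code from the question, the challenge site, or the commenter): every string begins with "U2FsdGVkX1" because it is the base64 of OpenSSL's "Salted__" header, so each blob is an 8-byte magic, an 8-byte salt and an AES-CBC ciphertext. The Python below parses that envelope and reimplements the legacy key derivation (EVP_BytesToKey, assumed here to be the MD5 single-iteration variant that `openssl enc -md md5` uses); the token from the question is used as sample input, and the actual AES decryption (which needs the password and an AES library) is left out.

```python
import base64
import hashlib

# OpenSSL `enc` writes this 8-byte magic before the 8-byte salt; its base64
# always starts with "U2FsdGVkX1", which is what every string here shows.
OPENSSL_MAGIC = b"Salted__"

# Sample input copied from the question's login response (used only as test data).
SAMPLE_TOKEN = ("U2FsdGVkX18VaaqQc/R3Xi3jQtMMlPNku0YJzn0KNMYX0GY2ZELDfA5smRduUs5C"
                "f519WmgaQnA+j6MpwCsvi/699R5oaUdXHCrgzrsZEKM=")


def split_openssl_blob(b64_blob: str) -> tuple:
    """Return (salt, ciphertext) from a base64 OpenSSL `enc` blob.

    Raises ValueError if the magic is missing or the ciphertext is not a
    whole number of 16-byte AES blocks, which a CBC blob from `openssl enc`
    (PKCS#7 padded) must be.
    """
    raw = base64.b64decode(b64_blob, validate=True)
    if len(raw) < 32 or raw[:8] != OPENSSL_MAGIC:
        raise ValueError("not an OpenSSL 'Salted__' blob")
    salt, ciphertext = raw[8:16], raw[16:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not block aligned")
    return salt, ciphertext


def is_openssl_blob(b64_blob: str) -> bool:
    """True when the string parses as a well-formed 'Salted__' blob."""
    try:
        split_openssl_blob(b64_blob)
        return True
    except (ValueError, TypeError):
        return False


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, md: str = "md5") -> tuple:
    """OpenSSL's legacy EVP_BytesToKey with a single iteration.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); the
    concatenation D_1 || D_2 || ... is cut into key and IV (aes-256-cbc
    needs 32 + 16 bytes). There is no work factor, so the strength of such a
    blob rests entirely on the password.
    """
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]
```

With the password known, the returned key and IV go into AES-256-CBC and the PKCS#7 padding is stripped; the equivalent command-line check is the `openssl enc -d` call from the linked answer, varying `-md` and the cipher if they are not known.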
