hashcat Forum Misc General Talk v
Custom Base64 ?

Thread Closed 
Threaded Mode
Custom Base64 ?
alert Offline
Junior Member
**
Posts: 8
Threads: 1
Joined: Sep 2015
#1
09-12-2015, 04:59 PM
Hey !

I registered cause I saw a similar topic and well you guys cracked it out ...

I've been working on a pentest here, after founding couple SQLI and XSS I'm now working on the some kind of token you pass through cookies, and well you're then considered logged in if you have a correct one

after a quick test with Burp Sequencer it seems quite random but i'm sure it's not

it a two parter that goes like this : someB64lookingchars*somemore*

both sometimes end up with one or two dots(.)

both contains a-zA-Z0-9, but first one sometimes contains _ or -

both have a major repetitive part

I believe it to be custom alphabet Base64, cause when I decode it I get each time same structure(for the second part, and nothing for the first), but with weird chars

I coded in py something trying each alphabet possibility and lookinf for a coherent one, but it's a very time consuming solution, maybe a year I don't know .... so if you have better solution for me I take it !!!

Sample of first part 

Code:
AQIC5wM2LY4SfcwSi-WAEW4nRPOBFUSCATEDsaE9zUTc-LM.
AQIC5wM2LY4SfcxA0BdpH9sdVrQ5WOBFUSCATEDo468Puh0.
AQIC5wM2LY4SfcwONGMDb6_0exML9OBFUSCATEDShVd0OYI.
AQIC5wM2LY4Sfcxw01hmll4OBFUSCATEDBQWr1kbi3_VtDY.


Sample of second part


Code:
AAJTSQACMDIAAlNLABIxMjk1NjAxMjg1NDcOBFUSCATEDlMxAAIwMQ.
AAJTSQACMDIAAlNLABQtMjU4NDYxNzM0MTBOFUSCATEDOQACUzEAAjAx
AAJTSQACMDIAAlNLABQtODU0ODI5MjYwMTOBFUSCATEDNAACUzEAAjAx
AAJTSQACMDIAAlNLABM2MTE1NTQ4NjMxNTOBFUSCATEDAAJTMQACMDE
AAJTSQACMDIAAlNLABQtODU1OTEyOTgwMzOBFUSCATEDOAACUzEAAjAx
AAJTSQACMDIAAlNLABQtMzE3MDY4NjUyNTOBFUSCATEDMQACUzEAAjAx
AAJTSQACMDIAAlNLABQtMzI4Mjc0NjEwODOBFUSCATEDMwACUzEAAjAx


Decoded sample second part

Code:
 ☻SI ☻02 ☻SK ¶-HERE_GOES_PURE_INTS ☻S1 ☻01

and it's urlencoded version in case you can't see thoses beautifull smyleys Smile

Code:
%00%02SI%00%0202%00%02SK%00%14-HERE_GOES_PURE_INTS%00%02S1%00%0201


HERE_GOES_PURE_INTS is if it's unclear, 19 numbers like 65923230900000144855

I Obfuscated part of each sample for the forum rules

thanks




PYTHON CUSTOM B64 BRUTEFORCE

Code:
import string,base64,sys,re,time

alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

total = list("0")

lout = list("OOOO")

open('C:\Users\John\Desktop\pouet.txt', 'w').close()
open('C:\Users\John\Desktop\pouet2.txt', 'w').close()

file1 =  open('C:\Users\John\Desktop\pouet.txt', 'a+')
file2 =  open('C:\Users\John\Desktop\pouet2.txt', 'a+')

def dec(txt1,custom):

out = ""

for v in txt1: out += str(custom[string.find(Base64,v)])

out = base64.b64decode(out+"=")

if out != lout[0]:

un = re.search('([\a-zA-Z0-9\&~#"\'\{\(\[\-\]\)\}\$\]\+=\*/_,\.;:!<>\s @%]+){19,}',out)

if un:  
file2.write (out+"  :::::  "+custom+"\r\n")
total[0] = int(total[0])+1

else:  
file1.write (out+"  :::::  "+custom+"\r\n")




lout[0] = out


def dept(a1,t1,c1):

i = 0
for x in a1:
a2 = list(a1)
e1 = a2[i]
del a2[i]
if len(a2) > 0:
dept(a2,str(t1)+str(e1),c1)
else:

w = (t1+e1)[::-1]
c1.append(w)
sys.stdout.write(str(total[0])+" - "+w+"\r")
sys.stdout.flush()    

#if int(total[0]) > 2: sys.exit(str(total[0])+" :::::::::: ok :::::::::::::::   ")
dec("AAJTSQACMDIAAlNLABM3NTM2NzA0NTgzNDc5Nzg2NTg1AAJTMQACMDE",w)

i += 1

c1 = list()
dept(alphabet[::-1],"",c1)

sys.exit("out")
Find
alert Offline
Junior Member
**
Posts: 8
Threads: 1
Joined: Sep 2015
#2
09-15-2015, 03:03 PM
.... Sad

well now i'm trying to decode just the first few letter "AAJTSQA" since I have 3 time a A i'm saving some precious time ...

Now in the millions of result i'm looking for some known syntax but till now nothing coherent ...

what if thoses special chars in with the normal alphabet are made for a special backe end like Java or something like that ? is it possible ?
Find
Thread Closed