Need a lead for decrypting this



  • Guys, I was confused about this target and I need some help to decrypt it.

    Unfortunately, because there were many details in both POST requests, I decided to share them all so that no points are missing.

    This is only for learning purposes, and to prevent abuse of this, important values were filtered with [HiddenName].

    ========================
    Post Data:

    USER: thisisuserName
    PASS: ThisIsPass123
    

    Request 1 (Post):


    Request URL: https://account.HiddenName.com/api/auth/info

    Response Headers:

    access: application/vnd.[HiddenName].api+json;apiversion=3
    access-control-allow-credentials: true
    access-control-allow-origin: https://account.[HiddenName].com
    access-control-expose-headers: Date, Retry-After
    cache-control: no-store, no-cache, must-revalidate, max-age=0
    cache-control: no-cache, private
    content-encoding: gzip
    content-length: 882
    content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval' blob: 'sha256-sr6QFXaAzaED/ceWMZXHe1Pyp61/PvOF8Qe1icp5vDQ='; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self' blob: https://secure.[HiddenName].com; object-src 'self' blob:; child-src 'self' data: blob:; report-uri https://reports.[HiddenName].ch/reports/csp; frame-ancestors 'none';
    content-type: application/json
    date: Fri, 05 Jun 2020 10:17:16 GMT
    expect-ct: max-age=2592000, enforce, report-uri="https://reports.[HiddenName].ch/reports/tls"
    expires: Fri, 04 May 1984 22:15:00 GMT
    pragma: no-cache
    public-key-pins-report-only: pin-sha256="8joiNBdqaYiQpKskgtkJsqRxF7zN0C0aqfi8DacknnI="; pin-sha256="drtmcR2kFkM8qJClsuWgUzxgBkePfRCkRpqUesyDmeE="; report-uri="https://reports.[HiddenName].ch/reports/tls"
    referrer-policy: strict-origin-when-cross-origin
    set-cookie: Session-Id=XtoaD5nlrtRfU403DwoDOgAAAMQ; Domain=[HiddenName].com; Path=/; HttpOnly; Secure; Max-Age=7776000
    set-cookie: Version=default; Path=/; Secure; Max-Age=7776000
    set-cookie: Version=; Domain=[HiddenName].com; Path=/; Secure; Expires=Thu, 01 Jan 1970 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    vary: Accept-Encoding
    x-content-type-options: nosniff
    x-frame-options: deny
    x-permitted-cross-domain-policies: none
    x-xss-protection: 1; mode=block; report=https://reports.[HiddenName].ch/reports/csp
    

    Request Headers:

    accept: application/vnd.[HiddenName].v1+json
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Connection: keep-alive
    Content-Length: 29
    Content-Type: application/json
    Cookie: Session-Id=XtoaD5nlrtRfU403DwoDOgAAAMQ; Version=default
    Host: account.[HiddenName].com
    Origin: https://account.[HiddenName].com
    Referer: https://account.[HiddenName].com/login
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
    x-pm-apiversion: 3
    x-pm-appversion: WebVPNSettings_4.1.19
    

    Request Payload:

    {Username: "thisisuserName"}
    

    Response:

    {"Code":1000,"Modulus":"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nC64xF7X2IOtFb68IpEXQZeKlBdqAgzLIAuZqIePaRF0wGJWltNBzFseL10y336utbhMW9Htpjy88ZPxLowLnm3YhPx3DQzWwvEXR3rdTbviU52LuefcTfM3XW3KB2o+d4KF1D0lOhwoSHBIY9mm3dr2ASsEDLk+lnmYLjcIwnEPP+tvEvW4E6ezUK150EsnM9M5DRaG6cj4dXR8QqMdVR4nS7tzcs16y13Uyx+KpxJfvdb2Qlb6zBlJguSmhKqTqFB8nSWR6H0ij5iKFSHnJg/B+0iRgw2vslPkp9/YTKkVmTLjqGI/aS3PuYJ7JVjlyWcOExPtdsz1Z0yjZNv3EgA==\n-----BEGIN PGP SIGNATURE-----\nVersion: [HiddenName]\nComment: https://[HiddenName].com\n\nwl4EARYIABAFAlwB1j4JEDUFhcTpUY8mAAAX+gEAw6Ayovf+34lSdqaeI7sL\n17vbw8/4fRlgfqatJ0RyrbgBAOf0Ko6x1t5cC9mjm+xM5exEBV9EyEQ39DQS\nYnv90PMP\n=RUtD\n-----END PGP SIGNATURE-----\n","ServerEphemeral":"TJaW/B0G+V79WtDnRl1eQ78zksLbyB0hr588ixEgZ1E0U8vJaTLp2GlROxIZGu+1ojSIexTuDaLrnBp3BlffmX4nCi0HmTP0FEYVQhMdUZOgwuk/0xRHN0kxaNFfTzN1ZmGbUzNhZ90cL9EFsyh7SAwcT2C1z9lrdKRWNou1MzUVfdQiRCG046jfuT+ouwYCoSBO8tvGyMTs6RgxUY0r+OimgxILvw9K4Jlxfz2wHYNlb2hOfkc+g14L8+ka0XlUbymo7VCAIpoKB9qIdFdRGIMNP72yNaV3teDqL3QBXVwUDp5FYJVgwkAKutyCZ7K1Fq3ocm/2r17rf3BfQbplfQ==","Version":4,"Salt":"tgKvLUwCNpGZig==","SRPSession":"5d1deb6be7254b6696cbd2559548be38"}
    

    Request 2 (Post):


    Request URL: https://account.HiddenName.com/api/auth

    Response Headers:

    access: application/vnd.[HiddenName].api+json;apiversion=3
    access-control-allow-credentials: true
    access-control-allow-origin: https://account.[HiddenName].com
    access-control-expose-headers: Date, Retry-After
    cache-control: no-store, no-cache, must-revalidate, max-age=0
    cache-control: no-cache, private
    content-length: 104
    content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval' blob: 'sha256-sr6QFXaAzaED/ceWMZXHe1Pyp61/PvOF8Qe1icp5vDQ='; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self' blob: https://secure.[HiddenName].com; object-src 'self' blob:; child-src 'self' data: blob:; report-uri https://reports.[HiddenName].ch/reports/csp; frame-ancestors 'none';
    content-type: application/json
    date: Fri, 05 Jun 2020 10:17:16 GMT
    expect-ct: max-age=2592000, enforce, report-uri="https://reports.[HiddenName].ch/reports/tls"
    expires: Fri, 04 May 1984 22:15:00 GMT
    pragma: no-cache
    public-key-pins-report-only: pin-sha256="8joiNBdqaYiQpKskgtkJsqRxF7zN0C0aqfi8DacknnI="; pin-sha256="drtmcR2kFkM8qJClsuWgUzxgBkePfRCkRpqUesyDmeE="; report-uri="https://reports.[HiddenName].ch/reports/tls"
    referrer-policy: strict-origin-when-cross-origin
    set-cookie: Session-Id=XtoaD5nlrtRfU403DwoDOgAAAMQ; Domain=[HiddenName].com; Path=/; HttpOnly; Secure; Max-Age=7776000
    set-cookie: Version=default; Path=/; Secure; Max-Age=7776000
    set-cookie: Version=; Domain=[HiddenName].com; Path=/; Secure; Expires=Thu, 01 Jan 1970 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-content-type-options: nosniff
    x-frame-options: deny
    x-permitted-cross-domain-policies: none
    x-xss-protection: 1; mode=block; report=https://reports.[HiddenName].ch/reports/csp
    

    Request Headers:

    accept: application/vnd.[HiddenName].v1+json
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Connection: keep-alive
    Content-Length: 803
    Content-Type: application/json
    Cookie: Session-Id=XtoaD5nlrtRfU403DwoDOgAAAMQ; Version=default
    Host: account.[HiddenName].com
    Origin: https://account.[HiddenName].com
    Referer: https://account.[HiddenName].com/login
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
    x-pm-apiversion: 3
    x-pm-appversion: WebVPNSettings_4.1.19
    

    Request Payload:

    {"ClientProof":"c63LKAed3Sp5+W4a7f1UgY7V5t8tMTTt/3MXONOVLTi9K5DnFxVo922VWeWa/ddt+odZYPt+Dl1vfN6N4agkPPLmLiEZb5o15st1Zm5k7g0uRJnLaaiB1AW6wajdcoXL8WoF/I70FP54kj6fd4GFK/4X0N2JnbCWkfwY0whHCgWxpp8MZvBArbJLER3ITZUdZVcflD3K2jJjozQX3CW0G7l1bCbeJWAhwOfLkbaNp5Omsutn2IG/Q/bgsBeTyL0ac1VZommED0b7mzUgAc6o6SjBztLAExaBjeFYYPJbFDQXRe3l3RFg19cgZ4hFM60fHu3SfJ24rjh7kUhSbWjHFg==","ClientEphemeral":"hD93Acp1+zNokntCFm4vBzkcLEXPsbDweaWllYAZ1lLOZC01ZEMe9T/2PJQY5CIT1+KdRVTTOtpQ3HKc5yy5zDxBTMtjO8135tY1wt2BYbwWw+/Cm8hvJ8HooqlAnAHIc5P1Qz6nEQ2FrYqAKcilj0CpMsGY08tCYUhGuS52UXquCAZ+qwhk69XxIKqNt8sJN+rzGPs7Fe1+Y+YKYREEdKcl7eMIu9nvyg4rWtpNlvII+Dd/m36dV5FelbDHGE03xW8gBLErozUnbJ9Ihqvaqk8x7vc65m/IJdEuJYmIuRvX0Z6cmKM4OMEXwKMMhXunM/9F2f/G5u+8r8bEc8R4BA==","SRPSession":"5d1deb6be7254b6696cbd2559548be38","Username":"thisisuserName"}
    

    Response:

    {"Code":8002,"Error":"Incorrect login credentials. Please try again","ErrorDescription":"","Details":{}}
    

    Note: these are the only two requests that happen on each login.


  • Donator

    Reset your cache for that site, then
    capture the loaded JavaScript
    and then search for the keywords ClientProof and ClientEphemeral.
    If you can't find the keywords, check the initiator in the Network tab when you send your request; it should show you the script, and then set breakpoints
    and have fun reversing the code 😄
    After that, replicate the encryption or hashing method in OpenBullet, either with JavaScript or with the available blocks if it's possible.





  • Thanks for your answer.

    I did another search in incognito and tried to search for something like "ClientEphemeral" in the results, but nothing was found (tested it on both the login and home pages).

    I'm a newbie on some of those subjects, which include reversing the code and probably dehashing (and I didn't find a value to hash or encrypt).

    What I also did is send the first request with the <USER> input, and it gave me "ServerEphemeral" instead of "ClientEphemeral" and some hashed values.


  • Donator

    If you use the Google network tools, sometimes they don't load the response/JS code. Either use Fiddler or switch to the source tab and search from there.



  • Tested both, yet no result.

    Even though I had tested the source code tab before, I did it again for the sake of insurance.



  • Example: https://cryptojs.gitbook.io/docs/
    Review all resources.


  • Donator

    Send the site via private message.



  • @dr-Hex8 I will definitely read them all, thanks.



  • I know this website; it has both VPN and MAIL.

    Even if you are lucky enough to finish the JS,
    you won't be able to brute with a high CPM.



  • I'm not really into getting an account or having a high CPM for it.

    Just trying to learn how to solve the puzzle (finish the JS).



  • If you are trying to learn, start with something easy;
    this one is really hard.



  • You have your hash and salt; you can parse both of them and make a request to the site to decrypt them.



  • @qMMMp Well, this is almost the level that I'm at right now, but if I knew of an easier version of this obstacle on another website I would definitely have tried it.

    @matricx Unfortunately, I don't know how to use both of them to decrypt it, but I'm still working on it right now; thanks for the help.

