#!/usr/bin/env python3 """ Test if the MISO sector values ARE the keys themselves """ import requests API = 'http://154.57.164.76:32127/api' uid = '04f6555b' username = '6178656c5f6f757472756e' # MISO extracted values s22_miso = 'cd335e314d4f8634cd1f' s34_miso = '5e4ce0a703078634cd1f' # MOSI extracted values mosi_full = '0292640464020a820860081608cd0833085e0831084d084f0886083408cd081f' print("[*] Testing hypothesis: MISO values ARE the LCG outputs embedded\n") # Test 1: What if cd335e314d4f (first 6 bytes of s22) ARE keys 4-5? print("Test 1: Using first 6 bytes of S22 MISO as keys") auth = mosi_full[:32] + s22_miso[:12] # sector + cd335e314d4f data = { 'uid': uid, 'username': username, 'authorization_code': auth, 'access_level': s34_miso } try: r = requests.post(API, data=data, timeout=3) result = r.json() if result.get('flag') and len(result.get('flag', '')) > 5: print(f"SUCCESS! FLAG: {result['flag']}") exit(0) else: print(f" Result: {result.get('door_status')}") except Exception as e: print(f" Error: {e}") # Test 2: What if we need DIFFERENT parts? # Maybe sector_22 is the MOSI data + MISO data appended? print("\nTest 2: MOSI sector + MISO as keys") auth = '0292640464020a82' + s22_miso # 8 bytes MOSI + MISO data['authorization_code'] = auth try: r = requests.post(API, data=data, timeout=3) result = r.json() if result.get('flag') and len(result.get('flag', '')) > 5: print(f"SUCCESS! FLAG: {result['flag']}") exit(0) else: print(f" Result: {result.get('door_status')}") except: pass # Test 3: Just MISO values as auth and access print("\nTest 3: MISO values directly") data['authorization_code'] = s22_miso data['access_level'] = s34_miso try: r = requests.post(API, data=data, timeout=3) result = r.json() if result.get('flag') and len(result.get('flag', '')) > 5: print(f"SUCCESS! FLAG: {result['flag']}") exit(0) else: print(f" Result: {result.get('door_status')}") except: pass # Test 4: Varying the split points print("\nTest 4: Different MOSI/MISO combinations") for mosi_len in [8, 10, 12, 14, 16]: for key_len in [6, 8, 10]: if mosi_len + key_len > len(mosi_full)//2: continue mosi_part = mosi_full[:mosi_len*2] key_part = s22_miso[:key_len*2] auth = mosi_part + key_part data['authorization_code'] = auth data['access_level'] = s34_miso try: r = requests.post(API, data=data, timeout=2) result = r.json() if result.get('flag') and len(result.get('flag', '')) > 5: print(f"\nSUCCESS! MOSI={mosi_len} bytes, KEY={key_len} bytes") print(f"FLAG: {result['flag']}") exit(0) except: pass print("\n[-] No combination worked") print("[*] The brute force continues...")