HOW TO HACK THIS ONE?

A safe place for newbies. You won't get flamed here, as long as you've put in some effort before posting (i.e: Google)...
1misscall
n00b
Posts: 2
Joined: Sat May 26, 2018 12:02 am

HOW TO HACK THIS ONE?

Post by 1misscall » Sat May 26, 2018 1:02 am

HELLO ...
I want to hack or bypass or find OTP(one-time password) that this site sends to mobile phone numbers.

Here is the inspector view of the site when you want to input the activation code:
---------------------------------------------------------------------
<form id="fm" name="fm" method="post" action="/user/signUp.xhtml" enctype="application/x-www-form-urlencoded">
  <input type="hidden" name="fm" value="fm">
  <div id="fm:step2">

    <div class="form-check">
      <div class="mobile-number-text">
        <input type="text" name="fm:j_idt15" autocomplete="off" class="text-field" disabled="disabled" placeholder="mymobilephonenumber">
        <img src="assets/images/phone.png" class="mobile-number">
        <label class="form-label">plz input activation code:</label>
        <input type="password" name="fm:j_idt17" autocomplete="off" value="" dir="ltr" maxlength="6" tabindex="4" class="text-field mobile-pass allow-numbers-only" placeholder="activation code">
      </div>
      <div class="form">
      </div>
    </div>

    <div class="clearfix">
      <div class="col-xs-12 col-sm-4 col-sm-offset-4 col-md-6 col-md-offset-3 col-lg-6 col-lg-offset-3">
        <input id="fm:j_idt25" type="submit" name="fm:j_idt25" value="check activation code" tabindex="6" class="btn btn-secondary-dark btn-block" onclick="mojarra.ab(this,event,'action','fm:step2','@form',{'onevent':function(event) { handleMessage(event, 'fixed');$('.allow-numbers-only').numbersOnly();$('#fm\\:step2Captcha').val('');if (event.status == 'success') { refreshCaptcha('fm:step2CaptchaImage');}}});return false">
      </div>
    </div>
  </div>
  <ul id="fm:message"><li class="tc-red"> </li></ul>
  <input type="hidden" name="javax.faces.ViewState" value="-5386286413554590238:-6133632685432798175">
</form>

--------------------------------------------------------------------------

This value="-5386286413554590238:-6133632685432798175" is variable for each activation code; for example, the activation code for this value is: "174944"

What kind of algorithm is this value? Is there any way to decode this type of algorithm?
Is there another way to hack?

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: HOW TO HACK THIS ONE?

Post by Cool_Fire » Sat May 26, 2018 7:20 am

How did you deduce that this contains the activation code? From the context of the code it appears in, it just looks like some JSP viewstate, which MAY contain that activation code but is by itself not in any way guaranteed.

Anyway, the encrypted viewstate for this seems to usually be AES encryption and HMAC-SHA256 signed, or DES encryption and HMAC-SHA1 signed for older versions. I'm not sure if this viewstate is encrypted at all though. It will usually be a base64-encoded binary blob if it is, and this just appears to be a pair of numbers.

From the large negative value my guess would be they're some possibly wrongly encoded unsigned numbers, interpreted here as signed numbers. You can maybe figure out what would reasonably be the unsigned number that it was originally meant to represent by messing around with the binary encoding. From the number range and the fact that it seems to be a java-based application I would guess you need to try a java signed long to a java unsigned long (8 bytes).

Again, no guarantee that either of these two numbers will actually be your activation code, but if the activation code IS in there, this would be my guess for how you can retrieve it.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: HOW TO HACK THIS ONE?

Post by Cool_Fire » Sat May 26, 2018 9:55 am

I took a quick look but it doesn't seem that either of those two numbers can be turned into your activation code by changing the encoding, regardless of endianness, signedness, or taking partial byteslices as smaller numbers. I didn't split beyond 32-bit numbers since 16-bit numbers aren't able to hold a 6-digit number anyway.


signed 64-bit (le) | original
(-5386286413554590238,)
(-6133632685432798175,)

signed 64-bit (be) | endianness swap
(-2099363053273268043,)
(2415070601299746986,)

unsigned 64-bit (le) | signedness swap
(13060457660154961378L,)
(12313111388276753441L,)

unsigned 64-bit (be) | endianness and signedness swap
(16347381020436283573L,)
(2415070601299746986,)

signed 32-bit (le) | original split
(1838210530,)
(-1254092533,)
(-368212959,)
(-1428097647,)

signed 32-bit (be) | endianness swap split
(-488796051,)
(185680053,)
(562302442,)
(-1846157142,)

unsigned 32-bit (le) | signedness swap split
(1838210530,)
(3040874763,)
(3926754337,)
(2866869649,)

unsigned 32-bit (be) | endianness and signedness swap split
(3806171245,)
(185680053,)
(562302442,)
(2448810154,)
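Cool_Fire's table above can be regenerated, and checked against the posted code, with a short Python script. This is an added example, not code from the thread: it re-reads each half of the quoted javax.faces.ViewState value under every width, endianness and signedness combination in the table, using Python's struct module, and reports whether the activation code 174944 from the first post appears under any reading (it does not). The ViewState string and the code are the ones quoted in the thread; the function names and the READINGS table are my own.

```python
import struct

# Taken from the thread: the javax.faces.ViewState value the form carried,
# and the activation code the original poster says was valid for it.
VIEWSTATE = "-5386286413554590238:-6133632685432798175"
POSTED_CODE = 174944

# struct format for each reading of the same 8 bytes, in the order
# Cool_Fire listed them (width / endianness / signedness).
READINGS = {
    "signed 64-bit (le)": "<q",
    "signed 64-bit (be)": ">q",
    "unsigned 64-bit (le)": "<Q",
    "unsigned 64-bit (be)": ">Q",
    "signed 32-bit (le)": "<ii",
    "signed 32-bit (be)": ">ii",
    "unsigned 32-bit (le)": "<II",
    "unsigned 32-bit (be)": ">II",
}


def reinterpret(value: int) -> dict:
    """Pack one signed 64-bit value as little-endian bytes (the 'original'
    reading) and re-read those same 8 bytes under every format in READINGS."""
    raw = struct.pack("<q", value)
    return {label: struct.unpack(fmt, raw) for label, fmt in READINGS.items()}


def viewstate_candidates(viewstate: str) -> dict:
    """Split an 'a:b' ViewState string into its two integers and merge the
    reinterpretations of both into one tuple per reading, matching the
    layout of the table in the post (first number's values, then second's)."""
    parts = [int(p) for p in viewstate.split(":")]
    merged = {label: () for label in READINGS}
    for value in parts:
        for label, nums in reinterpret(value).items():
            merged[label] += nums
    return merged


def contains_code(viewstate: str, code: int) -> bool:
    """True if the code appears verbatim as one of the integers under any reading."""
    return any(code in nums for nums in viewstate_candidates(viewstate).values())


if __name__ == "__main__":
    for label, nums in viewstate_candidates(VIEWSTATE).items():
        print(f"{label:24s} {nums}")
    print("activation code present:", contains_code(VIEWSTATE, POSTED_CODE))
```

The empty result is what a defender should expect: a Mojarra ViewState of this "number:number" shape is a reference to state the server keeps for the page, and a correctly built sign-up flow keeps the one-time code on the server side (and in the SMS) only, never in anything the browser can read back.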

1misscall
n00b
Posts: 2
Joined: Sat May 26, 2018 12:02 am

Re: HOW TO HACK THIS ONE?

Post by 1misscall » Sat May 26, 2018 12:54 pm

Special thanks for your time and answer.
I just guessed; maybe the value contains the activation code... no more.
Is there another way to bypass the activation code??

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: HOW TO HACK THIS ONE?

Post by Cool_Fire » Sat May 26, 2018 5:06 pm

I would start by looking at the requests with your browser's dev tools (I'm pretty sure it's F12 in Chrome and Firefox, idk about other browsers.)
Beyond that you can dive into the communication further with a tool like burp suite or ZAP, but you might just not find it.

It's not unheard of for the token to be exposed, but it's not supposed to ever expose the token. The website's developers must have made a mistake for it to ever be exposed.
