published on in Blog
tags: Security Bash curl Dormlife

Headless in the Studentdorm

To use the internet access in my student dorm you have to authenticate yourself in the browser. This is not only annoying but also makes my headless Raspberry Pi useless. First I thought I could just spoof the MAC address of my Raspberry on another PC and authenticate it from that device. This kind of worked, however the access resets all the time (I did not figure out a clear pattern, but almost every day) so this wasn’t a long-term option. I decided to try to automate the auth process in a simple script.

Automating In-Browser Authentication

Constraints

  • Automatically authenticate headless devices on the network
  • Lightweight (should work without installing shit like Selenium)

How

I thought this would be kind of straightforward. Just replay the POST request with curl and that is it. However, this did not work.
I then noticed a strange hidden field in the login form:
TODO code
Yes, there is a randomly generated string in a hidden form field and yes, it’s literally called magic 🙈 It seemed to be some kind of generated token that needs to be sent with the other form data.
EDIT: Each RPC message includes a random value from the initiator. This ensures that when the response is received it corresponds to the request previously sent. (see Magic cookie)

Final Product

This is the final script I came up with. I know it’s not pretty, but it works.

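#!/bin/bash

# The response to an unauthenticated request contains the token:
# everything after the first "?" and before the next double quote.
magic=$(curl -s google.com | cut -d "?" -f 2 | cut -d "\"" -f 1)
# Request the login page for this token before posting to it.
curl -s "http://10.10.0.1:1000/fgtauth?$magic"

# -k skips TLS certificate verification for the portal.
resp=$(curl -k --request POST 'https://10.10.0.1:1003/' \
  --data "username=USERNAME" --data "password=PASSWORD" \
  --data "magic=$magic" --data "4Tredir=google.com")

if [[ $resp == *"co continue."* ]]; then
  echo "logged in"
fi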
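
A sturdier take on the token extraction and login POST above, as an added example that is not part of the original post: it validates the token before reusing it in a URL and hands the credentials to curl through a config on stdin instead of the command line. The sample body is constructed, the alphanumeric token format is an assumption, and extract_magic, cfg_escape, build_curl_config and portal_login are hypothetical names.

```bash
#!/bin/bash
# Added example, not the post's script. The sample body is constructed to match
# the shape the post's cut pipeline implies: ...fgtauth?<token>"...
SAMPLE_BODY='<html><script>window.location="http://10.10.0.1:1000/fgtauth?0a1b2c3d4e5f6789";</script></html>'

# Print the token that follows "fgtauth?"; fail if it is absent or malformed.
extract_magic() {
  local body token
  body=$1
  case $body in
    *'fgtauth?'*) ;;
    *) return 1 ;;             # no portal response (e.g. already logged in)
  esac
  token=${body#*fgtauth\?}     # drop everything through "fgtauth?"
  token=${token%%\"*}          # keep what precedes the next double quote
  case $token in
    ''|*[!0-9A-Za-z]*) return 1 ;;   # assumption: tokens are plain alphanumerics
  esac
  printf '%s\n' "$token"
}

# Escape backslash and double quote for a quoted value in a curl config file.
cfg_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Emit a config for `curl -K -`, so the password stays out of argv and `ps`.
# No "insecure" line: unlike the post's -k, the portal certificate is verified
# (assumption: it chains to a trusted CA, or a cacert line is added).
build_curl_config() {
  printf 'url = "https://10.10.0.1:1003/"\n'
  printf 'data-urlencode = "username=%s"\n' "$(cfg_escape "$1")"
  printf 'data-urlencode = "password=%s"\n' "$(cfg_escape "$2")"
  printf 'data-urlencode = "magic=%s"\n' "$3"
  printf 'data-urlencode = "4Tredir=google.com"\n'
}

# Hypothetical wrapper: $1 is a chmod-600 file, username on line 1, password on line 2.
portal_login() {
  local user pass magic
  { IFS= read -r user && IFS= read -r pass; } < "$1" || return 2
  magic=$(extract_magic "$(curl -s http://google.com)") || return 1
  curl -s -o /dev/null "http://10.10.0.1:1000/fgtauth?$magic"
  build_curl_config "$user" "$pass" "$magic" | curl -s -K -
}
```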

Conclusion

It took more work than I first expected. The whole magic hash thing got me a little confused at first but in the end it worked out. The auth process seems kinda strange and should be investigated further. I’m still not sure what the generated token should prevent exactly. One could think that it should prevent automated logins, but scripting it wasn’t exactly magic (haha.. ha.. ha..)

Also the username and password combination does not get changed if you move out of the dorm room. The next person to rent the room will have the exact same password that you had and you are not able to change it. OPSEC on point…