{"id":12931,"date":"2019-12-10T00:27:34","date_gmt":"2019-12-09T23:27:34","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=12931"},"modified":"2020-04-21T09:23:09","modified_gmt":"2020-04-21T07:23:09","slug":"mr-robot-curls","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2019\/12\/10\/mr-robot-curls\/","title":{"rendered":"Mr Robot curls"},"content":{"rendered":"\n

The Mr Robot<\/a> TV series features a security expert and hacker lead character, Elliot.<\/p>\n\n\n\n

Season 4, episode 8<\/h2>\n\n\n\n

Vasilis Lourdas<\/a><\/strong> reported that he did a “curl sighting” in the show and very well I took a closer peek and what do we see some 37 minutes 36 seconds into episode 8 season 4…<\/p>\n\n\n\n

(I haven’t followed the show since at some point in season two so I cannot speak for what actually has happened in the plot up to this point. I’m only looking at and talking about what’s on the screenshots here.)<\/p>\n\n\n\n

Elliot writes Python. In this Python program, we can see two curl invokes, both unfortunately a blurry on the right side so it’s hard to see them exactly (the blur is really there in the source and I couldn’t see\/catch a single frame without it). Fortunately, I think we get some additional clues later on in episode 10, see below.<\/p>\n\n\n\n

He invokes curl with -i<\/code> to see the response header coming back but then he makes some questionable choices. The -k<\/code> option is the short version of --insecure<\/code>. It truly makes a HTTPS connection insecure since it completely switches off the CA cert verification. We all know no serious hacker would do that in a real world use.<\/p>\n\n\n\n

Perhaps the biggest problem for me is however the following -X POST<\/code>. In itself it doesn’t have to be bad, but when taking the second shot from episode 10 into account we see that he really does combine this with the use of -d<\/code> and thus the -X<\/code> is totally superfluous or perhaps even wrong<\/a>. The show technician who wrote this copied a bad example…<\/p>\n\n\n\n

The -b<\/code> that follows is fun. That sets a specific cookie to be sent in the outgoing HTTP request. The random look of this cookie makes it smell like a session cookie of some sorts, which of course you’d rarely then hard-code it like this in a script and expect it to be of use at a later point. (Details unfold later.)<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Season 4, episode 10<\/h2>\n\n\n\n

Lucas Pardue followed-up<\/a> with this second sighting of curl from episode 10, at about 23:24. It appears that this might be the python program from episode 8 that is now made to run on or at least with a mobile phone. I would guess this is a session logged in somewhere else.<\/p>\n\n\n\n

In this shot we can see the command line again from episode 8.<\/p>\n\n\n\n

We learn something more here. The -b option didn’t specify a cookie – because there’s no = anywhere in the argument following. It actually specified a file name. Not sure that makes anything more sensible, because it seems weird to purposely use such a long and random-looking filename to store cookies in…<\/p>\n\n\n\n

Here we also see that in this POST request it passes on a bank account number, a “coin address” and amountOfCoins=3684210526.31579<\/code> to this URL: https:\/\/buy-crypto-coin.net\/purchase<\/code>, and it gets 200 OK<\/code> back from a HTTP\/1.1 server.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

I tried it<\/h2>\n\n\n\n
curl -i -k -X POST -d bankAccountNumber=8647389203882 -d coinAddress=1MbwAEKJCtPYpLPxEkUmZxwjk63nQrpbXo -d amountOfCoins=3684210526.31579 https:\/\/buy-crypto-coin.net\/purchase<\/pre>\n\n\n\n
I don’t have the cookie file so it can’t be repeated completely. What did I learn?<\/p>\n\n\n\n
First: OpenSSL 1.1.1 doesn’t even want to establish a TLS connection against this host and says dh key too small<\/code>. So in order to continue this game I took to a curl built with a TLS library that didn’t complain on this silly server.<\/p>\n\n\n\n
Next: I learned that the server responding on this address (because there truly is a HTTPS server there) doesn’t have this host name in its certificate so -k<\/code> is truly required to make curl speak to this host!<\/p>\n\n\n\n
Then finally it didn’t actually do anything fun that I could notice. How boring. It just responded with a 301 and Location: http:\/\/www.buy-crypto-coin.net<\/code>. Notice how it redirects away from HTTPS.<\/p>\n\n\n\n
What’s on that site<\/a>? A rather good-looking fake cryptocurrency market site. The links at the bottom all go to various NBC Universal and USA Network URLs, which I presume are the companies behind the TV series. I saved a screenshot below just in case it changes.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
The Mr Robot TV series features a security expert and hacker lead character, Elliot. Season 4, episode 8 Vasilis Lourdas reported that he did a “curl sighting” in the show and very well I took a closer peek and what do we see some 37 minutes 36 seconds into episode 8 season 4… (I haven’t … Continue reading Mr Robot curls<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":12948,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,108],"class_list":["post-12931","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-tv"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/12931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=12931"}],"version-history":[{"count":10,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/12931\/revisions"}],"predecessor-version":[{"id":13950,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/12931\/revisions\/13950"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/12948"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=12931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=12931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=12931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}