Crunchyroll CDN access?
The attack it self relies on the CrunchyRoll CDN.
While looking at the new CrunchyRoll HTML player, I was curious to see, if I was able to attack the CDN, since it was no longer behind some shady flash player!

My initial idea, was to simply look at the network activity, which showed the following:


the mp2t was probably related to the CDN, since it was the largest in size, and was a repeated get request.
A quick search revealed that it's an internet media type under the MPEG transport stream


Doing some more research will reveal, that it uses the file extension: ".ts, .tsv, .tsa"
It splits the media up in several different .ts files, but luckily for us, there is an index storing all the .ts locations, with the file exstension ".m3u8"
Luckily for us, CrunchyRoll stores the .m3u8 in the source of every page of every vid, and can easily be extracted using python or Regular Expressions (see the tiny poc)

#!/usr/bin/python
import sys
import requests
import re
from bs4 import BeautifulSoup
# Python sucks so we have to use a shitty fix due to ascii issues
reload(sys)
sys.setdefaultencoding("utf-8")

s = requests.session()
raw = s.get('https://www.crunchyroll.com/goblin-slayer/episode-1-the-fate-of-particular-adventurers-777760').content.decode()
soup = BeautifulSoup(raw, 'lxml')

soup.body.find_all(string=re.compile('.*{0}.*'.format('.m3u8')), recursive=True)

This will extract all the .m3u8 links (still needs to be filtered a bit, but you get the point):

curl 'crunchyroll URL here' | grep "vilos.config.media" | cut -c 26- | jq '.streams[8].url'

A typical .m3u8 url can look like the following:

https://dl.v.vrv.co/evs/acb33ce60bc005e5ea0aae30e3e10759/assets/427c6d547df7dc68d59dfe75fbc33cd4_,3557880.mp4,3557881.mp4,3557879.mp4,3557877.mp4,3557878.mp4,.urlset/master.m3u8?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cCo6Ly9kbC52LnZydi5jby9ldnMvYWNiMzNjZTYwYmMwMDVlNWVhMGFhZTMwZTNlMTA3NTkvYXNzZXRzLzQyN2M2ZDU0N2RmN2RjNjhkNTlkZmU3NWZiYzMzY2Q0XywzNTU3ODgwLm1wNCwzNTU3ODgxLm1wNCwzNTU3ODc5Lm1wNCwzNTU3ODc3Lm1wNCwzNTU3ODc4Lm1wNCwudXJsc2V0L21hc3Rlci5tM3U4IiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxNTQ1MzQ0MzA5fX19XX0_&Signature=ZaoCvxhuHjeDE3n~-iNymJBEJssOpY9MCuj7WWFdO9Pr5ssb-eIGGjmljN6GK~oAi7TWKqhDutU1VR6D0UU0sMFrZZExy6EdG1kREEnGRDEf6AoOfIKFE4HFHwx81Jk2r2zcsy8r5UFF~5ZWBt00GmwI~UaWxe63oEmBvp~0v~bgnJYZTsDAyrCo4nxtDomumGrfkseikoHhlas4LVLTmB9g5XrEgRnELFrNR-bCt7Pl4t0ZPkefLCUzHGjd7iKlrGRiIfpLTvtKk4zLA3rALy2ja9xjp2doV0G-PCcYP3kq-8vbYeXprdma101kfhuMuig5JU32B1Pj8Gue4mYEGw__&Key-Pair-Id=DLVR 

here is the real problem with it all:
They have no auth on the m3u8...... This means, that you can use any external player to play the m3u8 file or even download the episodes in 1080p using I.e. ffmpeg:

ffmpeg -i "m3u8 url here" -c copy -bsf:a aac_adtstoasc "output.mp4"
A stream window can look like this:


DEMO PLAYBACK USING HLS.JS