Crunchyroll CDN access?
The attack itself relies on the CrunchyRoll CDN.
While looking at the new CrunchyRoll HTML player, I was curious to see if I was able to attack the CDN, since it was no longer behind some shady Flash player!
My initial idea was to simply look at the network activity, which showed the following:
The mp2t was probably related to the CDN, since it was the largest in size and was a repeated GET request.
A quick search revealed that it's an internet media type under the MPEG transport stream.
Doing some more research reveals that it uses the file extensions ".ts, .tsv, .tsa".
It splits the media up into several different .ts files, but luckily for us, there is an index storing all the .ts locations, with the file extension ".m3u8".
Luckily for us, CrunchyRoll stores the .m3u8 in the source of every page of every vid, and it can easily be extracted using Python or regular expressions (see the tiny PoC):
import requests
from bs4 import BeautifulSoup
# Python sucks so we have to use a shitty fix due to ascii issues
s = requests.session()
# Fetch the episode page and decode the body to text
raw = s.get('https://www.crunchyroll.com/goblin-slayer/episode-1-the-fate-of-particular-adventurers-777760').content.decode()
# Parse the page source so the embedded player data can be inspected
soup = BeautifulSoup(raw, 'lxml')
This will extract all the .m3u8 links (still needs to be filtered a bit, but you get the point):
Here is the real problem with it all:
They have no auth on the m3u8... This means that you can use any external player to play the m3u8 file, or even download the episodes in 1080p using e.g. ffmpeg:
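On the defensive side, the missing check described above can be closed by requiring a short-lived signed token on every playlist request. This is an added example, not code from the original post or from CrunchyRoll. The secret, the `exp` and `sig` parameter names, the playlist path and the idea that the edge learns the session id from the viewer's cookie are all assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a key shared by the site backend and the CDN edge (constructed value).
SECRET = b"constructed-demo-secret"


def _mac(path: str, session_id: str, expires: int) -> str:
    # Bind the signature to the playlist path, the viewer's session and the expiry.
    msg = f"{path}\n{session_id}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_playlist_url(path: str, session_id: str, ttl: int = 300, now=None) -> str:
    """Called by the site when it renders the page for a logged-in viewer."""
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"exp": expires, "sig": _mac(path, session_id, expires)})
    return f"{path}?{query}"


def verify_playlist_request(url: str, session_id: str, now=None) -> bool:
    """Called at the edge before serving the .m3u8; False means answer 403."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # unsigned URL: the situation the post describes
    if (now if now is not None else time.time()) > expires:
        return False  # a link copied out of the page source has gone stale
    expected = _mac(parts.path, session_id, expires)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

The same check has to cover the .ts segments the playlist points to, otherwise the segment URLs remain fetchable on their own.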