HHC2016 - Analytics
Key Takeaways
The video walks through the Analytics target from the Holiday Hack Challenge 2016 using Burp Suite (Intruder, Sequencer and Repeater), with ZAP Proxy suggested as a free alternative, and a Metasploit word list to enumerate valid usernames from the differing login error messages, intercept requests and compare responses. It also covers using nmap to scan for open services, wget and git to download the exposed .git repository and restore the source code, and grep to find where the hard-coded encryption key and the cookie-generating code are used.
Full Transcript
Hello, I'm Nick Ippolito, and this is going to be a walkthrough of how to do Analytics from the Holiday Hack Challenge 2016. It is also called Sprusage, and we'll get right into it. The first thing could be a vulnerability, it could just be a finding, it depends on the client, and that is the ability to enumerate usernames through just brute force and guessing. So we do admin/password, try to log in, we get "no such user". If we change that to administrator and put something in the password, we get "bad password". So right off the bat we can check if a user is in the database, which means we should probably put a word list in there and brute force a bunch of users to find who else exists in the database, because chances are the administrator is gonna have a difficult password. So turn intercept on, put something in, send this over to Intruder. This is gonna have some limiting options on the free version, so if you don't have Professional you may want to switch over to ZAP Proxy; the workflow is gonna be essentially the same thing. Going over to Positions we see two squiggly things. We're gonna take the squiggly off password because we're not gonna try anything in the password field whatsoever; we're gonna leave the squigglies on administrator. Again, all these squigglies do is loop through a file, and for every line in the file it places that between these squigglies. So the next thing is we have to load something in this for it to process. As quickly as I guess: go to Payload Options, Load, I'm in /usr/share/wordlists/metasploit, go to unix_users, Open. This loads a bunch of users. Start the attack. In most applications you'll find out the difference between a success and a fail just based upon the length; however, in this case the length of the packet is the same for "no such user" and "bad password", which is annoying, but Burp has a way to filter this. So "bad password", and we'll see only administrator and guest have accounts out of the whole word list we did. This is good because we noticed guest.

We know the password of guest just based upon a previous challenge, so I'm gonna disable my intercept and we're gonna log in with guest. The password is busyreindeer78. So guest / busyreindeer78 logs right in, and the objective is to grab all the MP3 files. This web application has two: the first one can be grabbed by just clicking on MP3 and saving it, but the second one is behind a SQL injection. So let's keep poking around. As a guest we can query data and we can view a previous query. Let's query data. What do we want? Launch... usage is fine. We don't know a valid value for that, so let's just do not-equals-to-zero, because that should return things, and I want it to return things to kind of see what the database looks like. Well, looks like I'm getting in. We see different rows, we see "the report was saved". Clicking this, we see ID, name, details, and we see the data of the query saved. Nothing else really interesting in this, but there is one other vulnerability we want to look at, and that's the session cookie that gets created when you log in. So type the credentials again, guest / busyreindeer78, turn my intercept on, log in, send this over to Sequencer. What Sequencer's gonna do is keep logging in and save the authentication cookie, which is the session cookie in this case, and we'll just have a bunch of copies of it, and hopefully it has a lot of entropy between them. In this case it doesn't have entropy. There's not much we can do right off the bat because of the way it's stored; I'll get into that in a second, but in some things you may just be able to modify the cookie and change your privilege level from that. So stopping this, copy the tokens, let's go in, paste. It'll take a little bit... there we go. Save it as "token". So grep, let's do a dot so we only have lines that have a valid character on them, because there were a lot of empty lines. So we have a bunch of tokens, it's 200 or so... wc -l, 500. So we're gonna sort them first, now I want to count all the uniques, and we see...

Oh, there's not that many tokens, and there's very low entropy: 0 v, 1 v, 2 v, that's the only value that's changing. So chances are everything before this is hard-coded in, and after this, this is probably a hash based upon the time or something. So in some applications, if they store something like a user ID number or a group name in the cookie that's only one byte, there's a chance you can just keep flipping bytes and eventually you flip the one byte that controls that one number and you can change the privilege level that way. Later on we'll find that's not the case: it stores the whole username in encrypted format, and flipping one byte doesn't change guest to administrator. So no real attack, just something we want to look into if we ever got a hold of the source code of the application: how is this cookie made? Because this is not secure; it should be completely random. And the next thing we look at: we have the ability to enumerate users, and we know we need to look into cookies. The web application itself was involved with a SQL injection. So the next thing to do would be an nmap. For the sake of time I'm only specifying port 443 and using the flag -sC because that's what the elf told me to do in the game, but in the real world you'd still nmap the website if you don't have anything, just to see if other services are open, such as a MongoDB instance that may not require authentication, things of that nature. But nmap returns a git repository, so we're going to download this git repository because that is very good. So wget -m analytics.northpolewonderland.com/.git. What git is: it's a version control system, so we're gonna be able to get the source code of the website just from this one directory. And not only will we get the source code, but we can also get the source code history and all the previous versions. I won't go into it in this video, but the text walkthrough does have how to copy out old versions of this repository. So going in, wget, clear this, analytics.northpolewonderland.com.

We don't have the source code just yet, but if we do ls -a it'll show the hidden directories: we have that .git directory. So git reset --hard restores the directory to the latest commit and we have the source code, like magic. crypto.php looks like something we want to look at, and we see it's just using an RC4 cipher, a stream cipher... RC4 stream cipher I believe it is, I'm bad at crypto, but from that line we see it's using this key as well. But we want to know what actually calls this, so I'm going to copy "encrypt" and we're going to grep all the PHP files for encrypt, and we see it's used in crypto.php and in login.php, specifically for auth. So I'm guessing this is right where it's generating that cookie. So go into login... so it's for auth, yep: we see auth equals encrypt of json_encode of username and date. So copy this out, I'm going to go back to the crypto file, paste this in, and we're going to echo auth, and for the username we're going to hard-code this to be administrator so it always generates us a cookie for the administrator user. There's no random in this, so it should be able to generate a cookie that works on the remote server from a local workstation. So save this as crypto2.php, and now when we execute crypto2.php we do get some junk, but that's just because it's the ASCII representation of hex. So what we want to do is pipe that to xxd, and we're going to say -p because we only want the hex. If we didn't have that -p (let me copy this first) it puts it in the three-column format, and that's just harder to work with. So put this on one line, and this is a valid administrator token. So we're going to go back to the web app. I'm going to log in as guest. So where, as guest, we're going to open up the developer tools, go to Cookies, edit this authentication, paste our administrator token as the cookie value, refresh the page, and we can see we have a new field called Edit. This is definitely awesome. Looking at Edit, we see we need an ID, a name and a description. So let's go back to Query.

Let's create a report, save the ID, go over to Edit, paste. Name's "hello", edit this. Checking for ID, yup; checking for name, yup; checking for description, yup; and checking for query, and it shows us the query. If you can spot the problem right now, kudos to you. It's kind of... it's looping through all the GET parameters of this HTTP request. As we can go over here, we can see we gave it the ID parameter, the name parameter and the description parameter. It's looping through each of those parameters, and if it exists it says yup. And we can verify that by going over into the query... the source code, search for "yup". So it's looping through columns in the database, checking for the variable; if the variable is set, say yup. So just glancing over this you can easily skip it, because it says "checking for query" and then displays the query, and it's like "oh, you want me to look at that? Yup, that query looks good." The behavior of the reporting feature: it doesn't save the actual data in the report, it's just saving the query, as we can see from this UPDATE the report SET the ID and change the name and description WHERE the ID equals the ID we specified. So what we can do is a mass-assignment type thing, because it's checking for query, but the web page isn't actually sending query; but if we did send query, it would go through magically. So let's do that real quick. Go back to the intercept page, let's clear this, copy that, turn intercept off, Edit, turn intercept on, paste this, and we're going to put &query=select+version()+--+- . The plus just translates to spaces, that's just URL encoding. And we're going to first send this over to Repeater, because I feel like we're gonna want to change this query multiple times. Click Go, and we can turn that intercept off, we don't need that anymore because we have it in Repeater. And it sets ID, sets name, and it sets the query. Remember I said the behavior of the app wasn't to save data, it just saves the query, so we can run that same report multiple times.

So the query is now select version(), and commented out all the junk after what our query is. So we go over to View, let's paste our query ID number and see what happens. I have a ' there, so that's a single quote... and we see it ran the version query. So the next thing we want to do is show tables to see what is in this database. So tables, Go, refresh, and we can see the different tables. So audio... we probably want to see what's in that audio, so we're going to change that to describe audio to see what columns are in that table. Refresh, and we see id varchar(36), varchar(32), varchar(32), mediumblob. It's actually storing the MP3 file in the database itself; it's not storing a link to it but it's storing the actual file in the database, which is a bit odd, and that'll be a little more apparent when we do the next query, which is going to be select * from audio. Do this, refresh the page, and we have: the guest user gets access to discombobulatedaudio2, the administrator user gets access to discombobulatedaudio7. Now mp3 is blank because, again, of the weird way it's encoded. So what we're going to do is select hex(mp3) from audio, and that's going to convert whatever's in this column to hex. The other thing we're going to add is a LIMIT statement: limit 1,1. That means it's going to grab the first row... it starts at zero, so row 0, row 1; so I grab everything from row 1 to row 1. If it was 0,1 it means grab everything from row 0 to row 1, which would get both of these. Hopefully that makes sense. So we do that, we refresh the page, and we get the hex. I could copy and paste this, but that's a lot to copy and paste, it takes a while, so what I'm going to do is right click, Copy as curl command, and we're going to download the file manually. So -o audio.mp3.hex, and now we're going to unhex it with xxd -r for reverse and -p because it will only take the hex, not the three columns. audio... and we're going to redirect that into just audio.mp3. Running this, and we got "data"... so I screwed up somewhere. Oh, silly me.

After we download that, we downloaded all the HTML, so we have to delete a bunch of junk. So deleting the lines from the file so we only have hex... and I deleted too much there. Go back. I feel as if my curl command did not work, I downloaded the wrong page. So I had downloaded the wrong page. Let's turn intercept on, refresh the page, Copy as curl command, this is the right page. The page I had downloaded, if we look, was the page that had the yups, so the page beforehand. So paste the new curl, save that as audio.mp3.hex, delete the lines... and I just deleted more than I wanted to. Oh, we won't go fancy, we'll just hold dd... body... so we're right near the hex, there we go. Again, we only want the hex of this file. My vi is going a bit laggy, so hopefully I don't start deleting the A's of the base64... there we go. Now we can run that xxd command on the file and we have an MP3 audio file. Thankfully that one worked. And if you notice, my terminal window wasn't clear when I started this because I was playing with trying to put a shell on the system. But instead of hexing it, let's see if we can actually just base64 it, because base64 would be a bit smaller of a payload. So instead of hex we're going to put base64 underscore two, I believe, and let's see if this works. I think I got the base64 command wrong. I'm not sure what I did, but anyway, we got the file. That was the end of the goal: to get the MP3 out of the database. So that's it. Hopefully that makes sense; keep in mind, if it doesn't, I'm sure there are other write-ups, and I've done text write-ups for everything, which I think did a good job explaining everything. So I hope you enjoyed the challenge. Take care, happy holidays, bye.
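The cookie weakness the transcript walks through (auth = encrypt(json_encode(username, date)) with a fixed RC4 key taken from crypto.php) is modelled below as an added Python example; it is not the challenge's PHP code, and the key, usernames and dates are constructed stand-ins. `varying_positions` reproduces the Sequencer observation: RC4 with a fixed key yields a fixed keystream, so tokens for the same user differ only at the byte offsets where the plaintext (the date) differs, which is why the captured cookies showed almost no variation. `make_signed_token`/`verify_signed_token` show the contrasting design: a payload plus an HMAC over it under a secret that exists only on the server, verified in constant time and bound to an expiry, so a token for another username cannot be minted or edited without that secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for the hard-coded key in crypto.php; the real value is deliberately not reproduced.
LEGACY_KEY = b"example-hardcoded-key"


def make_legacy_token(username, date, key=LEGACY_KEY):
    """The scheme found in login.php: RC4(key, json_encode({username, date})), hex-encoded."""
    payload = json.dumps({"username": username, "date": date}).encode()
    return rc4(key, payload).hex()


def read_legacy_token(token_hex, key=LEGACY_KEY):
    """What the server does per request: decrypt and trust whatever username is inside."""
    return json.loads(rc4(key, bytes.fromhex(token_hex)))


def varying_positions(tokens_hex):
    """Byte offsets at which a set of captured tokens differ (the 'sort | uniq -c' check, per position)."""
    raws = [bytes.fromhex(t) for t in tokens_hex]
    shortest = min(len(r) for r in raws)
    return [i for i in range(shortest) if len({r[i] for r in raws}) > 1]


# --- contrasting design: authenticated, expiring token under a server-side secret ---

SERVER_SECRET = secrets.token_bytes(32)   # generated at start-up, never committed to the repository
TOKEN_TTL_SECONDS = 3600


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signed_token(username, now=None, secret=SERVER_SECRET):
    now = int(time.time()) if now is None else now
    payload = json.dumps({"username": username, "exp": now + TOKEN_TTL_SECONDS}, separators=(",", ":"))
    body = _b64(payload.encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_signed_token(token, now=None, secret=SERVER_SECRET):
    """Returns the payload dict, or None if the tag is wrong, the token is malformed, or it has expired."""
    now = int(time.time()) if now is None else now
    body, sep, tag = token.partition(".")
    if not sep or not tag.isascii():
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison of the tags
        return None
    try:
        payload = json.loads(_unb64(body))
    except ValueError:                           # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def swap_payload_keep_tag(token, new_payload):
    """A token whose body was edited but whose tag was left alone; the verifier must reject it."""
    _body, _sep, tag = token.partition(".")
    return f"{_b64(json.dumps(new_payload, separators=(',', ':')).encode())}.{tag}"
```

The legacy half shows both findings at once: the hard-coded key makes any username mintable, and the fixed keystream makes the byte-position diff reveal exactly which plaintext field moves between logins. The signed half is the usual remedy; a random, server-stored session identifier looked up in a table is an equally sound alternative and avoids carrying claims in the cookie at all.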
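The edit page's loop over every request parameter, described in the transcript, is the mass-assignment pattern. The added Python/sqlite3 example below is not the challenge's PHP code and uses a constructed schema and rows. `edit_report_unsafe` writes whichever report columns appear in the request, so a `query` parameter the form never sends still ends up in the stored SQL that `view_report` later executes. `edit_report_safe` keeps an allow-list of the columns the form is meant to change and refuses the whole request when anything else is present, returning the rejected names so they can be logged as a tampering signal.

```python
import sqlite3

COLUMNS = ("id", "name", "description", "query")   # every column of the report table
EDITABLE = frozenset({"name", "description"})      # the only columns the edit form is meant to change


def new_db():
    """Constructed in-memory stand-in for the challenge database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE audio  (id TEXT, username TEXT, filename TEXT, mp3 BLOB);
        CREATE TABLE report (id TEXT PRIMARY KEY, name TEXT, description TEXT, query TEXT);
        INSERT INTO audio VALUES ('a1', 'guest',         'guest-file.mp3', X'494433'),
                                 ('a2', 'administrator', 'admin-file.mp3', X'494433');
        INSERT INTO report VALUES ('r1', 'guest report', 'constructed sample',
            'SELECT filename FROM audio WHERE username = ''guest''');
    """)
    return db


def edit_report_unsafe(db, report_id, params):
    """Mirrors the loop the video describes: every column named in the request gets written.
    The column name comes from the fixed COLUMNS tuple, never from the request, so the f-string
    itself is not injectable; the problem is which columns are reachable at all."""
    for col in COLUMNS:
        if col in params:
            db.execute(f"UPDATE report SET {col} = ? WHERE id = ?", (params[col], report_id))
    db.commit()


def edit_report_safe(db, report_id, params):
    """Allow-list version: only form-owned columns change; any other key rejects the whole request.
    Returns the rejected parameter names (empty list when the update was applied)."""
    rejected = sorted(set(params) - EDITABLE)
    if rejected:
        return rejected          # caller logs these; nothing has been written
    for col in sorted(EDITABLE):
        if col in params:
            db.execute(f"UPDATE report SET {col} = ? WHERE id = ?", (params[col], report_id))
    db.commit()
    return []


def view_report(db, report_id):
    """The app stores the SQL text and re-runs it; that is what makes a writable query column dangerous."""
    (sql,) = db.execute("SELECT query FROM report WHERE id = ?", (report_id,)).fetchone()
    return db.execute(sql).fetchall()


def stored_report(db, report_id):
    row = db.execute("SELECT id, name, description, query FROM report WHERE id = ?", (report_id,)).fetchone()
    return dict(zip(COLUMNS, row))


if __name__ == "__main__":
    db = new_db()
    edit_report_unsafe(db, "r1", {"name": "renamed", "query": "SELECT filename FROM audio ORDER BY rowid"})
    print("unsafe edit now returns:", view_report(db, "r1"))
    db = new_db()
    print("safe edit rejected:", edit_report_safe(db, "r1", {"name": "renamed", "query": "SELECT 1"}))
```

The allow-list closes the mass-assignment hole, but the stored-SQL design is the deeper issue: a report should persist the user's chosen field, comparison and value and rebuild a parameterised query at view time, so that no column in the database ever holds executable SQL.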
Original Description
Write Up: https://ippsec.github.io/holidayhack2016/part-4/#analytics
Note: Video may contain slight errors; most notably, this video mistakenly says "Hash" instead of "Encrypt" (e.g. at 5 minutes).