ctf.hacker101 — Postbook

Erkan Kılıç
5 min read · Jan 16, 2021

We start the exercise with the GO option next to the exercise title on https://ctf.hacker101.com/ctf.

The welcome page of the exercise has a sign up section and a sign in section.

First of all, we create a new user from the sign up section and then sign in with these credentials.
We see two posts from two other users. When we click the title of either post, we can read it.
In the URL, the page identifies the post by a numeric ID (“id=1” and “id=3”), so we try changing this ID.

RESULT: The flag was captured.

Secondly, we write a new post from “What’s on your mind?”.
In the “Post timeline” area, our post has “edit” and “delete” options, and we choose “edit”.
As we know from the first result, the page carries a numeric ID in the URL, and we change it again here.
This shows that the webpage has an IDOR (Insecure Direct Object Reference)[1] vulnerability: the edit form lets us change another user's post and save it.

RESULT: The flag was captured.

The third one builds on the second result.
When we review the page source of the edit section, the “delete” option uses a different kind of value, a hash.
We check the three best-known hash types, MD5, SHA1 and SHA256; by its character length the hash looks like an MD5.
When we reverse that hash with a lookup service[2], it turns out to be the same numeric ID that “edit” uses.
At this point, we hash another user's post ID and use it as our delete ID value.

RESULT: The flag was captured.

Fourthly, we review the page source of the “What’s on your mind?” section.
We see that an account value tied to our account is sent along with the post, and we change that value.

RESULT: The flag was captured.

For the fifth result, we take a look at the “settings” section of our account.
There is an option to change the username and password. We know that the account information is a unique value and is tied to the user's session through a cookie.
When we review the page source of this section, the password value is visible as clear text.
In the “Cookie” area of the “Network” tab, there is a cookie ID that looks like a hash value.

So we reverse this value, and it turns out to be our account ID.
We know that there are “admin” and “user” accounts; we hash one of their IDs, use Cookie Quick Manager[3] to replace our cookie value with it, refresh the page and click “Home”.

RESULT: The flag was captured.

Sixth, we use the same technique for the other user.

RESULT: The flag was captured.
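The delete parameter (third result) and the session cookie (fifth and sixth results) fail for the same reason: each is an unkeyed MD5 of a small integer ID, so anyone can recover the ID with a lookup table and compute the value for any other ID. The following is an added example, not code from the writeup or the application, that shows why the scheme gives no protection and what replaces it: a random, server-side session ID that is looked up rather than decoded, and, for action parameters, a keyed MAC bound to both the acting user and the object. `SERVER_SECRET`, the ID ranges and the token format are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side secret; in a real deployment it comes from configuration, never from code.
SERVER_SECRET = b"constructed-example-secret-not-for-real-use"


def naive_id_token(object_id: int) -> str:
    """The weak scheme: an unkeyed hash of a small integer. Anyone can compute it."""
    return hashlib.md5(str(object_id).encode()).hexdigest()


def recover_id_from_naive_token(token: str, max_id: int = 10_000) -> Optional[int]:
    """Why the weak scheme is no protection: the id space is tiny, so a table of every
    hash is trivial to build. An online MD5 lookup service is exactly such a table."""
    for candidate in range(1, max_id + 1):
        if hmac.compare_digest(naive_id_token(candidate), token):
            return candidate
    return None


class SessionStore:
    """Fix for the cookie: a random, server-generated session id that is looked up,
    not decoded. Knowing another user's account id says nothing about their session."""

    def __init__(self) -> None:
        self._sessions: Dict[str, int] = {}

    def create(self, user_id: int) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[session_id] = user_id
        return session_id

    def resolve(self, session_id: str) -> Optional[int]:
        return self._sessions.get(session_id)

    def destroy(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def make_delete_token(secret: bytes, user_id: int, post_id: int) -> str:
    """Fix for the delete parameter: a keyed MAC over the action, the acting user and
    the object. Without the secret the value cannot be produced for another id."""
    msg = f"delete:{user_id}:{post_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_delete_token(secret: bytes, user_id: int, post_id: int, token: str) -> bool:
    """Constant-time comparison; user_id must come from the server-side session."""
    expected = make_delete_token(secret, user_id, post_id)
    return hmac.compare_digest(expected, token)
```

The keyed token is defence in depth against tampering, not a substitute for the ownership check: the server still has to confirm that the session user owns the post before deleting it. The session store is the actual fix for the cookie problem, because a session identifier that carries no information about the account cannot be rewritten into someone else's.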

Finally, we use Burp Suite to work it out, following Mr. Mehmet İnce’s[4][5] Burp Suite training[6] on Mr. Can Değer’s[7] Twitch stream[8].
We click one of our post titles to see its details and then turn on FoxyProxy[9] to redirect network traffic to Burp Suite.

In Burp Suite, we click the “Proxy” tab, go straight to the “Intercept” area, and then send the “Raw” request to “Intruder” with CTRL+I.

In the “Intruder” section we click the “Positions” area and select the ID value.

In the “Payloads” section, we set the “Payload Type” to “Numbers” under “Payload Sets”, then define the “From”, “To” and “Step” values under “Payload Options”.

Then we click “Start Attack” and the ID values are changed automatically. The “Request” and “Response” results are listed, and we sort by “Length” to see whether any response differs. Then we review the “Response”.

RESULT: The flag was captured.
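The Intruder sweep just described has a distinctive footprint in server logs: one client requesting a dense run of consecutive object IDs within seconds. The following is an added detection example, not part of the writeup, that parses constructed access-log lines and flags that pattern. The log format, the `/view.php?id=N` path (standing in for the application's post-view URL), the IP addresses and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Simplified Apache-style line: ip [timestamp] "GET /view.php?id=N HTTP/1.1" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET /view\.php\?id=(?P<id>\d+) HTTP/1\.1" (?P<status>\d{3})$'
)


def _line(ip: str, second: int, post_id: int, status: int) -> str:
    """Builds one constructed log line (all on 16/Jan/2021 at 10:00:SS)."""
    return f'{ip} [16/Jan/2021:10:00:{second:02d} +0000] "GET /view.php?id={post_id} HTTP/1.1" {status}'


# Constructed sample: a normal reader opens two posts; a sweep walks id=1..12 in three seconds,
# getting 200 for the few posts it may view and 403 for the rest.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", 5, 1, 200), _line("198.51.100.7", 40, 3, 200)]
    + [_line("203.0.113.5", 10 + i // 4, i + 1, 200 if i % 3 == 0 else 403) for i in range(12)]
)


def find_id_enumeration(log_text: str, min_distinct: int = 8, window_seconds: int = 60) -> List[Dict]:
    """Flags clients that request many distinct, mostly consecutive object ids within a
    short window. Consecutive ids with a mix of 200 and 403/404 responses is the shape of
    an Intruder-style sweep against a correctly authorizing endpoint; the same sweep with
    zero denials is what an IDOR-vulnerable endpoint looks like, so both are reported."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines for other paths are not relevant here
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append((ts, int(m["id"]), int(m["status"])))

    findings = []
    for ip, events in per_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            ids = sorted({e[1] for e in window})
            if len(ids) < min_distinct:
                continue
            if len(ids) / (ids[-1] - ids[0] + 1) < 0.8:
                continue  # ids are spread out, not a dense range
            if best is None or len(ids) > best["distinct_ids"]:
                best = {
                    "ip": ip,
                    "distinct_ids": len(ids),
                    "id_range": (ids[0], ids[-1]),
                    "denied": sum(1 for e in window if e[2] in (403, 404)),
                    "requests": len(window),
                }
        if best is not None:
            findings.append(best)  # one alert per client
    return findings
```

The density test (distinct IDs divided by the span they cover) separates a sweep from a user who happens to open many posts over time, and the `denied` count tells the responder whether the authorization check held: a finding with many requests and no denials on an endpoint that serves user-owned objects is the one to escalate.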

REFERENCES

1. Everything You Need to Know About IDOR (Insecure Direct Object References), Ayşe Bilge Gündüz, https://medium.com/@aysebilgegunduz/everything-you-need-to-know-about-idor-insecure-direct-object-references-375f83e03a87, https://github.com/aysebilgegunduz
2. MD5Online, https://www.md5online.org/
3. Cookie Quick Manager, https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/
4. Mehmet İnce, https://github.com/mdisec
5. mdisec, https://www.twitch.tv/mdisec
6. Burp Suite Eğitimi, https://www.twitch.tv/videos/580024014
7. Can Değer, https://github.com/lunizz
8. LuNiZz, https://www.twitch.tv/lunizz
9. FoxyProxy, https://addons.mozilla.org/tr/firefox/addon/foxyproxy-standard/
