This video’s a bit more jumpy than previous ones. Didn’t have time to edit the video to put all the segments together. For example the Oracle Padding attack can take ~5 minutes; normally I’d do some editing magic to speed that up, but in this one I just multi-tasked. Time jumps below; if you go to the video page on YouTube they are links, so it’s a bit easier to jump around.
00:39 - Basic Web Page Discovery
03:30 - Examining Cookies - Pt1 (Burp Sequencer)
05:05 - Fuzzing Usernames (2nd Order SQL Injection)
07:15 - Examining Cookies - Pt2
07:40 - Cookie Bitflip
12:45 - Oracle Padding Attack - Pt1
15:30 - Rooting the Box
22:50 - Oracle Padding Attack - Pt2
There are three different ways to get user:
- Registering “admin=”. The program strips “=” signs from the username; my guess is this is because some libraries don’t do padding with Base64, so to avoid an error the = was stripped. No real idea, didn’t dig too deep into it.
- Bitflipping attack - Registering a username similar to admin and then flipping random bits of the encrypted session cookie. There is a small chance that the bit you blindly flip will give you a session cookie that decrypts to admin.
- Oracle Padding Attack - Any quick explanation I could write may confuse you more. I’d recommend researching this on your own.
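Why the bitflip and the padding oracle in the list above work, and what would have stopped both, as an added Go example that is not from the video or from the box itself: a toy session cookie in the weak form (AES-CBC with no integrity tag, the server trusting whatever decrypts) beside the fixed form (AES-GCM, which rejects any tampered byte before trusting it). The key, the cookie layout (IV prepended to the ciphertext) and the username `user=admio` are constructed assumptions for the demo.

```go
package main

import ("bytes"; "crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")

var (
	key      = []byte("0123456789abcdef") // constructed demo AES-128 key; a real server keeps it secret and random
	block, _ = aes.NewCipher(key)
	aead, _  = cipher.NewGCM(block)
)

// sealCBC builds the weak cookie: random IV || AES-CBC(PKCS#7(plain)), with no integrity tag.
func sealCBC(plain string) []byte {
	n := aes.BlockSize - len(plain)%aes.BlockSize
	p := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	tok := make([]byte, aes.BlockSize+len(p))
	rand.Read(tok[:aes.BlockSize])
	cipher.NewCBCEncrypter(block, tok[:aes.BlockSize]).CryptBlocks(tok[aes.BlockSize:], p)
	return tok
}
// openCBC is the vulnerable server: valid padding is trusted, and the distinct "bad padding" error is the oracle.
func openCBC(tok []byte) (string, error) {
	if len(tok) < 2*aes.BlockSize || len(tok)%aes.BlockSize != 0 {
		return "", errors.New("bad length")
	}
	p := make([]byte, len(tok)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, tok[:aes.BlockSize]).CryptBlocks(p, tok[aes.BlockSize:])
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding")
	}
	return string(p[:len(p)-n]), nil
}
// flipBit is the tamper from the video: CBC computes P0 = Decrypt(C0) XOR IV, so one flipped IV bit flips the same plaintext bit.
func flipBit(tok []byte, byteIdx, bit uint) []byte {
	out := append([]byte(nil), tok...)
	out[byteIdx] ^= 1 << bit
	return out
}
// sealGCM/openGCM are the fix: AES-GCM authenticates nonce and ciphertext, so tampering fails the tag check and no padding error exists to leak.
func sealGCM(plain string) []byte {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, []byte(plain), nil)
}
func openGCM(tok []byte) (string, error) {
	if len(tok) < aead.NonceSize() {
		return "", errors.New("bad length")
	}
	p, err := aead.Open(nil, tok[:aead.NonceSize()], tok[aead.NonceSize():], nil)
	return string(p), err
}
```

With the weak cookie, flipping the lowest bit of IV byte 9 turns the `o` of `user=admio` into `n` and the server happily returns `user=admin`, while a flip in the padding region comes back as a distinguishable "bad padding" error; the same flips against the AES-GCM cookie are simply rejected.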
The root is pretty simple; I’m not sure what it’s called, maybe “PATH Hijack”? Essentially, the coder was lazy and used a relative path (cat) rather than an absolute one (/bin/cat). This means that if we can place a file called “cat” in any directory that comes before /bin in $PATH, the program will execute that file instead of the real cat binary.
Hope you enjoy!