Lazy Video by IppSec

This video’s a bit more jumpy than previous ones. Didn’t have time to edit the video to put all the segments together. For example, the Oracle Padding attack can take ~5 minutes; normally I’d do some editing magic to speed that up, but in this one I just multi-tasked. Time jumps below; if you go to the video page on YouTube they are links, so it’s a bit easier to jump.

00:39 - Basic Web Page Discovery
03:30 - Examining Cookies - Pt1 (Burp Sequencer)
05:05 - Fuzzing Usernames (2nd Order SQL Injection)
07:15 - Examining Cookies - Pt2
07:40 - Cookie Bitflip
12:45 - Oracle Padding Attack - Pt1
15:30 - Rooting the Box
22:50 - Oracle Padding Attack - Pt2

Get user three different ways.

  • Registering “admin=”. The program strips “=” signs from the username; my guess is this is because some libraries don’t do padding with Base64, so to avoid an error the = was stripped. No real idea, didn’t dig too deep into it.
  • Bitflipping attack - Registering a username similar to admin and just flipping random bits of the encrypted session cookie. Small chance the bit you blindly flip will give you a session cookie that decrypts to admin.
  • Oracle Padding Attack - Any quick explanation I can write may confuse you more. I’d recommend researching this on your own.
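
Both the bitflip and the padding-oracle route above work because the cookie is encrypted but never authenticated. As an added example (not from the video or the box), the Go code below builds that kind of unauthenticated AES-CBC cookie next to an encrypt-then-MAC version that rejects any modified byte before decrypting; the keys, IV and sample plaintext are constructed for the demo.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)
var encKey = []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 key (real code: crypto/rand)
var macKey = []byte("hmac-demo-key-hmac-demo-key-1234") // constructed HMAC-SHA256 key
var demoIV = []byte("fixed-demo-iv-16")                   // fixed IV so the demo is deterministic
var ErrPad, ErrMAC = errors.New("bad padding"), errors.New("cookie tampered")
// PKCS#7 padding; pad copies so the caller's buffer is never modified.
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}
func unpad(p []byte) ([]byte, error) {
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || n > len(p) || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPad
	}
	return p[:len(p)-n], nil
}
// EncryptCookie builds IV || AES-CBC(pad(plain)) with no integrity check, like the cookie on the box.
func EncryptCookie(plain []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	ct := pad(plain)
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(ct, ct)
	return append(append([]byte{}, demoIV...), ct...)
}
// DecryptCookie accepts any blob whose padding parses: a flipped IV bit silently flips the matching
// plaintext byte, and the distinct padding error is exactly what a padding oracle leaks.
func DecryptCookie(blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 { return nil, ErrPad }
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	return unpad(pt)
}
// Encrypt-then-MAC fix: the tag covers IV and ciphertext and is checked in constant time before the
// ciphertext is touched, so every modified cookie gets the same generic rejection.
func tag(c []byte) []byte { m := hmac.New(sha256.New, macKey); m.Write(c); return m.Sum(nil) }
func SealCookie(plain []byte) []byte { c := EncryptCookie(plain); return append(c, tag(c)...) }
func OpenCookie(blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+sha256.Size { return nil, ErrMAC }
	c, t := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	if !hmac.Equal(t, tag(c)) { return nil, ErrMAC }
	return DecryptCookie(c)
}
```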

The root is pretty simple; I’m not sure what it’s called, maybe “PATH Hijack”? Essentially, the coder was lazy and used a relative path (cat) instead of an absolute one (/bin/cat). This means that if we can place a file called “cat” in any directory that comes before /bin in $PATH, the program will execute that file instead of the normal cat binary.

Hope you enjoy!

Wow… My method was different, since I don’t possess the same knowledge. Good to see things from a different perspective though, learned a lot! Thanks. <3

Simply Brilliant!

Is it possible to do the same things with auth cookies in OWASP ZAP? I’m trying to resolve some challenge with the same problem and I cannot figure out how to do the bit flipping, and the padding attack does not work because the auth cookie in my case has a different length …
Thanks for the video, I’ve learned a lot of good stuff!