Authentication Vulnerabilities - Lab #10 Offline password cracking | Long Version

Captions
Hi everyone, welcome back to another video in the Web Security Academy series. In today's video we'll be covering lab number 10 in the authentication module, titled Offline Password Cracking.

Alright, before we continue with the video I'd like to announce that this video is part of a course that I offer on my academy. Now you might be wondering, why would I buy a course that is made available for free on YouTube? Well, there are four reasons why you might want to do that. Number one is that you gain early access to recorded material: as soon as I record new videos I make them available through my course right away, whereas on YouTube they'll only be released on a weekly schedule. Reason number two is that you gain access to a Discord channel where you can ask questions. The Discord channel is divided into topics that we cover in the course, and if you run into any issues you get to ask questions about anything related to the course material. Reason number three is that you no longer have to deal with YouTube ads or sponsor messages. And last but not least, reason number four is you get to support me. Any revenue generated from this course will go back into maintaining the academy and creating more videos and courses that will be made available for free on my YouTube channel. So if you're interested in buying the course, make sure to check out the link in the description. And that is it, let's go back to our video.

If you do not have an account on the Web Security Academy, you can get one by visiting the URL portswigger.net/web-security and clicking on the sign up button. I already have an account and I am logged in, so to access the exercise I'm going to click on Academy, select All labs, do a search on authentication labs and select lab number 10, titled Offline Password Cracking.

Alright, let's get started. This lab stores the user's password hash in a cookie. The lab also contains an XSS vulnerability in the comment functionality. To solve the lab, obtain Carlos's stay-logged-in cookie and use it to crack his password, then log in as Carlos and delete his account from the My Account page. And then you're given credentials for a regular user account and the victim's username. Alright, so the target goal over here is to obtain Carlos's stay-logged-in cookie, which contains his password hash, and then crack the hash and log in using the username and password that you obtained for the Carlos user.

Alright, let's access the lab. Now notice over here, this is the built-in browser in Burp, and so all of my requests are already being passed through my proxy. I am using the Professional version; however, this lab doesn't require you to use the Professional version, so everything that I do you can perform using the Community Edition.

Alright, so the first thing that we're going to do is log in using the regular account that we were given and just look at how the authentication function is performed. So the password was peter, and then we have a stay-logged-in functionality, so that's it, login. It performs a POST request right over here which takes in the username, the password and then the flag for the stay-logged-in parameter saying that it's on. And if you look over here, it sets two cookies: the stay-logged-in cookie and the session cookie. Now the stay-logged-in cookie over here doesn't look random to me, so it looks like it's encoded. So what I'm going to do is I'm just going to copy this and go to Decoder, put it in here and then click on decode as Base64, and here we go. So definitely not random: it contains the user's username and then a colon, and this looks like an MD5 hash to me. So what I'm going to do is I'm going to copy this and then I'm going to go to crackstation.net, I'm going to put the hash in here and then say I'm not a robot and select all the traffic lights, hit verify and then click on Crack Hashes, and here we go. So it tells you that this is an MD5 hash and the plaintext password of this hash is peter.

Okay, so first disclaimer is you should never put real-world hashes, so client hashes, in an online application, because that's considered a breach of information. However, because this is an exercise, I'm using CrackStation instead of using hashcat because it's easier. Now the issue over here is the implementation for how the user can continue to stay logged into the application is done incorrectly. So the cookie over here contains the user's password hash, and if there's ever an XSS vulnerability in the application, what an attacker could do is attempt to steal this cookie over here. And if we go back to Proxy, you could see the cookie doesn't have the HttpOnly flag, so any JavaScript in the application can access the cookie. So that's exactly what we're going to do: we're going to try and attempt to access Carlos's cookie.

So let's click on Log out and look for a place in the application where we have an XSS vulnerability. So let's click on View post, and here we go. So over here you've got reflected input, so anything that you put in the comment field, and possibly even the name field, gets reflected in the application, so this is the perfect place to test for an XSS vulnerability. Now the first place I'm going to test is the comment field. So we're just going to test for a really simple XSS vulnerability, so alert(1) and then /script, which just pops a window with an alert that has 1 in it. And then we're just going to say test over here, email is going to be test@test.ca, and then website is http://www.test.ca, and we're going to post a comment. And then we're going to go back to the blog and see if our XSS vulnerability worked, and it did. So you get an alert that has the integer 1 in it, so the comment field is definitely vulnerable to XSS.

So the next thing that we're going to do is enter an XSS payload over here that steals the session cookie of any user of the system that visits this blog post over here. So the way we're going to do that is we're going to say script and then close the script right over here, and inside of that we're going to say document.location is equal to, and that would be set to our exploit server. So if you're not familiar with a cross-site scripting vulnerability, there's a ton of online resources on it. It's essentially a client-side vulnerability that allows you to inject malicious client-side code, usually JavaScript, in the application to potentially perform harmful actions. In this case, the harmful action that we're performing is stealing the user's cookie. So any user that visits the post, it'll attempt to steal the cookie and send it to our exploit server. So this is the exploit server that the application has provided for us, and so we're going to use that. So we're going to say every time anyone visits this page in the application, I want you to visit my exploit server, and when you do that I want you to grab the cookie of the user and append it to my exploit server. And that's essentially it. So on the exploit server we're going to have access logs that check every time someone does a request to the exploit server. So every time anyone visits this page, it'll perform a request to this link over here and then append the cookies of the user to the link. So let's just say test@test.ca over here and then the website http://www.test.ca, just in case it does any validation on the format. So let's click Post Comment.

Now let's go to our exploit server and then go down, go to the access log, and over here, so far it doesn't look like anyone clicked on anything. Let's look at the access log. Okay, so so far no one has clicked. Let's reload it again, and here we go, so it looks like we've got more resources. Let's look again, and no one clicked. So I don't know how often that robot runs, but it should run every couple of seconds, which means that my exploit didn't properly work. So let's go back to the lab and View post, click OK and look over here. So it looks like it did see it as JavaScript. So if we go over here and then go to document.location, and I know what my issue is over here, so I wrote this incorrectly, which is why it's not working. So let's copy this again, paste it in here, and the issue was with this: it should be a single quote and a single quote. And then again let's just say test, and over here test@test.ca, and then the website is http://test.ca, and post comment. Now this should work. Let's go to the exploit server and then go down, go to access log and see if the user will click on, will view the page. And so far I'm not seeing any cookies from the user.

Okay, so again let's go back to the exploit server, and this is how real hacking works: you have to keep customizing your exploit. So let's click on View post, click OK, go down and view the content over here. So we've got two document.location; this is the incorrect one and then we have a second one, and I know where my issue is over here, I made another mistake. So let's copy this, hopefully this is the last mistake I made. Okay, so this should be over here. So the idea is you've got your exploit server over here and then from there you add a document.cookie. I was just missing one single quote. Hopefully this should work. So test, test@test.ca and then http://test.ca, post comment, and then we go to the exploit server, go to access log and see if that worked. And here we go, it did work. So you can see over here it called the endpoint /exploit from the IP address 10.0.3.6; that's the IP address of the user that visited the post, which looks like it's an internal IP address. You can see over here that user had two cookies. So there's a secret cookie, which I'm not sure what that is because I didn't see it when I logged in with my regular user, and then there's a second cookie, which is the stay-logged-in cookie. Now this is the cookie that I care about, so I'm going to copy it and I'm going to close this, close this, go to CrackStation. And actually before we go to CrackStation, let's go to Decoder, put it in here, and you could see it decodes to carlos and then the MD5 hash of Carlos. So we're going to copy that, put it in here, say I'm not a robot, Crack Hashes, and you could see the password of the Carlos user is Once Upon a Time.

So now we have both the username and the password of the user. So let's close this and this and then go to My account, put in the username, which is carlos, and then the password, which is Once Upon a Time, hit Login, and here we go, we access the Carlos account. And if we reload we should see the "Congratulations, you solved the lab". And actually we don't see it, because I think we need to delete the account. So let's delete the account, say Once Upon a Time and then click on Delete account, and here we go, so it says "Congratulations, you solved the lab".

Alright, so we successfully completed the exercise by exploiting the vulnerability manually. Now we usually script the exploit in Python, but because this requires an exploit server and it was a combination of two vulnerabilities, we won't be scripting the exploit. In the next lab we'll look at another case of a broken authentication vulnerability. If you liked the video, hit the subscribe and share button so that the video reaches a wider audience. Also make sure to check out my course if you're interested in seeing more videos like this one. Thank you and see you in the next video.
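As an added illustration (not code from the video or from the lab), the cookie scheme the transcript decodes, base64(username:md5(password)), is rebuilt so its weak shape can be recognised and confirmed against an account you own, next to a hardened remember-me design using an opaque random token and the HttpOnly flag the transcript notes is missing. The username "alice", the in-memory token store and the hardened design are assumptions; only the password "peter" and the cookie format come from the page.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed reproduction of the lab's scheme: base64(username + ":" + md5(password)).
# Only the password "peter" comes from the video; the username is a made-up sample.
def lab_style_cookie(username: str, password: str) -> str:
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()

# username, colon, 32 hex characters: the shape of an unsalted MD5 remember-me cookie
WEAK_RE = re.compile(r"^([^:]+):([0-9a-f]{32})$")

def inspect_stay_logged_in(cookie: str):
    """Decode a stay-logged-in cookie; return user/hash if it matches the weak shape."""
    try:
        decoded = base64.b64decode(cookie, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    match = WEAK_RE.match(decoded)
    return {"username": match.group(1), "hash": match.group(2)} if match else None

def confirms_own_password(cookie: str, password: str) -> bool:
    """Verify, with a test account you own, that the hash is plain md5(password)."""
    info = inspect_stay_logged_in(cookie)
    if info is None:
        return False
    expected = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(info["hash"], expected)

# Hardened alternative (assumed design, not the lab's code): an opaque random token
# that the server maps to the user, so the cookie reveals nothing about the password.
TOKEN_STORE = {}  # sha256(token) -> username; only the hash of the token is kept

def issue_remember_me(username: str):
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[hashlib.sha256(token.encode()).hexdigest()] = username
    # HttpOnly keeps the cookie out of reach of script injected through the XSS
    header = f"Set-Cookie: stay-logged-in={token}; HttpOnly; Secure; SameSite=Strict; Path=/"
    return token, header

def lookup_remember_me(token: str):
    return TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())
```

Running `inspect_stay_logged_in` over your own application's cookies is a quick audit for the pattern this lab demonstrates; a remember-me value that decodes to a username and a fixed-length hex digest deserves the same scrutiny.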
Info
Channel: Rana Khalil
Views: 1,729
Keywords: security, web security, owasp, open web application security project, portswigger, web security academy, python, offensive security, bug bounty, scripting, burp, burp suite, oswe, offensive security web expert, black-box penetration testing, white box pentesting, peneration testing, pentesting, broken authentication, authentication, authentication vulnerabilities
Id: N8ML3bp36Hc
Length: 13min 27sec (807 seconds)
Published: Sun Sep 17 2023