Man, this one should have been an expert lab, not just a practitioner lab. It was hard to follow, but in the end I got it.
@jessloke7544 4 months ago
1. Initial Setup and Observations
   - Log In and Stay Logged In: Log in with the "Stay logged in" option enabled. Post a comment and observe the requests and responses using Burp Suite. Note the encrypted stay-logged-in cookie.
   - Invalid Email Address Submission: Try submitting a comment with an invalid email address. Observe that a notification cookie is set and includes your email in cleartext.
2. Encryption and Decryption Exploration
   - Burp Repeater Setup: Send the POST /post/comment request to Burp Repeater and rename the tab to "encrypt". Send the GET /post?postId=x request (with the notification cookie) to Burp Repeater and rename the tab to "decrypt".
   - Encrypt and Decrypt Data: Use the email parameter in the "encrypt" request to generate an encrypted cookie. Use the notification cookie in the "decrypt" request to decrypt data and see the output in the error message.
3. Exploiting the Encryption
   - Decrypt Stay-Logged-In Cookie: Copy your stay-logged-in cookie and paste it into the notification cookie in the "decrypt" request. Send the request and note the decrypted format: username:timestamp.
   - Create Administrator Cookie: Copy the timestamp from the decrypted stay-logged-in cookie. In the "encrypt" request, set the email parameter to administrator:your-timestamp (replace your-timestamp with the actual timestamp). Send the request and copy the new encrypted notification cookie.
4. Bypassing the Encryption Prefix
   - Handle Prefix in Decrypted Message: Decrypt the new cookie and observe the "Invalid email address: " prefix. URL-decode and Base64-decode the cookie in Burp Decoder.
   - Adjust for Block-Based Encryption: In Burp Repeater, delete the first 23 bytes from the decoded data. Pad the email parameter with 9 characters to make the data length a multiple of 16, e.g., xxxxxxxxxadministrator:your-timestamp. Encrypt and decrypt the adjusted data to ensure it's valid.
5. Using the Self-Made Cookie
   - Remove Prefix and Finalize Cookie: Delete 32 bytes from the start of the decoded data after ensuring the length is correct. Re-encode the data and use it as the notification cookie.
   - Gain Admin Access: Send the GET / request with the new stay-logged-in cookie (replace the session cookie) in Burp Repeater. Verify that you are logged in as the administrator.
   - Delete User: Browse to /admin and use the delete option to remove the user carlos (e.g., /admin/delete?username=carlos).
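An offline simulation of the two cookie endpoints used in the walkthrough above, added here as an example and not code from the video or the lab: it reproduces why 9 filler characters and a 32-byte cut (23 + 9) leave a ciphertext that decrypts cleanly to the chosen username:timestamp, while cutting only the 23 prefix bytes produces the length error. Assumptions: AES in ECB mode with PKCS#7 padding (the lab never states its mode or padding) and a constructed 16-byte key supplied by the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"strings"
)

// The 23-byte text the lab's error page prepends to the email before encrypting it into the notification cookie.
const prefix = "Invalid email address: "
// ecb runs AES over each 16-byte block independently. Assumption: ECB is the simplest mode in which dropping
// whole leading ciphertext blocks leaves the remaining blocks decryptable; the real lab may differ.
func ecb(key, in []byte, encrypt bool) []byte {
	blk, _ := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	op := blk.Decrypt
	if encrypt {
		op = blk.Encrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		op(out[i:i+16], in[i:i+16])
	}
	return out
}

// encryptOracle mimics POST /post/comment: prefix + email, PKCS#7-padded up to a multiple of 16, then encrypted.
func encryptOracle(key []byte, email string) []byte {
	pt := []byte(prefix + email)
	n := 16 - len(pt)%16 // padding byte count, always 1..16
	return ecb(key, append(pt, bytes.Repeat([]byte{byte(n)}, n)...), true)
}

// decryptOracle mimics the notification-cookie handler; a misaligned length is the error seen after cutting only 23 bytes.
func decryptOracle(key, ct []byte) (string, error) {
	if len(ct) == 0 || len(ct)%16 != 0 {
		return "", errors.New("ciphertext length is not a multiple of 16")
	}
	pt := ecb(key, ct, false)
	if n := int(pt[len(pt)-1]); n >= 1 && n <= 16 {
		return string(pt[:len(pt)-n]), nil // strip PKCS#7 padding
	}
	return "", errors.New("bad padding")
}

// forgeCookie is the walkthrough's arithmetic: pad the prefix out to a block boundary (23 + 9 = 32), encrypt,
// then drop those two whole blocks so only the chosen username:timestamp remains in the ciphertext.
func forgeCookie(key []byte, payload string) []byte {
	padLen := (16 - len(prefix)%16) % 16 // 9 filler characters
	ct := encryptOracle(key, strings.Repeat("x", padLen)+payload)
	return ct[len(prefix)+padLen:] // 32 bytes = two blocks removed
}
```

The defensive fix is an authenticated mode (for example AES-GCM with the cookie's purpose as associated data) and a separate key per cookie type, so a trimmed or repurposed ciphertext fails its tag check instead of decrypting.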
@abdulx01 3 years ago
Thanks, Sommer, it's just an amazing walkthrough.
@muudus_tv 3 years ago
Hey Michael.. I am facing one issue with my Burp Pro. After right-clicking on the first byte, I am not finding any option for deleting a specific number of bytes in Decoder.
@muudus_tv 3 years ago
@Alex Hack Is Michael still there??
@gyanna1947 3 years ago
Same for me... has someone achieved it???
@ctfs09 2 years ago
Same here. Did you guys figure that out?
@NassimDhaher 2 years ago
Left-click to choose the byte, then right-click on it and select "Delete selected byte". Not sure about Pro, but in Community I had to choose the bytes one by one while clicking on the Shift button.
@NassimDhaher 2 years ago
@@ctfs09 Left-click to choose the byte, then right-click on it and select "Delete selected byte". Not sure about Pro, but in Community I had to choose the bytes one by one while clicking on the Shift button.
@jaywandery9269 10 months ago
The lab was interesting, great explanation also.
@GG-go7jv 7 months ago
How did you guess it's URL + b64 encoded over a random cipher?
@daronwolff a year ago
Thanks, this one was hard!
@ucminhnguyen5610 3 years ago
Thank you for the video showing the lab solution of "Authentication bypass via encryption oracle". But I don't understand: 1. I tried replacing the timestamp parameter with any value, and the lab is still successful. So, what does the timestamp parameter mean? 2. When I change the timestamp parameter, for example xxxxxxxxxadministrator:12345, the length will no longer be a multiple of 16. Why does it still work?
@Michael10Sommer 3 years ago
The time-stamp is not included.
@ucminhnguyen5610 3 years ago
@@Michael10Sommer Sorry? I still do not understand.
@elmagnifico007 3 years ago
@@ucminhnguyen5610 It is what you delete that must be a multiple of 16.
@FMisi 7 months ago
Toughest practitioner lab. Now it's easy, but it was hard to wrap my head around it.
@ackblerg a year ago
This one was so hard to understand, it took me all morning. The trick is that the encryption output has padding bytes (added to the end) so that it will always be a multiple of 16.
@red_team6747 11 months ago
But if that is the case, why do we need to make any changes? It would be enough to erase the "Invalid email address" message. Padding bytes will be added at the end. Could you explain how you figured this one out?
@paulojr1384 2 years ago
Why do we first delete the first 23 bytes, but the real answer is to delete 32? I would very much appreciate learning how to get these numbers. It is very rich content anyway, thanks a lot.
@MasakiKyosuke a year ago
It looks like the algorithm behind it is what we can call a "block cipher algorithm" (like AES), and it does not use padding (that would add characters automatically), so you need to have fixed-size data to encrypt, which must be a multiple of 16 in length. He didn't know this information at first, so he tried to suppress "Invalid email address: " (you can count that it's 23 characters). But after getting the error, he understood it needs to be a multiple of 16 in size, so he needed characters to reach a multiple of 16 (that's what we can call "padding": adding characters to fill up the last block). And for that you have 2 choices:
- Get rid of 7 characters (impossible, it would erase characters in "administrator")
- Pad with 9 characters (you can easily understand that 7 + 9 = 16)
To help you, when you are in the Decoder tab in decoded format, one line = 16 bytes, so to have a multiple of 16 you only need full lines.
@ayarana a year ago
@@MasakiKyosuke Why is the code decoded as Base64? I understand the reason for decoding it as URL, but I still don't understand the reason for using Base64.
@MasakiKyosuke a year ago
@@ayarana It is a common thing to use Base64 when you encrypt something, because the result of the encryption could give you non-printable characters that could not be used as a string in the URL even if the URL is encoded. The latest RFC about this says that headers should only use US-ASCII characters, and only the reserved characters are encoded (' ' to '%20', '/' to '%2f', etc.). Don't take this sentence as a general truth; the RFC often changes, it could be false in the future!
@ackblerg a year ago
@@MasakiKyosuke It is adding padding when encrypting to get a result that is a multiple of 16 bytes; the error is when trying to decrypt something that is not a multiple of 16 bytes. By adding extra characters to the portion that will be removed so that it's a multiple of 16, the remainder will still be a multiple of 16 (including any additional bytes that were used for padding, which will be removed once decrypted).
@Jeckwilke 2 years ago
Dope lab.
@JuanBotes 2 years ago
Tough one, wow.
@jessloke7544 4 months ago
I can follow, but I won't be able to use this technique in my real life ever... there are a lot of assumptions there which I have no clue about.
@wreakygaming7429 3 years ago
I don't want to be rude, but you confuse me a lot.
@cair0_ 3 years ago
Me too.
@NassimDhaher 2 years ago
It is a difficult lab.
@leopan8835 a year ago
Useless video; Burp Suite has a different interface and options now, so there is no point in using it. Also, many questions here are not answered.
@fernandovelazquez2146 2 years ago
Man, this crap is not practitioner at all. Hence, I have read enough pentest reports and BB write-ups to conclude this thing will not be common at all in the wild. When things started to get messy I just skipped it. Maybe one day I will be bored and want some CTF.
@LMeasy 5 months ago
Maybe it's just me, but it seems like there is no explanation at all in these videos, just manually saying what to click, which is not a characteristic of a good lesson. The "why" part is missing, so it is useless. I am not sure if this teaching style is effective; it seems like teaching nothing, just encouraging repeating actions, which is really useless.
@huyha3684 a year ago
Finally, I got it. I can't believe it's at the Practitioner level. 🥲