To avoid this risk, session tokens should be random, or properly encrypted and signed.
Click Preferences, Advanced, Network, Settings.
Configure your browser to use 127.0.0.1 on port 8080 as a proxy, as shown below.
In Burp, on the Proxy tab, on the Options sub-tab, ensure that Burp is listening on address 127.0.0.1, port 8080, as shown below.
The page should load in Firefox, and Burp should show the requests on the Proxy tab, on the "HTTP history" sub-tab, as shown below.
If a message appears, saying "Your connection is not secure", as shown below, do the steps in the gray box below to import the SSL certificate.
Importing the SSL Certificate
In Firefox, click the Advanced button.Click the "Add Exception..." button.
Click the "Confirm Security Exception" button.
The secure page loads, and Burp shows the requests used to load it, as shown below.
The challenges appear. Scroll down to challenge 3, as shown below.
A "Welcome" page appears, showing you are logged in with uid=5, as shown below.
Enter this username, which is 32 "A" characters:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAClick "Log in".
Notice that there are blocks of repeated hex code, as shown below. This is the telltale sign of ECB mode encryption.
On the left, in the "Plain" section, the parameters are shown. They are grouped into blocks of 8 characters. On the right side the hexadecimal encrypted bytes are shown.
In your browser, click the Back button to return to the Challenge 3 login form. Click "Log in".
You get another "Welcome" page, as shown below.
Try logging in a few times and verify these things:
Change the username to some abbreviation of your own name that is five letters long. In my example, I'll use waldo. Click "Log in".
You get another "Welcome" page, as shown below.
Notice these things:
Second, we need to insert that line of text after the line ending with "uid=".
Click "Log in".
The seond line starts with a single random digit. If it's not "1", repeat the process until it is. It took me 12 tries to get the image below.
When you have a line of text beginning with "1&", proceed to the next section.
Click the last POST request to https://attack.samsclass.info to select it.
In the lower pane of Burp, on the Request tab, you can see that the POST request sends the username and password to the server, as shown below.
In the lower pane of Burp, on the Response tab.
The server sets a cookie named "blob", as shown below.
The blob is encoded with Base64, using the characters A-Z, a-z, 0-9, and two more: %2b for "+" and %2f for "/".
We need to manipulate this blob to log in as a different user.
In Burp, click the Decoder tab.
On the right side of Burp, click the "Smart decode" button. The "%2b" and "%2f" characters are highlighted with red, and the normal Base64 blob appears in a new box below, containing "+" and "/" characters.
In the second group of buttons, click "Decode as...". In the drop-down menu, click Base64, as shown below.
A third box appears, containing hex values, as shown below.
Compare these hex values to the "hex" shown in Firefox. The bytes we need are in the second half of the first row in Burp, as shown below.
Click in the ninth byte in the third row, press backspace twice to delete its contents, and type in the values from the first row.
Carefully copy the second 8 bytes in the first row into the third row, as shown below.
In the third section, on the right side, click "Encode as...", Base64, as shown below.
A line of Base64 text appears in a new section, as shown above. The problem with this blob is that it contains "+" characters which will be interpreted as the end of parameter values--those characters must be URL-encoded.
Burp doesn't seem to have an option to only URL-encode some of the characters, but it can URL-encode them all.
On the right side, click "Encode as...", URL, as shown below.
A new section appears, containing a long blob of URL-encoded text, as shown below.
Highlight this entire row and copy it to the clipboard, using "Command+C" on a Mac, or "Ctrl+C" on a PC.
In Firefox, click the Back button to return to the Challenge 3 login form.
Click "Log in".
In Burp, on the Proxy tab and the Intercept sub-tab, a POST request to https://attack.samsclass.info appears, as shown below.
If it doesn't, click the Forward button until it does.
Click the Forward button agaim.
A GET request to https://attack.samsclass.info appears. Double-click the blob of data, delete it, and paste in the data you copied earlier, as shown below.
In Burp, click the "Intercept is on" button to allow traffic to flow through.
Your Web browser should now show you logged in with "your name" and uid=1, as shown below.
This is privilege escalation--you are now user #1, which is typically the administrator.
W 530.1: Flag (15 pts)
The flag is the word covered by a green rectangle in the image below.
W 530.2: Encrypted A's (10 pts)
Find the ciphertext produced when this form encodes a string of eight "A" characters.The answer is sixteen hexadecimal characters, like this:
11aa22bb33cc44ddThat 16-character string is the flag.
W 530.3: Horizontal Privilege Escalation (25 pts)
Authenticate to the server with a different valid uid.Hint: there's an old script left on the server named token4debug.php
When you succeed, the flag will appear, as shown below.
W 530.4: Vertical Privilege Escalation (25 pts)
Authenticate to the server with a uid of one (administrator).
When you succeed, the flag will appear, as shown below.
Updated 6-13-2020
Sam Bowne
