
My account (And the fucking blog option) was (and is) broken.

Hastabrand


So my account was broken

account.PNG

What now?

Well, the first step is of course to understand what went wrong. Looking at the error message at the bottom of my screen:

[[Template core/front/global/footer is throwing an error. This theme may be out of date. Run the support tool in the AdminCP to restore the default theme.]]

So this looks bad, but nothing too bad, right? Surely I could just manually change the theme, considering that's what the error message is suggesting, right?

Error.PNG

Looks like luck isn't on my side, and I can't exactly just go "Change the theme", which is usually located at the bottom of the page. Damn.

I could surely just write a message to @PirateCaptain and get this fixed, right? But then again, on second thought:

Last.PNG

Maybe not.

 

So this means taking matters into my own hands! :pcpirate:

First step is of course to log out, then log back in. Considering how websites store data, it's worth figuring out whether or not data such as themes is stored locally or in the cookies.

Cooks.PNG

The cookies do not look like they contain any theme-related data, or any data outside of regular security/authentication data, and flushing the browser cache did nothing either, leaving only one option!
Reversing the network protocols!

Now, I have spent a good amount of time writing bots and scripting network requests, primarily for CTF-related matters, but also at times for personal reasons. Forums tend to be a tad annoying to script, however, due to their security-related measures. For example, every request has a timestamp in the request headers, different session cookies, and sometimes JavaScript challenges as well, making it tedious and annoying to script, but definitely not impossible!

Now, considering I couldn't change the theme on my own account, I decided to make a new temporary account (thanks to @SomeUsernameLol).

But giving myself a break, I decided to simply use the developer tools in Firefox to capture the network traffic of the "change theme" action under my temporary account:

ianhaz.png

Looking at the network request made when changing the theme, 3 things are apparent:

1. It's a POST request.

2. It contains the cookies (like every request does, but noteworthy anyway).

3. It has a csrfKey!

However, looking back at the earlier screenshot of the cookies, there is no value directly containing the csrfKey, nor is it apparent in the page source. Bummer.

 

Now, finding the csrfKey is the next difficult thing to do. Since my account was broken, the majority of its functionality was down as well. This meant no posting in threads, no settings, no voting, no changing anything, and so on. Basically all functionality was down, except for one: the MONEY one :moneyfly: !!

Turns out, one of the only things working in my account was the store page (coincidence? I think not).

Setting aside this suspicious coincidence, this meant that there must be account-binding information in those requests (purchases, by their nature, have to be tied to your account).

Next thing to do was getting the CSRF!

Checkout.PNG

 

Now that we have everything we need, we can just copy the cookies and the csrfKey over to the previous request from the temporary account and be done, right?

tgefwt.png

 

As it turns out, you can't.

 

Due to the way security is implemented in most forum software, CSRF tokens are either bound to a timestamp and/or are single-use. This means you can't just copy the cookies and token from another account's request and call it a day; we have to capture a fresh set of requests from the broken account itself (ideally one that already contains the CSRF token, so we can be sure all the cookies belong together).
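The check described above, written out as an added example (this is not the forum software's own code): a small Python model of a CSRF token that is time-limited and single-use, plus a parser for a captured form POST and the server-side handler that validates it. The cookie name, endpoint path, secret and request bodies are constructed for the demo. Binding the token to the session id with an HMAC is an assumption about how such tokens are commonly built; it is what makes the "copy the temporary account's token onto the broken account's cookies" attempt fail, while the time limit and the used-token set model the timestamp and single-use behaviour the post runs into.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSION_COOKIE = "session"  # constructed cookie name for the demo


@dataclass
class CsrfStore:
    """Issues and validates CSRF tokens that are bound to a session id (HMAC),
    time-limited (ttl seconds) and single-use. Assumed design, see lead-in."""
    secret: bytes
    ttl: int = 600
    used: set = field(default_factory=set)

    def _sign(self, session_id: str, issued: str, nonce: str) -> str:
        msg = f"{session_id}:{issued}:{nonce}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        return f"{issued}.{nonce}.{mac}"

    def issue(self, session_id: str, now: int) -> str:
        return self._sign(session_id, str(now), secrets.token_hex(8))

    def validate(self, session_id: str, token: str, now: int) -> str:
        parts = token.split(".")
        if len(parts) != 3 or not parts[0].isdigit():
            return "malformed"
        issued, nonce, _mac = parts
        # Recompute under the *presenting* session: a token issued to another
        # account's session yields a different MAC and is rejected here.
        if not hmac.compare_digest(token, self._sign(session_id, issued, nonce)):
            return "not bound to this session"
        if now - int(issued) > self.ttl:
            return "expired"
        if token in self.used:
            return "already used"
        self.used.add(token)
        return "ok"


def parse_form_post(raw: str):
    """Split a raw HTTP request (as seen in dev tools or a proxy) into
    method, cookie dict and form-field dict."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    cookies = {k: m.value for k, m in jar.items()}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return method, cookies, form


def handle_change_theme(store: CsrfStore, raw: str, now: int) -> str:
    """Server-side check a theme-change endpoint should perform."""
    method, cookies, form = parse_form_post(raw)
    if method != "POST":
        return "method not allowed"
    session_id = cookies.get(SESSION_COOKIE)
    if not session_id:
        return "no session"
    return store.validate(session_id, form.get("csrfKey", ""), now)


def build_request(session_id: str, csrf_key: str, theme_id: int) -> str:
    """Constructed request; the path is a placeholder, not the real endpoint."""
    body = f"theme_id={theme_id}&csrfKey={csrf_key}"
    return (
        "POST /theme/change HTTP/1.1\r\n"
        "Host: forum.example\r\n"
        f"Cookie: {SESSION_COOKIE}={session_id}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def demo(now: int = 1_700_000_000) -> dict:
    """Runs the situations from the post against the check."""
    store = CsrfStore(secret=b"constructed-demo-secret")
    # 1. Token captured under the temporary account, cookies of the broken one.
    temp_token = store.issue("temp-session", now)
    copied = handle_change_theme(store, build_request("broken-session", temp_token, 4), now)
    # 2. Fresh request captured from the broken account itself.
    fresh = build_request("broken-session", store.issue("broken-session", now), 4)
    first = handle_change_theme(store, fresh, now + 5)
    # 3. Sending the exact same request a second time.
    replay = handle_change_theme(store, fresh, now + 10)
    # 4. A correct token that sat too long before being used.
    stale = build_request("broken-session", store.issue("broken-session", now), 4)
    late = handle_change_theme(store, stale, now + 601)
    return {"copied": copied, "first": first, "replay": replay, "late": late}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>7}: {result}")
```

Running `demo()` shows the copied token rejected as not bound to the presenting session, the fresh request accepted once, the identical replay rejected as already used, and the stale token rejected as expired, which is why only a fresh capture from the affected account works.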

To do so, we fire up Burp Suite, go back to the :moneyfly:store page:moneyfly:, and capture the request.

What makes Burp Suite different from just watching requests in the developer tools is that it sits as a proxy between the browser and the server (a man-in-the-middle on our own traffic), so we can intercept a legitimate request, change a few fields, send it on, and bam, it's done!

To do so, we configure Firefox to use 127.0.0.1:8080 as its proxy and capture the package.

unknown.png

 

Looking at the HTTP history, I marked the POST request that changes the theme in red and sent it to Intruder.

xdbmhq.png

 

Now, we send the request again, and under Intercept we copy the data over to the Repeater tab, replacing the identifying information!

op9882.png

 

Now all that was left was to press Go, and voilà! The theme got changed on the broken account, and I regained access to shitpost, using the prettiest theme of them all!

unknown.png
