Hackthebox: I know Mag1k is based on the padding oracle attack. A padding oracle attack decrypts ciphertext using information the application reveals about existing ciphertext. It allows you to decrypt the encrypted data. Moreover, we can also encrypt arbitrary data without having the encryption key. This leads to access to sensitive information. Let's start with the walkthrough:

The login page doesn't have much info. I tried SQLi on the username and password fields, but it is not vulnerable. So the next thing to do is to register.


Once you log in after registering, you will see your own profile. There is not much to do there.
So I fired up Burp Suite to see what the requests are. The only thing that will catch your eye is the iknowmag1k cookie.

If you look closely, it is URL-encoded, and decoding it gives a base64 value. But if you decode the base64, it gives gibberish text:
"k:g@aDQT\nDRp".

I Googled a bit and found that the cookie can be padded. That gets me to the padding oracle attack.
The real string is padded with some extra characters, and we can use a tool called padbuster in Kali to decrypt this string.

I used padbuster and it gave me the actual text that was padded and encrypted.
[Screenshot: padbuster iknowmag1k]

It gave me this output:
[Screenshot: padbuster iknowmag1k]

Now I know what data is being transferred in the cookie, and I can create my own arbitrary cookie. So I encrypted the string below with the help of padbuster to get the admin profile.
{"user":"jojo","role":"admin"}
That is all it takes!
[Screenshot: padbuster iknowmag1k]

The output of the above command gave me the cipher text for the same.

[Screenshot: padbuster iknowmag1k]

Now all I had to do is pass it as the iknowmag1k value and there you go!

[Screenshot: padbuster iknowmag1k]
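The walkthrough works because the server accepts a cookie whose integrity it never checks. The sketch below is an added example (Python, not code from the challenge or from this post) of a cookie that carries an HMAC-SHA256 tag and is rejected identically for every kind of tampering, so no response distinguishes one bad cookie from another. It signs the session instead of encrypting it; the key, function names and the "user" role value are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)  # constructed per-process key; a real server loads its own secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def seal(session: dict, key: bytes = KEY) -> str:
    """Serialize the session and append an HMAC-SHA256 tag computed over it."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def open_cookie(cookie: str, key: bytes = KEY):
    """Return the session dict, or None for every kind of invalid cookie."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong number of parts or undecodable base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)  # parsed only after the tag has been verified

def forge_role(cookie: str, role: str) -> str:
    """Edit the payload the way a client without the key could: the old tag is reused."""
    payload_b64, tag_b64 = cookie.split(".")
    session = json.loads(_unb64(payload_b64))
    session["role"] = role
    return _b64(json.dumps(session).encode()) + "." + tag_b64

def tamper_outcomes(cookie: str) -> set:
    """Flip one bit at every byte of payload and tag; collect the server's answers."""
    payload_b64, tag_b64 = cookie.split(".")
    payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    outcomes = set()
    for i in range(len(payload) + len(tag)):
        raw = bytearray(payload + tag)
        raw[i] ^= 0x01
        p, t = bytes(raw[:len(payload)]), bytes(raw[len(payload):])
        outcomes.add(repr(open_cookie(_b64(p) + "." + _b64(t))))
    return outcomes
```

If the cookie contents must also stay confidential, the same verify-before-anything-else ordering applies to an authenticated encryption mode, or to a MAC computed over the ciphertext and checked before decryption.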

 
