Story of a Massive Hack: Hacking Almost Every User of an Organization

Sudhanshu Kumar Kashyap
6 min read · Dec 27, 2021

So this writeup is all about hacking an entire organization whose valuation is more than 4 BILLION. Before continuing on the topic: account takeovers are one of my favorite kinds of exploitation. Whenever I test a web application I always try to exploit each and every possibility of account takeover.

Let’s begin. So there is this org which has more than a dozen web applications running, a few hosted internally, but the rest publicly accessible. Before testing I was told this company has its own internal IT security team, and that is where the geeks sit. That always gives you a little extra motive; all that is running in your mind is: no matter what, and no matter how many geeks there are, I am still gonna hack it. I started hacking on multiple web applications and was mostly focused on critical bugs like SQLi, LFI, RFI, file uploads etc. Luckily, with a little bit of work and with the charm of SSRF, I successfully exploited admin functionalities in 4–5 applications. I was able to access admin functionalities, and I couldn’t believe it when I found session mismanagement. Anyway, I am not going deep into how I exploited privilege escalation and accessed admin functions with SSRF. The focus here will be on ATO.

So there is one application which, according to the organization, is of low business criticality, but according to hackers… it’s the most critical web application. Before exploring the web application I tried to understand how the network works and whether the multiple web applications are related, which obviously they were. The best part: suppose there is a user who has a user ID and has access to multiple applications, and guess what, for every application he has access to, his user ID and password are the same. Just one word… Bingoooooo!!!

Let’s move to the gangsta web application now. So this web application, let’s say https://xyz.com, has tons of functions, but I fell in love with only one functionality… LoL. It was Reset Password. The web application itself was built great, was using LDAP and was very secure. So remember earlier I told you a single user has access to multiple applications, and the user IDs being created were 8 digits. So the reset password function here is not for this application itself (xyz.com), but for those users who have access to multiple applications within the org. So if a user wants to reset his password, it will apply to all of the applications he has access to. If he forgets his password then he has to come to this application, log in here, and then go to the reset password function to reset the password for the other applications. Isn’t that a great opportunity for hackers… HahaHaha… just an evil laugh.

Just a note. At one point I stopped hacking because I tried many times but couldn’t exploit it for ATO. But that one thing was still in my mind. No matter which geek has built this web application, I am a hacker and I will always be 2 fuckin steps ahead of developers.

So the reset functionality was like this → put in your email address, click on reset password, and you receive a randomly generated token in your mail, which you have to put in the old password field. Then you have to put in a new password, confirm the new password again, and that’s it. Initially I started with Host header injection; I was able to change the host but did not get the token. I manipulated the response as well, no luck. The only option remaining for me was tampering with the JSON. I could clearly see a parameter Uname used for the email address. So I changed it a few times, e.g. I used a different email to receive the token; it did not work. Then I tried different JSON formats and finally one worked. Let’s say the victim (user) has the email victim@gmail.com and the hacker has Hacker@gmail.com. In the Uname param I gave victim@gmail.com & hacker@gmail.com, and finally it did work. I got a token in my inbox and I was on top of the world. But it was like an electron… I couldn’t stay there for long and came back to my ground state soon. The token was invalid and was not working; when I put it in the old password field it said invalid token. Bro, that hurts from the heart, bro, please bro!!! After grinding for another day I noticed something and said, how could I have missed this. So basically there were two parameters, Uname and Uemail. Initially I thought both were the same, having the email in both parameters.

So I again manipulated both the params and gave the initial payload as earlier: victim@gmail.com & hacker@gmail.com. Boom, this time I received two tokens. Fuck, is this some kind of joke? I tried both tokens and one of them worked. I moved forward and changed the password successfully. The moment I saw the server’s response in my Burp, saying the password was changed successfully, I was again on top. But this time I went as a hacker, not an electron. I have to stay there.

So if I could reset a password without the user’s email, why not try it for other users? Here is the coolest thing. As I told you, the user ID was 8 digits. I basically brute-forced the last 4 digits of a random user. Let’s say the user ID is 33423456. I brute-forced the last 4 digits, e.g. 3456, and to my surprise the user IDs I got were all valid. 99%.

For confirmation, while resetting the password I changed the user ID param. Oh, in case I forgot to add: apart from the two email params there was a user ID param too. I changed the user ID to a random one by changing the last two digits. But here comes the biggest problem: what about the email ID?? I didn’t have a valid email ID. I almost quit hacking at this point, and then again the other day I thought of giving it a try.

This time I made it too easy to hack the entire organization. Instead of the two email addresses I just gave my own email address in both fields, i.e. only the email address which belongs to the hacker, Hacker@gmail.com. And it worked like a charm. I fuckin received two tokens in my mail without having the user’s email.

Life is all about problems; you have to be strong and not ready to quit. Guess what?? There is another problem waiting for me, and this one is huge. To change a user’s password the user must be logged in to this web application, which was not the case here. I could only log in as me; I can’t log in as another user. The tokens I received are valid only if I use them in that particular user’s account, which is not possible here. Fuckkkkkkk….. When will I finally pull off the massive account takeover? Again the next day I sat down having no hope, but I sat.

Surfing for a while, logged in as me, I generated the tokens, put them in the old password field, put in the new password, then clicked on reset password.

But I don’t know why, this time I intercepted this request: the request confirming the password reset. I almost jumped off my chair when I saw the user ID again in the confirmation request. This means I can change the user ID at the last moment of the request. I changed the user ID to that of the victim user and forwarded the request. And just one word:

  • High five, low five! Down low, too slow! I think our work here is done.

So in short:

1- I put a random user ID when I sent the reset password token, so the token generated was for that user ID. Then when I submitted that token, clicked on confirm and intercepted the request, I again changed the user ID, from mine to that of the victim. And it worked; the password got changed for that user.

As I told you earlier, I had thousands of valid user IDs brute-forced. I tried a few more and every one of them worked.
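To make the two defects concrete, here is an added model of the reset flow described above (constructed example, not the target's code): the vulnerable version issues the token for whatever user ID the client supplies and mails it to every address in Uname, then trusts the user ID again at confirmation; the hardened version takes the user and the recipient from the session and the directory only, and makes the token hashed, single-use and time-limited. Account records, emails and the `&`-separated address handling are assumptions for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample directory: 8-digit user id -> record (not the org's real data).
ACCOUNTS = {
    "33423456": {"email": "victim@example.com", "password": "victim-old"},
    "33420001": {"email": "hacker@example.com", "password": "hacker-old"},
}

# --- Flow as described in the post (deliberately vulnerable, kept for contrast) ---
def vuln_request_token(tokens, user_id, uname):
    """Issues a token for whatever user id the client sends and mails it to every
    address in Uname, so 'victim@x & hacker@x' delivers the token to the attacker."""
    token = secrets.token_hex(8)
    tokens[token] = user_id
    return [(addr.strip(), token) for addr in uname.split("&")]

def vuln_confirm(accounts, tokens, user_id, token, new_pw):
    """Checks only that the token exists, then trusts the user id in the request."""
    if tokens.pop(token, None) is None:
        return False
    accounts[user_id]["password"] = new_pw  # a user id swapped at the last step wins
    return True

# --- Hardened flow: neither the user id nor the recipient comes from the request ---
TOKEN_TTL = 600  # seconds

def safe_request_token(accounts, tokens, session_user):
    """Token is bound to the logged-in user and sent only to the address on file."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token
    tokens[digest] = (session_user, time.time() + TOKEN_TTL)
    return [(accounts[session_user]["email"], token)]

def safe_confirm(accounts, tokens, session_user, token, new_pw, now=None):
    """Single-use, time-limited, and only ever changes the session user's password."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = tokens.pop(digest, None)  # consumed on first presentation, valid or not
    if entry is None:
        return False
    bound_user, expires = entry
    if bound_user != session_user or (time.time() if now is None else now) > expires:
        return False
    accounts[session_user]["password"] = new_pw
    return True
```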

Thanks for reading this for now, AND PLEASE IGNORE SPELLING MISTAKES, and if you find it even a little bit interesting please let me know over Twitter.

@Sudhans42246878 (init5).
