5.10 Lab: Authentication bypass via encryption Oracle | 2024


Karthikeyan Nagaraj

This lab contains a logic flaw that exposes an encryption oracle to users. To solve the lab, exploit this flaw to gain access to the admin panel and delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

1. Log in to Wiener's account using wiener:peter.
2. Go to home, turn on the proxy, and leave Intercept off.
3. Click a post and try to add an invalid email like test.com.
4. Now, go to HTTP history in Burp Suite.
5. Send the /post/comment request to Repeater and rename the tab "Encrypt". (Make sure the request contains the notification parameter.)
6. Send the /post?postId=X request to Repeater and rename the tab "Decrypt".
7. In the Decrypt tab, copy the stay-logged-in cookie, paste it into the notification cookie, and send the request. You'll receive the username wiener with a timestamp in this format: wiener:timestamp. Copy the timestamp and go to the Decrypt tab.
8. In Repeater (Encrypt tab), change the value of email to xxxxxxxxxadministrator:TIMESTAMP and send the request.
9. In the response (Decrypt tab), you'll get a notification value.
10. Copy the value, paste it into Decoder, then:
    - Click Decode as URL, then
    - Click Decode as Base64, then
    - Select the first 32 bytes, and
    - Click Delete bytes.
11. Let's reverse the process from the output:
    - Click Encode as Base64, then
    - Click Encode as URL and copy the value.
12. Now, turn on Intercept, click the home button, and capture the request.
13. Then change the value of / to /admin/delete?username=carlos.
14. Delete the session cookie, change the value of the stay-logged-in cookie to the one we copied from Decoder, and send the request.

The above request will delete the user carlos and the lab will be solved. If the above is not working, you can do it manually with the session cookie or use the video below for reference.
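As an added illustration (not the lab's or the author's code), the Go model below shows why deleting the first 32 bytes yields a cookie that decrypts to the administrator value, and why an authenticated cipher (AES-GCM) rejects the same truncation. It assumes the oracle uses AES-CBC with the IV prepended and a 23-byte notification prefix "Invalid email address: "; the key, IV and nonce are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed demo key, IV and nonce (the lab's real key is unknown). A real
// server draws a fresh random IV/nonce for every token it issues.
var key = []byte("0123456789abcdef")
var iv = []byte("fedcba9876543210")
var nonce = []byte("0123456789ab")

const prefix = "Invalid email address: " // assumed 23-byte notification text

// encryptCBC: AES-CBC, PKCS#7 padding, IV prepended (assumed to match the lab).
func encryptCBC(plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}

// decryptCBC takes the first block as IV and verifies nothing else, so a token with leading blocks removed still decrypts.
func decryptCBC(token []byte) ([]byte, error) {
	if len(token) < 2*aes.BlockSize || len(token)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(token)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, token[:aes.BlockSize]).CryptBlocks(out, token[aes.BlockSize:])
	if pad := int(out[len(out)-1]); pad >= 1 && pad <= aes.BlockSize {
		return out[:len(out)-pad], nil
	}
	return nil, errors.New("bad padding")
}

// ForgedCookie follows the write-up: 9 filler bytes push the 23-byte prefix to a
// 32-byte boundary, so dropping the first 32 bytes leaves a token for the suffix.
func ForgedCookie(target string) []byte {
	return encryptCBC([]byte(prefix + "xxxxxxxxx" + target))[32:]
}

// Mitigation: an AEAD (AES-GCM) authenticates the whole ciphertext, so the same
// truncation makes Open fail instead of yielding a valid admin cookie.
func gcm() cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func SealGCM(plaintext []byte) []byte   { return gcm().Seal(nil, nonce, plaintext, nil) }
func OpenGCM(ct []byte) ([]byte, error) { return gcm().Open(nil, nonce, ct, nil) }
```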

A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups


Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng
