Exploitation
From our past enumeration, the password appears to be hashed. When we find a hash we could try to crack it; however, this could take a long time. Before we crack it, let's see if there are any vulnerabilities in the way the application handles passwords on the client side. Viewing the page source (right-click, View Source), we note the following:
The password is taken from the password field and hashed using SHA-1 (client side).
The hashed password is HMAC-ed using a salt value taken from the salt parameter field (client side).
The HMAC-ed password is sent to the server together with the salt value. The server probably verifies that the hashed password was HMAC-ed with the correct salt value.
The directory traversal vulnerability does not give us the plaintext password, but it does give us an already hashed password.
Instead of cracking the password, we can calculate the cfadminPassword.value ourselves and use an intercepting proxy to bypass the client-side calculation. To calculate the cfadminPassword value, use the console in your browser's Developer Tools to run the following JS code.
This computes the HMAC of the hashed password we found with the salt value, which is equivalent to what the form does when you hit the login button. To conduct the attack, we have to calculate the HMAC of the password (which we already did, as above), then set the intercept on Burp and submit a login request.
This can be referred to as passing the hash: we were able to log in as administrator without knowing the administrator password.
What we essentially did is:
We bypassed the client-side scripts that hash and then HMAC the password, did the same computation ourselves, and sent the request directly to the server. If we had the plaintext password we wouldn't have to do all this.
Salt values change, so keep that in mind.
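As an added model of the scheme described above (not code from the write-up or the application), the following Python reproduces the client's SHA-1-then-HMAC step and the server's check, showing why the stored hash alone satisfies the server and why a stale salt does not, and contrasts it with a server-side PBKDF2 check where a leaked stored digest is useless. The HMAC key/message order, the sample password and the salt values are assumptions.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the write-up: an administrator
# password and a salt of the kind the login page embeds in its form.
SAMPLE_PASSWORD = "constructed-admin-password"
SAMPLE_SALT = "1337000000000"


def sha1_hex(password: str) -> str:
    """Step 1 of the form's client-side logic: plain SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hmac_of_hash(sha1_hash_hex: str, salt: str) -> str:
    """Step 2: HMAC-SHA1 over the hex hash. Assumption: the salt is the HMAC key
    and the hex digest is the message. The server can only recompute this from
    the hash it stores, which is why a leaked hash is password-equivalent."""
    return hmac.new(salt.encode(), sha1_hash_hex.encode(), hashlib.sha1).hexdigest()


def client_side_value(password: str, salt: str) -> str:
    """What a genuine browser submits as cfadminPassword.value."""
    return hmac_of_hash(sha1_hex(password), salt)


def server_verify_hmac_scheme(submitted: str, stored_sha1_hex: str, salt: str) -> bool:
    """Server side of the same scheme: recompute from the stored hash and compare."""
    return hmac.compare_digest(hmac_of_hash(stored_sha1_hex, salt), submitted)


# Hardened alternative: no client-side hashing; the server derives a slow,
# salted hash from the plaintext password it receives over TLS.
PBKDF2_ROUNDS = 200_000


def enroll_hardened(password: str, salt: bytes) -> bytes:
    """Stored at enrolment; never used as an input to a login request."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def server_verify_hardened(submitted_password: str, stored: bytes, salt: bytes) -> bool:
    """The stored digest is only ever compared against a fresh derivation from
    the submitted password, so leaking it does not let anyone log in."""
    derived = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(derived, stored)
```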