THM Advent Of Cyber Day 1
The Advent of Cyber is back with its 3rd sequel! So, for the people who don’t know what Advent of Cyber is, let me tell you that it is an exciting 25 days event by TryHackMe (https://tryhackme.com/), which is one of the best platforms to learn and upskill yourself in the field of Cyber Security. All 25 days come with different challenges of different components of Cyber Security(Web exploitation, Networking, OSINT, Cloud Hacking, Defensive Blue Teaming). This challenging event is free and brought up in the excitement of Christmas and with the motive to spread cyber awareness among people.
Not just you would learn, but there are a lot of prizes worth more than $18000, as well as a certificate of completion after completing your 25 days of the challenge. So don’t miss this gold mining chance and join this event. Here is the link to THM Advent of Cyber 3, do join this room https://tryhackme.com/room/adventofcyber3 and start hacking!
In this blog I will be sharing my experience as well as walkthrough of Day 1 challenge.
So, without wasting time lets start with our day-1 challenge discussion.
So the day 1 challenge’s name is “Save the Gifts” which is of the Web Exploitation Category. So the day-1 story goes like this…
The inventory management systems used to create the gifts have been tampered with to frustrate the elves. It’s a night shift, and McStocker comes to McSkidy panicking about the gifts all being built wrong. With no managers around to fix the issue, McSkidy needs to somehow get access and fix the system and keep everything on track to be ready for Christmas!
This Challenge is on IDOR, which stands for Insecure Direct Object Reference. IDOR vulnerability comes under Broken Access Control of OWASP top 10 vulnerabilities. The Authentication process or the logic of accessing something on the web is broken, i.e., not built properly, then it is known as Broken Access Control. Let’s understand this with an example, assume that you are a regular user on some xyz.com website. If I am a hacker and I find that there is a broken access control vulnerability on that website, then I can enter into your account by sending some malicious request to that web, breaking the authentication logic, and taking unauthorized access to your account and data.
A user gets a unique identity whenever that user sends a request to a website to login into his account. Now, if the website is vulnerable to IDOR and does not authenticate the user identity properly, then I being a hacker, can manipulate the object(unique identity) and send it as a malicious request to the website so that, in response, I can log in into that particular user’s account using his unique identity.
I hope that you have got a basic idea of IDOR. Now let’s have deep dive into it with its types and understanding the challenge.
So, the details can be passed to the website through 3 different ways:
In this we are requesting the web with a URL which consists :
1. Protocol: https://
2. Domain: website.thm
3. Page: /profile
4. Query Component: id=23
So here we can see, the id of the user is getting disclosed in the URL, and the current user has an identity number 23. What if we change the value of id? Can we get into any other user’s account?
2. Post Variables:
Sometimes these types of details are there in the content of the forms of the website, which we can view using the developer tools (by inspecting in this case) like this,
changing the value parameter from 123 to any other value can result in changing the password of any other user, resulting in account takeover.
Cookies are responsible for storing our session information which consists of some details about the user. So that the next time the same user interacts with the website, it can load the user’s content faster. But these cookies are stored locally and can be manipulated by anyone. Further, these manipulated cookies can be sent to that website as a request to take unauthorized access or perform any malicious activity.
In the above screenshot, the cookie is storing some values in which one of the parameters, “user_id” has some value. If someone manipulates its value as shown in the screenshot (the value is changed from 9 to 5), the user with id=9 can access the data of the user with id=5 by manipulating the cookie in the request sent to the website. We can access our cookies using the developer tools available in our browser.
IDOR is a very severe vulnerability with initial severity of level P3 and can also reach to P2 level if there is an admin account takeover or website takeover. PayPal paid $10,500 to a security researcher as a bounty in return for his report of IDOR in PayPal.
Now lets get into the challenge!
We are given with a website initially like this.
Now all the products are deformed by the attacker as he breached into the Inventory Management System of the Best Festival Company and done malicious activities. We have to find the attacker, get into his account and revert all the malicious activities done by the attacker.
when we click on the “Your Activity” tab we see this page.
now in the URL https://inventory-management.thm/activity?user_id=11, we can see that user_id hold value 11. That means it is vulnerable to IDOR and we can get into others activity page by changing the user_id.
- Changing user_id=1, we get,
So, it was easy, we entered the activity of Santa and got his position:
2. Changing user_id=3, we get,
We entered in the activity page of McStocker and his position is:
3. changing user_id=9, we get,
We enter the Attacker’s account, whose name is Grinch and holds the Position of Mischief Manager.
There are some malicious activities done by Grinch and we have to Revert all to bring everything to normal.
After reverting all the changes done by Grinch, our Final flag will pop up on the screen.
I hope you all have understood what do is meant by IDOR and how we can exploit this vulnerability. Moreover, we can prevent this vulnerability by Proper authentication and User Input Sanitization.
If you want to learn more about IDOR you can go and join this room https://tryhackme.com/room/idor, as well as study from https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.
I hope you enjoyed my way of explanation and definitely would have learned something from this article. Follow me to read and learn more about Cyber Security. I’ll be soon coming up with another article on further challenges of this event, till then
BE SAFE AND HELP OTHERS SECURE!