Hackxor challenge help

[Dudeman02379]

Has anyone else tried this challenge? http://hackxor.sourceforge.net/cgi-bin/index.pl
I'm having a hell of a time with a particular part. I've spent hours and now I just want to understand the solution but I can't find any walkthroughs anywhere. I don't want the answer to the whole challenge but just the one part I am stuck on. I did see the hints on their website but it didn't help. I'm just out of ideas and I know I would gain more knowledge at this point by not banging my head against the wall anymore. Thanks!


EDIT: Ugh my eyes feel like they are going to bleed because I've been starting at my screen trying to get this working for so long! My XSS foo is not up to par apparently. Or I am just going about this all wrong. If anyone can provide any help I am specifically stuck on part 3 of the challenge.

[albinowax]

Where are you stuck?

(I intentionally haven't released a public walkthrough since I don't want to provide an easy way out, but I'm happy to help people who are truly stymied)

[Dudeman02379]

I'll try to respond without any major spoilers. I have gotten to GGHB. I've identified a valid email address. Now I was trying to use XSS through a message to hijack their email session. I was successful in having them send me an email with their session cookie before I realized that wouldn't do me any good (hence the hint on your website!). Short of password brute forcing I'm out of ideas.
BTW this is an exceptional program you have put together. It's really unique in the way it presents the challenges and makes you think outside the box while giving you a story to follow along. Well Done!

[thorin]

I'll try to respond without any major spoilers. I have gotten to GGHB. I've identified a valid email address. Now I was trying to use XSS through a message to hijack their email session. I was successful in having them send me an email with their session cookie before I realized that wouldn't do me any good (hence the hint on your website!).

POTENTIAL SPOILER Good news, you were indeed barking up the correct tree. Try setting your session cookie to the value of their session cookie...

[albinowax]

Spoilers

You need to extract data from a couple of accounts on gghb; the one of the person you're tracking, and the admin's. Naturally, hacking the admin's account is more difficult. You can actually hijack the first person's account using pure csrf, but session riding via xss as suggested by thorin should work fine too.

Some accounts are locked to specific IP addresses so you can't log into them even if you know the password or have the jsessionid. When this is the case, you need to write some xss to achieve your goal directly. A good place to start is xss that extracts the html source of the page.

[Dudeman02379]

POTENTIAL SPOILER Good news, you were indeed barking up the correct tree. Try setting your session cookie to the value of their session cookie...

Thanks it's good to know I was approaching the problem the right way. I was setting my session cookie using burp but there were other problems. The cookie for the page where emails are rendered/read is different than the login/inbox cookie. The inbox is actually a different domain so I couldn't get the right cookie even using iframe tricks. I am probably missing something dumb. I wont be able to try again until mondsay because I will be on vacation until then. I guess at least knowing I wasn't way off can get me to focus on the problem.

[thorin]

Hmmm I haven't done the challenge yet myself, but I'm guessing you may need to read up on (don't laugh) cookie tossing....

This paper might be a good start https://media.blackhat.com/bh-ad-11/..._WebApp-WP.pdf there's also a video of their presentation around too...

[albinowax]

I think I see the problem. You're trying to hack wraithmail, which is extremely difficult if not impossible. As you observed, the xss is isolated on the wraithbox domain, so it can't be used to hijack wraithmail accounts. To make progress you need to find vulnerabilities in gghb.


Cookie tossing is a fine technique and definitely worth reading up on, but it won't help you here.

[Dudeman02379]

I think I see the problem. You're trying to hack wraithmail, which is extremely difficult if not impossible. As you observed, the xss is isolated on the wraithbox domain, so it can't be used to hijack wraithmail accounts. To make progress you need to find vulnerabilities in gghb.


Cookie tossing is a fine technique and definitely worth reading up on, but it won't help you here.

ok so I guess I need to use the wraithbox xss to gain access to gghb somehow? Or should I just maybe play with the gghb login screen a little more to see if I can find any vulns?

I will check out cookie tossing. It sounds interesting.

[Dudeman02379]

Spoilers

You need to extract data from a couple of accounts on gghb; the one of the person you're tracking, and the admin's. Naturally, hacking the admin's account is more difficult. You can actually hijack the first person's account using pure csrf, but session riding via xss as suggested by thorin should work fine too.

Some accounts are locked to specific IP addresses so you can't log into them even if you know the password or have the jsessionid. When this is the case, you need to write some xss to achieve your goal directly. A good place to start is xss that extracts the html source of the page.

I've been checking this thread from my phone and somehow missed this post earlier. So csrf is an option? That's pretty cool for this type of challenge. Also it sounds like maybe wraithmail isn't the only email domain. Like I said before i'm away right now so I won't get a chance to try anything new for a few days.