HellBound Hackers | Computer General | Web hacking
Page 1 of 2

Stealing and using my own cookie on HBH

gregorian (Guest)
Posted on 02-07-10 17:59
After I logged in to HBH, I got my cookies from javascript:alert(document.cookie)

I deleted all my cookies using FireCookie, and refreshed the page. As expected, I was logged out.

Then I typed javascript: void(document.cookie="info from step 1") and refreshed the page. Nothing happened. Why isn't it that simple?

Edited on 02-07-10 18:08
Guest
Posted on 02-07-10 19:00
I'm not sure, but I guess you're missing a session. Just my 2 cents, for what it's worth.


Guest
Posted on 02-07-10 19:38
PHPSESSID is there in the cookie. I don't understand what's going on.
spyware
Posted on 02-07-10 19:42
Maybe you took too long and the session expired. Maybe HBH destroys sessions when IPs connect without (valid) cookies.



img507.imageshack.us/img507/3580/spynewsig3il1.png
"The chowner of property." - Zeph
[small]
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
[/s
http://bitsofspy.net
gregorian (Guest)
Posted on 02-07-10 19:45
I did it immediately. Why don't you try it yourself? It just takes a minute.
spyware
Posted on 02-07-10 20:07
gregorian wrote:
I did it immediately. Why don't you try it yourself? It just takes a minute.


Okay let me just!-

Oh wait, no.



gregorian (Guest)
Posted on 02-07-10 21:26
Remember, I never clicked log out. I merely deleted the cookies and created them again.
wolfmankurd (Guest)
Posted on 03-07-10 01:42
HBH got hacked with some hashes put in cookies a fair few years ago. After that a post was made saying that extra protection was added. (This happened YEARS ago so details are sketchy!)

One extra layer is that if your IP changes you need to log back in. This obviously doesn't apply in your case but there are likely more. Perhaps your browser isn't using the cookie? Tried using something like wget and loading a cookie like that?

The timed challenges require you to use cookies, so actually ignore what I said earlier; no clue why it's not working for you.




Edited on 03-07-10 01:44
gregorian (Guest)
Posted on 03-07-10 03:45
wolfmankurd wrote:
The timed challenges require you to use cookies, so actually ignore what I said earlier; no clue why it's not working for you.

Well, for the timed challenges, I would allow my program to log in and then receive the cookies, so that wouldn't be a problem. I was reading about stealing cookies using XSS, but if I can't use the cookie, what's the point?

I want to know if there is something wrong with what I did. No matter what the security measure, not being able to use my own cookie makes me feel like I can do nothing.
Guest
Posted on 03-07-10 08:27
I remember doing exactly the same 1 or 2 years ago; it worked then. The "log in if IP changes" security was there at the time.
LOL, I knew little about cookies then; I seem to have sent a bug report and a forum post about that :angry:.

ADDED:
I think that HBH not merely checks the cookies but also the cookie attributes, like expiry time, path, domain etc.; I don't think merely copying the cookie would allow these to be copied as well. That way, it can detect if the given cookie is set by the site or thrown together by the user.




Edited on 03-07-10 08:45
Guest
Posted on 03-07-10 08:48
I was also thinking the same thing. The IP thing is also not completely secure because XSS tunneling might take place.
onejerlo (Guest)
Posted on 03-07-10 10:07
Just used Tamper Data; saw the headers sent to HBH.

Aim: Find out why a simple cookie copy doesn't allow one to log back in.

Software: Tamper Data addon in Firefox, Paint (print screen). (I have really bad memory.)

Observations:

1.) When I clear my cookies and refresh, I was not logged off (as could be seen in the online users data in HBH). This means that upon sending a header from an IP without having the necessary cookie, I am not automatically logged out.

2.) As expected, upon deleting the cookies and refreshing, HBH asked for a password.

3.) The only element that changes when I delete all my cookies and refresh is, obviously, the "Cookies" element. (So I copied the cookie from the header.)

4.) Now I put on "start tamper" and refreshed, this time adding the cookie element. Wonder of wonders!! I was back in.

5.) Next, I deleted the cookies again, refreshed, and put on tamper.

6.) I noticed 5 things:
a.) The first time, there is NO "Cookie" element.
b.) The second time, there IS a "Cookie" element, but with the data changed (my 'guest cookie').
c.) Now I again saw that I had NOT been logged out, refreshed with tamper on and changed the cookie data to the 'user cookie' value.
d.) YAY! I was back again, but on reloading without tamper, I was again out.
e.) In both the cookies, the PHP session ID value is THE SAME.

Conclusion:
1.) When you delete your cookies and refresh, you are (somehow) detected by HBH as a guest and assigned a 'guest cookie'.
2.) When you copy back your cookie and refresh, due to some reason, HBH still detects you as a guest and you are, sadly, NOT BACK IN, unless you manually modify the HTTP request (header).
3.) I am a total idiot and need to learn more about cookie systems, but maybe someone else may give an explanation.

Note:
The cookie CHANGES.

My 'User Cookie':
Code
PHPSESSID=p7nkd5dpnaotllt5avnm7n52g5; __utma=240219034.2032896968.1278145890.1278145890.1278145890.1; __utmb=240219034.3.10.1278145890; __utmc=240219034; __utmz=240219034.1278145890.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fusion_visited=TRUE; fusion_user=35152.40b2c209f9175ac23dc3d1968835c1b5; fusion_lastvisit=1278145880

My 'Guest Cookie':
Code
PHPSESSID=p7nkd5dpnaotllt5avnm7n52g5; __utma=240219034.1799399259.1278146261.1278146261.1278146261.1; __utmb=240219034.4.10.1278146261; __utmc=240219034; __utmz=240219034.1278146261.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fusion_visited=TRUE

As can be seen, the PHPSESSID remains the same, though most of the remaining part changes and fusion_user and fusion_lastvisit are deleted.

ADDED:

Sorry, I know that the format looks like a lame report and no actual reasons/conclusions have been offered. Can someone please contribute reasons/conclusions? :)




Edited on 03-07-10 10:12
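The most likely cause of the original poster's result (PHPSESSID survives the copy, fusion_user does not) is how the browser's document.cookie setter works: one assignment stores one cookie, and everything after the first semicolon is read as attributes. The model below is an added example, not code from the thread or from HBH; it uses the 'user cookie' quoted above with the __utm* cookies omitted, and the HttpOnly handling shows the mitigation a site owner would apply, not something the thread says HBH did.

```javascript
// Added example, not code from the thread or from HBH: a small model of the
// browser's document.cookie setter. Per RFC 6265 the text before the first
// ';' is the single name=value pair; the rest is an attribute list, and
// unknown attributes (such as "fusion_user=...") are silently discarded.
class DocumentCookieModel {
  constructor() { this.jar = new Map(); }   // name -> { value, httpOnly }
  // Server side: one Set-Cookie response header.
  setCookieHeader(header) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const httpOnly = attrs.some((a) => a.toLowerCase() === 'httponly');
    this.jar.set(pair.slice(0, eq), { value: pair.slice(eq + 1), httpOnly });
  }
  // Script side: `document.cookie = str` stores exactly one cookie and may
  // not overwrite an existing HttpOnly cookie.
  assign(str) {
    const pair = str.split(';')[0].trim();
    const eq = pair.indexOf('=');
    if (eq <= 0) return;
    const name = pair.slice(0, eq).trim();
    if (this.jar.get(name)?.httpOnly) return;
    this.jar.set(name, { value: pair.slice(eq + 1).trim(), httpOnly: false });
  }
  // Script side: reading `document.cookie` never lists HttpOnly cookies.
  scriptVisibleNames() { return this.names((c) => !c.httpOnly); }
  // Names the browser would put in the Cookie request header (all of them).
  requestHeaderNames() { return this.names(() => true); }
  names(keep) { return [...this.jar].filter(([, c]) => keep(c)).map(([n]) => n); }
}

// Constructed from the "user cookie" quoted above, __utm* cookies omitted.
const USER_COOKIE = 'PHPSESSID=p7nkd5dpnaotllt5avnm7n52g5; fusion_visited=TRUE; ' +
  'fusion_user=35152.40b2c209f9175ac23dc3d1968835c1b5; fusion_lastvisit=1278145880';

// The OP's step, one assignment of the whole string: only the first pair is
// kept, matching the observation that PHPSESSID stayed while fusion_user went.
function replayWholeString(cookieString) {
  const doc = new DocumentCookieModel();
  doc.assign(cookieString);
  return doc.requestHeaderNames();
}

// Defender's side: had the server flagged its session cookies HttpOnly,
// document.cookie would not have exposed them to script in the first place.
function namesExposedToScript() {
  const doc = new DocumentCookieModel();
  doc.setCookieHeader('PHPSESSID=p7nkd5dpnaotllt5avnm7n52g5; Path=/; HttpOnly');
  doc.setCookieHeader('fusion_user=35152.40b2c209f9175ac23dc3d1968835c1b5; Path=/; HttpOnly');
  doc.setCookieHeader('fusion_visited=TRUE; Path=/');
  return doc.scriptVisibleNames();
}
```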
gregorian (Guest)
Posted on 03-07-10 10:19
Given the guest cookie, that makes sense if you assume that HBH allows you access if your cookie and IP match the cookie and IP on the server. Every time we access HBH with a different cookie from the same IP, it updates the server cookie.
onejerlo (Guest)
Posted on 03-07-10 10:30
@gregorian:
Well, if we assume that the online users script is correct, that would mean that HBH allows multiple cookies from the same IP. Hey, maybe if someone can automate this and set it up across many computers, one can use a DDOS attack. Worth thinking about. We can no longer hide behind the assumption that since a cookie is so small, it would take too many cookies to crash the server; remember, computers are getting faster every day.

Note: just checked to see if any SCRIPT modifies the copied cookie. Used NoScript and turned off JavaScript in options; the cookie is still getting modified.

ADDED:
We still don't know how our copied cookie is getting modified.




Edited on 03-07-10 10:33
gregorian (Guest)
Posted on 03-07-10 15:40
Regarding multiple cookies from the same IP, instead of doing all this, to verify it I used a simpler strategy: log in from IE and FF. One of them will get signed out. That shows you can't have multiple sessions from the same IP. Simple, isn't it?
onejerlo (Guest)
Posted on 03-07-10 18:52
Actually, I never said log in. You can only log in once to your account, even if you change the IP. What I meant was, since each guest is assigned a different cookie (as is evident from the number-of-guests script), why not make LOADS of guest cookies? Though I am sure HBH has a way of countering this, it might be a vulnerability on some other sites.


spyware
Posted on 03-07-10 19:05
onejerlo wrote:
Actually, I never said log in. You can only log in once to your account.


Really? Back in the day I exploited the user account system to complete challenges (and score points) twice.



gregorian (Guest)
Posted on 03-07-10 19:44
That's interesting spyware. How did you do it? If I log into IE, I'm signed out of FF. I suppose you took advantage of a flaw back then. But even if that's the case, I don't understand how you did it.

I visualised the completion of a challenge as a switch that can be turned on once. Using race conditions is impractical. Could you elaborate?
clone4
Posted on 03-07-10 20:03
gregorian wrote:
That's interesting spyware. How did you do it? If I log into IE, I'm signed out of FF. I suppose you took advantage of a flaw back then. But even if that's the case, I don't understand how you did it.

I visualised the completion of a challenge as a switch that can be turned on once. Using race conditions is impractical. Could you elaborate?


Well no, you shouldn't be logged out; I can log in from IE, Chrome and FF simultaneously. And the exploit was to submit the right answer twice, each from a different session, at the same time, if I remember correctly.

And onejerlo: I didn't read the whole of the 'analysis' post, but the main problem with the assumptions you make is that, when you appear in members online, you are logged in. This area is updated once in a certain time, like a cron job, so you may be listed there although you've already logged out.

Just my 2 cents.


[img][/img]img164.imageshack.us/img164/5713/perlvl0.jpg

clone4.freehostia.com/ubuntu_3.png
spyware - "They see me trollin'..."
<yaragn> ever seen that movie? The Matrix?
<yaragn> with those green lines of flying text?
<yaragn> *THAT'S* Perl

clone_4@hotmail.com
spyware
Posted on 03-07-10 21:20
clone4 wrote:
And the exploit was to submit the right answer twice, each from different session, at the same time


Right on the ball.



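The double-award exploit clone4 describes and spyware confirms is a check-then-act race: the server reads "already completed?", does a round-trip, then writes, so two simultaneous submissions both pass the check. As an added example (not HBH's code), here is that racy pattern beside an atomic fix; each request is modelled as a generator whose yield marks a database round-trip, a round-robin scheduler stands in for concurrent requests, and the user and challenge ids are made up.

```javascript
// Added example, not HBH's code: the "right answer twice, from two sessions,
// at the same time" race modelled deterministically. Each request is a
// generator; `yield` marks a database round-trip where the other request may
// run, and a round-robin scheduler interleaves the requests at those points.
function runInterleaved(requests) {
  let active = requests.slice();
  while (active.length) active = active.filter((g) => !g.next().done);
}

function award(db, user) {
  db.points.set(user, (db.points.get(user) || 0) + 10);
}

// Vulnerable pattern: "already completed?" is read first and the write happens
// after a round-trip, so both concurrent requests see "not completed".
function* submitRacy(db, user, challenge, answer, correct) {
  if (answer !== correct) return false;
  const key = `${user}:${challenge}`;
  const alreadyDone = db.completed.has(key);   // check
  yield;                                       // round-trip: the other session runs here
  if (alreadyDone) return false;
  db.completed.add(key);                       // act
  award(db, user);
  return true;
}

// Fixed pattern: check and claim are one indivisible step, standing in for an
// INSERT into a table with UNIQUE(user, challenge) or an atomic compare-and-set;
// only the request whose claim succeeded awards the points.
function* submitAtomic(db, user, challenge, answer, correct) {
  if (answer !== correct) return false;
  const key = `${user}:${challenge}`;
  if (db.completed.has(key)) return false;
  db.completed.add(key);                       // claimed, with no round-trip before it
  yield;                                       // later round-trips are now harmless
  award(db, user);
  return true;
}

// Two sessions of the same user submit the correct answer concurrently;
// returns the final score (made-up user and challenge ids).
function scoreAfterDoubleSubmit(submit) {
  const db = { completed: new Set(), points: new Map() };
  runInterleaved([
    submit(db, 'user-1', 'challenge-7', 'answer', 'answer'),
    submit(db, 'user-1', 'challenge-7', 'answer', 'answer'),
  ]);
  return db.points.get('user-1') || 0;   // submitRacy -> 20, submitAtomic -> 10
}
```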