📖
sheepwall
  • Overview
  • Cloud Hacking
    • Azure
  • Hacking
    • Recon
      • Nmap
      • Website Recon
      • Service Enumeration
    • Exploitation
      • GraphQL
      • Application Attacks
      • Web Server Attacks
      • JSON attacks
      • CMS attacks
      • SQL Injection
      • Cross Site Scripting
      • Command Injection
      • SSRF
      • SSTI
      • Server Includes
      • XXE
      • WSDL/SOAP
      • Serialization Attacks
      • Cryptography
      • JWT
    • Installation
      • File Uploads
      • File Transfers
    • Actions on Objectives
      • Networking
      • Linux
    • Tools
    • Windows
      • 1. Getting Foothold
      • 2. Windows Exploitation
      • 3. Enumerating Active Directory
      • 4. Dumping Credentials
      • 5. Lateral Movement
      • 6. Persistence
      • 7. Active Directory
      • 8. LAPS
  • Bug Bounties
    • SSRF to Envoy Admin Page
    • Leaky Error Messages
    • HTTP verb tampering results in administrator role to the application
  • APT Information
    • DFIR Summary
Powered by GitBook
On this page
  1. Hacking
  2. Exploitation

Cryptography

PreviousSerialization AttacksNextJWT

Last updated 1 year ago

CBC

In CBC, the data is encrypted and sent in the following format

When it comes to encryption, INITVECT is used to XORed against the clear text data, before being encrypted

When it comes to decryption, INITVECT is XORed against the decrypted data.

Using this knowledge, we can tamper with the value of INITVECT and alter the result of the XOR operation.

For example, if we sign up for an account and get a cookie that is CBC encrypted like this

N1wRSJ90zuJZjBXcCBps5b9WWbZv0%2BcU

And we know that it's being decrypted at the backend to assign our roles based on the decrypted value, we can take over accounts by tampering with INITVECT so that after the decryption and XOR operation is done, we can assume the role of another account.

If the IV is ABCDEFGH, and we sign up for an account BDMINISTRATOR then we know that A XOR B will be equals to I which is the first byte of the cipher used to encrypt the block

Now if we want to change the result of the XOR operation to become ADMINISTRATOR, knowing that the first byte of the cipher is still the same I, we must figure out what value to set for the first byte of the IV

By substituting away I, we get an equation that A ^ B ^ A will give us what we need to put in as the new first byte of the IV

As another example, if we sign up with an account called mdmin, and the old first byte of the IV is Z, and we want to change m to a to give us admin, we can calculate what to change the first byte of the IV by doing m ^ Z ^ a