Account Takeover

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Authorization Issue

Try to change the email address of an account and inspect the confirmation process closely. If it turns out to be weak (for example, the change takes effect before the new address has ever been confirmed), change the email to the target victim's address and confirm it; a password reset requested for that address then lands in your mailbox.

Unicode Normalization Issue

  1. The target victim's account: victim@gmail.com
  2. Create an account using Unicode look-alike characters,
    for example: vićtim@gmail.com
  3. If the platform normalizes the address when it stores or compares it (for example by stripping the accent), the new account collides with the victim's, and a lookup for the victim's record (a login through an identity provider, or a password reset requested for the look-alike address) may resolve to the victim's account.

As explained in this talk, the attack above can also be carried out through third-party identity providers:

  • Create an account at the third-party identity provider with an email that mimics the victim's using Unicode characters (vićtim@company.com).
  • The third-party provider must not verify the email.
  • If the identity provider does verify the email, you may be able to attack the domain part instead, for example victim@ćompany.com: register that domain and hope that the identity provider produces the ASCII (punycode) version of the domain, so its verification mail reaches you, while the victim's platform normalizes the domain name back to the victim's.
  • Log in through this identity provider on the victim's platform, which should normalize the Unicode characters and grant you access to the victim's account.
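The following is an added example, not code from the original page, showing both collisions (local part and domain part) in a few lines. It assumes a platform that canonicalises addresses with a common "strip accents" helper (NFKD decomposition, drop combining marks, lowercase); the user table, the addresses and the function names are constructed for the demonstration.

```python
import unicodedata
from typing import Callable, Optional

# Constructed sample data: the victim's ASCII address and two attacker
# look-alikes, one in the local part and one in the domain.
VICTIM_EMAIL = "victim@gmail.com"
ATTACKER_LOCAL_VARIANT = "vi\u0107tim@gmail.com"   # U+0107, LATIN SMALL LETTER C WITH ACUTE
ATTACKER_DOMAIN_VARIANT = "victim@\u0107ompany.com"

USERS = {
    "victim@gmail.com": {"id": 1, "name": "victim"},
    "victim@company.com": {"id": 2, "name": "victim (corporate)"},
}


def fold_email_vulnerable(email: str) -> str:
    """'Strip accents' canonicalisation: NFKD decomposition, drop combining
    marks, lowercase. It maps U+0107 to plain 'c', so look-alikes collide."""
    decomposed = unicodedata.normalize("NFKD", email)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.lower()


def fold_email_safe(email: str) -> str:
    """Canonicalisation that keeps distinct letters distinct: compose to NFC
    and lowercase only. U+0107 stays U+0107 and never equals 'c'."""
    return unicodedata.normalize("NFC", email).lower()


def login_by_email(email: str, fold: Callable[[str], str]) -> Optional[dict]:
    """Lookup performed after an identity provider asserts `email` for the
    user who just authenticated. Whichever record the folded address hits is
    the account that gets logged in."""
    return USERS.get(fold(email))


def idp_ascii_form(email: str) -> str:
    """What a verifying IdP produces for a non-ASCII domain: the IDNA
    (punycode) encoding. That is the domain the attacker has to register to
    receive the IdP's verification mail; the platform, folding the raw
    Unicode domain, still ends up at 'company.com'."""
    local, domain = email.rsplit("@", 1)
    return local + "@" + domain.encode("idna").decode("ascii")


if __name__ == "__main__":
    for variant in (ATTACKER_LOCAL_VARIANT, ATTACKER_DOMAIN_VARIANT):
        print(variant, "->", fold_email_vulnerable(variant),
              "| vulnerable login:", login_by_email(variant, fold_email_vulnerable),
              "| safe login:", login_by_email(variant, fold_email_safe))
    print("IdP form of the domain variant:", idp_ascii_form(ATTACKER_DOMAIN_VARIANT))
```

When testing a target, the cheap check is to register the look-alike and then request a password reset for the victim's plain address and for the look-alike: if either mail arrives in a mailbox you control, or if the IdP login lands you in the victim's account, the platform folds the characters together.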

For more details, see the page on Unicode Normalization:

Unicode Normalization

Reusing Reset Token

If the target system allows a reset link to be reused, hunt for previously issued reset links with tools such as gau, wayback, or scan.io (URL archives, referer logs and proxy history frequently retain them). Any link whose token was never invalidated still resets the account it was issued for.
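As an added example (not from the original page), the block below first extracts reset tokens from a URL listing in the one-URL-per-line format that gau or waybackurls print, then contrasts a server-side token store that allows replay with one that burns the token on first use. The link shape `/reset-password?token=<32 hex>`, the sample URLs and all names are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output in the one-URL-per-line format that gau or
# waybackurls print. Two of the lines carry a password-reset token.
ARCHIVED_URLS = """\
https://app.example.com/static/app.js
https://app.example.com/reset-password?token=7f3a9c1e2b4d5f60718293a4b5c6d7e8
https://app.example.com/account/settings
https://app.example.com/reset-password?token=0123456789abcdef0123456789abcdef&utm_source=mail
http://app.example.com/blog/post-1
"""

# Assumed link shape: /reset-password?token=<32 hex chars>. Adjust to the target.
RESET_TOKEN_RE = re.compile(r"https?://[^/\s]+/reset-password\?[^\s]*?\btoken=([0-9a-f]{32})")


def harvest_reset_tokens(url_listing: str) -> List[str]:
    """Pull reset tokens out of a URL listing; these are the candidates to
    replay against the reset endpoint."""
    return RESET_TOKEN_RE.findall(url_listing)


class ResetTokenStore:
    """Server-side token store. single_use=False reproduces the flaw this
    section describes: a token keeps working until it expires, so a leaked
    copy is as good as the one in the victim's inbox."""

    def __init__(self, single_use: bool, ttl_seconds: int = 15 * 60):
        self.single_use = single_use
        self.ttl_seconds = ttl_seconds
        self._tokens: Dict[str, Tuple[str, int]] = {}   # token -> (user, issued_at)

    def issue(self, user: str, token: str, now: int) -> None:
        self._tokens[token] = (user, now)

    def redeem(self, token: str, now: int) -> Optional[str]:
        """Return the user the token belongs to, or None if unknown/expired.
        The hardened store also burns the token on first use and revokes any
        other outstanding token for the same user."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, issued_at = entry
        if now - issued_at > self.ttl_seconds:
            del self._tokens[token]
            return None
        if self.single_use:
            self.revoke_all(user)
        return user

    def revoke_all(self, user: str) -> None:
        for tok in [t for t, (u, _) in self._tokens.items() if u == user]:
            del self._tokens[tok]


if __name__ == "__main__":
    tokens = harvest_reset_tokens(ARCHIVED_URLS)
    print("harvested:", tokens)
    for single_use in (False, True):
        store = ResetTokenStore(single_use=single_use)
        store.issue("victim", tokens[0], now=1000)
        first, second = store.redeem(tokens[0], 1001), store.redeem(tokens[0], 1002)
        print(f"single_use={single_use}: first redeem={first!r}, replay={second!r}")
```

A store that only compares the raw token is also the one to check for token hashing and for revocation on successful reset or password change; the single-use flag alone does not cover a token that was leaked before it was ever redeemed, which is why the time-to-live matters as well.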

Pre Account Takeover

  1. Register on the platform with the victim's email and set a password (attempt the confirmation, although without access to the victim's mailbox it will usually be impossible).
  2. Wait for the victim to sign up via OAuth and verify the account.
  3. If the OAuth sign-up links to the pre-registered record by email address and marks it verified, the regular registration is now accepted as well, and the password set in step 1 opens the victim's account.
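The three steps above, played against two account-linking policies, as an added example that is not part of the original page. The in-memory user table, the addresses and the function names are constructed; the hardened variant assumes the identity provider has verified the email it asserts.

```python
from typing import Dict, Optional

# Constructed in-memory user table; each row records whether the address was
# ever confirmed by the mailbox owner.
USERS: Dict[str, dict] = {}


def signup_with_password(email: str, password: str) -> dict:
    """Step 1: the attacker registers the victim's address with a chosen
    password. The confirmation mail goes to the victim, so verified stays False."""
    user = {"email": email, "password": password, "verified": False, "oauth_sub": None}
    USERS[email] = user
    return user


def password_login(email: str, password: str) -> Optional[dict]:
    """Password login. The platform does at least require a verified address."""
    user = USERS.get(email)
    if user and user["verified"] and user["password"] == password:
        return user
    return None


def oauth_login_vulnerable(email: str, oauth_sub: str) -> dict:
    """Step 2 as the vulnerable platform handles it: the IdP asserts the
    email, the pre-existing row is linked and flagged verified, and the
    attacker's password is left in place."""
    user = USERS.get(email)
    if user is None:
        user = {"email": email, "password": None, "verified": True, "oauth_sub": oauth_sub}
        USERS[email] = user
    user["oauth_sub"] = oauth_sub
    user["verified"] = True
    return user


def oauth_login_safe(email: str, oauth_sub: str) -> dict:
    """Hardened linking: an unverified password registration is a placeholder
    nobody has proven ownership of, so it is discarded rather than linked.
    A verified row already bound to a different IdP subject is refused."""
    user = USERS.get(email)
    if user is None or not user["verified"]:
        user = {"email": email, "password": None, "verified": True, "oauth_sub": oauth_sub}
        USERS[email] = user
        return user
    if user["oauth_sub"] not in (None, oauth_sub):
        raise PermissionError("email already linked to another identity")
    user["oauth_sub"] = oauth_sub
    return user


def run_scenario(oauth_login) -> bool:
    """Play the three steps against a linking policy and report whether the
    attacker's password opens the account afterwards (True = takeover)."""
    USERS.clear()
    signup_with_password("victim@example.com", "attacker-chosen-pw")
    assert password_login("victim@example.com", "attacker-chosen-pw") is None  # unverified: blocked
    oauth_login("victim@example.com", "idp-subject-42")                      # victim signs up via OAuth
    return password_login("victim@example.com", "attacker-chosen-pw") is not None


if __name__ == "__main__":
    print("vulnerable linking -> takeover:", run_scenario(oauth_login_vulnerable))
    print("hardened linking  -> takeover:", run_scenario(oauth_login_safe))
```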

CORS Misconfiguration to Account Takeover

If a page has CORS misconfigurations you may be able to steal sensitive information from the user to take over their account, or make them change authentication details for the same purpose:

CORS - Misconfigurations & Bypass

CSRF to Account Takeover

If a page is vulnerable to CSRF you may be able to make the user change their password, email or authentication method so that you can access the account afterwards:

CSRF (Cross Site Request Forgery)

XSS to Account Takeover

If you find XSS in the application you may be able to steal cookies, local storage, or information from the web page that lets you take over the account:

XSS (Cross Site Scripting)

Same Origin + Cookies

If you find a minor XSS or a subdomain takeover, you can play with cookies (for example session fixation) to try to compromise the victim's account:

Cookies Hacking

Attacking Password Reset Mechanism

Reset/Forgotten Password Bypass

Security-question resets that trust client-supplied usernames

If the “update security questions” flow takes a username parameter even though the caller is already authenticated, you can overwrite any account's recovery data (admins included), because the backend typically runs UPDATE ... WHERE user_name = ? with your untrusted value. For example:

  1. Log in with a throwaway user and record the session cookie.
  2. Submit the victim's username together with new answers through the reset form.
  3. Immediately authenticate through the security-question login endpoint with the answers you just planted to inherit the victim's privileges.
POST /reset.php HTTP/1.1
Host: file.era.htb
Cookie: PHPSESSID=<low-priv>
Content-Type: application/x-www-form-urlencoded

username=admin_ef01cab31aa&new_answer1=A&new_answer2=B&new_answer3=C

Anything gated by the victim's $_SESSION context (admin dashboards, dangerous stream-wrapper features, etc.) is now exposed without ever knowing the real answers.
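The overwrite and the login that follows it, as an added example that is not the application's own code: the vulnerable UPDATE keyed on the POSTed username beside a hardened version keyed on the session, run against a constructed SQLite table (the answers are stored in clear only to keep the demonstration short; the user names other than the admin one from the request above, the column names and the function names are assumptions).

```python
import sqlite3
from typing import Optional

# Constructed rows: the admin from the request above and the attacker's throwaway user.
SEED_USERS = [
    ("admin_ef01cab31aa", "admin", "red", "paris", "rex"),
    ("throwaway", "user", "blue", "rome", "fido"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, "
        "role TEXT, answer1 TEXT, answer2 TEXT, answer3 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (user_name, role, answer1, answer2, answer3) VALUES (?, ?, ?, ?, ?)",
        SEED_USERS,
    )
    return conn


def update_answers_vulnerable(conn, session: dict, form: dict) -> int:
    """reset.php as the section describes it: the caller is authenticated, but
    the row to update is chosen by the POSTed username, not by the session."""
    cur = conn.execute(
        "UPDATE users SET answer1 = ?, answer2 = ?, answer3 = ? WHERE user_name = ?",
        (form["new_answer1"], form["new_answer2"], form["new_answer3"], form["username"]),
    )
    return cur.rowcount


def update_answers_fixed(conn, session: dict, form: dict) -> int:
    """Hardened: the row comes from the session's user id, the submitted
    username is ignored, and the current answers must be re-supplied before
    recovery data can be replaced."""
    cur = conn.execute(
        "UPDATE users SET answer1 = ?, answer2 = ?, answer3 = ? "
        "WHERE id = ? AND answer1 = ? AND answer2 = ? AND answer3 = ?",
        (form["new_answer1"], form["new_answer2"], form["new_answer3"],
         session["user_id"], form.get("old_answer1"), form.get("old_answer2"), form.get("old_answer3")),
    )
    return cur.rowcount


def security_question_login(conn, username: str, a1: str, a2: str, a3: str) -> Optional[dict]:
    """Step 3 of the attack: the security-question login endpoint."""
    row = conn.execute(
        "SELECT id, user_name, role FROM users WHERE user_name = ? "
        "AND answer1 = ? AND answer2 = ? AND answer3 = ?",
        (username, a1, a2, a3),
    ).fetchone()
    return None if row is None else {"user_id": row[0], "user_name": row[1], "role": row[2]}


# The attacker's session and the form body from the request above.
ATTACKER_SESSION = {"user_id": 2, "user_name": "throwaway"}
ATTACK_FORM = {"username": "admin_ef01cab31aa",
               "new_answer1": "A", "new_answer2": "B", "new_answer3": "C"}


def exploit(update_fn) -> Optional[dict]:
    """Run the overwrite through `update_fn`, then log in as admin with the
    attacker-chosen answers. Returns the admin's session data on success."""
    conn = make_db()
    update_fn(conn, ATTACKER_SESSION, ATTACK_FORM)
    return security_question_login(conn, "admin_ef01cab31aa", "A", "B", "C")


if __name__ == "__main__":
    print("vulnerable:", exploit(update_answers_vulnerable))
    print("fixed:     ", exploit(update_answers_fixed))
```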

Enumerated usernames can then be targeted via the overwrite technique above or reused against ancillary services (FTP/SSH password spraying).

Response Manipulation

If the authentication response can be reduced to a simple boolean, just try changing false to true and see whether you get any access.

OAuth to Account takeover

OAuth to Account takeover

Host Header Injection

  1. The Host header is modified after the password reset request is initiated.
  2. The X-Forwarded-For proxy header is modified to attacker.com (try X-Forwarded-Host as well; it is the header most frameworks consult when building absolute URLs behind a proxy).
  3. The Host, Referer and Origin headers are all changed together to attacker.com.
  4. After initiating a password reset and then choosing resend the mail, all three of the above are tried.

In every variant the goal is the same: the reset link in the mail is built from the attacker-controlled host, so when the victim clicks it the reset token is delivered to attacker.com.
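An added example, not code from the original page, showing why the headers above matter: a link builder that derives the host from the request beside one that uses configuration and rejects unexpected Host values. The raw request, the canonical host and the function names are constructed; the preference for X-Forwarded-Host over Host mirrors what many frameworks' absolute-URL helpers do behind a reverse proxy.

```python
from typing import Dict, Iterable

# Assumed deployment configuration: the only host the application serves.
CANONICAL_HOST = "app.example.com"

# Constructed password-reset request as sent through an intercepting proxy,
# with the attacker-controlled headers the list above mentions.
POISONED_REQUEST = (
    "POST /forgot-password HTTP/1.1\r\n"
    "Host: attacker.com\r\n"
    "X-Forwarded-Host: attacker.com\r\n"
    "X-Forwarded-For: attacker.com\r\n"
    "Referer: https://attacker.com/\r\n"
    "Origin: https://attacker.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=victim%40example.com"
)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Minimal HTTP/1.1 header parser (names lower-cased, request line skipped)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """Builds the link from the request: X-Forwarded-Host first, then Host.
    The mail carrying this link goes to the victim; clicking it sends `token`
    to attacker.com."""
    host = headers.get("x-forwarded-host") or headers.get("host", CANONICAL_HOST)
    return f"https://{host}/reset-password?token={token}"


def reset_link_safe(headers: Dict[str, str], token: str,
                    allowed_hosts: Iterable[str] = (CANONICAL_HOST,)) -> str:
    """Hardened: the link host is configuration, never request data. The
    request's Host is still checked against an allowlist so that poisoned
    requests are rejected outright instead of silently served."""
    if headers.get("host") not in allowed_hosts:
        raise ValueError(f"unexpected Host header: {headers.get('host')!r}")
    return f"https://{CANONICAL_HOST}/reset-password?token={token}"


if __name__ == "__main__":
    hdrs = parse_headers(POISONED_REQUEST)
    print("vulnerable:", reset_link_vulnerable(hdrs, "t0k3n"))
    try:
        print("safe:", reset_link_safe(hdrs, "t0k3n"))
    except ValueError as exc:
        print("safe: rejected ->", exc)
```

When only one header is honoured the others do no harm, which is why the list above tries them one at a time and then together: a deployment may validate Host at the load balancer while the application still trusts X-Forwarded-Host.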

Response Manipulation

  1. Code Manipulation: the status code is changed to 200 OK.
  2. Code and Body Manipulation:
  • the status code is changed to 200 OK.
  • the response body is changed to {"success":true} or to an empty object {}.

These manipulation techniques are effective when JSON is used to send and receive data, and they only work when the client, rather than the server, makes the authorization decision from that response; a server that issues no session or token until its own check passes is unaffected.

Change email of current session

From this report:

  • The attacker requests to change their email to a new one.
  • The attacker receives a link to confirm the email change.
  • The attacker sends the link to the victim to click on.
  • The victim's email is changed to the one chosen by the attacker.
  • The attacker can now reset the password and take over the account.

This also happened in this report.

Bypass email verification for Account Takeover

  • The attacker signs up with attacker@test.com and verifies the email during signup.
  • The attacker changes the verified email to victim@test.com (no secondary verification on email change).
  • The website now allows victim@test.com to log in, and the email verification for the victim's address has been bypassed.
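The two email-change flaws above (a confirmation link that applies to whoever is logged in when it is clicked, and a change that carries the verified flag over to the new address) beside a hardened flow, as an added example that is not from the original page or from either report. The same hardened flow also covers the weak confirmation process described under Authorization Issue at the top of the page. The in-memory tables, the addresses and the function names are constructed.

```python
import secrets
from typing import Dict

USERS: Dict[int, dict] = {}          # user_id -> {"email", "verified"}
PENDING: Dict[str, dict] = {}        # confirmation token -> pending change


def reset_state() -> None:
    """Constructed starting point: attacker (id 1) and victim (id 2), both verified."""
    USERS.clear()
    PENDING.clear()
    USERS[1] = {"email": "attacker@test.com", "verified": True}
    USERS[2] = {"email": "victim@test.com", "verified": True}


def _email_taken(email: str, except_user: int) -> bool:
    return any(u["email"] == email and uid != except_user for uid, u in USERS.items())


# --- flaw 1: the confirmation link applies to whoever is logged in when it is clicked ---

def request_change_vulnerable(session_user_id: int, new_email: str) -> str:
    token = secrets.token_hex(16)
    PENDING[token] = {"new_email": new_email}            # requester is not recorded
    return token


def confirm_change_vulnerable(session_user_id: int, token: str) -> bool:
    change = PENDING.pop(token, None)
    if change is None:
        return False
    USERS[session_user_id]["email"] = change["new_email"]   # victim clicks -> victim's row
    USERS[session_user_id]["verified"] = True
    return True


# --- flaw 2: changing the address keeps the old address's verified flag ---

def change_email_no_reverify(session_user_id: int, new_email: str) -> bool:
    USERS[session_user_id]["email"] = new_email
    return USERS[session_user_id]["verified"]             # still True for the new address


# --- hardened flow: token bound to the requester, new address unverified until confirmed ---

def request_change_safe(session_user_id: int, new_email: str) -> str:
    if _email_taken(new_email, except_user=session_user_id):
        raise ValueError("address already in use")
    token = secrets.token_hex(16)
    PENDING[token] = {"user_id": session_user_id, "new_email": new_email}
    return token                                          # mailed to new_email only


def confirm_change_safe(session_user_id: int, token: str) -> bool:
    change = PENDING.get(token)
    if change is None or change["user_id"] != session_user_id:
        return False                                      # someone else's link: no effect
    if _email_taken(change["new_email"], except_user=session_user_id):
        return False
    PENDING.pop(token)
    USERS[session_user_id]["email"] = change["new_email"]
    USERS[session_user_id]["verified"] = True             # ownership proven by the click
    return True


def can_login(user_id: int) -> bool:
    return USERS[user_id]["verified"]


if __name__ == "__main__":
    reset_state()
    link = request_change_vulnerable(1, "attacker-controlled@evil.test")
    confirm_change_vulnerable(2, link)                    # victim clicks the attacker's link
    print("victim row after flaw 1:", USERS[2])
    reset_state()
    print("flaw 2, login allowed on the unconfirmed victim address:",
          change_email_no_reverify(1, "victim@test.com") and can_login(1))
```

The hardened flow makes the confirmation link worthless to anyone but the account that requested it, keeps the current address in force until the new one is confirmed, and refuses an address that another account already holds; a password reset for victim@test.com therefore still reaches only the victim.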

Old Cookies

As explained in this post, the issue was the ability to log in to an account, save the cookies as an authenticated user, log out, and then log in again.
Although the new login may generate different cookies, the old ones started working again.
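An added example (not from the post or the original page) of one session-store design that produces exactly that behaviour, beside one that does not. The root cause assumed here (validity tracked as a per-user "logged in" flag while issued tokens are never deleted) is an assumption, not something the post states; the class and function names are constructed.

```python
import secrets
from typing import Dict, Set


class SessionStoreVulnerable:
    """Assumed implementation: validity is a per-user 'logged in' flag, and
    issued tokens are never deleted. Logout clears the flag, the next login
    sets it again, and every token the user was ever issued is accepted once more."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}      # token -> username
        self.logged_in: Set[str] = set()

    def login(self, username: str) -> str:
        token = secrets.token_hex(16)
        self.tokens[token] = username
        self.logged_in.add(username)
        return token

    def logout(self, token: str) -> None:
        username = self.tokens.get(token)
        if username is not None:
            self.logged_in.discard(username)

    def is_valid(self, token: str) -> bool:
        username = self.tokens.get(token)
        return username is not None and username in self.logged_in


class SessionStoreSafe:
    """Validity is per token: logout deletes that token, and nothing a later
    login does can resurrect it. Password changes should call logout_everywhere()."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}

    def login(self, username: str) -> str:
        token = secrets.token_hex(16)
        self.tokens[token] = username
        return token

    def logout(self, token: str) -> None:
        self.tokens.pop(token, None)

    def logout_everywhere(self, username: str) -> None:
        for tok in [t for t, u in self.tokens.items() if u == username]:
            del self.tokens[tok]

    def is_valid(self, token: str) -> bool:
        return token in self.tokens


def old_cookie_works_after_relogin(store) -> bool:
    """The test from the post: save the cookie, log out, log in again, replay
    the saved cookie. True means the old session came back to life."""
    old = store.login("victim")
    store.logout(old)
    assert not store.is_valid(old)          # logged out, as expected
    store.login("victim")                   # fresh login, new cookie
    return store.is_valid(old)


if __name__ == "__main__":
    print("vulnerable store:", old_cookie_works_after_relogin(SessionStoreVulnerable()))
    print("safe store:      ", old_cookie_works_after_relogin(SessionStoreSafe()))
```

The check is cheap to run against any target: keep a logged-out cookie, log in again in another browser, then replay the old cookie; if it is accepted, any cookie stolen earlier (from logs, a shared machine, or an XSS) is revived by the victim's next login.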
