Mass Cracking Cybrary Accounts

TL;DR: Cybrary leaks usernames from multiple endpoints, has no restrictions on password strength, and has XML-RPC enabled, which makes it a good target for password spray attacks. I told Cybrary about this about 8 months ago and they said it’s fine. I understand why they think it’s not an issue: people don’t care much about usernames because one still needs a password to access accounts. They are nice people though; they offered me some in-site benefits for my efforts, which I declined because courses suck ass, I am more of a white paper guy.

Honest TL;DR: A 19-year-old kid making a big deal out of WordPress misconfigurations and the password policy of a famous website.

Enough TL;DRs. Now, let’s get straight to the point.

Enumerating Usernames

We will be using two endpoints to enumerate usernames:

  • /wp-json/wp/v2/users/ lists users registered on the website
  • /wp-json/wp/v2/comments/ lists comments made by users

Both of these endpoints support two amazing arguments, per_page and page:

  • per_page: number of results returned for one request (max 100)
  • page: page number of the results (just like Google search results)

Wait a second, why are we using the /comments endpoint when we can enumerate usernames via the /users endpoint? Interestingly, Cybrary has only 11,500 users according to the /users endpoint; it’s not possible to list users after page #115. For the /comments endpoint, the last page is #221, which gives us 22,100 more usernames. Maybe these usernames belong to people who create courses, I don’t know.

Considering that a single user can make multiple comments and a username can appear in both types of results, let’s say we can enumerate 15,000 usernames in total. That’s just 1% of Cybrary’s userbase. What about the rest of the users? Don’t worry, I have one more trick ;)

wordpress-website.com/?author=id

The above endpoint is present in every WordPress installation unless the owner has manually configured the server to block requests to it with .htaccess or some WAF. Start by replacing id with 0, then 1, 2, 3, 4 and so on. The request is redirected to the author page for the corresponding id, which has the following form:

wordpress-website.com/author/username

So the rest of the users can be enumerated by this method. Now let’s move on to the next step.

Cracking Passwords

Brute-forcing is considered the last thing to try because it’s not very efficient. You could spend days trying all combinations of length 10 while the actual password is 11 characters long. That’s probably what Cybrary’s security team thinks as well.

Okay, here’s a fun fact: Cybrary doesn’t enforce any password policy. So yeah, it’s possible to have a password of even 1 character; there’s no restriction at all. I don’t know what to say about this man, this is just ridiculous.

Another fun fact: people are fucking dumb. 3–4% of people are using 123456 as their password. These 10 passwords were the most used in 2018:

  • 123456
  • password
  • 123456789
  • 12345678
  • 12345
  • 111111
  • 1234567
  • sunshine
  • qwerty
  • iloveyou

Anyway, instead of attacking one user at a time, we will do something called a password spray attack. It’s nothing fancy: you just try a small number of passwords against many accounts. Obviously we will use the most common passwords to get a better hit rate.

Approximately 8% of people use one of the top 19 most common passwords, which means 8 out of 100, or let’s say at least 5 for the sake of uncertainty. We have a good chance of cracking 5 accounts every 100 tries!

One more thing: Cybrary also has the XML-RPC interface enabled, which provides a minimal interface to log into a WordPress website and much more. There’s nothing special about it except that it is faster than the normal WordPress login, because it’s a lower-level interface and returns far less data than the standard login form. It is always located at the root of a WordPress installation (if enabled), in the following form:

wordpress-website.com/xmlrpc.php

Step-by-step guide

  • Enumerate users and their unique IDs via the /users and /comments endpoints
  • Store the enumerated data in enumerated.json
  • Enumerate users via the ?author= endpoint while skipping the IDs present in enumerated.json
  • Get your top 10 password list
  • Pick the first password and try it on all the accounts via the XML-RPC interface
  • Do the same for all the passwords
  • ?????
  • Profit!

A dedicated hacker can try the top 100 or top 1000 to crack a larger number of accounts, which will obviously require more resources. I hope the folks at Cybrary are reading this and will fix the mentioned issues as soon as possible.
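A defender-side counterpart to the enumeration and spraying steps described above, added here as an example and not part of the original post: it parses combined-format access log lines (the sample lines are constructed) and flags clients that page through the /wp-json/wp/v2/users and /comments endpoints, sweep ?author= IDs, or fire bursts of POSTs at xmlrpc.php. The thresholds are assumptions and should be tuned to real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access log: one client pages the REST users endpoint,
# sweeps ?author= IDs and bursts POSTs at xmlrpc.php; one ordinary visitor for contrast.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2019:10:00:01 +0000] "GET /wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 8120 "-" "curl/7.58"
203.0.113.5 - - [01/Jan/2019:10:00:02 +0000] "GET /wp-json/wp/v2/users/?per_page=100&page=2 HTTP/1.1" 200 8100 "-" "curl/7.58"
203.0.113.5 - - [01/Jan/2019:10:00:04 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.58"
203.0.113.5 - - [01/Jan/2019:10:00:05 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.58"
203.0.113.5 - - [01/Jan/2019:10:00:06 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "curl/7.58"
203.0.113.5 - - [01/Jan/2019:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.58"
203.0.113.5 - - [01/Jan/2019:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.58"
203.0.113.5 - - [01/Jan/2019:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.58"
198.51.100.9 - - [01/Jan/2019:10:00:09 +0000] "GET /author/alice/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, method, request target and status code from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def analyse(log_text, min_rest_pages=2, min_author_ids=3, min_xmlrpc_posts=3):
    """Return {ip: sorted finding tags} for clients crossing any (assumed) threshold."""
    rest = defaultdict(int)     # paged requests to /wp-json/wp/v2/users or /comments
    authors = defaultdict(set)  # distinct ?author= IDs probed per client
    xmlrpc = defaultdict(int)   # POSTs to xmlrpc.php (login attempts travel in the body)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, url = m['ip'], m['method'], urlparse(m['path'])
        qs = parse_qs(url.query)
        if url.path.startswith(('/wp-json/wp/v2/users', '/wp-json/wp/v2/comments')) and 'page' in qs:
            rest[ip] += 1
        if url.path == '/' and 'author' in qs:
            authors[ip].update(qs['author'])
        if method == 'POST' and url.path == '/xmlrpc.php':
            xmlrpc[ip] += 1
    findings = defaultdict(list)
    for ip in set(rest) | set(authors) | set(xmlrpc):
        if rest[ip] >= min_rest_pages:
            findings[ip].append('rest-user-enumeration')
        if len(authors[ip]) >= min_author_ids:
            findings[ip].append('author-id-sweep')
        if xmlrpc[ip] >= min_xmlrpc_posts:
            findings[ip].append('xmlrpc-login-burst')
    return {ip: sorted(tags) for ip, tags in findings.items() if tags}
```

Normal visitors hit /author/username/ pages directly rather than walking /?author=N, so the sweep rule stays quiet for them while the curl client trips all three rules.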

Disclaimer: I am not responsible for the shit you do with this information.

21 things you can do with XSS

Simply put, XSS is an underrated vulnerability. Well, there are a couple of reasons for that:

  • It’s a client-side vulnerability
  • White hats just need that popup for a POC (most of the time)
  • Most black hats don’t know enough JS to make money out of XSS

I mean, you can literally impersonate the user, it’s amazing. There are a lot of things you can do with XSS which will also make you look cool on the internet. I don’t know much, but I have listed a few things here to give you an idea.

  • Ad-Jacking - If you manage to get stored XSS on a website, just inject your ads into it to make money ;)
  • Click-Jacking - You can create a hidden overlay on a page to hijack the victim’s clicks and perform malicious actions.
  • Session Hijacking - HTTP cookies can be accessed by JavaScript if the HttpOnly flag is not set on the cookies.
  • Content Spoofing - JavaScript has full access to the client-side code of a web app, and hence you can use it to show/modify the desired content.
  • Credential Harvesting - The most fun part. You can use a fancy popup to harvest credentials: “WiFi firmware has been updated, re-enter your credentials to authenticate.”
  • Forced Downloads - So the victim isn’t downloading your malicious Flash player from absolutely-safe.com? Don’t worry, you will have more luck forcing a download from the trusted website your victim is visiting.
  • Crypto Mining - Yes, you can use the victim’s CPU to mine some bitcoin for you!
  • Bypassing CSRF protection - You can make POST requests with JavaScript, and you can collect and submit a CSRF token with JavaScript; what else do you need?
  • Keylogging - You all know what this is.
  • Recording Audio - It requires authorization from the user, but you can access the victim’s microphone. Thanks to HTML5 and JavaScript.
  • Taking pictures - It requires authorization from the user, but you can access the victim’s webcam. Thanks to HTML5 and JavaScript.
  • Geo-location - It requires authorization from the user, but you can access the victim’s geolocation. Thanks to HTML5 and JavaScript. Works better on devices with GPS.
  • Stealing HTML5 web storage data - HTML5 introduced a new feature, web storage. Now a website can store data in the browser for later use and, of course, JavaScript can access that storage via window.localStorage and window.sessionStorage.
  • Browser & System Fingerprinting - JavaScript makes it a piece of cake to find your browser name, version, installed plugins and their versions, your operating system, architecture, system time, language and screen resolution.
  • Network Scanning - The victim’s browser can be abused to scan ports and hosts with JavaScript.
  • Crashing Browsers - Yes! You can crash browsers by flooding them with… stuff.
  • Stealing Information - Grab information from the webpage and send it to your server. Simple!
  • Redirecting - You can use JavaScript to redirect users to a webpage of your choice.
  • Tab-napping - Just a fancy version of redirection. For example, if no keyboard or mouse events have been received for more than a minute, it could mean that the user is AFK and you can sneakily replace the current webpage with a fake one.
  • Capturing Screenshots - Thanks to HTML5 again, now you can take a screenshot of a webpage. Blind XSS detection tools have been doing this before it was cool.
  • Perform Actions - You are controlling the browser, can’t you feel the power? Got XSS on a social media site? You can send messages, modify information and… you get the idea.

Next time you find an XSS vulnerability, try submitting an exploit that steals data or similar as a POC. I am not a bug hunter and I don’t know if that will get you paid more, but I think it should.

Have a nice day, stay hydrated ^_^
