Tools: Pentest tools used in industry.

-

1. Flask-Unsign: A tool to forge flask session cookies

forge

Tool Github Link: https://github.com/Paradoxis/Flask-Unsign

Author's official blog: https://blog.paradoxis.nl/defeating-flasks-session-management-65706ba9d3ce

  • While reading this blog, i had a callback that while solving a HTB box i have seen this before but never tried it. So here it is.
  • This tool can be used to manipulate stateless cookies, like FLask's session management and JWTs are not encrypted rather they are signed which means they are are easily readable and manipulable as long as secret is somehow known.
  • Server accepts the data hash it with a secret and verify the signature it recevied against the signature it produced by hashing.If they match server allows the user to perform action, else not.
  • flask-unsign one such tool which can get the cookie and try to guess the secret which have been used to sign the cookie using a wordlist.
  • You can use either your own wordlist or creator's common secret keys used scrapped from github and stackoverflow.

Installation

  • pip3 install flask-unsign or
  • pip3 install flask-unsign[wordlist] to install default wordlist along with tool.

Rest refer to official github link or run flask-unsin -h for it's usage synatx.

A google search flask-unsign ctf will give you lot of writeups how this have been used in ctfs to forge cookies.

Comments

Post a Comment

Popular posts from this blog

Epsilon - HackTheBox

-
Image
Epsilon Machine(10.10.11.134) Recon: Add epsilon.htb to hosts file. Runing Port Scan we get 3 open ports 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 | http-git: | 10.10.11.134:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file 'description' to name the... |_ Last commit message: Updating Tracking API # Please enter the commit message for... |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: 403 Forbidden 5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10) |_http-title: Costume Shop Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel Port 80 is apache & port 5000 is running python application i.e costume shop. As shown in scan port 80 is 403 Forbidden & have a .git directory that also is 403. Files like . git/config & .git/HEAD are accessible. We will use GitTools tool to dump this g...
Read more

Pandora - HackTheBox

-
Image
Pandora Machine(10.10.11.136) Info: This was an easy machine from HackTheBox, where i first time encountered SNMP. Then we had to exploit PandoraFMS, most interesting part of box, to get further control and PATH hijacking for privilege escaltion. Nothing too fancy still teaches a lot about manual testing. Recon: Starting with port scan, we get two open ports. $ nmap -T4 10.10.11.136 Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-18 21:11 IST Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 85.17% done; ETC: 21:11 (0:00:05 remaining) Nmap scan report for 10.10.11.136 Host is up (0.50s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http $ nmap -A -p22,80 -T4 10.10.11.136 Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-18 21:12 IST Nmap scan report for 10.10.11.136 Host is up (0.38s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (U...
Read more

Driver - HackTheBox

-
Image
  Driver Machine(10.10.11.106) This was an easy windows machine with a chance to explore printnightmare vulnerability and abusing file upload vulnerability to capture NTLM hash of a user whom we force to authenticate to our server. Recon on port scan we get 4 open ports 22/tcp filtered ssh 80/tcp open http Microsoft IIS httpd 10.0 | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Basic realm=MFP Firmware Update Center. Please enter password for admin | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:window As...
Read more