This is one of those labs that I return to periodically and then abandon after half an hour whilst scratching my head........Does anyone have any pointers about how to approach this?Which fields need to be populated in the webform? & which Test Contact Key is used? The one that's prepopulated: acb1730c-c3dc-4c1a-ad3d-207216370defor the one in the briefing: e2e6555a-64a5-43ed-984e-1d342780b72fmany thanks in advance - Gus

so, base for this hack is this --> https://www.assetnote.io/resources/research/gaining-access-to-ubers-user-data-through-ampscript-evaluationtry for the message:Message: %%[ SET @firstName = Lookup('driver_partners', 'firstname', 'partner_uuid', "5....") ]%% Hi there I'm %%=V(@firstName)=%% and I created this tool.btw, you'll find all the nessesairy messages to solve the lab in the log. maybe you need to use cyberchef and urldecode.

yes, you found me. I have solved all labs so far in IL :)

wow - that's an awesome score - I do, I will be in touch. thanks Steve

I'm close to that mark... steven, but I'd like to know your secret to not lose the illusion. Not so much to lose interest but to not get bored: of course in a few days there will be a new threat, a new lab, a new CVE but... what motivates you to be a little more curious? :). For many more labs conquered!.

Bluesman, honestly, it’s tough to pin down what exactly drives me. I’ve got this deep curiosity for all sorts of tech stuff, and it’s like I’m a sponge soaking up every bit of knowledge I can get my hands on. With IL, it's a mix of the challenge and the thirst for knowledge. Some labs took me 6 months to crack. At first, I had no idea where to even start. I needed to level up my knowledge just to figure it out. Around the 250-300k points mark, I hit up KieranRowley and asked how many points I’d need to hit the top rank. After that, it was simple: just finish everything, beat the system, and 'outsmart' the staff at IL and beat the system.I’m also active on the IL Reddit to help others out. My rule is to guide people to their answers, but I never just give them the solution. What I’ve learned is that security, from the perspective of an attacker, has become a commodity. Exploiting known CVEs is almost too easy now. It’s crazy, and honestly, it’s a wake-up call. People need to realize how easy it is to get pwned and how important security awareness really is.

Threat Research: AMPscript Analysis | Immersive Community

steven
Silver I
2 months ago
have you seen the briefing?
- GusC
  Bronze III
  2 months ago
  Hello - I have - do you have any other pointers ? thanks - G
netcat
Silver I
2 months ago
You have the issue that the response is always ""?
And also curl with the address or local IP just gives a HTTP 500?
And if you enter an invalid endpoint, it's still ""?
Same here.
steven
Silver I
30 days ago
Ok, I have solved the lab again...
so, lets start...
first get the ip address: how? count which is the most ip address used...
something like this will give you some data:
grep -i - * | awk '{print $8}' | sort | uniq -c | sort
once you have the ip address, check again...
ml-user@ampscript-evaluation:~/Desktop/logs$ grep "n.n.n.n" * api.log.1:2019-01-17 09:37:23,026 - [INFO] - AMPS_test_bed - n.n.n.n requested http://web-hook.imlcabs.iml/ api.log.1:2019-01-17 09:37:23,117 - [INFO] - AMPS_test_bed - n.n.n.n requested http://web-hook.imlcabs.iml/preview?…. business_unit=&endpoint=&extension=driver_partners&headers=&message=%25%25[ api.log.1:2019-01-17 09:37:33,644 - [INFO] - AMPS_test_bed - Processing message from n.n.n.n: %%[ api.log.1:2019-01-17 09:37:33,690 - [INFO] - AMPS_test_bed - n.n.n.n authenticated successfully with contact key abcdefgh-ijkl-mnop-qrts-uvwxyz123456
--> abcdefgh-ijkl-mnop-qrts-uvwxyz123456 will be what you want... that's the lookup key and the test contact key
also note the URL used...:
http://web-hook.imlcabs.iml/preview?….business_unit=&endpoint=&extension=driver_partners&headers=&message=%25%25[
if you check the data, you'll even see the 'Message' used.
if you do your query (the log will tell you what you need to enter), you'll get an aswer/result like:
{"result":"Hi there I'm DARTH_VADER_YOUR_MASTER and I created this tool.\r"}
(of course it's not Darth Vader) :)
and when you dig further in the log.. around line 940... you'll find the last mesage to re-use and count...
- GusC
  Bronze III
  30 days ago
  Hi Netcat - yes thats exactly what I mean, I click on "preview" on the page web-hook.imlcabs.iml and I get "" unders JSON etc.
  Thanks Steven - I had already got Q5 and Q6 - I'm stuck on how to populate the web application to pull back the name of the attacker, using the key 5*** - do you have some info around that?
  - steven
    Silver I
    28 days ago
    so, base for this hack is this --> https://www.assetnote.io/resources/research/gaining-access-to-ubers-user-data-through-ampscript-evaluation
    try for the message:
    Message: %%[ SET @firstName = Lookup('driver_partners', 'firstname', 'partner_uuid', "5....") ]%% Hi there I'm %%=V(@firstName)=%% and I created this tool.
    btw, you'll find all the nessesairy messages to solve the lab in the log. maybe you need to use cyberchef and urldecode.

Forum Discussion

Threat Research: AMPscript Analysis

Related Content

Threat Research: Cobalt Strike C2 – SIEM Analysis - Question 4

Threat Research: Dependency Confusion Q8

Malicious Document Analysis: Dropper Analysis

Help with "Log Analysis: Web Log Analysis"

Malicious Document Analysis: Dropper Analysis

Recent Discussions

Derrick's Doughnut Admin

PowerShell Deobfuscation: Ep 8 help

Foundational Static Analysis: API Analysis

Digital Forensics: BitLocker Encrypted Drive

[AWS]IAM: Tagging