User/Team Impersonation on HackTheBox by Catriona

This write-up is about a simple bug that I found on HackTheBox.

## Summary
This bug allows an attacker to impersonate any user and team on HackTheBox, and it could lead to reputation damage to the victim by posting threads against someone or against HackTheBox, or by posting/giving out flags.

## Description
I noticed that HackTheBox supports UTF-8 characters, not just Latin characters but Cyrillic characters as well.

Cyrillic characters can be used to impersonate someone online, but this is mostly seen with Internationalized Domain Names (IDN), where it is called a Homograph Attack.

## Recon
Checking the Hall of Fame list, I found a user named @owodelta (Login :: Hack The Box :: Penetration Testing Labs) as the target for this attack.

Luckily, his/her team Cyclone (Login :: Hack The Box :: Penetration Testing Labs) can be impersonated as well.

I also noticed that the HackTheBox Forums use the username from the platform, which means it is possible to impersonate him/her on the forums as well.

## Exploitation? No. Procedure.
Using the Cyrillic letter е, I created an account with the username owodеlta.

FAKE ACCOUNT

REAL ACCOUNT

Then I submitted root flags of machines to achieve the Hacker rank and created a team with the name Cyclonе.

FAKE TEAM

REAL TEAM

The next step I did was connecting it to the HackTheBox Forums.

FAKE ACCOUNT

Then, I commented on my thread on the Forums ([Crypto] About Ebola Virus key - Challenges - Hack The Box :: Forums).

Fake User is still accessible by clicking this link: https://forum.hackthebox.eu/profile/owodelta

Real User is this one: Profile - owodelta - Hack The Box :: Forums

## Remediation
The HackTheBox team quickly responded to my email. They told me that they are implementing a filter when creating / updating users / teams, which will ensure not only uniqueness of the name (which we already enforce obviously), but also enforce uniqueness of the username when transliterated to the Latin character set. This means users can still register using Cyrillic characters, but cannot register or update their name when it will conflict with an existing user.

## Timeline
1st of Jan, 2019 7:25 AM - I reported the bug via email.
1st of Jan, 2019 7:41 AM - @g0blin (James Hooker) responded to my email.
1st of Jan, 2019 8:01 AM - I thanked them for quick response and told them to keep me updated.
1st of Jan, 2019 8:37 AM - @g0blin gave me an overview of their mitigation for the bug.
1st of Jan, 2019 8:39 AM - I’ve sent an email to apologize for making him work during holidays.
1st of Jan, 2019 9:15 AM - He said "No problem - It was a nice find!" and rewarded me with a unique badge and 1 month VIP Access.
1st of Jan, 2019 9:22 AM - I just thanked him hehe
2nd of Jan, 2019 2:42 PM - The fix has been deployed to production.
3rd of Jan, 2019 1:52 AM - I confirmed that the bug is no longer working but told him that I cannot delete the test account on Forums.
3rd of Jan, 2019 4:18 PM - @g0blin said he will handle the deletion of the test account.

P.S.: I informed the real owodelta about this over Slack.

That’s all ^.^
Here is my profile, folks: Login :: Hack The Box :: Penetration Testing Labs
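The remediation described in the post (rejecting a username or team name whose Latin transliteration matches an existing one, while still allowing genuinely Cyrillic names) can be implemented as below. This is an added example and not HackTheBox's own filter; the `CYRILLIC_TO_LATIN` table is a hand-picked, constructed subset of the Unicode confusables data, and `NameRegistry`, `skeleton` and `scripts_used` are names chosen for the example.

```python
from __future__ import annotations

import unicodedata

# Partial, hand-built map of Cyrillic letters whose glyphs look identical to Latin ones.
# Constructed for this example; a production filter should be generated from the Unicode
# confusables data (confusables.txt) rather than a hand-picked subset like this one.
CYRILLIC_TO_LATIN = {
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE (the letter used in the write-up)
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # у CYRILLIC SMALL LETTER U
    "\u0445": "x",  # х CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # ј CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # ѕ CYRILLIC SMALL LETTER DZE
    "\u04bb": "h",  # һ CYRILLIC SMALL LETTER SHHA
    "\u0501": "d",  # ԁ CYRILLIC SMALL LETTER KOMI DE
    "\u051b": "q",  # ԛ CYRILLIC SMALL LETTER QA
    "\u051d": "w",  # ԝ CYRILLIC SMALL LETTER WE
}


def skeleton(name: str) -> str:
    """Comparison key: NFKC-normalise, casefold, then fold Cyrillic look-alikes to Latin.

    Casefolding first means uppercase Cyrillic forms (А, Е, О, ...) are covered by the
    lowercase table above without listing them separately.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in folded)


def scripts_used(name: str) -> set[str]:
    """Set of scripts (first word of each letter's Unicode name) present in the name.

    A name mixing LATIN and CYRILLIC letters is the classic homograph pattern and is worth
    logging even when it does not collide with an existing account.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


class NameRegistry:
    """User/team-name store that enforces uniqueness on the transliterated form."""

    def __init__(self) -> None:
        # skeleton -> name that first claimed it
        self._by_skeleton: dict[str, str] = {}

    def register(self, name: str) -> tuple[bool, str]:
        """Try to claim `name`. Returns (accepted, reason)."""
        key = skeleton(name)
        if key in self._by_skeleton:
            owner = self._by_skeleton[key]
            return False, f"conflicts with existing name {owner!r} (transliterated form {key!r})"
        self._by_skeleton[key] = name
        return True, "accepted"


if __name__ == "__main__":
    reg = NameRegistry()
    # Constructed sample: the real names, their Cyrillic-е look-alikes, and a genuine Cyrillic name.
    for candidate in ["owodelta", "Cyclone", "owod\u0435lta", "Cyclon\u0435", "\u0418\u0432\u0430\u043d"]:
        ok, why = reg.register(candidate)
        mixed = " [mixed Latin/Cyrillic]" if {"LATIN", "CYRILLIC"} <= scripts_used(candidate) else ""
        print(f"{candidate!r:14} -> {'accepted' if ok else 'REJECTED'}: {why}{mixed}")
```

Running it accepts `owodelta` and `Cyclone`, rejects the two look-alikes because their skeleton collides, and still accepts the all-Cyrillic name, which is exactly the behaviour the post attributes to the fix. The mixed-script flag is a separate, cheaper signal that a registration or rename handler can log for review.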

Thanks for the report and writeup @CatrionaGray! We appreciate you helping to keep HTB a safe environment for all! :slight_smile:

Very nice work @CatrionaGray

Thank you, @g0blin and @3mrgnc3!! I just published it here to inform other users about this.

Very interesting bug, well done

@CatrionaGray Nice :slight_smile:

konnichiwa

Haha! Hello, @owodelta ! :blush:

nice

Nice! Good looking out.

Thanks, @H4tt0r1, @devilswolf, @peek, and @albertojoser. You guys might bypass this bug haha.

Evil person for making the good guys work during the holidays! Well done though :bleep_bloop:

Interesting find! Good job

Nice!!!

Good job!

Thanks @ashr, @r3no, and @ferreirasc. I’m pretty sure you guys can find a bypass hehe.

> @ajdumanhug said:
>
> Thanks, @H4tt0r1, @devilswolf, @peek, and @albertojoser. You guys might bypass this bug haha.

how to pass that challenge

Happy 1 Year! haha