This write-up is about a simple bug that I found on HackTheBox.
##Summary
This bug allows an attacker to impersonate any user and team on HackTheBox and it could lead to reputation damage of the victim by posting threads against someone or against to HackTheBox or posting/giving out flags.
##Description
I noticed that HackTheBox supports UTF-8 characters, not just Latin characters but Cyrillic characters as well.
Cyrillic characters can be used to impersonate someone online but it’s mostly used for Internationalized Domain Name (IDN) and they called it Homograph Attack.
##Recon
Checking the list of Hall of Fame, I found a user named @owodelta (Login :: Hack The Box :: Penetration Testing Labs) as the target for this attack.
Luckily, his/her team Cyclone (Login :: Hack The Box :: Penetration Testing Labs) can be impersonated as well.
I also noticed that HackTheBox Forums uses the username from the platform which means, it is possible to impersonate him/her on forums.
##Exploitation? No. Procedure.
Using the cyrillic letter е
, I created an account with username owodеlta
.
FAKE ACCOUNT
REAL ACCOUNT
Then I submitted root flags of machine to achieve the Hacker rank and create a team with name Cyclonе
.
FAKE TEAM
REAL TEAM
Next step I did was connecting it to HackTheBox Forums.
FAKE ACCOUNT
Then, I commented to my thread on Forums ([Crypto] About Ebola Virus key - Challenges - Hack The Box :: Forums)
Fake User is still accessible by clicking this link: https://forum.hackthebox.eu/profile/owodelta
Real User is this one: Profile - owodelta - Hack The Box :: Forums
##Remediation
HackTheBox team quickly responded to my email. They told me that they are implementing a filter when creating / updating users / teams, which will ensure not only uniqueness of the name (which we already enforce obviously), but also enforce uniqueness of the username when transliterated to the Latin character set. This means users can still register using Cyrillic characters, but cannot register or update their name when it will conflict with an existing user.
##Timeline
1st of Jan, 2019 7:25 AM - I reported the bug via email.
1st of Jan, 2019 7:41 AM - @g0blin (James Hooker) responded to my email.
1st of Jan, 2019 8:01 AM - I thanked them for quick response and told them to keep me updated.
1st of Jan, 2019 8:37 AM - @g0blin gave me an overview of their mitigation for the bug.
1st of Jan, 2019 8:39 AM - I’ve sent an email to apologize for making him work during holidays.
1st of Jan, 2019 9:15 AM - He said No problem - It was a nice find!
and rewarded me with a unique badge and 1 month VIP Access.
1st of Jan, 2019 9:22 AM - I just thanked him hehe
2nd of Jan, 2019 2:42 PM - The fix has been deployed to production.
3rd of Jan, 2019 1:52 AM - I confirmed that the bug is no longer working but told him that I cannot delete the test account on Forums.
3rd of Jan, 2019 4:18 PM - @g0blin said he will handle the deletion of the test account.
P.S.: I informed the real owodelta about this over Slack.
That’s all ^.^
Here is my profile folks: Login :: Hack The Box :: Penetration Testing Labs