C 108: Hash Extension (30 pts extra)

What you need

Purpose

To practice performing a length extension attack.

Logging In

In a Web browser, go to

https://samlols.samsclass.info/141/md5.htm

Log in with the default username and password, as shown below.

You log in as Joe, as shown below.

MD5 Authentication

This page uses an MD5 hash and a secret for authentication.

When joe logs in, a cookie is set with this data:

7ce753aff208275b53c32096f6cb8822|username=joe
The start of that cookie is the MD5 hash of this string, where secret is a 12-letter secret phrase that stays on the server and is not visible to the user.
secretusername=joe
Our goal is to forge an authentication cookie and log in as administrator.

Installing Burp

If you don't already have it, get Burp from:

https://portswigger.net/burp/communitydownload

Capturing the Login Traffic

Launch Burp.

Click Next. Click "Start Burp".

Click the Proxy tab.

Click the blue "Intercept is on" button, so it changes to "Intercept is off", as shown below.

Click the "Open Browser" button.

In the new browser that opens, go to

https://samlols.samsclass.info/141/md5.htm

Log in with the default username and password.

In Burp, on the Proxy tab, click the "HTTP history" sub-tab.

Find the GET request that loaded the welcome page, highlighted in the image below.

Repeating the Request

Right-click that GET request line and click "Send to Repeater".

Click the Repeater tab.

On the Repeater tab, notice the cookie value, highlighted in the image below.

Highlight the cookie value, as shown above. Right-click the highlighted value and click "Send to Decoder".

Click the Decoder tab.

At the top right, in the "Decode as..." box, click and select URL.

URL-decoded text appears in a lower pane, as shown below.

This data includes two items we need to forge the hash: the original signature and the data.

Installing hash_extender

On your Linux machine, in a Terminal, execute these commands:
sudo apt update
sudo apt install git build-essential libssl-dev -y

git clone https://github.com/iagox86/hash_extender.git
cd hash_extender
make

./hash_extender
You see a help message, as shown below.

Forging a Cookie

On your Linux machine, in a Terminal, execute this command. Notice that the first two parameters came from the Burp Decoder page.
./hash_extender -d "username=joe" \
  -s 7ce753aff208275b53c32096f6cb8822 \
  -a "&username=administrator" -f md5 -l 12 \
  --out-data-format=html
as shown below.

Preparing the Attack

In Burp, on the Repeater tab, carefully replace the cookie value using the "New signature" and "New string" values you got, as shown below.

Don't delete the "%7C" (the URL-encoded "|" separator) between the two values.
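The following is an added example, not part of the original lab or of hash_extender. It computes the MD5 padding (per RFC 1321) that ends up between the original data and the appended data, which is why the secret length (-l 12) must be known, and it shows a server-side fix: an HMAC-SHA256 tag with a check for padding bytes and repeated parameters. The names SECRET, md5_glue, extended_shape, suspicious, issue and verify are hypothetical, and the secret value is a constructed stand-in.

```python
import hashlib, hmac, struct
from urllib.parse import quote, unquote_to_bytes

SECRET = b"K" * 12  # constructed stand-in; the lab's real 12-letter secret is not on the page

def md5_glue(prefix_len: int) -> bytes:
    """Padding MD5 adds after prefix_len bytes: 0x80, zeros, 64-bit little-endian bit length."""
    zeros = (55 - prefix_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", prefix_len * 8)

def extended_shape(data: bytes, secret_len: int, append: bytes) -> bytes:
    """Byte layout of an extended cookie body: original data, glue padding, appended data."""
    return data + md5_glue(secret_len + len(data)) + append

def suspicious(data: bytes) -> bool:
    """Detection check: padding bytes or a repeated parameter name in cookie data."""
    keys = [pair.split(b"=", 1)[0] for pair in data.split(b"&")]
    return b"\x80" in data or b"\x00" in data or len(keys) != len(set(keys))

def issue(data: bytes) -> str:
    """Hardened cookie: HMAC-SHA256 tag in place of MD5(secret + data)."""
    tag = hmac.new(SECRET, data, hashlib.sha256).hexdigest()
    return tag + "|" + quote(data)

def verify(cookie: str):
    """Return the cookie data if the tag matches and the data is clean, else None."""
    tag, _, encoded = cookie.partition("|")
    data = unquote_to_bytes(encoded)
    expected = hmac.new(SECRET, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):  # constant-time compare
        return None
    return None if suspicious(data) else data

if __name__ == "__main__":
    body = extended_shape(b"username=joe", 12, b"&username=administrator")
    print(quote(body))                                  # URL-encoded layout of the extended body
    print(suspicious(body), suspicious(b"username=joe"))
    print(verify(issue(b"username=joe")))
```

With a 12-byte secret and the 12-byte data "username=joe", the padding is 40 bytes, so the secret, data and padding fill exactly one 64-byte MD5 block. The hash in the original cookie is MD5's internal state at that block boundary, which is what makes MD5(secret + data) extendable and why HMAC is the appropriate replacement.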

C 108.1 Flag (15 pts)

In Burp, click the Send button.

Click the Response tab.

Scroll to the bottom to see the flag, outlined in green in the image below.

C 108.2 Flag (15 pts)

Log in here:

https://samlols.samsclass.info/141/md5a.htm

Authenticate as administrator to see the flag.

Sources

Hash Length Extension Attack

Posted 10-6-22 by Sam Bowne
Minor corrections 10-12-22