While testing, Sam Curry noticed that his modem was compromised. All requests sent through it were being forwarded to a different domain. Years later, he decided to investigate the Cox ISP for security issues and get to the bottom of it.
The first hurdle was a login page. Without a business account, he reviewed the JavaScript and found a large number of routes; there were over 100 under /api/cbma alone. Curious about this device-related functionality, he suspected it sat behind a reverse proxy on another host. How do you tell, though? A request to an invalid route under that prefix, such as /api/cbma/example, returned a 500, while other routes did not. Seeing different behaviour between groups of routes is a clear indicator of a reverse proxy.
After reverse engineering the authentication headers (many of which were simply hardcoded), he was able to make some requests as an anonymous user. At that point he wanted to find the API documentation to uncover additional hidden routes. Since the backend was Spring, he knew to look for Swagger files at /swagger-ui/index.html.
For whatever reason, the page would not load and was caught in an infinite loop, which he found by looking at the network traffic in the browser. First, the requests were going to the Host of the page instead of the actual URL. After figuring that out, he got 500s because of odd Nginx rules. So he added a URL-encoded slash at the end of the request, which did not hit the specific Nginx rule but still returned the wanted data. Neat!
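The encoded-slash trick works whenever a proxy makes its decision on the literal request line while the application behind it decodes and normalises the path before resolving it. The following is an added illustration, not code from the post or from Cox; the real Nginx rule is not shown there, so the assumption here is a rule that keyed off the exact path string. The naive matcher is the mistake; the hardened one canonicalises the way the backend will before deciding.

```python
from urllib.parse import unquote
import posixpath

# Constructed rule set modelling an edge proxy that is supposed to keep
# API documentation off the public surface. The actual Nginx rule in the
# post is not shown; the assumption here is that it keyed off the literal
# request path, which is the general mistake the encoded slash exploited.
BLOCKED_EXACT = {"/swagger-ui/index.html", "/v3/api-docs"}
PROTECTED_PREFIXES = ("/swagger-ui", "/v3/api-docs")


def naive_is_blocked(raw_path: str) -> bool:
    """Exact match on the request line as received, before any decoding."""
    return raw_path.split("?", 1)[0] in BLOCKED_EXACT


def canonicalize(raw_path: str, max_rounds: int = 3) -> str:
    """Reduce a request path to the form the backend will actually resolve.

    Percent-decoding is repeated until stable so that double-encoded
    sequences (%252F) do not survive a single pass; then duplicate slashes,
    '.' and '..' segments and the trailing slash are normalised away.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Re-root with a single leading slash: posixpath keeps a leading '//' verbatim.
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_is_blocked(raw_path: str) -> bool:
    """Decide on the canonical path and match by prefix, not by exact string."""
    canon = canonicalize(raw_path)
    return any(canon == p or canon.startswith(p + "/") for p in PROTECTED_PREFIXES)


if __name__ == "__main__":
    for probe in ("/swagger-ui/index.html", "/swagger-ui/index.html%2F",
                  "/swagger-ui/%252e%252e/swagger-ui/index.html", "/api/cbma/devices"):
        print(f"{probe:48} naive={naive_is_blocked(probe)!s:5} hardened={hardened_is_blocked(probe)}")
```

The canonicalisation has to mirror what the application actually does with the path; when the two disagree, the proxy is the wrong place to enforce the rule at all, and the safer fix is to require authentication inside the application (where the path is already canonical) or to not ship the documentation endpoint to production.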
Based on the Swagger file, he used Burp Intruder to fuzz the endpoints and see which ones required authentication. For whatever reason, the results were a perfect 50/50 split. Why? For a reason the author did not understand, making multiple requests meant authentication was no longer required. So it was possible to interact with arbitrary endpoints as an authenticated user. Weird!
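An authorisation decision should be a pure function of the principal and the operation, never of request history, and that property is cheap to regression-test from the same OpenAPI document. Below is an added example of such a check, written for this summary rather than taken from the post or from Cox: it walks a constructed Swagger/OpenAPI document (invented paths; only the /api/cbma prefix is from the post), sends every non-public operation several times without credentials, and reports operations that are ever let through, distinguishing "always open" from "intermittent". The flaky backend reproduces only the symptom the post describes, not its cause, which the post leaves unexplained.

```python
import json
from collections import Counter

# Constructed minimal OpenAPI document standing in for the Swagger file the
# post describes; the paths are invented, only the /api/cbma prefix is from the post.
SPEC_JSON = """{
  "openapi": "3.0.0",
  "paths": {
    "/api/cbma/devices": {"get": {}, "post": {}},
    "/api/cbma/accounts/{id}": {"get": {}},
    "/api/cbma/health": {"get": {"security": []}}
  }
}"""

HTTP_METHODS = ("get", "post", "put", "patch", "delete")


def list_operations(spec_json: str):
    """Return (METHOD, path, is_public) for every operation in the spec.

    An explicit empty 'security' list is OpenAPI's way of opting an operation
    out of authentication; everything else is expected to require it.
    """
    spec = json.loads(spec_json)
    ops = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                ops.append((method.upper(), path, op.get("security") == []))
    return ops


def audit_auth(spec_json: str, send, repeats: int = 5):
    """Send each non-public operation 'repeats' times WITHOUT credentials.

    send(method, path) -> HTTP status code. Returns findings as
    (method, path, kind, status_counts) where kind is 'always open' if no
    request was ever denied and 'intermittent' if denial depended on
    request history, the property the post's 50/50 split violated.
    Path templates such as {id} are passed through as-is; a real harness
    would substitute a known-good value first.
    """
    findings = []
    for method, path, public in list_operations(spec_json):
        if public:
            continue
        statuses = [send(method, path) for _ in range(repeats)]
        leaked = [s for s in statuses if s not in (401, 403)]
        if not leaked:
            continue
        kind = "always open" if len(leaked) == len(statuses) else "intermittent"
        findings.append((method, path, kind, dict(Counter(statuses))))
    return findings


def strict_backend(method: str, path: str) -> int:
    """Constructed well-behaved backend: deny everything but the health check."""
    return 200 if path == "/api/cbma/health" else 401


def make_flaky_backend():
    """Constructed backend reproducing the symptom from the post, not its
    (unknown) cause: every second request to the same operation is let through."""
    calls = Counter()

    def send(method: str, path: str) -> int:
        if path == "/api/cbma/health":
            return 200
        calls[(method, path)] += 1
        return 200 if calls[(method, path)] % 2 == 0 else 401

    return send


if __name__ == "__main__":
    print("strict :", audit_auth(SPEC_JSON, strict_backend))
    print("flaky  :", audit_auth(SPEC_JSON, make_flaky_backend()))
```

Running the audit in CI against a staging deployment, with `send` wired to a real HTTP client, turns the one-off observation from the post into a property that has to hold on every build.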
Sam used this to access his own modem at home. Additionally, he could update business accounts to retrieve PII, MAC addresses and other data. There's still more to the craziness, though.
Any hardware modifications to other devices required a special encrypted value. From reversing the JavaScript, he found the key being used. The device PIN happened to be encrypted with it, which made for some easy testing. Encrypting the device parameters was not as easy, though; it required a bunch of information such as the MAC address, account number and other things.
Since Sam did not know how to get the account ID of an arbitrary user, he removed some of the values and provided garbage for the others. Luckily for him, the only parameter that had to be valid was the MAC address! To test this, he updated his own modem's settings to change the SSID, and it worked. He had the ability to change the settings of arbitrary modems.
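The root cause in this part of the post is that a value encrypted by the browser, with a key shipped in the JavaScript, was treated as proof that the caller may touch the device named inside it. An encryption key that every client holds is public, so the server can only trust what it derives from its own state. The snippet below is an added model of that flaw beside its fix, written for this summary and not taken from the post or from Cox; the inventory, account ids, MAC addresses and allowlisted settings are all invented, and the client-side encryption is left out because it contributes nothing to the authorisation decision.

```python
from dataclasses import dataclass

# Constructed ownership inventory (MAC -> owning account), standing in for the
# ISP's backing store; MACs and account ids are invented.
INVENTORY = {
    "AA:BB:CC:00:00:01": "acct-1001",
    "AA:BB:CC:00:00:02": "acct-1002",
}

# Only these fields may be pushed to a device; anything else is dropped.
SETTABLE = {"ssid", "wifi_password", "channel"}


class Forbidden(Exception):
    pass


@dataclass
class Session:
    account_id: str


def normalize_mac(mac: str) -> str:
    """Canonicalise the separators and case clients send so an ownership
    lookup cannot be sidestepped by writing the same address differently."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vulnerable_update_settings(session: Session, params: dict, settings: dict, store: dict) -> str:
    """Models the flaw in the post: the decrypted client-built parameter blob
    is trusted, and the MAC inside it alone selects the target device. The
    session is never consulted, so any caller can name any modem."""
    mac = normalize_mac(params["mac"])
    store.setdefault(mac, {}).update(settings)
    return mac


def hardened_update_settings(session: Session, params: dict, settings: dict, store: dict) -> str:
    """Authorisation from server-side state: the device must be owned by the
    authenticated account, and the write is limited to an allowlist."""
    mac = normalize_mac(params["mac"])
    owner = INVENTORY.get(mac)
    # One answer for 'unknown' and 'not yours' so the endpoint cannot be used
    # to confirm which MACs exist.
    if owner is None or owner != session.account_id:
        raise Forbidden("device is not associated with this account")
    clean = {k: v for k, v in settings.items() if k in SETTABLE}
    store.setdefault(mac, {}).update(clean)
    return mac


if __name__ == "__main__":
    me, store = Session("acct-1001"), {}
    # Someone else's modem: the vulnerable path accepts it.
    print(vulnerable_update_settings(me, {"mac": "aa-bb-cc-00-00-02"}, {"ssid": "changed"}, store))
    try:
        hardened_update_settings(me, {"mac": "aa-bb-cc-00-00-02"}, {"ssid": "changed"}, store)
    except Forbidden as exc:
        print("hardened refused:", exc)
    # Own modem: accepted, with the unknown field silently dropped.
    print(hardened_update_settings(me, {"mac": "AABBCC000001"}, {"ssid": "home", "admin": True}, store), store)
```

Whether the request parameters arrive encrypted, signed or in the clear makes no difference to `hardened_update_settings`: the binding between caller and device comes from `INVENTORY`, which the client cannot influence, rather than from anything the client sends.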
Sam was satisfied with his research. He thought this was likely the vulnerability the hacker in his network had found, so he reported the bug to the ISP, which swiftly took everything down and patched it. In a twist, Cox said this functionality was added in 2023, while the exploitation of his device had happened in 2021. Regardless, an awesome post on discovering and exploiting weird functionality with sick recon techniques.