Walkthrough: Account Enumeration (AT&T's iPad breach)

Tools Used:
When you first click the "Your" iPad link under SCOPE for the challenge, you are greeted with a screen like this:



Note that the email field is pre-filled with "your" personal email. If you interact with it, you'll notice it is not mere placeholder text (like the "Password" hint text) but an actual, pre-filled value.

Let's open up Chrome's Developer Tools.



Navigate to the Network tab within the Developer tools.



Now refresh the page. You'll see several network calls populate within the Dev Tools, and one in particular sticks out: the prefill API call!



Clicking on that API call shows you the full information behind the request, including the full URL string.



We can see in the URL string `https://php1.hackthe.company/challenge1/prefill.php?ICC_ID=2654633` that an ICC_ID value is being passed to the API call. What if we copy/paste this URL into our browser, but change the ICC_ID to a different number?



As you can see, we get an error message: "Invalid user agent - only iPads allowed." A user agent is a header sent on a request that identifies the device/browser being used. The application apparently checked that header and rejected the request because it did not appear to come from the iPad.

If you look back at our inspection of the request earlier, you'll see this custom `X-User-Agent` header is being passed, which identifies the source of the request as an iPad:
"X-User-Agent: Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1"

So we cannot merely visit the URL in our browser; we have to ensure this header is sent with the request. There are many ways to do so. One way is to simply right-click the request in the Chrome Dev Tools and click Copy -> Copy as fetch:



Paste the string into the DevTools JavaScript console and execute it. You'll see a new entry pop up in the Network tab, which is the request you just executed. It uses the exact same headers as the original request, and so passes the iPad user agent check!



To confirm, let's click the new request we just generated in the Network tab and open the "Preview" panel; we should see our email returned.



Now remember the goal of this challenge? "A whitehouse person was one of the first people to obtain an iPad - the flag is their email address." Looking at this ICC_ID value, it just looks like an incrementing number... if we're trying to find one of the first people to obtain an iPad, they will likely have a small ICC_ID value.

So let's take our cloned request and edit the ICC_ID value in the URL. Let's start by changing the value to 1 and working our way up:



As we work our way up, we eventually come across ICC_ID 13, which has a whitehouse.gov email address. There's our flag!
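The two weaknesses the walkthrough exploits are a gate based on a client-controlled header and a lookup keyed by a sequential, client-supplied ICC_ID. As an added example (not code from this walkthrough or from the challenge itself), here is a small Python model of that endpoint next to a hardened version, plus a detection over constructed request logs. The function names, the `ACCOUNTS` data and the log entries are constructed for the demo.

```python
from collections import defaultdict

# The iPad header value seen in the captured request.
IPAD_UA = ("Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.34 "
           "(KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1")

# Constructed sample accounts keyed by a sequential ICC_ID, as in the challenge.
ACCOUNTS = {1: "alice@example.com", 2: "bob@example.com", 2654633: "carol@example.com"}


def prefill_vulnerable(headers, params):
    """Model of the original design: the only gate is a header the client
    controls, and the record returned is chosen by the client-supplied ICC_ID.
    Anyone who copies the header can read any account by changing the ID."""
    if "iPad" not in headers.get("X-User-Agent", ""):
        return 403, "Invalid user agent - only iPads allowed."
    email = ACCOUNTS.get(int(params.get("ICC_ID", 0)))
    return (200, email) if email else (404, "")


def prefill_hardened(session, params):
    """Fix: the ICC_ID comes from the server-side session established when the
    device authenticated, so the query string cannot select another user.
    No request header is consulted, because every header is attacker-controlled."""
    icc_id = session.get("icc_id")
    if icc_id is None:
        return 401, ""
    if params.get("ICC_ID") not in (None, str(icc_id)):
        return 403, ""  # a mismatched ICC_ID is an enumeration signal worth logging
    return 200, ACCOUNTS[icc_id]


def enumeration_suspects(log, max_distinct=5):
    """Detection for the vulnerable version: a legitimate device only ever asks
    for its own ICC_ID, so a client requesting many distinct IDs is probing.
    `log` is an iterable of (client_ip, icc_id) tuples."""
    seen = defaultdict(set)
    for ip, icc in log:
        seen[ip].add(icc)
    return sorted(ip for ip, ids in seen.items() if len(ids) > max_distinct)
```

In the hardened version the fix is authorization, not a better header check: the server decides which record the caller may see.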