$$ \text {An iCSI CTF (RED22)} $$

IP Address: 172.25.200.200

Port: 9033

Want to run this Docker container locally?

docker run -d -p 9033:80 --name flag-red22 --restart always joshbeck2024/ctf-har-hijack-okta-plunder-flag-red22

Before working through this lab, take a minute to read [this article.](https://thehackernews.com/2023/11/oktas-recent-customer-support-data.html#:~:text=It further noted that the,used for session hijacking attacks.)

Overview: In September and October 2023, attackers obtained credentials that granted them access to Okta's customer support resources.

• Okta, known for its identity and access management services, is a prominent player in this sector.
• Service clients could upload .har (HTTP Archive) files to a support portal for various purposes.
• .har files typically contain confidential data, including session tokens.
• The .har files submitted to Okta's portal were not stripped of sensitive data, such as valid access tokens. This oversight allowed attackers to infiltrate Okta's customer resources.
• Notably, this breach affected services such as 1Password, BeyondTrust, and Cloudflare, with attackers leveraging session data in .har files to access restricted resources.
  • Interesting Note: [This article](https://www.cybersecuritydive.com/news/1password-okta-breach/697636/#:~:text=“After a thorough investigation%2C we,-facing%2C” Canahuati said.) suggests that 1Password’s security team was on the ball. They caught the breach immediately and determined that the infrastructure breach occurred not at 1Password but with Okta.

In this lab, you’ll exploit information within .har files to get a feel for how the discovery of these files may be leveraged to access protected resources.

Setup:

We’ll explore this website using Burp Suite and the built-in browser this time.

• Rusty on your Burp-Suite Setup: Click Here for Directions

Click on the ‘Register’ link on the front page: