API Attacks - Broken Authentication

Hi there,

I’ve been blocked on the 4th section of the module API Attacks for quite a while now. I have tried to brute force the user password for MasonJenkins@ymail.com and also the OTP token with different word lists, no luck at all so far.

Also tried to modify the phone number for user htbpentester3@hackthebox.com and then tried the password reset to see what the OTP token looks like, but that doesn’t seem to work either.

Any help would be very appreciated.

Hi,
If I remember correctly, you don’t need to brute-force the password. You use the default credentials entered in the section. Then you send a request to Mason’s email-otp. Then an OTP token is created on the server. This is the moment when you have to use ffuf to brute-force to get the code. You can use the SecLists/Fuzzing/4-digits-0000-9999.txt list or create your own with the ‘seq’ command. This section does a poor job of explaining what the OTP might look like. Finally, all that is left is to reset all the required parameters in the body.

Thanks! Managed to get the flag. It was really not straightforward; there was no way of knowing what the OTP looks like.

This method didn’t work. I was able to update the password using a different approach. First, I obtained the customer ID for Mason, and then I updated his password using the PATCH /api/v1/customers/current-user endpoint. However, when trying to log in with the new password, I couldn’t retrieve the payment method.

I tried using your method, which involves using the password provided in the example (“pentester3”), but it neither enabled OTP via SMS nor OTP via email. I also tried brute-forcing the password.

Additionally, I attempted to brute-force the OTP while passing the correct endpoint for the password reset, but that didn’t work either.

seq -w 0000 9999 >> OTP77.txt

ffuf -w /home/htb-ac-1327390/OTP77.txt:FUZZ -u SERVER/api/v1/authentication/customers/passwords/resets -X POST -H "Content-Type: application/json" -d '{"Email": "masonjenkins@ymail.com", "OTP": "FUZZ", "Password": "123456"}' -fr "true" -t 100

I also tried using the format with uppercase letters, but it didn’t work either: MasonJenkins@ymail.com

1 Like

You have spelling errors in the command. If you want it corrected, write me a private message, to avoid spoilers for others.

This is a terribly designed module. Are there any more hints you can provide without giving it away? I can’t seem to figure out how to set up my ffuf brute force, and I have no clue what the OTP is supposed to look like.

1 Like

The fact that you used wordlist:OTP and still “OTP”: “OTP” in your parameters makes it harder for ffuf. Instead, you can use the word FUZZ in place of the OTP.

1 Like

OTP in this case is any 4-digit number (like 0123 or 4961, etc.). Don’t name the wordlist keyword the same as your parameter; what @jaywandery said is true.
Also be sure you use the correct names of the parameters. I have already received a few private messages from other users who miswrote one of them.

1 Like

The lab presumes the OTP to be a 4-digit code.
Use ffuf with the /api/v1/authentication/customers/passwords/resets endpoint. But first you must initiate the OTP to be sent via a different endpoint.

Still struggling, but it’s become a lot more obvious what I need to do… still haven’t figured it out, but I think I’m getting closer.

ffuf -w 4-digits-0000-9999.txt:FUZZ -u http://94.237.62.168:54021/api/v1/authentication/customers/passwords/resets -X POST -H "Content-Type: application/json" -d '{"Email": "MasonJenkins@ymail.com", "OTP": "FUZZ", "NewPassword": "PLZ999"}'

Looks like some quote problems.

1 Like

For anyone else who looks at this in the future, my only tip: don’t copy and paste.

If you still can’t figure it out, just reach out to gurtoc lol

I can’t seem to get ffuf to work and couldn’t figure out how to download the wordlist to my VM for Parrot OS in the HTB instance. Any advice? I couldn’t get past the previous module in API Attacks, and I believe I was close but couldn’t find what the flag was. Any advice?

I am really struggling with this. Can someone please help me? I have been spinning in circles when it comes to ffuf, I believe.

1 Like

TBH I struggled with this for like 5 hours. The fix for me was to just use Burp Intruder as the brute-forcer.

In reality, you only need to understand the logic of the API in the authentication section. We authenticate with the user that they give us to be able to access the endpoints. Then you see that there are two endpoints that, as the hint indicates, create an OTP code and send it through different channels. At the endpoint to reset the password, the email is needed, which we already have, the OTP, which can be fuzzed, and the new password. Normally, the OTP is a 4-digit number, so we already have everything to access and change the password.
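To make the point of the thread concrete from the defender's side, here is an added example (not code from the HTB module or from anyone in this thread) that models the reset endpoint as a small in-memory service. The request body mirrors the field names used in the thread (Email, OTP, new password), but the server logic, the MAX_ATTEMPTS lockout, the OTP_TTL_SECONDS expiry and the email address are all assumptions. The unhardened variant accepts unlimited guesses, so walking the 0000-9999 space is guaranteed to hit the code; the hardened variant invalidates the OTP after a handful of wrong guesses, expires it, and compares in constant time, which is what stops the ffuf approach discussed above.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict

OTP_DIGITS = 4          # the lab's OTP format: a zero-padded 4-digit code
MAX_ATTEMPTS = 5        # assumed lockout threshold for the hardened variant
OTP_TTL_SECONDS = 300   # assumed validity window for the hardened variant


@dataclass
class PendingReset:
    """Server-side state created when a password reset is requested."""
    otp: str
    issued_at: float
    attempts: int = 0


class ResetService:
    """Toy reset flow. 'hardened' switches on attempt limiting, expiry and
    constant-time comparison; the unhardened variant mirrors a server that
    accepts unlimited OTP guesses."""

    def __init__(self, hardened: bool, clock=time.time):
        self.hardened = hardened
        self.clock = clock
        self.pending: Dict[str, PendingReset] = {}
        self.passwords: Dict[str, str] = {}

    def request_reset(self, email: str) -> str:
        """Issue a fresh OTP for the account. A real API delivers it by
        email/SMS; it is returned here only so a test can know the secret."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[email] = PendingReset(otp=otp, issued_at=self.clock())
        return otp

    def reset_password(self, email: str, otp: str, new_password: str) -> bool:
        """Models POST .../passwords/resets: True if the password changed."""
        state = self.pending.get(email)
        if state is None:
            return False
        if self.hardened:
            if self.clock() - state.issued_at > OTP_TTL_SECONDS:
                del self.pending[email]      # expired: a new request is needed
                return False
            state.attempts += 1
            if state.attempts > MAX_ATTEMPTS:
                del self.pending[email]      # locked: this OTP is now useless
                return False
            ok = hmac.compare_digest(state.otp, otp)  # no timing side channel
        else:
            ok = state.otp == otp
        if not ok:
            return False
        del self.pending[email]              # single use
        self.passwords[email] = new_password
        return True


def simulate_enumeration(service: ResetService, email: str, new_password: str) -> int:
    """Feed the endpoint the whole 4-digit space in wordlist order and report
    how many requests it took to be accepted (0 = never accepted)."""
    for n in range(10 ** OTP_DIGITS):
        if service.reset_password(email, f"{n:0{OTP_DIGITS}d}", new_password):
            return n + 1
    return 0


if __name__ == "__main__":
    email = "user@example.test"   # constructed sample account
    weak = ResetService(hardened=False)
    print("unhardened accepted after", simulate_enumeration(weak, weak.request_reset(email) and email, "new-pass"), "requests")
    strong = ResetService(hardened=True)
    strong.request_reset(email)
    print("hardened accepted after", simulate_enumeration(strong, email, "new-pass"), "requests (0 = locked out)")
```

The design choice worth noting is that the lockout is tied to the pending reset, not to the client: counting attempts per source IP does nothing when the guesses arrive through a proxy pool, whereas invalidating the OTP itself after a few failures bounds the attacker to MAX_ATTEMPTS guesses out of 10,000 per request, and the short TTL bounds how long even that window stays open.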