I’m stuck on the “Predictable Reset Token” section!
Who can guide me on how to practice it, please? Thanks.
question 1: Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of ±1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the “Check” button. What is the flag?
Hint: Convert the displayed date to epoch time in milliseconds and use it in the script you will create.
I know the token will be generated from “username and time” and then hashed with md5, like the Apache OpenMeetings bug, CVE-2016-0783,
but when I convert the datetime to epoch time, I still get the wrong token!
I’m banging my head against the wall with this one. I need serious help. I made an md5 hash of the username + the time in epoch milliseconds, just like the hint says, and it doesn’t match the displayed token. Does anyone have a hint?
I just skipped it. I tried every combo of htbstudent with every permutation of the epoch time, tried switching them, tried putting a colon in between them, switching them. I wrote multiple Python scripts doing random things like taking date.date() and datetime.datetime(…).timestamp() * 1000. I can’t get it to work.
You have misunderstood how the token for “htbadmin” is generated. When you click on “create reset token for htbuser”, let’s say the timestamp at this moment is T; then the server generates the token for “htbadmin” using a timestamp within the range [T-1000, T+1000]. Therefore, you are supposed to use the time displayed on the webpage instead of the current timestamp. PS. There is another issue within your code that could stop you from finding the correct token. I will leave it for you to figure out for now.
> @OceanicSix said:
> You have misunderstood how the token for “htbadmin” is generated. When you click on “create reset token for htbuser”, let’s say the timestamp at this moment is T; then the server generates the token for “htbadmin” using a timestamp within the range [T-1000, T+1000]. Therefore, you are supposed to use the time displayed on the webpage instead of the current timestamp.
> PS. There is another issue within your code that could stop you from finding the correct token. I will leave it for you to figure out for now.

Thanks! The only problem is that the time displayed on the page is the exact same time as the header (which is why I used it). I’ll look through the rest of my code for the other problem.
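To make the point of the thread concrete, here is an added example (not code from the original posts or from the HTB module) contrasting the OpenMeetings-style generator described above with a generator backed by the OS CSPRNG. The username, timestamps and the ±1000 ms window are constructed values taken from the discussion; the hash layout (username followed directly by the millisecond timestamp) is an assumption for illustration. The candidate_tokens() function shows why the weak scheme is predictable: once the displayed time is known, only 2001 values are possible, so a verifier can confirm a token came from that window, whereas the strong token has no such relationship to time at all.

```python
import hashlib
import secrets


def weak_reset_token(username: str, epoch_ms: int) -> str:
    """Constructed model of the vulnerable generator discussed in the thread:
    MD5 over the username concatenated with the millisecond timestamp.
    Entirely deterministic, so anyone who knows the time can rebuild it."""
    return hashlib.md5(f"{username}{epoch_ms}".encode()).hexdigest()


def strong_reset_token() -> str:
    """Hardened replacement: 32 bytes (256 bits) from the OS CSPRNG.
    Independent of time, username, and any other observable input."""
    return secrets.token_urlsafe(32)


def candidate_tokens(username: str, t_ms: int, window_ms: int = 1000) -> dict:
    """Every weak token the server could have produced for `username`
    within [t_ms - window_ms, t_ms + window_ms], keyed by token.
    The size of this dict is the effective keyspace of the weak scheme."""
    return {
        weak_reset_token(username, t): t
        for t in range(t_ms - window_ms, t_ms + window_ms + 1)
    }


def token_is_predictable(token: str, username: str, t_ms: int, window_ms: int = 1000) -> bool:
    """Defender-side check: does the token fall inside the tiny candidate set?
    True means the token is fully determined by a known timestamp."""
    return token in candidate_tokens(username, t_ms, window_ms)


if __name__ == "__main__":
    displayed_time_ms = 1_700_000_000_000          # constructed "time shown on the page"
    server_time_ms = displayed_time_ms + 437       # constructed offset inside the +-1 s window
    weak = weak_reset_token("htbadmin", server_time_ms)
    strong = strong_reset_token()
    print("weak token candidates in window:", len(candidate_tokens("htbadmin", displayed_time_ms)))
    print("weak token predictable:", token_is_predictable(weak, "htbadmin", displayed_time_ms))
    print("strong token predictable:", token_is_predictable(strong, "htbadmin", displayed_time_ms))
```

The lesson for anyone building a reset flow is the size of that candidate set: a ±1 s window leaves roughly 11 bits of uncertainty, which is nothing, while secrets.token_urlsafe(32) gives 256 bits that no displayed timestamp can narrow down.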
Working on it but not resolved for a few days. Just found that there are some old accounts, as mentioned on the “Support” page. I guess the old accounts have less security control and am going to try them. If you have resolved the question, do you mind PMing me some hints?
I got the password for some support accounts, but when I log in with those accounts I do not see any admin panel access. The only difference I see is that there is no ticket assigned to the support account… Using a small directory brute force, there is no extra folder or page found… I believe this is the right direction.
Working on the final assessment here.
I figure that there is an account username that can be targeted.
So I prepared a list of passwords from rockyou.txt that fit the password criteria (20 characters, starting with an uppercase letter, ending with a digit, etc.).
Brute-forcing the password does not work, though, due to timeouts.