I’m stucking “Predictable Reset Token” section !
Who can guide me to practice it, please ? Thanks
question 1: Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of ±1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the “Check” button. What is the flag?
Hint: Convert the displayed date to epoch time in milliseconds and use it in the script you will create.
I know the token will be generate by “username and time” then hash by md5, like the Apache OpenMeeting bug. CVE-2016-0783
but I convert datetime to epoch time, and I’m still get wrong token !