Broken Authentication - Predictable Reset Token // question 2

Hello everyone. I have a problem with question 2 in the “Predictable Reset Token” Broken Authentication module. I can’t understand how to log in as htbadmin (htbuser is OK, it’s very easy).

I think I tried everything:
php_mt_seed script to find something with mt_rand() - no results
Maybe this temp password = some hash, but no

Noticed that temp password value uses “0-9” and “a-f” values, but this didn’t help me

Please give me some hint. Thank you

You have to understand how the reset password token is generated. Then tamper it with the htbadmin user. Once you’ve got it, just bypass the login (look at inspect page).

This token is always the same, but I still can’t understand how it’s generated

You have to decode the base64 string which is given by the htbuser reset password. Tamper it with htbadmin:<rest_of_string_here>:<…>, then encode it again to hex --> base64, copy the cookie in order to bypass login.

Thanks. Did it without cookie

Hey there, I have a problem with this question. I decoded the token from htbuser but I don’t know where the new token can be put in.

I put the new token in the password field with the htbadmin username

It also helps to try to encode the already decoded token back, to be sure that the resulting value is the same as the one given by “Show temporary password for htbuser”. And then encode the token for htbadmin using the same approach.
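
The weakness this thread circles around, seen from the defending side, as an added example that is not part of any post above and not the lab's own code: an audit check that flags a reset token which is only a reversible base64-over-hex encoding naming the user, next to a token issuer that is random, stored hashed, single use, bound to one account and expiring. The names `encode_weak`, `is_reversible_encoding` and `ResetTokenStore`, the field after the username and the 900-second lifetime are all assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import secrets

def encode_weak(username, rest):
    # Constructed stand-in for the flawed scheme: base64(hex("user:rest")).
    raw = f"{username}:{rest}".encode()
    return base64.b64encode(binascii.hexlify(raw)).decode()

def is_reversible_encoding(token, username):
    # Audit check: True if base64 -> hex decoding yields text naming the user.
    try:
        plain = binascii.unhexlify(base64.b64decode(token, validate=True)).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    return plain.split(":")[0] == username

class ResetTokenStore:
    # Random token; only its SHA-256 is kept; single use; bound to a user; expires.
    TTL = 900  # seconds (assumed policy value)

    def __init__(self):
        self._pending = {}  # sha256(token) -> (username, expiry time)

    def issue(self, username, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, now + self.TTL)
        return token

    def redeem(self, username, token, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None or entry[0] != username:
            return False  # unknown token, or issued for a different account
        del self._pending[digest]  # consumed even if expired
        return now <= entry[1]
```

Running `is_reversible_encoding` over tokens captured in a test environment is a quick regression check: any token it accepts carries no secret and should be replaced by one from an issuer like `ResetTokenStore`.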