HTB Academy - HTTPS/TLS ATTACKS: Skill assessment

Any hints on how to start with the skill assessment?

I’ve tried:

  • running testssl.sh (which does not run, I guess it's obvious why)
  • running all apps in the TLS-Breaker/apps folder
  • running padbuster

What am I missing?
I would love to make the testssl.sh script work to narrow the search down!


Did you run padbuster with the proper “-error” switch?


Did you figure it out?

The testssl.sh run shows the following:
Secure Renegotiation (RFC 5746) OpenSSL handshake didn’t succeed

Please tell me how to exploit this vulnerability.

I figured out that the target server uses HTTP.
User credentials are not encrypted in the request.

How can I get admin credentials?

There is no need to run testssl in this challenge. Visit the site and see it only supports HTTP. Refer to one of the early sections of the module where padbuster is used. You need to make correct usage of the flags, so look through the padbuster help output to see what modifications are needed.


I’m going crazy with this! I’m using padbuster with the user cookie for htb-stdnt and the url with /admin. Then I’m passing the error for an invalid cookie. I don’t know what else to change except for changing the block size or the encoding, but I’ve tried a lot of combinations and it still doesn’t work :confused:


So, wrong encoding is what I wasted a lot of time on. It's not the default base64, try the next one. Size is also within the normal ones you initially try, it's not a strange multiple. Note there is also no difference in size, response code etc. between the failed auth and padding error. As you mentioned, you need to pass it the error string, but it needs one more flag to know it should check the body.

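The server-side view of the oracle described in the reply above, as an added example that is not part of this thread or of the HTB lab: a toy CBC cookie handler that answers "Decryption failed" in the body on a padding error (distinguishable from the ordinary authorization failure even when status and length match) beside an encrypt-then-MAC handler that gives no such signal. The block cipher is a keyed-hash stand-in and the keys, endpoint names and JSON claims are constructed for the demo.

```python
import hashlib, hmac, os
BLOCK = 16
ENC_KEY, MAC_KEY = b"k" * 32, b"m" * 32   # constructed demo keys, not real material

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _dec_block(c):
    # Toy stand-in for AES^-1 (keyed hash); cbc_encrypt solves the chain backwards, so no inverse is needed
    return hashlib.sha256(ENC_KEY + c).digest()[:BLOCK]
def cbc_encrypt(pt):
    blocks, nxt = [], os.urandom(BLOCK)
    for i in range(len(pt) - BLOCK, -1, -BLOCK):
        blocks.insert(0, nxt)
        nxt = _xor(_dec_block(nxt), pt[i:i + BLOCK])
    return nxt + b"".join(blocks)          # iv || c1 || ... || cn
def cbc_decrypt(data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(_dec_block(c), p) for p, c in zip(blocks, blocks[1:]))
def pad(b):
    n = BLOCK - len(b) % BLOCK
    return b + bytes([n]) * n
def unpad(b):
    n = b[-1] if b else 0
    if not 1 <= n <= BLOCK or b[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")    # the PKCS#7 failure the vulnerable handler leaks
    return b[:-n]
def issue_cookie(claims, with_mac):
    body = cbc_encrypt(pad(claims))
    return body + hmac.new(MAC_KEY, body, "sha256").digest() if with_mac else body

def vulnerable_admin(cookie):
    # Padding failure and authorization failure return different bodies even when status
    # code and length match: exactly the signal padbuster's -error/-usebody flags rely on.
    try:
        claims = unpad(cbc_decrypt(cookie))
    except ValueError:
        return "Decryption failed"
    return "Welcome admin" if b'"role": "admin"' in claims else "Unauthorized"

def hardened_admin(cookie):
    # Encrypt-then-MAC: a modified cookie is rejected before the padding is inspected, and
    # every failure gets the same body, so there is no per-byte feedback to collect.
    body, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, "sha256").digest(), tag):
        return "Invalid session"
    try:
        claims = unpad(cbc_decrypt(body))
    except ValueError:
        return "Invalid session"
    return "Welcome admin" if b'"role": "admin"' in claims else "Unauthorized"
```

Flipping one byte of the block before the last one changes the vulnerable handler's answer from "Unauthorized" to "Decryption failed", while the hardened handler answers "Invalid session" for any modification.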

Thank you so much for getting back to me! I can’t believe I was missing the last flag for checking the body xd

Now I’m stuck because I got the token and it says to check the email for more information. But there is no email in the website. I have also tried changing the path to /email and other variations. Any help on that?

Email is a rabbit hole. Use what you already have (/token) when you redeemed the token, can you make it give an error like you got for the /admin endpoint?


Thank you so much, robinas! I had assumed it wouldn’t be the same challenge twice :man_facepalming:
Now I finally got the flag :smiley:


I am able to decode the user cookie, but when I try to recreate a plain text cookie I get issues.
Command:
padbuster http://IP/admin "cookie" 16 -encoding 1 -cookies "user=cookie" -usebody -error 'Decryption failed' -plaintext '{"user": "admin", "role": "admin"}'
Results:
Cookie does not work at /token endpoint. Any ideas?

Did you specify the port number? You can DM me if you need help.

Yes, the port number is there.

Could anyone assist in decrypting the token? I've checked all my padbuster flags. Set up post, added cookies for authentication, added the error message, checked the encoding, tried sizes 8 and 16, added -noencode, proxying through Burp and just watching requests.

I get the farthest with block size 8, but after a while I always get No matching response on [Byte xxx].

The attack also takes forever, so I’m constantly using up the full 90 min session of the box.

Does it sound like I missed something?

I have used block size 8 to decrypt the token and got the flag. Do you still have problems?