HTB Academy - HTTPS/TLS ATTACKS: Skill assessment

jonathanv · March 12, 2023, 10:58am

Any hints on how to start with the skill assessment?

I’ve tried:

running testssl.sh (which does not run, I guess obvious why)
running all apps in the TLS-Breaker/apps folder
run padbuster

What am I missing?
I would love to make the testssl.sh script work to narrow the search down!

maxz · March 12, 2023, 11:53pm

Did you run padbuster with the proper “-error” switch?

gerbsec · April 25, 2023, 6:45pm

did u figure it out?

osa · June 21, 2023, 7:53am

The testssl.sh run show the next:
Secure Renegotiation (RFC 5746) OpenSSL handshake didn’t succeed

Please tell me how to exploit this vulnerability.

I figure out that the target server uses HHTP.
User credentials are not encrypted in the request.

How can I get admin credentials?

robinas · August 19, 2023, 2:29pm

There is no need to run testssl in this challenge. Visit the site and see it only supports HTTP. Refer to one of the early sections of the module where padbuster is used. You need to make correct usage of the flags, so look through the padbuster help output to see what modifications are needed.

Leonor321 · August 25, 2023, 9:43am

I’m going crazy with this! I’m using padbuster with the user cookie for htb-stdnt and the url with /admin. Then I’m passing the error for an invalid cookie. I don’t know what else to change except for changing the block size or the encoding, but I’ve tried a lot of combinations and it still doesn’t work

robinas · August 25, 2023, 11:28am

so wrong encoding is what I wasted a lot of time on. Its not the default base64, try the next one. Size is also within the normal ones you initially try, its not a strange multiple. Note there is also no difference in size, response code etc between the failed auth and padding error. As you mentioned, you need to pass it the error string, but it needs one more flag to know it should check the body.

Leonor321 · August 25, 2023, 1:58pm

Thank you so much for getting back to me! I can’t believe I was missing the last flag for checking the body xd

Now I’m stuck because I got the token and it says to check the email for more information. But there is no email in the website. I have also tried changing the path to /email and other variations. Any help on that?

robinas · August 26, 2023, 9:29am

Email is a rabbit hole. Use what you already have (/token) when you redeemed the token, can you make it give an error like you got for the /admin endpoint?

Leonor321 · August 28, 2023, 6:18am

Thank you so much, robinas! I had assumed it wouldn’t be the same challenge twice
Now I finally got the flag