Any hints on how to start with the skill assessment?
- running testssl.sh (which does not run, I guess obvious why)
- running all apps in the TLS-Breaker/apps folder
- run padbuster
What am I missing?
I would love to make the testssl.sh script work to narrow the search down!
Did you run padbuster with the proper “-error” switch?
The testssl.sh run show the next:
Secure Renegotiation (RFC 5746) OpenSSL handshake didn’t succeed
Please tell me how to exploit this vulnerability.
I figure out that the target server uses HHTP.
User credentials are not encrypted in the request.
How can I get admin credentials?
There is no need to run testssl in this challenge. Visit the site and see it only supports HTTP. Refer to one of the early sections of the module where padbuster is used. You need to make correct usage of the flags, so look through the padbuster help output to see what modifications are needed.
I’m going crazy with this! I’m using padbuster with the user cookie for htb-stdnt and the url with /admin. Then I’m passing the error for an invalid cookie. I don’t know what else to change except for changing the block size or the encoding, but I’ve tried a lot of combinations and it still doesn’t work
so wrong encoding is what I wasted a lot of time on. Its not the default base64, try the next one. Size is also within the normal ones you initially try, its not a strange multiple. Note there is also no difference in size, response code etc between the failed auth and padding error. As you mentioned, you need to pass it the error string, but it needs one more flag to know it should check the body.
Thank you so much for getting back to me! I can’t believe I was missing the last flag for checking the body xd
Now I’m stuck because I got the token and it says to check the email for more information. But there is no email in the website. I have also tried changing the path to /email and other variations. Any help on that?
Email is a rabbit hole. Use what you already have (/token) when you redeemed the token, can you make it give an error like you got for the /admin endpoint?
Thank you so much, robinas! I had assumed it wouldn’t be the same challenge twice
Now I finally got the flag