Skills Assessment - Broken Authentication

That was pretty helpful and I managed to find one or two more users like this using the message page (after having created a user). However, I fail to tamper with the cookie as I am a bit blocked… the cookie seems to be a hash of something. I am really wondering how to proceed.

Got it! Nice escalation of multiple steps!

Nice glad you got it!

This module is killing me! Any tips on the wordlist to use to enumerate the user on the final assessment? I found where to enumerate the user; it looks like guest is the only other user aside from the one I created that I can find so far…

There is another one that you can see “manually” on the website. Once logged in, just read the site contents…
As already mentioned… Skills Assessment - Broken Authentication - #2 by onthesauce

Hi, I created my thread. Can you help me?

Question: can you combine two wordlists when searching for a wordlist? When creating a login they ask for the following:

- 20 word min
- Start with a capital letter
- End with a digit

Do the other users' passwords have the same requirements?

Can you please suggest how you tampered with the cookie? I am also stuck at the cookie. Which encoding algo did you use?

Hey! Have you got the username? How did you enumerate them? I used a lot of different wordlists but I always end up with the two known usernames…

Hi!! In the support page you can find the way to enumerate usernames, and a clue about how the usernames are made.
Then, review the end of the brute forcing usernames section to get an idea about the naming convention.
If not clear enough, DM me :wink:

Hi, I got all support users and their passwords but I can't find any admin panel or flag. Any hints please :slight_smile:

Once you can log in with the support account, you have to work on cookies to elevate privileges.


I think I'm only one step away from getting it, but I can't figure out what “role” you need to put in the cookie. I tried with: root, admin, administrator, htbadmin, super, superuser, sun… I don't know if that thing about “following the sun” has something to do with it…

Hi, I have found 5 new users with 3 valid passwords. I also found how htb_sessid is made, so I was able to create my own sessid with different roles, but nothing seems to work with those users. I am a bit stuck with this assessment. Could someone give a hint about the next step? Thank you.

I was just trying with the wrong accounts. Keep looking for other accounts!

Same for me.
Anyone have a hint?

Hi @onthesauce ,

Can I get some help with this module please? I have a few usernames obtained from message.php. I decoded the cookie, which ends up as just the username, but changing the cookie always gives the message: the requested role is not available for this user.
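The posts above describe a session cookie that decodes to a username, a role that the client can try to change, and a server that answers "requested role is not available for this user". The following is an added example, not code from this thread or from HTB Academy, that shows the two halves of that picture from the defender's side: an encoded-but-unsigned cookie is client-controlled input and accepts any role written into it, while an HMAC-signed cookie rejects a modified payload, and in both cases the server should decide roles from its own user store rather than from the cookie. The cookie format (base64 JSON), the secret key and the user/role table are constructed for the demo.

```python
"""Added example: unsigned vs. HMAC-signed session cookies, and a server-side
role check. Cookie format, secret and user store are constructed for the demo."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side store: which roles each account is allowed to hold.
USER_ROLES = {
    "support.fr": {"support"},
    "admin.fr": {"support", "admin"},
}
SECRET_KEY = b"constructed-demo-key"  # constructed; real servers keep this out of source


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- Weak scheme: claims are merely encoded, nothing proves the server issued them ---
def make_unsigned_cookie(user: str, role: str) -> str:
    return _b64e(json.dumps({"user": user, "role": role}).encode())


def read_unsigned_cookie(cookie: str) -> dict:
    # Whatever decodes is believed: the "session" is just client input.
    return json.loads(_b64d(cookie))


def tamper_role(cookie: str, new_role: str) -> str:
    """Re-encode the unsigned cookie with a different role (the client owns the bytes)."""
    claims = read_unsigned_cookie(cookie)
    claims["role"] = new_role
    return _b64e(json.dumps(claims).encode())


# --- Hardened scheme: same claims plus an HMAC the client cannot compute ---
def make_signed_cookie(user: str, role: str) -> str:
    payload = _b64e(json.dumps({"user": user, "role": role}).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def read_signed_cookie(cookie: str) -> Optional[dict]:
    try:
        payload, sig = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload was modified or the cookie was never issued by us
    return json.loads(_b64d(payload))


def authorize(claims: Optional[dict]) -> str:
    """Grant a role only if the server-side store says this user may hold it."""
    if claims is None:
        return "invalid session"
    user = claims.get("user")
    role = claims.get("role")
    if role not in USER_ROLES.get(user, set()):
        return f"User {user} cannot have requested role"
    return f"ok: {user} as {role}"


def demo() -> dict:
    weak = make_unsigned_cookie("support.fr", "support")
    weak_tampered = tamper_role(weak, "admin")
    strong = make_signed_cookie("support.fr", "support")
    _, sig = strong.split(".", 1)
    # Swap in an "admin" payload but keep the signature computed over the original.
    strong_tampered = make_unsigned_cookie("support.fr", "admin") + "." + sig
    return {
        "weak_tampered_role": read_unsigned_cookie(weak_tampered)["role"],
        "weak_tampered_auth": authorize(read_unsigned_cookie(weak_tampered)),
        "strong_tampered": read_signed_cookie(strong_tampered),
        "strong_valid": authorize(read_signed_cookie(strong)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points worth noticing in the output: the unsigned cookie happily decodes with `role` set to `admin`, yet `authorize` still refuses it because `support.fr` is not allowed that role in the server-side table, which is exactly the kind of refusal reported in the thread; and with the signed cookie the tampered payload never even reaches the role check, because the HMAC comparison fails first.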
I identified 3 support and 3 admin users. (name.country_code)
I know how htb_sessid works
I found 2 suitable passwords from rockyou. Couldn’t log in with any of them.
When logging in, I always get this: “User valid_user cannot have requested role”
What am I doing wrong/What am I not noticing?

This one was brutal for me. One piece of advice I have is that when you figure out the format that regional accounts are in, that format might apply to more than support accounts.


I’m already logged in as a support user, but how do I use cookies to escalate privileges?