I identified 3 support and 3 admin users. (name.country_code)
I know how htb_sessid works
I found 2 suitable passwords from rockyou. Couldn’t log in with any of them.
When logging in, I always get this: “User valid_user cannot have requested role”
What am I doing wrong/What am I not noticing?
This one was brutal for me, one piece of advice I had is when you figure out a format that regional accounts are in, that format might apply to more than support accounts.
1 Like
I’m already logged in as a support user, but how do I use cookies to escalate privileges?
Wow this was module and especially the skill assessment was tough. But learnt so much from this module and assessment.
Here is a few clues from me to people that are stuck:
-
There is always a hint in the questions like this one crack password using rockyou.txt - so think about that before starting.
-
Create account and think back on what was thought in module
-
always browse around and test the application for functionalities. This case the support function is given you the lead you need.
-
I found valid 10 user accounts (cracked 3 but it was more than enough to figure out the system)
-
Used chatgpt to try to help with scripts and grep - it sucks!!! I got better results googling and manually and that was enough to get a few passwords
-
After that is all about what the last topic taught you about tokens but I used cyberchef and got the system of the cookies/tokens then made a setup in cyberchef that made me create tokens and try many combinations out. (hint in Cyberchef start with URL decode before anything else). Then make the reverse function as shown in module and test with working token to see if you got it right. Then combine users and roles from what you know from the questions in the challenge and module.
-
Be systematic and you will get there.
-
Read all the very cool hints posted here in the blog it will give you the direction.
Again a really fun challenge that taught me a lot and to think out of the box. Thanks for all the comments they guided me on the right track.
2 Likes
The skills assessment was disproportionate to the entire module … it felt more like password attack than “broken authentication”
I have logged in as [support.uk] user got the cookie decoded it and decrypted the md5 which gives suport.uk:support and I changed it to [admin.uk]:admin and made it to a cookie and uploaded but the browser responds with “User cannot have requested role”. Could you suggest me on the right path?
Can anyone help me
1 Like
try sending a test message to the admin user you are suggesting … if it goes through then you need to encode it the same way you found the support cookie. [md5] > [encode] > [encode]
Thanks mate, already solved.
1 Like
Sadly, the Skill Assessment is very disproportionated from the module contents, for me it was more like Password Cracking rather than Broken Authentication.
Do not frustrate if you don’t get it, I think that even for a professional pen-tester this challenge requires a little effort to figure out what to do first.
My insights are:
- Read Username module section (Specially at the end) and Support page of the challenge, try to connect both contents, it helps a lot.
- It is very important to identify Password Policies before executing any brute-force on the login page.
- Once you can log in with any of the found accounts, see the cookies generated and identify the encoding.
- Try to reproduce that encoding.
- Finally, think about username structure and the role requested in the challenge and you’ll get the privileges required to read the flag.
Hey guys. I’m really stuck on this one, and I feel like I’ve tried everything, including everything written here, but still no luck 
So this is what I have so far:
- Understood the hint on the
/s____.phppage and got the username pattern. - Using the
/m____.phpI enumerated usernames and got to 10 existing (and relevant) usernames. Five of them ares____.__and the other five area____.__. - Inferred the password policy by enumerating
/r____.php→ found in total 5 different “rules”. - Using grep I filtered rockyou.txt according to the password policy → ended up with a total of 14 possible passwords.
- Created a python script that brute forces all the possible usernames and passwords on
/login.phpwhile taking in mind the time limit on the page. - Found the cookie pattern with the help of Decodify.
- Created cookies for super users and tried to escalate privileges from a
testuser I registered.
However, I still can’t seem to find a way in…
Any help/hint would be much appreciated!
This Skill assessment is DIFFICULT if right way is not been discovered or hinted
This reply may be long but hope will do the work
Step 1:
Before creating an account, examine the password policy. You will find some parameters.
Step 2:
We have rockyou.txt. Now filter out all the passwords according to the found parameters and store it in a txt file.
Step 3:
Now create an account and after log-in go to support tab and from there go to message.
Step 4:
Download the country codes **ONLY **(aplha-2) from ISO-3166-Countries-with-Regional-Codes/all/all.csv at master · lukes/ISO-3166-Countries-with-Regional-Codes · GitHub and convert them to LOWER CASE and store in a txt file.
Step 5:
From step 3, send a test message and intercept it in BurpSuite and send it to Intruder. Add $$ ONLY to userid as userid=support.$$ and leave the password as feafwefwecfwdwqdw 
as it is. Examine the response which are different. Note it in a separate txt file, you will get 4 to 5 vaild IDs
Step 6:
Now logout and intercept the login page, send to intruder, set anyone of the valid ID and then the password= as $$, load the filtered rockyou.txt list from step 2. You will notice that after 4 attempts, waiting time is 30 sec. Remove the non-valid password for the list, load again and try again. At the end you will find all passwords for 5 support.XX IDs.
Step 7:
Use anyone of the IDs and log in, examine the htb_sessid. Use cyberchef for it to understand the pattern
url decode → from base64 —> you will get a code in some encoded format which is common.
Step 8:
Use the same format to encode admin.XX:admin where XX is what you will find in step 6
Step 9: Paste the encoded value in htb_sessid, refresh the page and DONE
1 Like
This skill assessment is brutal
If anyone needs a hand with this assessment, send a message and I will help where I can.
This is quite a challenging assessment if you go down a rabbit hole. The main tips I can give people that I suffered from is:
-
Do not assume decoding the account you have created cookie will be of use once knowing existing usernames, the steps taken may be the same however there may be more content added onto the string to increase the size of the cookie.
-
Login to a valid account, do not try and dodge logging in otherwise you will not be able to crack a valid cookie.
I think the skill assessment is changed in the latest update.
Yeah, i like it. it much more structured
no idea what you guys are talking about. in my case i need to supply an OTP once logged in as a user. after three tries you’re logged out, so can’t ffuf. the cookie seems useless too. not sure what to do next.
1 Like
i also stuck at same stage did you found tip
nah. seems you can still fuzz without getting kicked out after three tries, but i tried with a sequence from 0001 to 9999 and 000001 to 999999 and none of them work. the OTP field is marked as text so maybe it’s not even a number? but the error messages are too vague, so no idea. the cookie doesn’t seem interesting either. strangely it doesn’t change after you’re logged in but apart from this, wasn’t able to do anything with it.
I tried the rockyou (shortened following the rules) on OTP and got nothing.
I found an existing valid user by the way. Not sure what to do with her (brute forcing her password with shortened rockyou gave nothing)
user is gl....? her password is in rockyou. maybe you fucked the filtering of rockyou 
1 Like