Skills Assessment - Broken Authentication

I identified 3 support and 3 admin users. (name.country_code)
I know how htb_sessid works
I found 2 suitable passwords from rockyou. Couldn’t log in with any of them.
When logging in, I always get this: “User valid_user cannot have requested role”
What am I doing wrong/What am I not noticing?

This one was brutal for me. One piece of advice I have: when you figure out the format that regional accounts are in, that format might apply to more than support accounts.

1 Like

I’m already logged in as a support user, but how do I use cookies to escalate privileges?

I can provide you with some general guidance on how to address the Broken Authentication vulnerability in the context of user enumeration and finding valid user accounts.

User Enumeration: User enumeration refers to the process of identifying valid user accounts on a website or application. In the context of Broken Authentication, this vulnerability may allow an attacker to enumerate user accounts by exploiting weaknesses in the authentication mechanism. To address user enumeration, you can consider the following steps:

Implementing account lockout mechanisms: If an attacker is attempting to enumerate user accounts by repeatedly trying different usernames or passwords, you can implement account lockout mechanisms that temporarily or permanently lock user accounts after a certain number of failed login attempts.

Using generic error messages: Avoid providing specific error messages that reveal whether a username or password is valid. Instead, use generic error messages that do not provide any indication of the validity of the entered credentials.

Randomizing response times: By randomizing the response times for invalid login attempts, you can make it more difficult for an attacker to enumerate user accounts using timing attacks.

Finding Valid User Accounts: Once you have identified potential usernames through enumeration or other means, you may want to verify if these usernames correspond to valid user accounts. Here are some approaches you can consider:

Password reset functionality: If the website has a password reset functionality, you can attempt to trigger the password reset process using the identified usernames. This can help you determine if the usernames correspond to valid user accounts.

Contacting the website administrator: If you believe you have identified valid usernames but cannot verify their authenticity through the website itself, you can contact the website administrator or support team and report your findings. They may be able to confirm if the identified usernames correspond to valid user accounts.

It’s important to note that any actions taken to identify and verify user accounts should be conducted in a responsible and ethical manner, adhering to all applicable laws and regulations. Always seek proper authorization before attempting any security testing on websites or applications.

Wow, this module and especially the skills assessment were tough. But I learnt so much from this module and assessment.

Here are a few clues from me for people who are stuck:

  • There is always a hint in the questions, like this one: crack the password using rockyou.txt. So think about that before starting.

  • Create an account and think back on what was taught in the module.

  • Always browse around and test the application for functionalities. In this case, the support function gives you the lead you need.

  • I found 10 valid user accounts (cracked 3, but it was more than enough to figure out the system).

  • Used ChatGPT to try to help with scripts and grep; it sucks!!! I got better results googling and working manually, and that was enough to get a few passwords.

  • After that it is all about what the last topic taught you about tokens, but I used CyberChef and figured out the system of the cookies/tokens, then made a setup in CyberChef that let me create tokens and try many combinations out (hint: in CyberChef, start with URL decode before anything else). Then make the reverse function as shown in the module and test with a working token to see if you got it right. Then combine users and roles from what you know from the questions in the challenge and module.

  • Be systematic and you will get there.

  • Read all the very cool hints posted here in the blog; they will give you the direction.

Again, a really fun challenge that taught me a lot and to think out of the box. Thanks for all the comments; they guided me onto the right track.

2 Likes

The skills assessment was disproportionate to the entire module … it felt more like a password attack than “broken authentication”.

I have logged in as the [support.uk] user, got the cookie, decoded it and decrypted the md5, which gives support.uk:support. I changed it to [admin.uk]:admin, made it into a cookie and uploaded it, but the browser responds with “User cannot have requested role”. Could you suggest the right path?

Can anyone help me

1 Like

Try sending a test message to the admin user you are suggesting … if it goes through, then you need to encode it the same way you found the support cookie: [md5] > [encode] > [encode]

Thanks mate, already solved.

1 Like
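The posts above describe the lab's htb_sessid as an unkeyed hash of user:role wrapped in encodings, which is why rewriting the role works once the format is known. As an added example (not from the thread or the lab), here is the defensive counterpart: a session cookie whose user:role payload is bound to a server-held key with HMAC-SHA256, so a role rewrite fails verification; the cookie layout, the function names and the tamper_role test helper are my own assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed demo key; a real server loads this from a secrets store, never from code.
SERVER_KEY = secrets.token_bytes(32)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_sessid(user: str, role: str, key: bytes = SERVER_KEY) -> str:
    """Cookie = b64url(user:role) '.' b64url(HMAC-SHA256(key, user:role)).
    The payload stays readable, as in the thread's cookie, but the tag covers
    both fields, so neither user nor role can be rewritten without the key.
    Assumes usernames contain no ':' (the lab's name.country_code shape)."""
    payload = f"{user}:{role}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(tag)}"


def verify_sessid(cookie: str, key: bytes = SERVER_KEY):
    """Return (user, role) only if the tag verifies; otherwise None.
    The role is read from the authenticated payload, never trusted from
    any other client-controlled field."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64url(payload_b64), _unb64url(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time, no early exit
        return None
    user, _, role = payload.decode(errors="replace").partition(":")
    return user, role


def tamper_role(cookie: str, new_role: str) -> str:
    """Test helper mirroring the thread's attempt: keep the tag, swap the role."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    user = _unb64url(payload_b64).decode().split(":", 1)[0]
    return f"{_b64url(f'{user}:{new_role}'.encode())}.{tag_b64}"
```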

Sadly, the Skills Assessment is very disproportionate to the module contents; for me it was more like Password Cracking than Broken Authentication.

Do not get frustrated if you don’t get it; I think that even for a professional pen-tester this challenge requires a little effort to figure out what to do first.

My insights are:

  • Read the Username module section (especially at the end) and the Support page of the challenge, and try to connect both contents; it helps a lot.
  • It is very important to identify Password Policies before executing any brute-force on the login page.
  • Once you can log in with any of the found accounts, see the cookies generated and identify the encoding.
  • Try to reproduce that encoding.
  • Finally, think about username structure and the role requested in the challenge and you’ll get the privileges required to read the flag.

Hey guys. I’m really stuck on this one, and I feel like I’ve tried everything, including everything written here, but still no luck :(
So this is what I have so far:

  1. Understood the hint on the /s____.php page and got the username pattern.
  2. Using the /m____.php I enumerated usernames and got to 10 existing (and relevant) usernames. Five of them are s____.__ and the other five are a____.__.
  3. Inferred the password policy by enumerating /r____.php → found in total 5 different “rules”.
  4. Using grep I filtered rockyou.txt according to the password policy → ended up with a total of 14 possible passwords.
  5. Created a Python script that brute forces all the possible usernames and passwords on /login.php while keeping in mind the time limit on the page.
  6. Found the cookie pattern with the help of Decodify.
  7. Created cookies for super users and tried to escalate privileges from a test user I registered.

However, I still can’t seem to find a way in…
Any help/hint would be much appreciated!