Skills Assessment - Broken Authentication

I identified 3 support and 3 admin users (name.country_code).
I know how htb_sessid works.
I found 2 suitable passwords from rockyou, but couldn't log in with any of them.
When logging in, I always get this: "User valid_user cannot have requested role".
What am I doing wrong / what am I not noticing?

This one was brutal for me. One piece of advice I have: when you figure out the format that regional accounts are in, that format might apply to more than support accounts.


I’m already logged in as a support user, but how do I use cookies to escalate privileges?

I can provide you with some general guidance on how to address the Broken Authentication vulnerability in the context of user enumeration and finding valid user accounts.

User Enumeration: User enumeration refers to the process of identifying valid user accounts on a website or application. In the context of Broken Authentication, this vulnerability may allow an attacker to enumerate user accounts by exploiting weaknesses in the authentication mechanism. To address user enumeration, you can consider the following steps:

Implementing account lockout mechanisms: If an attacker is attempting to enumerate user accounts by repeatedly trying different usernames or passwords, you can implement account lockout mechanisms that temporarily or permanently lock user accounts after a certain number of failed login attempts.

Using generic error messages: Avoid providing specific error messages that reveal whether a username or password is valid. Instead, use generic error messages that do not provide any indication of the validity of the entered credentials.

Randomizing response times: By randomizing the response times for invalid login attempts, you can make it more difficult for an attacker to enumerate user accounts using timing attacks.

Finding Valid User Accounts: Once you have identified potential usernames through enumeration or other means, you may want to verify if these usernames correspond to valid user accounts. Here are some approaches you can consider:

Password reset functionality: If the website has password reset functionality, you can attempt to trigger the password reset process using the identified usernames. This can help you determine if the usernames correspond to valid user accounts.

Contacting the website administrator: If you believe you have identified valid usernames but cannot verify their authenticity through the website itself, you can contact the website administrator or support team and report your findings. They may be able to confirm if the identified usernames correspond to valid user accounts.

It’s important to note that any actions taken to identify and verify user accounts should be conducted in a responsible and ethical manner, adhering to all applicable laws and regulations. Always seek proper authorization before attempting any security testing on websites or applications.

Wow, this module and especially the skills assessment were tough. But I learnt so much from this module and assessment.

Here are a few clues from me for people who are stuck:

  • There is always a hint in the questions, like this one: crack the password using rockyou.txt. So think about that before starting.

  • Create an account and think back on what was taught in the module.

  • Always browse around and test the application for functionalities. In this case the support function gives you the lead you need.

  • I found 10 valid user accounts (cracked 3, but it was more than enough to figure out the system).

  • Used ChatGPT to try to help with scripts and grep. It sucks!!! I got better results googling and working manually, and that was enough to get a few passwords.

  • After that it is all about what the last topic taught you about tokens, but I used CyberChef and got the system of the cookies/tokens, then made a setup in CyberChef that let me create tokens and try many combinations out (hint: in CyberChef start with URL decode before anything else). Then make the reverse function as shown in the module and test with a working token to see if you got it right. Then combine users and roles from what you know from the questions in the challenge and module.

  • Be systematic and you will get there.

  • Read all the very cool hints posted here in the blog; they will give you the direction.

Again, a really fun challenge that taught me a lot and to think out of the box. Thanks for all the comments; they guided me onto the right track.


The skills assessment was disproportionate to the entire module … it felt more like a password attack than "broken authentication".

I have logged in as the [support.uk] user, got the cookie, decoded it and decrypted the md5, which gives support.uk:support. I changed it to [admin.uk]:admin, made it into a cookie and uploaded it, but the browser responds with "User cannot have requested role". Could you suggest the right path to me?

Can anyone help me?


Try sending a test message to the admin user you are suggesting … if it goes through, then you need to encode it the same way you found the support cookie. [md5] > [encode] > [encode]

Thanks mate, already solved.


Sadly, the Skills Assessment is very disproportionate to the module contents; for me it was more like Password Cracking than Broken Authentication.

Don't get frustrated if you don't get it. I think that even for a professional pentester this challenge requires a little effort to figure out what to do first.

My insights are:

  • Read the Username module section (especially at the end) and the Support page of the challenge, and try to connect both contents; it helps a lot.
  • It is very important to identify Password Policies before executing any brute-force on the login page.
  • Once you can log in with any of the found accounts, see the cookies generated and identify the encoding.
  • Try to reproduce that encoding.
  • Finally, think about username structure and the role requested in the challenge and you’ll get the privileges required to read the flag.

Hey guys. I'm really stuck on this one, and I feel like I've tried everything, including everything written here, but still no luck :frowning:
So this is what I have so far:

  1. Understood the hint on the /s____.php page and got the username pattern.
  2. Using the /m____.php I enumerated usernames and got to 10 existing (and relevant) usernames. Five of them are s____.__ and the other five are a____.__.
  3. Inferred the password policy by enumerating /r____.php → found in total 5 different “rules”.
  4. Using grep I filtered rockyou.txt according to the password policy → ended up with a total of 14 possible passwords.
  5. Created a Python script that brute-forces all the possible usernames and passwords on /login.php while keeping in mind the time limit on the page.
  6. Found the cookie pattern with the help of Decodify.
  7. Created cookies for super users and tried to escalate privileges from a test user I registered.

However, I still can’t seem to find a way in…
Any help/hint would be much appreciated!

This skills assessment is DIFFICULT if the right way has not been discovered or hinted at.
This reply may be long, but I hope it will do the work.

Step 1:
Before creating an account, examine the password policy. You will find some parameters.

Step 2:
We have rockyou.txt. Now filter out all the passwords according to the found parameters and store them in a txt file.

Step 3:
Now create an account, and after logging in go to the support tab and from there go to message.

Step 4:
Download ONLY the country codes (alpha-2) from all/all.csv in the lukes/ISO-3166-Countries-with-Regional-Codes repository on GitHub, convert them to LOWER CASE and store them in a txt file.

Step 5:
From step 3, send a test message, intercept it in Burp Suite and send it to Intruder. Add $$ ONLY to the userid, as userid=support.$$, and leave the password as feafwefwecfwdwqdw :rofl: as it is. Examine the responses which are different. Note them in a separate txt file; you will get 4 to 5 valid IDs.

Step 6:
Now log out and intercept the login page, send it to Intruder, set any one of the valid IDs and then set password= as $$, and load the filtered rockyou.txt list from step 2. You will notice that after 4 attempts the waiting time is 30 sec. Remove the non-valid passwords from the list, load it again and try again. At the end you will find all passwords for the 5 support.XX IDs.

Step 7:
Use any one of the IDs and log in, then examine the htb_sessid. Use CyberChef to understand the pattern:
URL decode → from base64 → you will get a code in some encoded format which is common.

Step 8:
Use the same format to encode admin.XX:admin, where XX is what you found in step 6.

Step 9: Paste the encoded value in htb_sessid, refresh the page and DONE

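Several replies above describe the cookie as md5(user:role) → base64 → URL-encode, with no secret involved, which is exactly why a different user:role can be minted by anyone who knows the layout. The following is an added example (not code from the thread or from the lab) that implements that chain, shows the server has no way to reject a client-minted value, and contrasts it with an HMAC-signed cookie; SERVER_KEY and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import urllib.parse

SERVER_KEY = b"constructed-demo-key"  # constructed; the lab's real secret is unknown

def weak_token(user: str, role: str) -> str:
    """Cookie layout as described in the thread: md5(user:role) -> base64 -> URL-encode."""
    digest = hashlib.md5(f"{user}:{role}".encode()).hexdigest()
    return urllib.parse.quote(base64.b64encode(digest.encode()).decode())

def weak_decode(token: str) -> str:
    """Reverse chain: URL-decode -> base64-decode -> the md5 hex string."""
    return base64.b64decode(urllib.parse.unquote(token)).decode()

def weak_server_accepts(token: str, user: str, role: str) -> bool:
    """All a server can do here is recompute and compare; it cannot tell its own cookie from a minted one."""
    return weak_decode(token) == hashlib.md5(f"{user}:{role}".encode()).hexdigest()

def signed_token(user: str, role: str) -> str:
    """Hardened form (assumption, not the lab's code): payload + HMAC-SHA256 under a server-side key."""
    payload = f"{user}:{role}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    raw = base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(mac)
    return urllib.parse.quote(raw.decode())

def verify_signed(token: str):
    """Return (user, role) when the MAC verifies, otherwise None."""
    try:
        p64, m64 = urllib.parse.unquote(token).split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    user, _, role = payload.decode().partition(":")
    return user, role

def swap_payload(token: str, user: str, role: str) -> str:
    """Replace the payload of a signed token but keep the old MAC; verify_signed must reject this."""
    _, m64 = urllib.parse.unquote(token).split(".")
    p64 = base64.urlsafe_b64encode(f"{user}:{role}".encode()).decode()
    return urllib.parse.quote(p64 + "." + m64)
```

The hash step in the weak scheme adds nothing: md5 of a guessable user:role string is a lookup, not a secret, so the fix is a MAC (or a server-side session id), not a stronger hash.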

This skill assessment is brutal :rofl:

If anyone needs a hand with this assessment, send a message and I will help where I can.

This is quite a challenging assessment if you go down a rabbit hole. The main tips I can give people, from what I suffered through, are:

  • Do not assume that decoding the cookie of the account you created will be of use once you know existing usernames; the steps taken may be the same, however there may be more content added onto the string to increase the size of the cookie.

  • Log in to a valid account; do not try to dodge logging in, otherwise you will not be able to crack a valid cookie.

I think the skill assessment is changed in the latest update.

Yeah, I like it. It's much more structured.

No idea what you guys are talking about. In my case I need to supply an OTP once logged in as a user. After three tries you're logged out, so I can't ffuf. The cookie seems useless too. Not sure what to do next.

I'm also stuck at the same stage. Did you find a tip?

Nah. It seems you can still fuzz without getting kicked out after three tries, but I tried with a sequence from 0001 to 9999 and 000001 to 999999 and none of them work. The OTP field is marked as text, so maybe it's not even a number? But the error messages are too vague, so no idea. The cookie doesn't seem interesting either. Strangely, it doesn't change after you're logged in, but apart from this, I wasn't able to do anything with it.

I tried rockyou (shortened following the rules) on the OTP and got nothing.
I found an existing valid user by the way. Not sure what to do with her (brute-forcing her password with the shortened rockyou gave nothing).