Skills Assessment - Broken Authentication

User is gl....? Her password is in rockyou. Maybe you fucked the filtering of rockyou :sweat_smile:


I "un-fucked " the filtering and I got it :partying_face:

OK, let us know now about the OTP :joy::joy::joy:

Found it using the new thread: Stuck at New Broken Authentication skills assessment - HTB Content / Academy - Hack The Box :: Forums

Nice. Will check out. Thanks.

Still getting absolutely nowhere. Got my own account. Got g***** account. Got to the OTP. No OTP token goes through. Can’t bypass the form. Can’t find a link between my account and hers. Can’t find anything in register. Can’t find anything through Burp.

OK, so funnily, I just had to write this to think that this is gonna be like a lame redirect that needs to be overridden through Burp. Stuff that basically never happens in real life.

Edit: that was it. Done.

Hi all. I read all the comments, and I am a bit lost. In the assessment I got the username and password but when entered the site is asking for OTP to be provided. Is anyone facing the same thing?


I have the same issue.
After logging in there are no more possibilities to go on.

Did you find something new?

Can you elaborate? I’m still stuck on the unbruteforceable OTP. I tried bypassing the 2fa.php redirect as well by going to profile.php but that doesn’t work.

I’m stuck here too. Can someone point us in the right direction?

As far as I’m aware, you can’t brute force the OTP.

In that assignment the exploit comes from the fact that when you go to profile they’re redirecting you to the 2FA page, but they don’t exit the current PHP script and still echo the page, even if you’re not supposed to see it. So what you need to do is capture the request to profile, and read its content. You can just use Burp, make the request to profile, and you’ll get a 302 response. You can see the content of the profile page in Burp before it gets redirected to 2FA. Or you can also change the 302 to a 200 and see the page in your browser. Good luck!

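The redirect-without-exit bug described in the post above, shown as an added example that is not code from the thread or from the assessment: a minimal vulnerable handler next to its fixed version, plus a check that flags a 3xx response whose body still carries the protected page (the kind of check worth running over captured responses when reviewing a login flow). The handler names, the session flag `otp_verified` and the page markers are assumptions for illustration.

```python
"""Redirect-without-exit: a PHP-style header("Location: 2fa.php") that does not
stop script execution still sends the protected page body along with the 302.
Constructed example with two minimal handlers and a response check."""
from dataclasses import dataclass, field

# Constructed stand-in for the protected profile page; the flag value is a placeholder.
PROFILE_HTML = "<h1>Profile</h1><p>Flag: CONSTRUCTED_PLACEHOLDER</p>"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def profile_vulnerable(session: dict) -> Response:
    """Mirrors the pattern from the thread: the redirect header is set, but the
    handler keeps running and still echoes the page (PHP: header() without exit;)."""
    resp = Response(200)
    if not session.get("otp_verified"):
        resp.status = 302
        resp.headers["Location"] = "2fa.php"
        # Missing early return here is the defect.
    resp.body += PROFILE_HTML
    return resp


def profile_fixed(session: dict) -> Response:
    """Hardened version: return immediately after setting the redirect,
    so the protected body is never rendered for an unverified session."""
    if not session.get("otp_verified"):
        return Response(302, {"Location": "2fa.php"})
    return Response(200, body=PROFILE_HTML)


def redirect_leaks_body(resp: Response, markers=("<h1>Profile", "Flag:")) -> bool:
    """Flag a 3xx response whose body contains content of the protected page.
    A well-behaved redirect carries an empty or generic body, never the resource."""
    if not 300 <= resp.status < 400:
        return False
    return any(marker in resp.body for marker in markers)


def audit(handlers: dict, session: dict) -> dict:
    """Run each handler with the given session and report which ones leak."""
    return {name: redirect_leaks_body(handler(session)) for name, handler in handlers.items()}


if __name__ == "__main__":
    unverified = {}  # logged in with password, OTP not yet completed
    print(audit({"vulnerable": profile_vulnerable, "fixed": profile_fixed}, unverified))
```

The check is deliberately simple: it does not try to bypass anything, it only asks whether a redirect response carries body content it should not, which is the condition a proxy user or a server-side test can observe directly.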

Ah, thank you so much, I would have been trying to bruteforce on repeat, but alas it’s not the correct route. Hope this helps others!

Yeah, sometimes it’s hard to know if you should try another road or if it’s just you using the tools wrongly. Tough!


After reading the forum thread it makes sense - but without it how am I supposed to enumerate usernames (country codes)? I am not sure if I am missing functionality of support or missed some step :confused:

After several weeks of struggling with the skills assessment, I finally managed to obtain the flag. Thanks to the other responses that helped me succeed in finding the user g***** and the password. And maybe the update made the challenge a bit easier since once I had access to one of the active user accounts, I just made some modifications in Burp to get the flag.

For those who haven’t succeeded yet, here are the two major steps “Brute Force and Authentication Bypasses”:

1. Retrieve the password creation criteria and filter the rockyou.txt wordlist according to these criteria. (Thanks dfgdfdfgdfd)
2. Use FFUF for brute force to find the existing user with the xato-net-10-million-usernames.txt wordlist.
3. Use brute force with the filtered rockyou wordlist to find the password.
4. Log in to the found account via Burp.
5. Refer to the Authentication Bypasses to exploit this vulnerability and get the flag. (Thanks Godbout)

I hope this helps and good luck!!!
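Step 1 of the list above, filtering a wordlist against the site's published password criteria, is shown here as an added example that is not part of the post or of the assessment. Read from the defender's side it is also a policy-strength check: the fraction of a leaked list that survives the filter tells you how little a "complexity" rule actually removes. The criteria (12 characters, upper, lower, digit), the `PasswordPolicy` class and the short wordlist are constructed assumptions; the assessment's real criteria are not on this page.

```python
"""Filter a wordlist by a password policy and report what fraction survives.
Constructed example: the policy values and the sample wordlist are assumed."""
import re
from dataclasses import dataclass

SPECIAL = re.compile(r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed policy shape; adjust the fields to match the rules a site publishes."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = False


def meets_policy(pw: str, policy: PasswordPolicy) -> bool:
    """True if the candidate would be accepted by the policy."""
    if len(pw) < policy.min_length:
        return False
    if policy.require_upper and not any(c.isupper() for c in pw):
        return False
    if policy.require_lower and not any(c.islower() for c in pw):
        return False
    if policy.require_digit and not any(c.isdigit() for c in pw):
        return False
    if policy.require_special and not SPECIAL.search(pw):
        return False
    return True


def filter_wordlist(lines, policy: PasswordPolicy):
    """Keep only candidates the policy accepts. Returns (kept, fraction_kept).
    Works on any iterable of lines, e.g. an open() handle on rockyou.txt."""
    words = [line.rstrip("\r\n") for line in lines if line.strip()]
    kept = [w for w in words if meets_policy(w, policy)]
    fraction = len(kept) / len(words) if words else 0.0
    return kept, fraction


# Constructed sample standing in for a few rockyou lines.
SAMPLE_WORDLIST = [
    "password\n",
    "123456\n",
    "Password123\n",
    "Summer2023!\n",
    "iloveyou\n",
    "Welcome12345\n",
    "qwertyuiop12\n",
    "Qwertyuiop12\n",
]


if __name__ == "__main__":
    kept, fraction = filter_wordlist(SAMPLE_WORDLIST, PasswordPolicy())
    print(f"{len(kept)} candidates survive ({fraction:.0%})")
    for w in kept:
        print(w)
```

Note that the filter keeps human-chosen passwords that merely satisfy the rule ("Welcome12345"), which is exactly why a length-and-class rule on its own is a weak control compared with checking candidates against known-breached lists and rate-limiting the login.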