Skills Assessment - Broken Authentication

I "un-fucked" the filtering and I got it :partying_face:

ok let us know now about the OTP :joy::joy::joy:

Found it using the new thread: Stuck at New Broken Authentication skills assessment - HTB Content / Academy - Hack The Box :: Forums

nice. will check out. thanks.

still getting absolutely nowhere. got my own account. got g***** account. got to the OTP. no OTP token goes through. can’t bypass the form. can’t find a link between my account and hers. can’t find anything in register. can’t find anything through Burp.

ok so funnily i just had to write this to think that this is gonna be like a lame redirect that needs to be overridden through Burp. stuff that basically never happens in real life.

edit: that was it. done.

Hi all. I read all the comments, and I am a bit lost. In the assessment I got the username and password but when entered the site is asking for OTP to be provided. Is anyone facing the same thing?

I have the same issue.
After logging in there are no more possibilities to go on.

Did you find something new?

Can you elaborate? I’m still stuck on the unbruteforceable OTP. I tried bypassing the 2fa.php redirect as well by going to profile.php but that doesn’t work.

I’m stuck here too. Can someone point us in the right direction?

as far as i’m aware you can’t brute force the OTP.

in that assignment the exploit comes from the fact that when you go to profile they’re redirecting you to the 2fa page, but they don’t exit the current PHP script and still echo the page, even if you’re not supposed to see it. so what you need to do is capture the request to profile, and read its content. you can just use Burp, make the request to profile, you’ll get a 302 response. you can see the content of the profile page in Burp before it gets redirected to 2fa. or you can also change the 302 to a 200 and see the page in your browser. good luck!

Ah, thank you so much, I would have been trying to bruteforce on repeat, but alas it’s not the correct route. Hope this helps others!

yeah sometimes it’s hard to know if you should try another road or if it’s just you using the tools wrongly. tough!

After reading the forum thread it makes sense - but without it how am I supposed to enumerate usernames (country codes)? I am not sure if I am missing functionality of support or missed some step :confused:

After several weeks of struggling with the skills assessment, I finally managed to obtain the flag. Thanks to the other responses that helped me succeed in finding the user g***** and the password. And maybe the update made the challenge a bit easier since once I had access to one of the active user accounts, I just made some modifications in Burp to get the flag.

For those who haven’t succeeded yet, here are the two major steps “Brute Force and Authentication Bypasses”:

1. Retrieve the password creation criteria and filter the rockyou.txt wordlist according to these criteria. (Thanks dfgdfdfgdfd)
2. Use FFUF for brute force to find the existing user with the xato-net-10-million-usernames.txt wordlist.
3. Use brute force with the filtered rockyou wordlist to find the password.
4. Log in to the found account via Burp.
5. Refer to the Authentication Bypasses to exploit this vulnerability and get the flag. (Thanks Godbout)

I hope this helps and good luck!!!

Before seeing your comment, I was going crazy trying to Fuzz the OTP.
You’ll get logged out after a few wrong tries, so what to do?
The “Weak Brute-Force Protection” talks about “rate limits”.

And to bypass it one needs to use the X-forward-to header to randomize the IP.
So I went to get some .sh to generate an ip word list. And trying to figure out how to
Fuzz the OTP and the X-forward-to positions simultaneously.

The only tool I know is Burp’s Pitchfork intruder mode. But it was so so so slow.
I couldn’t bear it anymore, and here I am, having found a solution from your comment.

Could you explain how you found out that they don’t exit the current PHP script?

Thank you in advance!

when you capture (breakpoint) the response in Burp (or other tool), you check the rendering of the response. if they had done a location(...); and die(); right after, then the page would be blank. they didn’t do the die(); so the page is ACTUALLY RENDERED—the PHP script kept going—before you’re being redirected.

Thank you!

you’re welcome, friend. good luck.
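
A check for the flaw described in the replies above, where profile.php sends the redirect to 2fa.php but the script keeps running, so the 302 response still carries the rendered page. This is an added example, not part of the thread or the assessment: the sample responses are constructed, the names `parse_response`, `redirect_leaks_body`, `audit` and `max_stub` are hypothetical, and it assumes the body has already been de-chunked and decompressed.

```python
# Added example: flag redirect responses that still carry a rendered body,
# the symptom of a redirect that is not followed by exit/die in the script.
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_leaks_body(raw: bytes, max_stub: int = 0) -> bool:
    """True when a 3xx response with a Location header has more than
    max_stub bytes of non-whitespace body. max_stub allows for servers
    that attach a short stock 'moved' page to every redirect."""
    status, headers, body = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return False
    return len(body.strip()) > max_stub


def audit(responses: dict, max_stub: int = 0) -> list:
    """Return the paths whose redirect response leaks page content."""
    return sorted(p for p, raw in responses.items()
                  if redirect_leaks_body(raw, max_stub))


# Constructed samples: a redirect that kept rendering, the same redirect
# after the script exits right after sending Location, and a normal page.
LEAKY = (b"HTTP/1.1 302 Found\r\nLocation: 2fa.php\r\n"
         b"Content-Type: text/html\r\n\r\n"
         b"<html><body><h1>Profile</h1><p>account details</p></body></html>")
FIXED = b"HTTP/1.1 302 Found\r\nLocation: 2fa.php\r\nContent-Length: 0\r\n\r\n"
NORMAL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"

if __name__ == "__main__":
    captured = {"profile.php": LEAKY, "settings.php": FIXED, "index.php": NORMAL}
    for path in audit(captured):
        print(f"{path}: redirect response still contains page content")
```

Run against responses captured from every page that requires a completed login, this works as a regression test: a protected page should answer an unauthenticated or half-authenticated request with an empty redirect.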