Skills Assessment - Broken Authentication

Hi,
I'm kinda stuck with the Skills Assessment - Broken Authentication.

What I know and tried:
* 2 accounts discovered from the support page
* the cookie is hashed and encoded, but when I tried to do fixation of the cookie, it resulted in an error (as in the image above)
* find passwords that match the password criteria:
grep '^[[:upper:]]' /usr/share/wordlists/rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]$' | grep '[[:punct:]]' | grep -E '^.{20,}$'
* use the matched passwords to brute-force (with rate limit) the 2 accounts found. But it doesn't work.

My questions:
* Should I use dirb to bust directories to find the admin panel?
* Would I be able to find the admin panel when I am not logged in?
* Should I use X-Forwarded-For? I tried, but it doesn't work either.

Our other accounts remain unchanged, you can continue to contact any department by adding your country code as usual.

Should I permute the short-username list with _country or country codes?

Help me, I'm stuck :frowning:

Hi,

With this question you are already on the right track.

Hi, thanks for the reply.

Would I be able to brute-force the permuted usernames through the support page? Or does it use special techniques like timing the response?

There is a page where you can write a message to (existing) users. This could be suitable for your preferred approach.
If you still need help, feel free to contact me via DM.

import itertools

# file that contains one country code per line
country_codes_file = "country_codes.txt"

# file that contains one base username per line
usernames_file = "top-usernames-shortlist.txt"

# read both lists once, dropping blank lines
with open(usernames_file, "r") as fh1:
    usernames = [line.strip() for line in fh1 if line.strip()]

with open(country_codes_file, "r") as fh:
    country_codes = [line.strip() for line in fh if line.strip()]

# every base username combined with every country code
# (plain concatenation: username followed directly by the code)
output = [user + code for user, code in itertools.product(usernames, country_codes)]
print(output)

# one candidate username per line
with open("shortlist_permutation_country_codes.txt", "w") as outfile:
    outfile.write("\n".join(output))

I tried this permutation, even with an underscore (username_countryCode), but it still doesn't work.
I can't find any other users aside from guest and support.

To those who are still finding their way:

My hunches were correct, except for the way I did my permutation.
I just needed to correct the syntax of the permutation. Read the "Usernames" section again; you will get a hint from there on the correct syntax. You will get a lot more usernames aside from the 2 usernames you already got. And also, use rockyou.txt, then narrow down the possible passwords as per the password policy.

Thanks @onthesauce and @toshikomi for pointing me in the correct direction.


I am not able to escalate the privileges of the support-related user. @dfgdfdfgdfd

Did you find valid users other than guest and support?

I did find valid users which are similar to support.

Filter rockyou.txt as per the password policy.
Then use those passwords to brute-force the known usernames.

Already did. Got the correct password. But now, I am not able to navigate after this.

Inspect the cookie after you have logged in and you will be on your way :slight_smile:

I decoded the cookie. The main thing is I am not able to predict the role, or maybe something else I am missing.

Try some basic role names. And also, you need some elevated accounts.
Did you manage to get other usernames aside from the support accounts?

No other username found other than those mentioned above. Also, I tried some basic role names like admin and more, but they didn't work.

Use my permutation code above.

But correct it first by fixing the proper syntax for usernames

Two files required for permutation:

seclists/Usernames/top-usernames-shortlist.txt
country_codes.txt

You should be getting more usernames aside from the support usernames.


Once you create an account the support page gives you a big clue.

When you filtered, how did you avoid the "Too many attempts"?

Use the provided script found in the module about rate limiting.
Don't forget to update the script to fit your usage.

OK, I modified the script for the different country codes for admin; now I'm going to run it. The hardest part was modifying the script, because I was overthinking the submit part, smh!