Stuck at New Broken Authentication skills assessment

I am stuck at the Broken Authentication module at HTB Academy.

When I spin up a machine I get a website named “MetaDoc”. I am trying to brute force usernames and passwords but to no avail.

I tried the X-Forwarded-For header but nothing happens.

Any help?

Just follow the module carefully. You will get both a username and a password.

It was by pure luck that I found a username (starting with g, right?) and I got the password. I am stuck at the OTP. I am brute forcing a million OTPs and it isn’t getting me anything.

Yeah. This is the same step I’m stuck at.

Any luck with the OTP?

Hi there. Just finished the module. The hint I can give you about the OTP step is: it is not always about brute forcing. Capture the requests and try to figure out what you can do.

Another hint could be: create a valid user and log in to see what happens.

I am still stuck at enumerating the username. I have tried so many different username lists but none of them works. Can you give me a hint where to start? I followed the module again and still no luck. Thank you.

Thank you. I have already solved it. It is indeed as you say. I didn’t pay attention to the original URI when I created a user and navigated to it from the user I found using brute force.

Use the names wordlist on Pwnbox on the login form.

It’s important to make notes and try every method learned from the module.
It’s not always the brute force method. There’s another method to bypass authentication.

Thank you so much Raafat!!

I could not get it done on my Kali. It was just so slow and kept stopping at enumerating the username around record 800-900. After using the Pwnbox as you suggested, I was able to get the username, then the password. I finally finished the module.

Thank you all!