I got it, it's 302 Found, but when I change it to 200 OK it says invalid OTP.
where is it being requested from? Look at the URI.
Have you created another account? Where is that URI?
Hi @Raafat , did you solve the skill assessment?
I am struggling here as well. Tried to enumerate users with ffuf on /login.php.
ffuf -w /opt/useful/seclists/Usernames/xato-net-10-million-usernames.txt -u http://<TARGET IP>:<PORT>/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr "Invalid credentials"
link: Hack The Box - Academy
Much appreciated for any hint.
-bf
----------------------------------------------- UPDATE ------------------------------------------------------------
You know, they say that doing the same thing over and over again is the sign of insanity. But not at HTB: after running exactly the same command, I have successfully found the user. One thing was different though: in the -d payload I used a generic password in the format requested by the website… More updates are coming.
I did not understand. What can I do with the status code? I tried all the possibilities but found nothing. Any hint, please!
All codes? OK. (hint hint)
Just got the flag a few hours ago. The advice I can give you is:
- Pay attention to the errors you are getting when trying to login
- If you think you are on the right track, but the commands/tools are not working, just reset the machine
- Try to write a list with the chapters of the Broken Authentication module, just to have an overview of what was presented in the module, and try to somehow follow that.
- If you are stuck, let me know and maybe I can give you a direction.
Good luck!
Change the -fr “Invalid credentials” to -fs for content length. I used 4353 and got 2 usernames.
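Why the error-string filter missed while the size filter worked, as an added defender-side check that is not from the thread (usernames, page bodies and the hidden-field difference are constructed sample data, not the lab's):

```python
# Added example (not from the thread): a defender-side check showing why a
# filter on the error text (-fr) missed while a filter on size (-fs) worked.
# Usernames and page bodies are constructed sample data, not the lab's.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginResponse:
    username: str
    status: int
    body: str

    @property
    def length(self) -> int:
        return len(self.body.encode())  # Content-Length as ffuf's -fs sees it


def enumeration_oracle(responses):
    """Return the response attributes that vary across usernames.
    An empty set means every probe looks identical, so neither -fr nor -fs
    can tell existing accounts from non-existent ones."""
    leaks = set()
    if len({r.status for r in responses}) > 1:
        leaks.add("status")
    if len({r.length for r in responses}) > 1:
        leaks.add("length")
    if len({r.body for r in responses}) > 1:
        leaks.add("body")
    return leaks


def size_outliers(responses):
    """Usernames whose response size differs from the majority size,
    i.e. what `-fs <majority length>` leaves in ffuf's output."""
    majority_len, _ = Counter(r.length for r in responses).most_common(1)[0]
    return sorted(r.username for r in responses if r.length != majority_len)


# Constructed sample: every response shows the same "Invalid credentials" text,
# but the page served for an existing account carries an extra hidden field.
_BASE = "<form><p class='error'>Invalid credentials</p></form>"
_EXTRA = _BASE.replace("</form>", "<input type='hidden' name='uid'></form>")
SAMPLE = [
    LoginResponse("nobody1", 200, _BASE),
    LoginResponse("nobody2", 200, _BASE),
    LoginResponse("alice", 200, _EXTRA),
    LoginResponse("nobody3", 200, _BASE),
]
# Hardened behaviour: identical status and body whatever the username.
HARDENED = [LoginResponse(r.username, 200, _BASE) for r in SAMPLE]
```

Running the two functions over a real capture of your own login endpoint tells you whether it still leaks an oracle after a fix.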
To be honest, I intercept it and manipulate it, but I'm still stuck on it.
All requests return to /2fa.php again and again.
Please help me, I'm stuck at /2fa.php.
Hint: use Authentication bypass via direct access. When trying to get to know the web app, you’ll understand that users registered by you don’t have to provide an OTP code. Instead you’re redirected to <flag_page>.php. There, you can try to use auth bypass via direct access.
You don't do that; open up Burp Suite instead and tamper with HTTP requests.
That was really helpful, thanks guys.
This was very difficult for me. After many tries, I could solve it by manipulating 2 subsequent requests.
I hope this will be helpful:
- Analyze error codes on login
- Big hint: newly registered users don't have to fill out an OTP
- User Enumeration and Brute force Username & Password
- Play with URI and use Repeater in Burp
Happy Hacking!