Questions

Inspect the login page and perform a brute-force attack. What is the valid username?

Google the default credentials for the device; they are listed at https://www.192-168-0-1login.org/router/advantech/advantech-webaccess-browser-based-hmi-and-scada-software/10330/

username: advantech

password: admin

Observe the web application based at subdirectory /question1/ and infer its rate limiting. What is the wait time imposed after an attacker hits the limit? (round to a 10-second timeframe, e.g., 10 or 20)

Ans: 40

Work on the web app at URL /question2/ and try to bypass the login form using one of the methods shown. What is the flag?

Add an X-Forwarded-For: 127.0.0.1 header to the login form's POST request in Burp and use a SQL injection authentication bypass payload.

Find the valid username on the web app based at the /question1/ subdirectory. PLEASE NOTE: Use the same wordlist for all four questions.

Use Burp Intruder with top-usernames-shortlist.txt as the payload on the username field and fuzz.

The response for puppet has a different length from all the others, so it is likely the valid username.

Ans: puppet

Find the valid username for the web application based at subdirectory /question2/.

Brute-force with Intruder, or with wfuzz, hiding responses that contain the generic failure message:

wfuzz -c -z file,SecLists-master/Usernames/top-usernames-shortlist.txt -d "userid=FUZZ&passwd=dummy" --hs "Invalid credentials." http://161.35.168.118:30615/question2/index.php

Ans: ansible

Find the valid account name for the web application based at subdirectory /question3/.

python3 timing.py /home/francis/HTB/SecLists-master/Usernames/top-usernames-shortlist.txt

Look for the username with the longest response time.

Ans: vagrant
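The four enumeration questions above (different response length for puppet, the wfuzz --hs "Invalid credentials." filter, and the longest response time for vagrant) and the rate-limiting question on /question1/ all come down to how the login handler behaves on failure. The following is an added example, written for this page and not the lab's or HTB's code, of a login handler that closes those leaks: one generic message for every failure, the same password-hash work for unknown and known usernames, and a 40-second lockout after a number of bad attempts. The 40 seconds is the value from the lab; the threshold of MAX_FAILURES = 5, the PBKDF2 store, and the htbuser:htbuser credentials taken from the later question are assumptions for the demo.

```python
import hashlib
import hmac
import math
import os
import time

LOCKOUT_SECONDS = 40    # wait time the lab has you infer for /question1/
MAX_FAILURES = 5        # assumption: the lab does not state the failure threshold
PBKDF2_ROUNDS = 50_000
GENERIC_ERROR = "Invalid credentials."   # the one message the wfuzz --hs filter matches


def make_record(password):
    """Salted PBKDF2 record; the demo store holds hashes, never plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store; the htbuser:htbuser credentials come from the lab text.
USERS = {"htbuser": make_record("htbuser")}
# Dummy record so that an unknown username costs the same hash work as a real one.
_DUMMY = make_record(os.urandom(8).hex())


class LoginService:
    """Login handler that does not leak which usernames exist (same message,
    same response time) and locks a client out for LOCKOUT_SECONDS after
    MAX_FAILURES consecutive bad attempts."""

    def __init__(self, users=USERS, clock=time.monotonic):
        self._users = users
        self._clock = clock          # injectable so tests can advance time without sleeping
        self._failures = {}          # client -> (consecutive failures, locked_until)

    def retry_after(self, client):
        """Whole seconds the client still has to wait, 0 when not locked out."""
        _, locked_until = self._failures.get(client, (0, 0.0))
        remaining = locked_until - self._clock()
        return math.ceil(remaining) if remaining > 0 else 0

    def login(self, client, username, password):
        """Returns 'ok', 'locked', or the generic error text."""
        if self.retry_after(client) > 0:
            return "locked"
        salt, stored = self._users.get(username, _DUMMY)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # Hash and compare in constant time for every request, so neither the
        # response length nor its timing reveals whether the username is valid.
        matched = hmac.compare_digest(candidate, stored)
        if matched and username in self._users:
            self._failures.pop(client, None)
            return "ok"
        count, locked_until = self._failures.get(client, (0, 0.0))
        count += 1
        if count >= MAX_FAILURES:
            count, locked_until = 0, self._clock() + LOCKOUT_SECONDS
        self._failures[client] = (count, locked_until)
        return GENERIC_ERROR


if __name__ == "__main__":
    svc = LoginService()
    client = "203.0.113.7"   # constructed client address
    for attempt in range(MAX_FAILURES):
        print(svc.login(client, "htbuser", f"guess{attempt}"))
    print(svc.login(client, "htbuser", "htbuser"), "- retry after", svc.retry_after(client), "s")
```

Keying the lockout on the client address is what makes the X-Forwarded-For trick in the /question2/ bypass question matter: if the handler trusts that header as the client identity, the attacker picks the key the counter is stored under.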

Now find another way to discover the valid username for the web application based at subdirectory /question4/

Send the POST request to Intruder in Burp Suite and fuzz the parameter; one of the responses reveals a username that is already registered.

Ans: user

Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?

grep '[[:upper:]]' rockyou-50.txt | grep '[[:digit:]]' | grep -E '^.{2,13}$'

Ans: ANGEL1

Create a token on the web application exposed at subdirectory /question1/ using the "Create a reset token for htbuser" button. Within an interval of ±1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeetings bug. Forge a valid token for htbadmin and log in by pressing the "Check" button. What is the flag?

Run python2 reset_token_time1.py to get the flag.

Request a reset token for htbuser and find the encoding algorithm, then request a reset token for htbadmin to force a password change and forge a valid temp password to login. What is the flag?

Run python3 reset_token_time2.py to get the flag.

Reset the htbadmin user's password by guessing one of the questions. What is the flag?

Download the colors.txt wordlist from GitHub.

Use the predictable_questions.py script from HTB.

Change the URL and the question in the script.

python3 predictable_questions.py colors.txt

Login with the credentials "htbuser:htbuser" and abuse the reset password function to escalate to "htbadmin" user. What is the flag?

On the reset password page, send the POST request to Burp.

Add the &userid=htbadmin parameter to the request to change htbadmin's password, then log in as htbadmin for the flag.

Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag?

Change the final decoded value to user:htbuser;role:super;time:1678288803 to elevate permissions to the super role.

URL encoding is the last step.

Log in to the target application and tamper the rememberme token to give yourself super user privileges. After escalating privileges, submit the flag as your answer.

HTBPERSISTENT=eJwrLU4tssooSSoF0tZF%2BTmpVsUlpSmpeSXWJZm5qVaGZuaW5kZGhgYGAE4zDkw%3D

Decode the HTBPERSISTENT cookie from URL encoding: eJwrLU4tssooSSoF0tZF+TmpVsUlpSmpeSXWJZm5qVaGZuaW5kZGhgYGAE4zDkw=

Decode again using CyberChef MAGIC:

user:htbuser;role:student;time:1679722100

Check the decode steps that Magic applied.

It applies From_Base64 first and Zlib_Inflate after.

So the reverse process is Zlib_Deflate followed by To_Base64:

user:htbuser;role:super;time:1679722100

Replace the session cookie in the current session with the new value.
