BROKEN AUTHENTICATION module | HTB Academy

I just skipped it. I tried every combo of htbstudent with every permutation of epoch time, tried switching them, tried putting a colon in between them, switching them. I wrote multiple Python scripts doing random things like taking the date.date() and datetime.datetime(…).timestamp() * 1000. I can’t get it to work.

Use a Python script! “now = round(time.time() * 1000)” is the right way, and don’t forget the + -1 second for the htbadmin token!

I solved it! The key is to brute-force every possible timestamp within that 2 seconds

You have misunderstood how the token for “htbadmin” is generated.

When you click on “create reset token for htbuser”, let’s say the timestamp at this moment is T, then the server generates the token for “htbadmin” using a timestamp within the range of [T-1000, T+1000].

Therefore, you are supposed to use the time displayed on the webpage instead of the current timestamp.

PS. There is another issue within your code that could stop you from finding the correct token. I will leave it for you to figure out for now.
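Added example, not part of any post in this thread and not the lab's code: a token derived from the username and a millisecond timestamp inside [T-1000, T+1000] has only 2001 possible values, shown here beside a CSPRNG-based replacement. The hash construction (SHA-256 of username plus timestamp) and all function names are assumptions; the thread does not give the lab's formula.

```python
import hashlib
import hmac
import secrets

WINDOW_MS = 1000  # the range named in the thread: [T-1000, T+1000]


def weak_reset_token(username: str, ts_ms: int) -> str:
    """Time-derived token. ASSUMED construction (SHA-256 of username + ms
    timestamp); the thread does not state the lab's real formula."""
    return hashlib.sha256(f"{username}{ts_ms}".encode()).hexdigest()


def window_candidates(username: str, t_ms: int, window_ms: int = WINDOW_MS) -> set:
    """Every token the weak scheme can produce for a timestamp in the window."""
    return {weak_reset_token(username, t)
            for t in range(t_ms - window_ms, t_ms + window_ms + 1)}


def is_predictable(token: str, username: str, t_ms: int) -> bool:
    """Audit check: can the token be derived from public inputs alone?"""
    return token in window_candidates(username, t_ms)


def strong_reset_token() -> str:
    """Hardened form: 256 bits from the OS CSPRNG, unrelated to time or user."""
    return secrets.token_urlsafe(32)


def verify_token(stored: str, presented: str) -> bool:
    """Constant-time comparison of the stored and the presented token."""
    return hmac.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    T = 1_700_000_000_000  # constructed sample timestamp, in milliseconds
    issued = weak_reset_token("htbadmin", T + 337)
    print("candidates in window:", len(window_candidates("htbadmin", T)))
    print("weak token predictable:", is_predictable(issued, "htbadmin", T))
    print("strong token predictable:",
          is_predictable(strong_reset_token(), "htbadmin", T))
```

A strong hash does not help here: the weakness is that every input to it is known or guessable, so the fix is a random token stored server-side with a short expiry.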

Has someone solved the Broken Authentication Skill Assessment?

Thanks! The only problem is that the time displayed on the page is the exact same time as the header (which is why I used it). I’ll look through the rest of my code for the other problem.

@OceanicSix said:
> You have misunderstood how the token for “htbadmin” is generated.
>
> When you click on “create reset token for htbuser”, let’s say the timestamp at this moment is T, then the server generates the token for “htbadmin” using a timestamp within the range of [T-1000, T+1000].
>
> Therefore, you are supposed to use the time displayed on the webpage instead of the current timestamp.
>
> PS. There is another issue within your code that could stop you from finding the correct token. I will leave it for you to figure out for now.

Question 1 key is not using the time printed, but converting it to your own local time

1 Like

I’m stuck on “Default Credentials”.

Question:
"""
Inspect the login page and perform a bruteforce attack. What is the valid username?
"""

hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 46.101.23.188 -s 31420 http-post-form "/:Username=^USER^&Password=^PASS^:F=<button type="submit""

I don’t know what the problem is.

Error List or parameter?

Can anyone give me a hint?

Thanks

“CTRL + U” to view page source, and googling the title information!

Working on it but not resolved for a few days. Just found that there are some old accounts, as mentioned on the “Support” page. I just guess the old accounts have less security control and am going to try it. If you have resolved the question, do you mind PMing me some hints?

Thanks a lot.

I got the password for some support account, but when I log in with those accounts I do not see any admin panel access. I just see one difference mentioned, that there is no ticket assigned to the support… Using a small directory brute force, there is no extra folder or page found… I believe this is the right direction.

We completed this module. If you guys need help with it, just text me.

2 Likes

Working on the final assessment here.
I figure that there is an account username that can be targeted.
So I prepared a list of passwords from rockyou.txt that fit the password criteria (20 characters, starting with uppercase, ending with digit, etc).
Bruteforcing the password does not work tho due to timeout.

Did you manually try all the passwords?

I found some other high-privilege user. With the cookie format of support, I can change my cookie to make myself a privileged user to get the flag.

Hi All - Looking for help in pointing me in the right direction for the skills assessment at the end of this course.

I have worked out the cookie encoding and, fuzzing the m****** page, I can only find accounts for guest and support.

I can alter the cookie so that I can be “support” but this always directs me to the error page indicating that “support” cannot log on with that role.

Are there other users that I’m missing? I cannot find any old accounts that are mentioned on the support page and stuck at where to try next.

Any pointers?

First, we have to understand the service on this page: try to enumerate manually, read all the content, and understand what it says.
Next, we have to try the functions on it. The important point is to understand this service!

2 Likes

cracked it…thanks Satellite!

Could someone give me a hint for the “Broken Authentication”, “Bruteforcing Usernames” section ./question2/ Broken Authentication Login - User inference!?
I can find neither the pre-filled input nor the ‘failed_login’ cookie yet, just the “Invalid credentials” in the response.
I have fuzzed the “Username”, “wronguser”, both of them with Burp Intruder and manually using top-usernames-shortlist.txt - nothing interesting. Perhaps I have overlooked something? The response source does not seem to be unusual.

I still can’t get this, I’ve found 4 accounts and cannot cookie them (cannot have requested role). I’ve tried all combinations of ffuf against r*.php and m*.php but no working hit. Any other hint? thanks

Use the dictionary that is mentioned in this section (bruteforcing username).