[Authentication Bypass]
For this day, we're going to explore the Auth Bypass section of THM's JRPT path.
- `-w` selects where the "name.txt" wordlist is located on the local machine. Since I am using my Arch, using the `locate name.txt` command was important.
- `-X` specifies the request method; `GET` is the default.
- According to THM, "The `-d` argument specifies the data that we are going to send. In our example, we have the fields username, email, password and cpassword. We've set the value of the username to FUZZ. In the ffuf tool, the FUZZ keyword signifies where the contents from our wordlist will be inserted in the request."
- The `-H` argument is used for adding additional headers to the request. In this instance, we're setting the `Content-Type` so the web server knows we are sending form data.
- `-u` specifies the URL we're requesting.
- `-mr` is the text on the page we are looking for to validate we've found a valid username.
```
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.95.150/customers/login -fc 200
```
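A run like the one above sends many POSTs to a single login endpoint within seconds, which is the shape a defender can look for in web-server access logs. The following is an added example, not part of the THM room or this write-up: a small Python detector over constructed Apache combined-format log lines that flags any client POSTing to `/customers/login` at least a threshold number of times inside a sliding time window (the 60-second window and 5-attempt threshold are assumptions to tune per site).

```python
"""Flag burst login attempts (ffuf-style brute force / credential stuffing)
in access logs.

Added example; the log lines below are constructed in Apache combined format,
and the 60-second window / 5-attempt threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client fires six POSTs in six seconds,
# another logs in once and then browses normally.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Oct/2023:13:50:00 +0000] "POST /customers/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /customers/login HTTP/1.1" 200 1043 "-" "curl/8.4.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /customers/login HTTP/1.1" 200 1043 "-" "curl/8.4.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /customers/login HTTP/1.1" 200 1043 "-" "curl/8.4.0"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "POST /customers/login HTTP/1.1" 200 1043 "-" "curl/8.4.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /customers/login HTTP/1.1" 200 1043 "-" "curl/8.4.0"
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "POST /customers/login HTTP/1.1" 302 0 "-" "curl/8.4.0"
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /customers HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_login_bursts(lines, path="/customers/login", window_s=60, threshold=5):
    """Map client IP -> total POSTs to `path` for every client that made at
    least `threshold` such POSTs inside any `window_s`-second window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # shrink the window from the left until it spans at most window_s
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} login POSTs, exceeds burst threshold")
```

The detector keys on rate alone, so it also catches tools that randomise the User-Agent; pairing it with a lockout or rate limit on the login route is the usual mitigation.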
TASK 4
An important lesson here is that PHP code using `===` performs a strict comparison, so the check only matches the exact URL string it is compared against. One way to bypass it is to change the letter casing.
As the room puts it, such a user "will not have their privileges checked and have the page displayed to them, totally bypassing the authentication checks."
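To make the lesson concrete, here is an added example (a Python model, not the room's PHP) of a privilege check keyed on an exact string match against the raw path, beside the same check applied after the path has been canonicalised. The route names, the `User` record and the lower-casing canonicalisation are assumptions for illustration.

```python
"""Exact-match (===) privilege check keyed on the raw URL versus a check
applied after canonicalising the path.

Added example modelling the task above; it is not the room's PHP. The route
names, the User record and the 'lower-case the path' canonicalisation are
assumptions for illustration.
"""
import posixpath
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_admin: bool


# Constructed: routes that must only be served to administrators.
PRIVILEGED_ROUTES = {"/admin", "/customers/reset"}


def canonical_route(path: str) -> str:
    """Fold case and normalise '//', '/./' and a trailing '/' so every spelling
    of a route maps to one key."""
    return posixpath.normpath(path.lower())


def serve_vulnerable(path: str, user: User) -> str:
    # Mirrors `if ($path === '/admin') { check privilege }`: only the exact
    # string triggers the check, yet the server hands every spelling to the
    # same page, so "/Admin" is served without any check at all.
    if path in PRIVILEGED_ROUTES and not user.is_admin:
        return "403 forbidden"
    return f"200 {canonical_route(path)}"


def serve_hardened(path: str, user: User) -> str:
    # Decide on the canonical route, and make the check part of the route
    # handler rather than a string comparison bolted on in front of it.
    route = canonical_route(path)
    if route in PRIVILEGED_ROUTES and not user.is_admin:
        return "403 forbidden"
    return f"200 {route}"


if __name__ == "__main__":
    guest = User("guest", is_admin=False)
    for p in ("/admin", "/Admin", "/ADMIN/", "/admin//", "/help"):
        print(f"{p:10} vulnerable={serve_vulnerable(p, guest):16} hardened={serve_hardened(p, guest)}")
```

The durable fix is the second half of `serve_hardened`: authorisation belongs to the handler that renders the privileged page, not to a string comparison on whatever the client typed.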
The PHP `$_REQUEST` variable is an array that contains data received from both the query string and POST data. If the same key name is used in both the query string and the POST data, the application logic for this variable favours the POST field over the query string, so by adding another parameter to the POST form we can control where the password reset email gets delivered.
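The following added example (a Python model, not the room's PHP) reproduces how `$_REQUEST` is assembled, with PHP's default `request_order` of `GP` meaning a POST field overrides a query-string field of the same name, and contrasts a reset flow that reads the destination address from the merged request with one that takes it from the stored account. The account table, field names and addresses are constructed.

```python
"""Why a reset flow that reads the destination address from $_REQUEST can be
redirected, and the fix.

PHP builds $_REQUEST by merging the sources named in request_order; with the
default "GP", a POST field overrides a query-string field of the same name.
Added example (a Python model, not the room's PHP). The account table,
field names and addresses are constructed.
"""
ACCOUNTS = {"robert": "robert@acmeitsupport.thm"}  # constructed sample data
OUTBOX = []                                        # (username, address) of mails "sent"


def build_request(query: dict, post: dict, order: str = "GP") -> dict:
    """Reproduce $_REQUEST: sources are applied in request_order, later ones win."""
    sources = {"G": query, "P": post}
    merged = {}
    for letter in order:
        merged.update(sources[letter])
    return merged


def reset_vulnerable(query: dict, post: dict):
    """Sends the reset link to whatever 'email' the merged request carries."""
    req = build_request(query, post)
    user = req.get("username")
    if user not in ACCOUNTS or "email" not in req:
        return None
    OUTBOX.append((user, req["email"]))
    return req["email"]


def reset_hardened(query: dict, post: dict):
    """Reads the username from the one source it expects (the form body) and
    takes the destination from the stored account, never from the client."""
    user = post.get("username")
    if user not in ACCOUNTS:
        return None
    address = ACCOUNTS[user]
    OUTBOX.append((user, address))
    return address


if __name__ == "__main__":
    legit_query = {"email": "robert@acmeitsupport.thm"}
    tampered_post = {"username": "robert", "email": "mailbox-i-control@example.test"}
    print("vulnerable ->", reset_vulnerable(legit_query, tampered_post))
    print("hardened   ->", reset_hardened(legit_query, tampered_post))
```

The point of `reset_hardened` is not the choice of `$_POST` over `$_REQUEST` by itself: a reset email's destination is server-side state about the account, so it should never be read from the request at all.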
I then created a new account, and with that new account, I sent the "reset email" request to the account I had newly made.
I then got hold of a URL where the user can update their password (from the luigi@customer.acmeitsupport.thm dashboard).
After changing Robert's password to 1234, I found the flag.
TASK 4 COOKIE TAMPERING
There were important hashing methods that were mentioned: MD5, SHA-256, SHA-512 and SHA-1. Cracking them could be done with useful websites like CrackStation or base64encode.
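As an added example (not part of the room), the Python below shows the three things a defender should take from this task: an unsigned base64 cookie can be decoded, edited and re-encoded by whoever holds it; a bare hex digest in a cookie can be recognised by its length (the four algorithms named above) and then looked up; and an HMAC-signed cookie rejects any edit because the tag is computed with a key the client never sees. The cookie contents, the secret and the `admin` flag are constructed.

```python
"""Cookie tampering from the server's side: an unsigned cookie can be decoded,
edited and re-encoded by the client; a cookie carrying a bare hash can be
recognised by its length and looked up; an HMAC-signed cookie rejects any edit.

Added example, not part of the room. Cookie contents, the secret and the
'admin' flag are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

# Hex-digest lengths of the hash functions the room mentions.
HEX_LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def guess_hash_algo(value: str):
    """Name the likely algorithm of a hex digest by its length, else None."""
    v = value.strip().lower()
    if v and all(c in "0123456789abcdef" for c in v):
        return HEX_LENGTH_TO_ALGO.get(len(v))
    return None


def encode_plain_cookie(data: dict) -> str:
    """Unsigned base64(JSON) cookie: readable and writable by anyone holding it."""
    return base64.b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()


def decode_plain_cookie(value: str) -> dict:
    return json.loads(base64.b64decode(value))


SECRET = b"server-side-secret-never-sent-to-client"  # constructed


def sign_cookie(data: dict, key: bytes = SECRET) -> str:
    """body.tag where tag = HMAC-SHA256(key, body); the body stays readable,
    but changing any byte of it invalidates the tag."""
    body = base64.urlsafe_b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET):
    """Return the cookie's data if the tag verifies, otherwise None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))


if __name__ == "__main__":
    plain = encode_plain_cookie({"user": "guest", "admin": False})
    edited = decode_plain_cookie(plain)
    edited["admin"] = True
    print("unsigned cookie after client edit:", decode_plain_cookie(encode_plain_cookie(edited)))
    signed = sign_cookie({"user": "guest", "admin": False})
    body, _, tag = signed.rpartition(".")
    forged = base64.urlsafe_b64encode(b'{"user":"guest","admin":true}').decode() + "." + tag
    print("signed cookie with edited body verifies as:", verify_cookie(forged))
    digest = hashlib.md5(b"x").hexdigest()
    print("digest", digest, "looks like", guess_hash_algo(digest))
```

Signing stops tampering but not reading, so anything sensitive still belongs in a server-side session keyed by a random identifier rather than in the cookie body; and an unsalted MD5 or SHA-1 of a password, signed or not, is exactly what the lookup sites named above are built to reverse.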
Concepts/important tools: ffuf, cookies, CrackStation, hashing, base64