Broken Authentication [Skill Assessment] Hack The Box Writeup

Jun Takemura · December 27, 2024

Skill Assessment

Question

You are tasked to perform a security assessment of a client’s web application. For the assessment, the client has not provided you with credentials. Apply what you have learned in this module to obtain the flag.

Obtain the flag.

Attempt

First I tried to log in to the website using admin:admin. This failed but the request body showed the parameters:

username=admin
password=admin

Since the login page only showed 'Unknown username or password', I decided to look for other approaches before resorting to blind brute-force.

Then I tried to register a new account Mario:Luigi. The website showed the password policy:

Password does not meet our password policy:

- Contains at least one digit
- Contains at least one lower-case character
- Contains at least one upper-case character
- Contains NO special characters
- Is exactly 12 characters long

This policy narrows the search space a lot, so I built a custom wordlist from rockyou.txt, keeping only entries that are exactly 12 alphanumeric characters and contain at least one digit, one lower-case and one upper-case letter:

grep '[[:upper:]]' /usr/share/wordlists/rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '^[[:alnum:]]{12}$' > 12letters_wordlist.txt

Nonetheless, I proceeded with registering a new account, Mario:0123456789Ab. With these credentials I logged in and landed on /profile.php, receiving a PHP session ID m1ejg5571mojnlad5krp1fajh8. It didn't look like URL, hex, or base64 encoding, so I assumed it was just a random string. The URL was simply http://94.237.62.184:32564/profile.php and carried no parameters.

So I just tried to fuzz the password with the username admin:

ffuf -u http://94.237.62.184:32564/login.php -w ./12letters_wordlist.txt -d "username=admin&password=FUZZ" -t 50 -fr "Unknown username" -X POST -H "Content-Type: application/x-www-form-urlencoded"

This returned nothing.

When I tried the username Mario that I had registered, the error message was Invalid credentials instead. So the page returns a different message when the username exists, which means admin doesn't exist and, more importantly, valid usernames can be enumerated.

I started user enumeration:

ffuf -u http://94.237.62.184:32564/login.php -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d "username=FUZZ&password=Luigi" -t 50 -mr "Invalid credentials" -X POST -H "Content-Type: application/x-www-form-urlencoded"

Note that -X POST -H "Content-Type: application/x-www-form-urlencoded" is required. curl sets the method and Content-Type automatically when you pass data with -d, but ffuf doesn't.

Found the user gladys. Now fuzz the password:

ffuf -u http://94.237.62.184:32564/login.php -w ./12letters_wordlist.txt -d "username=gladys&password=FUZZ" -t 50 -fr "Invalid credentials" -X POST -H "Content-Type: application/x-www-form-urlencoded"

Since -fr and -mr take regular expressions, make sure the case matches, and escape any . you include. Found the password `dWinaldasD13`.

The application also had 2FA in place, and since OTP attempts were rate-limited, I couldn't brute-force it. I also had no idea how many digits the OTP used.

But I intercepted the request with ZAP and changed the request path from /2fa.php to /profile.php. The response body contained the leaked profile page, including the flag:

<div class="heading">
    <h1 class="display-5 title">Welcome gladys!</h1>
    <br />
    <div class="cards">

      flag here

You can also change the status code in the intercepted response from 302 to 200 to stop the redirect, and the browser will render the leaked page.
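The two root causes above, the login page leaking whether a username exists and /profile.php being reachable after the password step but before the OTP step, can be modelled in a few lines. This is an added illustration, not code from the lab or from this post; the user store, password and OTP values are placeholders, and the session is a plain dict standing in for the PHP session.

```python
import hmac

# Constructed in-memory state for this example. "gladys" and the endpoint
# names mirror the writeup; the password and OTP are placeholders, not the
# lab's values. A real app stores a slow password hash (e.g. Argon2), not text.
USERS = {"gladys": {"password": "placeholder-Pass1", "otp": "000000"}}

# Session stages: anonymous -> password_ok -> authenticated.
# The bug described above is an app that treats password_ok as "logged in".

def login(session, username, password):
    """One message for unknown user and wrong password, and a constant-time
    compare against a dummy for unknown users, so neither the text nor the
    timing reveals which usernames exist (the enumeration seen with ffuf)."""
    record = USERS.get(username)
    expected = record["password"] if record else "dummy-value-never-matches"
    matched = hmac.compare_digest(expected.encode(), password.encode())
    if record is None or not matched:
        return 401, "Unknown username or password"
    session.update(user=username, stage="password_ok")  # not authenticated yet
    return 302, "/2fa.php"

def verify_otp(session, code):
    if session.get("stage") != "password_ok":
        return 403, "Log in first"
    expected = USERS[session["user"]]["otp"]
    if not hmac.compare_digest(expected.encode(), code.encode()):
        return 401, "Invalid code"
    session["stage"] = "authenticated"
    return 302, "/profile.php"

def profile_vulnerable(session):
    """Models the finding: the gate only checks that a user is set, and the
    profile is rendered into the body of the 302. Requesting /profile.php
    directly, or rewriting 302 -> 200 in a proxy, exposes the content."""
    if not session.get("user"):
        return 302, "/login.php", ""
    body = f"<h1>Welcome {session['user']}!</h1> flag here"
    if session["stage"] != "authenticated":
        return 302, "/2fa.php", body  # redirect header, but body still leaks
    return 200, None, body

def profile_hardened(session):
    """Gate on the final stage and send no page content with the redirect."""
    if session.get("stage") != "authenticated":
        return 302, "/2fa.php", ""
    return 200, None, f"<h1>Welcome {session['user']}!</h1> flag here"
```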
