TryHackMe: Authentication Bypass a Walkthrough

Jasmine Parks
6 min read · Mar 26, 2022

This is a step-by-step walkthrough of TryHackMe’s Authentication Bypass room, with screenshots.

Task 1: Brief

Question 1: No answer needed

TryHackMe Screenshot

Task 2: Username Enumeration

Question 2: What is the username starting with si***?
Per THM: simon

Make sure to make the file valid_usernames.txt (here I used usernames.txt, but it will work either way).

TryHackMe Screenshot

Use cat usernames.txt (or valid_usernames.txt) to reveal the usernames associated with this site.

TryHackMe Screenshot

The screenshot below is what this file looks like in nano. As you can see there is a lot of extra information. We are going to have to account for this in the next task.

TryHackMe Screenshot
TryHackMe Screenshot

Question 3: What is the username starting with st***?
Per THM: steve

TryHackMe Screenshot

Question 4: What is the username starting with ro****?
Per THM: robert

TryHackMe Screenshot

Task 3: Brute Force

For the following question, I had a lot of problems figuring it out. After researching in the forum, I found that some adjustments needed to be made to the usernames.txt file to make the ffuf command work.

TryHackMe Forum Screenshot

First, I deleted my original usernames.txt file (or in your case, it might be the valid_usernames.txt file). I used nano to create a new usernames.txt file and added the names: admin, steve, simon, and robert into it.

TryHackMe Screenshot
TryHackMe Screenshot

Then, I ran the code to brute force the passwords combined with the known usernames, using this command:

ffuf -w usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://[machine_IP_address]/customers/login -fc 200

TryHackMe Screenshot

With the altered file, I was able to finally find the working password and username.
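The ffuf command above sends one POST to /customers/login per username/password pair, which on the server side is a burst of login POSTs from a single client. The script below is an added example (not TryHackMe's or ffuf's code) that flags that pattern in web-server access logs; the log format, the threshold, the window and the sample lines are all constructed for the demo.

```python
"""Detect password brute-force against a login form from web-server access logs.

Added example for this walkthrough (not TryHackMe's or ffuf's code).  Log format,
threshold and the sample lines below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/customers/login"   # endpoint targeted in the walkthrough's ffuf command
THRESHOLD = 5                     # more than this many login POSTs per window -> alert (assumed)
WINDOW = timedelta(seconds=60)

# Common Log Format style line (assumed): ip - - [ts] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.10.14.5 sprays the login form.  Failed attempts re-render
# the form with 200 (which is why the walkthrough filters with -fc 200); the one
# hit redirects with 302.  192.168.1.20 is an ordinary user logging in once.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Mar/2022:10:00:01 +0000] "POST /customers/login HTTP/1.1" 200 1034
10.10.14.5 - - [26/Mar/2022:10:00:01 +0000] "POST /customers/login HTTP/1.1" 200 1034
10.10.14.5 - - [26/Mar/2022:10:00:02 +0000] "POST /customers/login HTTP/1.1" 200 1034
10.10.14.5 - - [26/Mar/2022:10:00:02 +0000] "POST /customers/login HTTP/1.1" 200 1034
10.10.14.5 - - [26/Mar/2022:10:00:03 +0000] "POST /customers/login HTTP/1.1" 200 1034
10.10.14.5 - - [26/Mar/2022:10:00:03 +0000] "POST /customers/login HTTP/1.1" 302 0
192.168.1.20 - - [26/Mar/2022:10:00:05 +0000] "GET /customers/login HTTP/1.1" 200 1034
192.168.1.20 - - [26/Mar/2022:10:00:09 +0000] "POST /customers/login HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_login_bursts(log_text, threshold=THRESHOLD, window=WINDOW, path=LOGIN_PATH):
    """Return one alert per client IP that sends more than `threshold` POSTs to
    `path` inside any sliding window of length `window`."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            posts[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append({
                    "ip": ip,
                    "count": len(recs),
                    "first": recs[0]["ts"],
                    "last": recs[-1]["ts"],
                    # a lone status that differs from the rest is the hit the attacker wanted
                    "statuses": sorted({r["status"] for r in recs}),
                })
                break   # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for a in find_login_bursts(SAMPLE_LOG):
        print(f"{a['ip']}: {a['count']} login POSTs between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S}, statuses seen {a['statuses']}")
```

The status mix in the alert is the defender's mirror of the attacker's `-fc 200` filter: dozens of identical failure responses followed by one that differs is the signature of a guess that landed.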

TryHackMe Screenshot

Question 5: What is the valid username and password (format: username/password)?
Per THM: steve/thunder

TryHackMe Screenshot

Task 4: Logic Flaw

Open up the Acme IT site at: http://[MachineIP]/customers/reset

TryHackMe Screenshot

Enter the email address robert@acmeitsupport.thm into the email field and click “Check Email”. This will send the reset request.

TryHackMe Screenshot

Copy and paste the first curl command into the command line in your terminal.

TryHackMe Screenshot

Create an account, per the instructions. Then run the second curl command, using your created email address:

TryHackMe Screenshot

You will want to replace {username} with the username you created.

TryHackMe Screenshot
TryHackMe Screenshot

Then log in using your new credentials.

TryHackMe Screenshot

Once logged in, click on Support Tickets, where you will see an open ticket. Click on the 3 to open the ticket.

TryHackMe Screenshot

You will see a reset link to reset Robert’s password.

TryHackMe Screenshot

Copy and paste that link into the browser’s URL bar, which will take you to the page below.

TryHackMe Screenshot

Click on Support Tickets. This will show one open ticket, click on the “1” to view the ticket.

TryHackMe Screenshot

This will reveal the flag.
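The reset link for Robert ended up in an account the requester created, so the reset step must have delivered the link to an address taken from the request rather than the address stored for Robert. The code below is an added example (not the Acme IT Support application's code) showing that flawed handler next to a corrected one; it assumes the reset step takes `username` and `email` fields, and the user table and every address other than robert@acmeitsupport.thm are constructed.

```python
"""Password-reset logic flaw and its fix.

Added example for this walkthrough, not the Acme IT Support application's code.
Assumes the reset step accepts `username` and `email` fields; the user table and
the addresses other than robert@acmeitsupport.thm are constructed.
"""
import hashlib
import secrets
import time

# Constructed user table: username -> email on file
USERS = {
    "robert": "robert@acmeitsupport.thm",
    "mallory": "mallory@example.test",    # a self-registered account (constructed)
}

OUTBOX = []          # (recipient, message); stands in for mail delivery / the support-ticket inbox
PENDING = {}         # sha256(token) -> (username, expiry); only the hash is kept server-side
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed)


def _deliver(recipient, username):
    """Mint a fresh random token for `username` and send the link to `recipient`."""
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = (username, time.time() + TOKEN_TTL)
    OUTBOX.append((recipient, f"/customers/reset?token={token}"))
    return token


def reset_vulnerable(form):
    """'Before': the account lookup is fine, but the destination is requester-chosen."""
    username = form.get("username")
    if username not in USERS:
        return "user not found"                   # also leaks whether the username exists
    _deliver(form.get("email"), username)        # BUG: trusts the email field of the request
    return "reset link sent"


def reset_fixed(form):
    """'After': the link only ever goes to the address on file, and the response
    is the same whether or not the account exists."""
    username = form.get("username")
    if username in USERS:
        _deliver(USERS[username], username)
    return "if that account exists, a reset link has been sent"


def consume_token(token):
    """Redeem a reset link once; returns the username it unlocks, or None."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(key, None)
    if entry is None:
        return None
    username, expiry = entry
    return username if time.time() < expiry else None


if __name__ == "__main__":
    request = {"username": "robert", "email": USERS["mallory"]}
    reset_vulnerable(request)
    print("vulnerable handler mailed:", OUTBOX[-1][0])   # mallory's address
    reset_fixed(request)
    print("fixed handler mailed:     ", OUTBOX[-1][0])   # robert's address
```

Two smaller points are folded into the fixed handler: the response no longer differs for unknown usernames, which closes the enumeration channel from Task 2, and only a hash of the token is stored, so a leaked table does not hand out live reset links.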

TryHackMe Screenshot

Question 6: What is the flag from Robert’s support ticket?

TryHackMe Screenshot

Task 5: Cookie Tampering

Question 7: What is the flag from changing the plain text cookie values?

Copy and paste the first curl command into the command line. This will render the result: Not Logged In.

TryHackMe Screenshot

Copy and paste the second curl command into the command line.

TryHackMe Screenshot

This will log you in as a user.

TryHackMe Screenshot

Next, use the curl command in the screenshot below.

TryHackMe Screenshot

This will log you in as an admin and reveal the flag.

TryHackMe Screenshot
TryHackMe Screenshot

Question 8: What is the value of the md5 hash 3b2a1053e3270077456a79192070aa78?

You can navigate to crackstation.net and enter the hash. Click the “I’m not a robot” box. Click “Crack Hashes”. This will give you the value of the hash.

TryHackMe Screenshot
TryHackMe Screenshot

Question 9: What is the base64 decoded value of VEhNe0JBU0U2NF9FTkNPRElOR30=?

For this, I went to CyberChef and entered the base64 code. This will reveal the flag. Note: there are many ways to go about decoding this.

You can also create a file with nano and enter the base64 code into it.

Then use base64 -d [name of file containing base64 code]

TryHackMe Screenshot
TryHackMe Screenshot

Question 10: Encode the following value using base64: {"id":1,"admin":true}

For this, I googled a way to decode base64. I entered the above string and clicked encode.
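The value in Question 10 is the same kind of cookie that Task 5 rewrote: base64 over JSON carries no integrity protection, and neither does a plain-text flag or an md5 of a guessable role name (which is why a lookup site answers Question 8). The code below is an added example (not the room's or the Acme IT Support site's code): `encode_plain_cookie()` produces the Question 10 value, `set_admin_flag()` simulates the Task 5 rewrite, and `sign_cookie()`/`verify_cookie()` show the fix, an HMAC tag over the payload that makes the same rewrite detectable. The server key is a constructed placeholder.

```python
"""Cookie tampering and the fix.

Added example for this walkthrough, not the room's code.  The server key is a
constructed placeholder; a real deployment uses a random secret kept off the client.
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"CONSTRUCTED-DEMO-KEY: replace with a random secret kept off the client"


def encode_plain_cookie(session):
    """The room's cookie style: base64 over compact JSON, nothing else."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def decode_plain_cookie(value):
    return json.loads(base64.b64decode(value))


def sign_cookie(session, key=SERVER_KEY):
    """Return payload.tag, where tag = HMAC-SHA256(key, payload)."""
    payload = encode_plain_cookie(session)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(value, key=SERVER_KEY):
    """Return the session dict if the tag matches, else None (tampered or forged)."""
    payload, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    try:
        return decode_plain_cookie(payload)
    except ValueError:                              # bad base64 or bad JSON
        return None


def set_admin_flag(cookie):
    """Simulates Task 5: rewrite the payload so admin becomes true, keeping
    whatever tag (if any) followed it.  Works on a plain cookie; fails verification
    on a signed one because the tag no longer matches."""
    payload, sep, tag = cookie.partition(".")
    session = decode_plain_cookie(payload)
    session["admin"] = True
    return encode_plain_cookie(session) + sep + tag


if __name__ == "__main__":
    print("Q10 value :", encode_plain_cookie({"id": 1, "admin": True}))
    c = sign_cookie({"id": 1, "admin": False})
    print("signed    :", c)
    print("verified  :", verify_cookie(c))
    print("tampered  :", verify_cookie(set_admin_flag(c)))   # None: rejected
```

Signing stops the client from changing what the cookie says; it does not hide the contents, so anything the user should not read (and anything the server would rather not trust at all, such as an admin flag) belongs in a server-side session keyed by a random identifier instead.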

TryHackMe Screenshot
TryHackMe Screenshot

Thank you for reading. If you think I bring you value, please clap and subscribe for more content.
