Today I’ll be going through the authentication exercises from Web for Pentesters II. This set wasn’t too difficult; the hard part was example 2, which I’ll get into later on, but otherwise it’s pretty straightforward. So let’s get into it.
For the first example the username, admin, is given to you, but the password you have to guess. You could run a password cracker against it, or, as it’s a weak password, you could easily guess it. The password is admin.
The second example was a pain to do and I still haven’t cracked it with the script (which is available on my Bitbucket account here). However, the username and password are in the Ruby file for this example: username hacker, password p4ssw0rd (with a zero, not an o).
In the third example you are going to need a proxy like Burp Suite or OWASP ZAP. Once you have that installed and set up, follow the steps below to crack the exercise.
- Load the page. (Make sure that no parameters are in the URL, as this interferes with the process.)
- Load up the proxy.
- Find the user variable in the cookie.
- Set the user variable to admin.
- Submit the request.
Boom! You are now admin.
In the fourth example you have to run a password cracker. Any online cracker should work; I have yet to run one on this exercise and will update this post once I do.
In the fifth example there is a flaw in the registration process. We can create a user with admin privileges with the following steps:
- Click on the register link.
- Create a user with the username Admin and any password you want.
This will get you admin rights; the problem lies in the MySQL database’s username comparison.
In the last example we are again exploiting the logic of the register page to get admin privileges.
- Go to the register page.
- Create a user with the username admin followed by a space, and any password.
Boom! You are now an admin XD. The problem again lies in the comparison of the new username with the usernames in the database, as admin and admin (with a trailing space) are two different users on the system.
Thanks for reading; if you have any questions or comments, please leave them below.