Authenticate is a TryHackMe CTF room that focuses on a few types of authentication exploitation.

Dictionary attack

The room requires you to use Burp Suite.
Start Burp Suite.
Connect to Burp proxy.
Turn off Burp proxy intercept.
Navigate to the victim host on port 8888.

After navigating to home page, turn the proxy intercept back on.
Input some random credentials into the login form.
Capture a request.

Send the POST /login request to Intruder.

Modify the request so that the username is jack, and mark the password field as the payload position.


Go to the Payloads tab and load /usr/share/wordlists/rockyou.txt as the password list.
Start the attack.

Allow the attack to run.
You will see that the password 12345678 returns a different response from the rest:

HTTP/1.0 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 221
Vary: Cookie
Set-Cookie: session=eyJ1c2VyX2lkIjoxfQ.X3ej_A.sdwlnIZGKBKbBYGfMCVC1DEGXkw; HttpOnly; Path=/
Server: Werkzeug/0.16.0 Python/3.6.9
Date: Fri, 02 Oct 2020 22:04:44 GMT

<p>You should be redirected automatically to target URL: <a href="/logged">/logged</a>.  If not click the link.

The 302 redirect to /logged (and the new session cookie) indicates a successful login.

Following this, we can log in using the found credentials, which reveals the flag.


Now we can try this for the user mike.
This time I swapped out rockyou for fasttrack, a smaller list that doesn't take as long to load.

A successful login occurs at password payload 12345.

<p>You should be redirected automatically to target URL: <a href="/logged">/logged</a>.  If not click the link.

And after logging in as mike, we get the second flag.
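From the defender's side, the Intruder run above leaves an obvious trace: one client sending hundreds of POST /login requests in a short window, with a single 302 at the end. The following is an added example (not part of the write-up or the room's code) that flags that pattern in a Werkzeug-style access log. The log lines are constructed, and it assumes failed logins return 200 while a success returns the 302 seen above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line of the Werkzeug development server's access log, e.g.
# 10.0.0.5 - - [02/Oct/2020 22:04:44] "POST /login HTTP/1.0" 302 -
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = '%d/%b/%Y %H:%M:%S'


def detect_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: alert} for every client that sent `threshold` or more
    POST /login requests inside a sliding `window`. Once a client is flagged,
    keep counting its attempts and record whether a 302 (the success response
    seen in the write-up) followed the burst, since that means a guess worked."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m['method'] != 'POST' or m['path'] != '/login':
            continue
        ip = m['ip']
        ts = datetime.strptime(m['ts'], TS_FORMAT)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if ip in alerts:
            alerts[ip]['attempts'] += 1
            if m['status'] == '302':
                alerts[ip]['success_after_burst'] = True
        elif len(q) >= threshold:
            alerts[ip] = {'first_seen': q[0], 'attempts': len(q), 'success_after_burst': False}
    return alerts


def constructed_log():
    """Constructed sample log: an Intruder-style run of 25 wrong passwords
    (assumed to return 200) followed by the one that worked (302), plus an
    unrelated user logging in once from another address."""
    base = datetime(2020, 10, 2, 22, 4, 0)
    fmt = '{ip} - - [{ts:%d/%b/%Y %H:%M:%S}] "POST /login HTTP/1.0" {status} -'
    lines = ['10.0.0.5 - - [02/Oct/2020 22:03:58] "GET / HTTP/1.0" 200 -']
    for i in range(25):
        lines.append(fmt.format(ip='10.0.0.5', ts=base + timedelta(seconds=i), status=200))
    lines.append(fmt.format(ip='10.0.0.5', ts=base + timedelta(seconds=25), status=302))
    lines.append(fmt.format(ip='10.0.0.9', ts=base + timedelta(seconds=70), status=302))
    return lines


if __name__ == '__main__':
    for ip, alert in detect_login_bursts(constructed_log()).items():
        print(ip, alert)
```

The same counter, run inside the application rather than over its log, is the basis for rate limiting or a temporary lockout on /login; the `success_after_burst` flag is the case that should page someone, because the guessed account is now in use.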



This section takes advantage of a flaw where we register as a user that already exists. For example, darren exists, so we register as darren with a space prefixing the username.

Once registered, log in to obtain the flag.
Remember to prefix the username with a space.


And let's do the same for arthur too.
Arthur's flag is as follows.
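The write-up does not show the server code, but one plausible root cause for this behaviour (an assumption, not something the page confirms) is that registration checks uniqueness on the raw username while the account identity used after login is derived from a trimmed one, so " darren" and "darren" are different at sign-up and the same afterwards. The toy store below, added here and not taken from the room, reproduces that mismatch and contrasts it with a version that normalizes once and uses the normalized name everywhere. Password handling is deliberately minimal; the point is the key used for uniqueness and identity.

```python
import unicodedata


class VulnerableUserStore:
    """Uniqueness is checked on the raw string, identity on the stripped one
    (constructed reproduction of a plausible root cause, not the room's code)."""
    def __init__(self):
        self.users = {}     # raw username -> password (toy store, not hashed)
        self.secrets = {}   # account identity -> private data

    def register(self, username, password):
        if username in self.users:          # ' darren' != 'darren', so this passes
            raise ValueError('username taken')
        self.users[username] = password

    def login(self, username, password):
        if self.users.get(username) != password:
            return None
        return username.strip()             # identity collapses onto the victim's


def normalize_username(raw):
    """One canonical form, applied at registration, login and lookup alike:
    NFKC folds compatibility characters, casefold handles case, strip removes
    surrounding whitespace. Empty names are rejected outright."""
    name = unicodedata.normalize('NFKC', raw).strip().casefold()
    if not name:
        raise ValueError('invalid username')
    return name


class HardenedUserStore:
    def __init__(self):
        self.users = {}     # normalized username -> password
        self.secrets = {}   # normalized username -> private data

    def register(self, username, password):
        name = normalize_username(username)
        if name in self.users:              # same key the rest of the app uses
            raise ValueError('username taken')
        self.users[name] = password

    def login(self, username, password):
        name = normalize_username(username)
        if self.users.get(name) != password:
            return None
        return name


def demo(store_cls):
    """Seed the victim account, then replay the space-prefixed registration.
    Returns whatever the attacker's session can read."""
    store = store_cls()
    store.register('darren', 'victim-password')
    store.secrets['darren'] = 'FLAG{placeholder}'     # constructed, not the room's flag
    try:
        store.register(' darren', 'attacker-password')
    except ValueError:
        return 'registration refused'
    identity = store.login(' darren', 'attacker-password')
    return store.secrets.get(identity)


if __name__ == '__main__':
    print('vulnerable:', demo(VulnerableUserStore))
    print('hardened:  ', demo(HardenedUserStore))
```

The same normalization belongs in the database layer too: a unique index on the normalized column, not the raw one, stops the race between two registrations that the application-level check alone cannot.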



We will exploit JWT tokens in this section.

Don't do what I did.
Make sure you switch to port 5000.
I spent an hour or so trying to decode the session cookie on port 8888.

When you get to the site on port 5000, you'll see an authentication form.
Use the credentials user:user. You'll see a popup saying 'Welcome ~'.

After this, a session cookie named session will be stored. For example:

We can decode this in Burp.
Paste the cookie value into Burp's Decoder and decode it as Base64.


Add this to the Access Token in Local Storage, replacing the first two sections (header and payload).
Leave the last section (the signature) as it is.

Edit the identity integer and hit Go.
You'll find you are now admin!


After hitting Go the following is returned.

Welcome admin: 92498880383088033228
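Changing the identity claim while keeping the old signature can only work if the server never checks that signature. The following added example (not the room's code; the claim name `identity` and the HS256 algorithm are assumptions) implements a JWT HS256 verifier with the standard library, shows what an unverified decode accepts, and confirms that a properly checked token with a swapped payload is rejected, as is a token whose header asks for `alg: none`.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(',', ':')).encode('utf-8')


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way the server should: HMAC-SHA256 over header.payload."""
    header_b64 = _b64url_encode(_json({'alg': 'HS256', 'typ': 'JWT'}))
    payload_b64 = _b64url_encode(_json(claims))
    sig = hmac.new(key, f'{header_b64}.{payload_b64}'.encode('ascii'), hashlib.sha256).digest()
    return f'{header_b64}.{payload_b64}.{_b64url_encode(sig)}'


def decode_unverified(token: str) -> dict:
    """What a server that ignores the signature effectively does: trust the payload."""
    return json.loads(_b64url_decode(token.split('.')[1]))


def verify_hs256(token: str, key: bytes) -> dict:
    """Accept the claims only if the algorithm is the one we issue and the
    signature matches under our key. Raises ValueError otherwise."""
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('malformed token')
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get('alg') != 'HS256':        # pin the algorithm server-side
        raise ValueError('unexpected alg')
    expected = hmac.new(key, f'{header_b64}.{payload_b64}'.encode('ascii'), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time
        raise ValueError('bad signature')
    return json.loads(_b64url_decode(payload_b64))


def tampered_identity(token: str, new_identity: int) -> str:
    """Reproduce the edit from the write-up: new payload, old signature kept."""
    header_b64, payload_b64, sig_b64 = token.split('.')
    claims = json.loads(_b64url_decode(payload_b64))
    claims['identity'] = new_identity
    return f'{header_b64}.{_b64url_encode(_json(claims))}.{sig_b64}'


def alg_none_token(claims: dict) -> str:
    """A token that asks the verifier to skip signing; must be refused."""
    return f"{_b64url_encode(_json({'alg': 'none', 'typ': 'JWT'}))}.{_b64url_encode(_json(claims))}."


if __name__ == '__main__':
    key = b'constructed-demo-key'            # constructed; a real key is random and secret
    token = sign_hs256({'identity': 2}, key)
    forged = tampered_identity(token, 1)
    print('unverified decode accepts:', decode_unverified(forged))
    try:
        verify_hs256(forged, key)
    except ValueError as e:
        print('verified decode rejects:', e)
```

If the server uses a JWT library instead, the equivalent settings are a fixed list of accepted algorithms and an explicit key on every decode call; a decode that runs without either is the unverified path above.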


Switch to port 7777.

Hit Create User, then progress to Private space.

The URL bar will show:

Fuzz the integer in the URL to find superadmin's password. The page then shows:
Hello superadmin!

Your password:

Your secret data:
Here's your flag: 72102933396288983011
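The private space is looked up by a sequential integer, and the lookup never asks whether the space belongs to the logged-in user, so walking the integer reaches superadmin's data. The added example below (constructed, not the room's code) puts a vulnerable lookup next to one that enforces object-level authorization on every read, issues unguessable ids, and records denied requests so that enumeration shows up in monitoring.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Space:
    owner: str
    data: str


class VulnerablePrivateSpaces:
    """Sequential ids and no ownership check: any logged-in user who changes
    the integer in the URL reads someone else's space."""
    def __init__(self):
        self._spaces = {}
        self._next_id = 1

    def create(self, owner, data):
        space_id = self._next_id
        self._next_id += 1
        self._spaces[space_id] = Space(owner, data)
        return space_id

    def get(self, session_user, space_id):
        return self._spaces[space_id].data     # only checks that the record exists


class HardenedPrivateSpaces:
    """Ownership check on every read, random ids, and a record of denials."""
    def __init__(self):
        self._spaces = {}
        self.denied = []   # (session_user, space_id) pairs worth alerting on

    def create(self, owner, data):
        space_id = secrets.token_urlsafe(16)   # 128 random bits; not enumerable
        self._spaces[space_id] = Space(owner, data)
        return space_id

    def get(self, session_user, space_id):
        record = self._spaces.get(space_id)
        # Same outcome for "does not exist" and "not yours", so a probe cannot
        # learn which ids are valid; the denial is kept for detection.
        if record is None or record.owner != session_user:
            self.denied.append((session_user, space_id))
            raise PermissionError('not found')
        return record.data


def demo(service_cls):
    """Seed superadmin's space, create a fresh user (as in the room), then have
    that user request superadmin's id. Returns what the user gets back."""
    svc = service_cls()
    admin_space = svc.create('superadmin', 'FLAG{placeholder}')   # constructed
    svc.create('newuser', 'nothing here')
    try:
        return svc.get('newuser', admin_space)
    except PermissionError:
        return 'denied'


if __name__ == '__main__':
    print('vulnerable:', demo(VulnerablePrivateSpaces))
    print('hardened:  ', demo(HardenedPrivateSpaces))
```

Random ids alone are not the fix: they only slow enumeration down. The ownership comparison in `get` is the control, and the `denied` list is what a detection rule would count per session to spot someone fuzzing ids.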
