Authenticate

Dictionary Attack

Let's first visit the webpage

Now let's capture the request in Burp with random credentials

Let's send this to Intruder, go to Positions and change some options

Now let's go to Payloads, load a password list, and click Start attack

We have the password, let's log in as Jack and get the flag

Now let's do the same, but for the user Mike.

We have the password, let's log in and get the flag

Re-registration

Let's register as Darren, but with a space in front of the name

Now let's log in as Darren with the leading space

Now let's do the same with the username Arthur

JSON Web Token

Let's follow the steps mentioned above and use admin as the identity

Let's first visit the webpage

Let's type in a username and a password, then capture it with Burp. Hit Go after capturing the request and then click Forward; you should see this request (if you don't, click Authenticate, forward the request and then click Go)

Now let's decode the first part of the token

Let's change "alg" to none and encode it

Let's replace the old one with this one.

Now let's copy the second part of the token and decode it

Let's change the identity to 0, as admins usually have their IDs set to 0, then encode it and replace the original with it.

Now if you send the request you should get the admin flag. If you don't, you can copy the token from the room and replace the one in the request with it

Once we forward the request, we get the flag
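The reason the alg-none trick works is that the server lets the token's own header choose the algorithm. As an added example (not code from the room), here is a minimal verifier that pins HS256 and checks the HMAC, so a token with "alg": "none" or a rewritten identity is rejected; the secret and claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a token; alg='none' is only here to construct the forged sample."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{header}.{body}."          # unsigned: empty third segment
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the header pins HS256 and the HMAC matches."""
    try:
        header_seg, body_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
    except ValueError:                      # wrong segment count, bad base64/JSON
        return None
    # Never let the token pick the algorithm: require the one the server issues.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_seg}.{body_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        return None
    return json.loads(b64url_decode(body_seg))


SECRET = b"constructed-demo-secret"        # placeholder key, not the room's

if __name__ == "__main__":
    genuine = make_token({"identity": 1}, SECRET)
    forged = make_token({"identity": 0}, SECRET, alg="none")
    print(verify_token(genuine, SECRET))   # {'identity': 1}
    print(verify_token(forged, SECRET))    # None
```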

No Authorization

Let's check the webpage

Let's create a user called user with a random password

Let's click Visit Private Space

Looks like we are user 1, let's change it to 0 and see what happens

We have the flag and the password
