# Authenticate

![](/files/-MeaQ87-OZGaBD1AU5Y9)

## Dictionary Attack

![](/files/-MebWZKmeKNxbOGMTb16)

Let's first visit the webpage.

![](/files/-MebXMyR2Vm_lE7RiE2u)

Now let's capture the request in Burp with random credentials.

![](/files/-MebXcx1Ywm4-YQp84Vm)

Let's send this to Intruder, go to Positions and change some options.

![](/files/-MebXuGRTdSbJPIrO1WY)

Now let's go to Payloads, load a password list and click Start attack.

![](/files/-MebYTRYdPchAMFs0MPY)

We have the password, so let's log in as Jack and get the flag.

![](/files/-MebYgBS9dP1UxxmcYkL)

Now let's do the same, but for the user Mike.

![](/files/-MebZ2mQRFyrEiOLykQm)

We have the password, so let's log in and get the flag.

![](/files/-MebZB5c3g3KgjI6aT7I)

## Re-registration

![](/files/-MebZOo_tnwtujoEfQi4)

Let's register as Darren, but with a space in front of the name.

![](/files/-MebZmPLScL8rFuNlvNI)

Now let's log in as Darren with a space.

![](/files/-Meb_Yw5Sib1FgXBA3GR)

![](/files/-Meb_d0zM-Lo7t8N9uXQ)

Now let's do the same with the username Arthur.

![](/files/-Meb_y86lnhmuo10dT30)

![](/files/-Meba1wWRHkFvfBQ3SjF)

![](/files/-Meba9AalPzpa1KnW0wE)

## JSON Web Token

![](/files/-Mebb9DhAMo8ZkZKXOUY)

![](/files/-MebbIAiM-qvIWZG_d1_)

![](/files/-MebbQrNkFUkj0r2Jl4-)

Let's follow the steps mentioned above and use admin as the identity.

Let's first visit the webpage.

![](/files/-MebbjWB-8-asdS5PRXe)

Let's type in a username and a password, then capture the request with Burp. Hit Go after capturing the request and then click Forward; you should see this request (if you don't, click Authenticate, forward the request and then click Go).

![](/files/-MebeNKT0_Ef_MBw1qkt)

Now let's decode the first part of the token.

![](/files/-MebecrSIAsA0gIo05s-)

Let's change "alg" to none and encode it.

![](/files/-MebencU0gSfvawaQEuz)

Let's replace the old one with this one.

Now let's copy the second part of the token and decode it.

![](/files/-Mebf-e4nFgJMLCD629s)

Let's change the identity to 0, as admins usually have 0 as their ID, then encode it and replace the original with it.

![](/files/-MebfDv8zgcRQpPiz088)

Now if you send the request you should get the admin flag. If you don't, you can copy the token from the room and use it to replace the one in the request.

![](/files/-MebgAvWzozpnKGYXFFJ)

Once we forward the request, we get the flag

![](/files/-MebgF1qhefgILrtrcgI)
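The server-side check that should reject the edited token from this section, as an added example (not from the original writeup or the room's code): the verifier pins HS256 and checks the HMAC instead of trusting the header's "alg". The key `SECRET` and the helpers `sign`, `verify` and `unsigned` are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: the server's HS256 key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sign(claims: dict) -> str:
    """Issue an HS256 token (constructed helper for the demo)."""
    head = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


def verify(token: str) -> dict:
    """Return the claims only if the token is HS256-signed with SECRET."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given = b64url_decode(sig)
    except (ValueError, TypeError):
        raise ValueError("malformed token")
    # The algorithm is fixed by the server, never read from the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def unsigned(claims: dict) -> str:
    """Constructed test input: header set to alg none, empty signature."""
    head = b64url(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    return f"{head}.{b64url(json.dumps(claims).encode())}."
```

With this check, changing the identity in the payload also fails even when the header is left as HS256, because the original signature no longer matches.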

## No Authorization

![](/files/-MebgVtzUudqXACR4xp9)

Let's check the webpage.

![](/files/-Mebgj27AjwVmuXDDdCH)

Let's create a user called user with a random password.

![](/files/-MebgrfF6_HPmHvcSTJS)

Let's click Visit Private Space.

![](/files/-Mebgy1YuhJgRO_Rn8NJ)

Looks like we are user 1. Let's change it to 0 and see what happens.

![](/files/-Mebh6OTrwxN6UR3qOwc)

We have the flag and the password

![](/files/-MebhGH8VWgy2V33daW8)


