Authenticate

Last updated 3 years ago

Dictionary Attack

Let's first visit the webpage.

Now let's capture the login request in Burp using random credentials.

Let's send this request to Intruder, go to Positions, and set the options.

Now let's go to Payloads, load a password list, and click Start attack.

We have the password. Let's log in as Jack and get the flag.

Now let's do the same for the user Mike.

We have the password. Let's log in and get the flag.

Re-registration

Let's register as Darren, but with a space in front of the name.

Now let's log in as Darren with the leading space.

Now let's do the same with the username Arthur.

JSON Web Token

Let's follow the steps mentioned above and use admin as the identity.

Let's first visit the webpage.

Let's type in a username and a password, then capture the request with Burp. Hit Go after capturing the request and then click Forward; you should see this request (if you don't, click Authenticate, forward the request, and then click Go).

Now let's decode the first part of the token (the header).

Let's change "alg" to none and encode it again.

Let's replace the old header with this one.

Now let's copy the second part of the token (the payload) and decode it.

Let's change the identity to 0, since admins usually have an ID of 0, then encode it and replace the original with it.

Now, if you send the request, you should get the admin flag. If you don't, you can copy the token from the room and replace the one in the request with it.

Once we forward the request, we get the flag.
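Added example, not part of the original writeup or the room: a minimal HS256 token issuer with two verifiers, one that trusts the token's own "alg" field (which is why the alg-none edit above works) and a hardened one that pins the algorithm server-side and always checks the HMAC. The secret and the "identity" payloads are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; the room's real signing key is not on this page.
DEMO_SECRET = b"demo-secret-not-the-room-key"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token the way the server should: HS256 header plus HMAC over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def unsigned_token(payload: dict) -> str:
    """The tampered token the walkthrough builds: alg set to none, empty signature."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."


def verify_vulnerable(token: str, secret: bytes):
    """Lets the token choose its own algorithm: 'none' skips the signature check entirely."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") == "none":
        return json.loads(b64url_decode(body_b64))  # claims accepted unverified
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(body_b64)) if hmac.compare_digest(expected, b64url_decode(sig_b64)) else None


def verify_hardened(token: str, secret: bytes):
    """Pins HS256 on the server side and always checks the HMAC, so the header cannot opt out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))
```

The hardened verifier also rejects a token whose signature was produced with a different key, so changing the payload's identity on a legitimately issued token fails for the same reason.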

No Authorization

Let's check the webpage.

Let's create a user called user with a random password.

Let's click Visit Private Space.

Looks like we are user 1. Let's change the ID to 0 and see what happens.

We have the flag and the password.