# Authenticate

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaOvNxtc4q70pyTtRf%2F-MeaQ87-OZGaBD1AU5Y9%2Fimage.png?alt=media\&token=e04dcc06-ae8e-419d-ba96-420d9511fd12)

## Dictionary Attack

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaaMZH51t8O30WU3tP%2F-MebWZKmeKNxbOGMTb16%2Fimage.png?alt=media\&token=526f1bb7-f4b2-4cec-b410-67fcbf4666d9)

Let's first visit the webpage.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebXMyR2Vm_lE7RiE2u%2Fimage.png?alt=media\&token=08da27e7-fed6-49de-8987-66e8fa671fd0)

Now let's capture the request in Burp with random credentials.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebXcx1Ywm4-YQp84Vm%2Fimage.png?alt=media\&token=85d6b2d3-fdad-463a-a4b1-32f1ccb2e171)

Let's send this to Intruder, go to Positions and change some options.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebXuGRTdSbJPIrO1WY%2Fimage.png?alt=media\&token=da4f6546-00b3-4f74-8859-cc3dba369bec)

Now let's go to Payloads, load a password list, and click Start attack.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebYTRYdPchAMFs0MPY%2Fimage.png?alt=media\&token=b00d68c8-8760-436c-b20e-c271a29c5645)

We have the password; let's log in as Jack and get the flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebYgBS9dP1UxxmcYkL%2Fimage.png?alt=media\&token=970d74f9-a2e4-4eb4-82d8-206261eb7c38)

Now let's do the same, but for the user Mike.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebZ2mQRFyrEiOLykQm%2Fimage.png?alt=media\&token=7f0addb4-0c14-45b9-9b1d-949a8f9c7ae5)

We have the password; let's log in and get the flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebZB5c3g3KgjI6aT7I%2Fimage.png?alt=media\&token=5c1f1c1f-ca10-40a0-a59f-d7ca17fb86a0)
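On the defending side, the Intruder run above shows up in the server's own logs as a burst of failed logins from a single client. As an added example, not part of the room or this writeup, here is a small Python detector over constructed log lines; the log format, the "POST /login answered with 401 means a failed attempt" convention and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables: how many failed logins from one client inside the window trip the alert.
THRESHOLD = 10
WINDOW = timedelta(seconds=60)


def parse(line: str):
    """Constructed log format: '<ISO time> <client IP> <method> <path> <status>'."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {client IP: time of first alert} for clients whose failed logins
    (assumed here to be POST /login answered with 401) reach the threshold
    inside a sliding window. Successes and other paths are ignored, so a
    person mistyping a couple of times never trips it. Lines are assumed to be
    in time order per client."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, ip, method, path, status = parse(line)
        if method != "POST" or path != "/login" or status != 401:
            continue
        window_q = recent[ip]
        window_q.append(ts)
        while ts - window_q[0] > window:      # drop failures older than the window
            window_q.popleft()
        if len(window_q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def burst(ip: str, start: datetime, count: int, status: int = 401):
    """Build `count` login attempts from one client, one second apart."""
    return [f"{(start + timedelta(seconds=i)).isoformat()} {ip} POST /login {status}"
            for i in range(count)]


# Constructed sample: an Intruder-style run of 12 failures in 12 seconds from one
# address, beside a legitimate user who fails twice and then logs in (302).
SAMPLE_LOG = (
    burst("10.0.0.5", datetime(2021, 6, 20, 10, 0, 0), 12)
    + burst("10.0.0.9", datetime(2021, 6, 20, 10, 0, 5), 2)
    + burst("10.0.0.9", datetime(2021, 6, 20, 10, 0, 8), 1, status=302)
)
# Constructed sample: 12 failures one minute apart, so no 60-second window ever
# holds THRESHOLD of them and no alert is raised.
SLOW_LOG = [f"{datetime(2021, 6, 20, 10, m).isoformat()} 10.0.0.7 POST /login 401" for m in range(12)]
```

`detect(SAMPLE_LOG)` flags only 10.0.0.5, at the tenth failure, while `detect(SLOW_LOG)` returns nothing.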

## Re-registration

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebZOo_tnwtujoEfQi4%2Fimage.png?alt=media\&token=398688f3-7271-43fd-876c-4ee9bb3751c3)

Let's register as Darren, but with a space in front of the name.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebZmPLScL8rFuNlvNI%2Fimage.png?alt=media\&token=ada9fc90-51cc-4545-9ce6-3a638c5d8f70)

Now let's log in as Darren with the leading space.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Meb_Yw5Sib1FgXBA3GR%2Fimage.png?alt=media\&token=234acd94-c4d3-458a-b5ab-fbd1801c8ee2)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Meb_d0zM-Lo7t8N9uXQ%2Fimage.png?alt=media\&token=ceeaed11-2e9c-41a6-808c-b411b1471838)

Now let's do the same with the username Arthur.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Meb_y86lnhmuo10dT30%2Fimage.png?alt=media\&token=b2dc377d-a1f9-482a-a11e-b87778602971)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Meba1wWRHkFvfBQ3SjF%2Fimage.png?alt=media\&token=f31ed775-91d5-491f-9250-02d6cb85aff7)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Meba9AalPzpa1KnW0wE%2Fimage.png?alt=media\&token=f7275eea-9f5e-409b-8b4d-7d90f5c5e156)
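The trick above works because the server treats " Darren" as a new name when checking uniqueness at registration but as Darren when it later serves the account. As an added example, not the room's code, here is a registration and login pair in Python that share a single canonicalisation step, so the leading-space spelling collides with the existing account instead of shadowing it; the in-memory store and its field names are constructed for the demo.

```python
import unicodedata

# Constructed in-memory account store keyed by the canonical username.
# A real service keeps this in a database with a UNIQUE index on the canonical column.
ACCOUNTS: dict[str, dict] = {}


def canonical(username: str) -> str:
    """Map every spelling that should denote the same account to one key.

    Surrounding whitespace (the room's " Darren" trick), runs of inner spaces,
    Unicode compatibility forms (e.g. fullwidth letters) and letter case are
    folded, so " Darren", "Darren" and "DARREN" all resolve to "darren".
    """
    folded = unicodedata.normalize("NFKC", username)
    return " ".join(folded.split()).casefold()


def register(username: str) -> bool:
    """Create an account; refuse any name that collides with an existing one."""
    key = canonical(username)
    if not key:                 # nothing left after normalisation (e.g. "   ")
        return False
    if key in ACCOUNTS:         # " Darren" lands here because "darren" already exists
        return False
    ACCOUNTS[key] = {"display_name": username.strip(), "private_data": f"{key}'s space"}
    return True


def login_lookup(username: str):
    """The login side uses the same key, so it can never resolve to another user's record."""
    return ACCOUNTS.get(canonical(username))


def reset_with_existing_users():
    """Start from the room's state: Darren and Arthur are already registered."""
    ACCOUNTS.clear()
    for name in ("Darren", "Arthur"):
        register(name)
```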

## JSON Web Token

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Mebb9DhAMo8ZkZKXOUY%2Fimage.png?alt=media\&token=e6b9b295-2d4f-48fa-96bd-6c63422cd3a6)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebbIAiM-qvIWZG_d1_%2Fimage.png?alt=media\&token=7be2cb8b-1f38-4f5f-a4a6-4b57bbc6a830)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebbQrNkFUkj0r2Jl4-%2Fimage.png?alt=media\&token=757a105d-726c-4024-a9ba-23ab6142311d)

Let's follow the steps mentioned above and use admin as the identity.

Let's first visit the webpage.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebbjWB-8-asdS5PRXe%2Fimage.png?alt=media\&token=d77e44e3-2bf3-4526-8843-f36ff5298bc9)

Let's type in a username and a password, then capture the request with Burp. Hit Go after capturing the request and then click Forward; you should see this request (if you don't, click Authenticate, forward the request and then click Go).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebeNKT0_Ef_MBw1qkt%2Fimage.png?alt=media\&token=6636e67b-4fc8-4c19-88b2-0945fda7b1c5)

Now let's decode the first part of the token.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebecrSIAsA0gIo05s-%2Fimage.png?alt=media\&token=151384b3-8a61-41cb-abe1-1b0190304bc2)

Let's change "alg" to none and encode it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebencU0gSfvawaQEuz%2Fimage.png?alt=media\&token=8a433c74-4bc7-4ecd-a263-6c637cca4cd0)

Let's replace the old one with this one.

Now let's copy the second part of the token and decode it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Mebf-e4nFgJMLCD629s%2Fimage.png?alt=media\&token=b643cb8e-a3e8-4e87-861f-39e0b51b6ddd)

Let's change the identity to 0, as admins usually have an id of 0, then encode it and replace the original with it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebfDv8zgcRQpPiz088%2Fimage.png?alt=media\&token=ae71819a-b232-43e1-b649-1f88925a67f7)

Now if you send the request you should get the admin flag; if you don't, you can copy the token from the room and replace the one in the request with it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebgAvWzozpnKGYXFFJ%2Fimage.png?alt=media\&token=f6a216d4-bc18-4775-9f0b-b8ac734e95ee)

Once we forward the request, we get the flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebgF1qhefgILrtrcgI%2Fimage.png?alt=media\&token=cbf700ba-2663-4edb-af40-8161f4787f93)
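The server accepted the edited token because it let the header's "alg" field decide how to verify it. As an added example, not the room's code, here is a stdlib-only Python verifier that pins the algorithm server-side and rejects the alg-none, identity-0 token built above; the secret key, the HS256 choice and the sample `identity` value are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads it from a secret store.
SECRET = b"demo-secret-not-for-production"
# The algorithm is pinned server-side; the token's own "alg" field never chooses it.
ALLOWED_ALGS = {"HS256"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def issue(payload: dict) -> str:
    """Issue an HS256 token the way the room's server would after a valid login."""
    signing_input = f"{encode_segment({'alg': 'HS256', 'typ': 'JWT'})}.{encode_segment(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify(token: str):
    """Return the payload if the token is genuine, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):   # malformed base64, JSON or segment count
        return None
    # Allow-list check first: "none", "None", "NONE" or any other algorithm is rejected
    # before the signature is even looked at, so an empty signature never matters.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

def forged_admin_token(genuine: str) -> str:
    """Rebuild the walkthrough's edit: alg set to none, identity set to 0, signature dropped."""
    _, payload_b64, _ = genuine.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["identity"] = 0
    return f"{encode_segment({'alg': 'none', 'typ': 'JWT'})}.{encode_segment(payload)}."
```

`verify(issue({"identity": 7}))` returns the payload, while `verify(forged_admin_token(...))` returns None, as does a genuine header paired with a re-encoded payload and the original signature.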

## No Authorization

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebgVtzUudqXACR4xp9%2Fimage.png?alt=media\&token=5ef42529-5676-44d0-b81d-f9cb5e1f9115)

Let's check the webpage.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Mebgj27AjwVmuXDDdCH%2Fimage.png?alt=media\&token=6c5902da-08f4-4151-a777-f98eba839400)

Let's create a user called user with a random password.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebgrfF6_HPmHvcSTJS%2Fimage.png?alt=media\&token=6c5b9f80-6884-4f27-b1cb-fec49dd97c8a)

Let's click Visit Private Space.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Mebgy1YuhJgRO_Rn8NJ%2Fimage.png?alt=media\&token=99852960-c1bf-436f-a2e1-d2c05a3a7867)

Looks like we are user 1; let's change it to 0 and see what happens.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-Mebh6OTrwxN6UR3qOwc%2Fimage.png?alt=media\&token=fbc46258-1d5d-4970-93e1-c22390ea6d0d)

We have the flag and the password.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MebX7OQhLt6STF2c0-e%2F-MebhGH8VWgy2V33daW8%2Fimage.png?alt=media\&token=89a0d904-b7db-4bca-bdd4-835cb190e648)
