neighbour

https://tryhackme.com/room/neighbour

Last updated 2 years ago


NEIGHBOUR WRITEUP

By Jacvbtaylor

Used openvpn and Kali Linux
https://tryhackme.com/room/neighbour
Completed Nov 12, 2022

"Check out our new cloud service, Authentication Anywhere -- log in from anywhere you would like! Users can enter their username and password, for a totally secure login process! You definitely wouldn't be able to find any secrets that other people have in their profile, right?"

STEP 1: Recon

Using the provided IP and my nmap automation script, an unencrypted HTTP web server was discovered on port 80.

Upon visiting the site, there is a login page with a username and password field as well as some guidance underneath the login button.

Hitting Ctrl+U on the keyboard opens a new tab with the page source. The source contains a comment indicating that the guest credentials are guest:guest and that visitors should stay away from the admin account.

STEP 2: Login

Using the provided credentials, a guest user login was successful. The URL now reads /profile.php?user=guest. Surely it can't be as easy as changing guest to admin to get unauthorized access...

Step 3: Attack

After changing guest to admin and requesting the updated URL, the attack was successful. I was now the admin user without knowing the admin password.

Remediation:

Avoid exposing private object references and guessable direct identifiers. This authentication bypass is an IDOR (insecure direct object reference): profile.php serves whichever profile the user parameter names instead of validating the request against the logged-in user. If the usernames were replaced with a secure hash or similar unguessable token, pivoting between accounts wouldn't be possible in this manner.
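An added example, not code from the room or this writeup: a small Python model of the profile.php?user= lookup from Step 3, the session-bound fix this remediation describes, and a log check that surfaces attempts. The room's application is PHP; USERS, the function names and the log line format are constructed here for illustration.

```python
"""Model of the /profile.php?user=... IDOR and its remediation (added example)."""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed user store; 'secret' stands in for the profile secrets the room hints at.
USERS = {
    "guest": {"role": "user", "secret": "nothing to see here"},
    "admin": {"role": "admin", "secret": "PLACEHOLDER_SECRET"},
}


def _requested_user(path: str, default: str) -> str:
    """Return the ?user= value from a path, or the default when absent."""
    return parse_qs(urlparse(path).query).get("user", [default])[0]


def vulnerable_profile(session_user: str, path: str) -> Optional[dict]:
    """The writeup's bug: the session only proves *someone* is logged in;
    the profile returned is whatever the URL names."""
    if session_user not in USERS:
        return None  # not logged in
    return USERS.get(_requested_user(path, session_user))  # no ownership check


def hardened_profile(session_user: str, path: str) -> Optional[dict]:
    """Fix: authorisation comes from the server-side session, not the URL.
    Unguessable tokens alone only slow guessing; this check is what closes the bug."""
    if session_user not in USERS:
        return None
    if _requested_user(path, session_user) != session_user:
        return None  # 403 in a real app; don't reveal whether the target exists
    return USERS[session_user]


def flag_idor_attempts(log_lines: list) -> list:
    """Detection: flag requests whose ?user= differs from the session user.
    Constructed log format: '<session_user> <method> <path>'."""
    hits = []
    for line in log_lines:
        session_user, _method, path = line.split()
        if _requested_user(path, session_user) != session_user:
            hits.append(line)
    return hits
```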

[Screenshots: nmap automation script, nmap output, login page, page source, guest profile, admin profile]