Used openvpn and Kali Linux
https://tryhackme.com/room/neighbour
completed Nov 12, 2022
"Check out our new cloud service, Authentication Anywhere -- log in from anywhere you would like! Users can enter their username and password, for a totally secure login process! You definitely wouldn't be able to find any secrets that other people have in their profile, right?"
STEP 1: Recon
Using the provided IP and my nmap automation script, an unencrypted HTTP web server was discovered on port 80.
[Screenshot: nmap scan output]
Upon visiting the site, there is a login page with a username and password field as well as some guidance underneath the login button.
[Screenshot: login page]
Hitting Ctrl+U on the keyboard opens a new tab with the source code. The source code has a comment indicating that the guest username and password are guest:guest and that you should stay away from the admin account.
[Screenshot: page source]
STEP 2: Login
Using the provided credentials, a guest user login was successful. The URL now indicates /profile.php?user=guest. Surely it can't be as easy as changing guest to admin to get unauthorized access...
[Screenshot: guest profile]
STEP 3: Attack
After changing guest to admin and requesting the updated URL, the attack was successful. I was now the admin user without knowing the admin password.
[Screenshot: admin profile]
Remediation:
Avoid exposing private object references and guessable direct identifiers. This authentication bypass is an IDOR (Insecure Direct Object Reference) vulnerability: the application checks that someone is logged in, but never verifies that the logged-in user is authorized to view the profile named in the user parameter. If the usernames were replaced with a secure hash or similar unguessable token, pivoting between accounts wouldn't be possible in this manner.
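The following is an added example, not code from the room or from the original writeup. It models the profile.php behaviour described in Steps 2 and 3 as two small handlers, the IDOR-vulnerable one next to a hardened one that derives the identity from the session, and adds a log check a defender could run to spot the same pattern. The session table, profile contents, secret placeholder and log lines are all constructed for the example; the function names are assumptions, not the room's code.

```python
"""Added example (not from the TryHackMe room or the original writeup):
a minimal model of a profile endpoint with the IDOR flaw beside its fix,
plus a log check for the same pattern. All data below is constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the application's user table.
# The admin value is a placeholder, not the room's real secret.
PROFILES = {
    "guest": "guest has nothing interesting here",
    "admin": "FLAG{placeholder-not-the-real-flag}",
}

# Constructed session store: session cookie -> authenticated username.
SESSIONS = {
    "sess-guest-1234": "guest",
    "sess-admin-9999": "admin",
}


@dataclass
class Response:
    status: int
    body: str


def profile_vulnerable(session_id: Optional[str], user_param: str) -> Response:
    """Mirrors the flaw in the writeup: authentication is checked, but the
    profile returned is whatever ?user= names, with no ownership check."""
    if session_id not in SESSIONS:
        return Response(302, "redirect to login")
    if user_param not in PROFILES:
        return Response(404, "no such user")
    return Response(200, PROFILES[user_param])  # IDOR: any logged-in user, any profile


def profile_hardened(session_id: Optional[str], user_param: str) -> Response:
    """The authorization decision comes from the server-side session. The URL
    parameter is only honoured when it matches the authenticated identity."""
    if session_id not in SESSIONS:
        return Response(302, "redirect to login")
    current_user = SESSIONS[session_id]
    if user_param != current_user:
        # A logged-in user asked for someone else's object: deny and log it.
        return Response(403, "forbidden")
    return Response(200, PROFILES[current_user])


def find_idor_attempts(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection over constructed access-log lines of the form
    '<session> <method> <path>': flag requests whose ?user= value differs
    from the session's own user. Returns (session_user, requested, path)."""
    hits = []
    for line in log_lines:
        session_id, _method, path = line.split()
        session_user = SESSIONS.get(session_id)
        if session_user is None:
            continue  # unauthenticated hits are already sent to the login page
        query = parse_qs(urlparse(path).query)
        requested = query.get("user", [None])[0]
        if requested is not None and requested != session_user:
            hits.append((session_user, requested, path))
    return hits


# Constructed log lines: a normal guest view, the guest-to-admin pivot from
# the writeup, a legitimate admin view, and an unauthenticated request.
SAMPLE_LOG = [
    "sess-guest-1234 GET /profile.php?user=guest",
    "sess-guest-1234 GET /profile.php?user=admin",
    "sess-admin-9999 GET /profile.php?user=admin",
    "nosession GET /profile.php?user=admin",
]

if __name__ == "__main__":
    print("vulnerable:", profile_vulnerable("sess-guest-1234", "admin"))
    print("hardened:  ", profile_hardened("sess-guest-1234", "admin"))
    print("flagged:   ", find_idor_attempts(SAMPLE_LOG))
```

Replacing usernames with unguessable tokens, as the remediation above suggests, makes the identifier harder to guess; the 403 branch in profile_hardened is what actually closes the hole, because it no longer matters what value the client puts in the URL. The log check is the detection counterpart: a parameter that names a user other than the session's own is exactly the request that Step 3 made.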