neighbour
https://tryhackme.com/room/neighbour
Last updated
By Jacvbtaylor
"Check out our new cloud service, Authentication Anywhere -- log in from anywhere you would like! Users can enter their username and password, for a totally secure login process! You definitely wouldn't be able to find any secrets that other people have in their profile, right?"
Using the provided IP and my nmap automation script, an unencrypted HTTP web server was discovered on port 80.
Upon visiting the site, there is a login page with a username and password field as well as some guidance underneath the login button.
Hitting Ctrl+U on the keyboard opens a new tab with the page source. The source contains a comment indicating that the guest username and password are guest:guest and that visitors should stay away from the admin account.
Using the provided credentials, a guest user login was successful. The URL now reads /profile.php?user=guest. Surely it can't be as easy as changing guest to admin to get unauthorized access...
After changing guest to admin in the URL and requesting the updated page, the attack was successful. I was now the admin user without knowing the admin password.
Avoid exposing private object references and guessable direct identifiers in URLs. This authentication bypass is an IDOR (insecure direct object reference) vulnerability: the application reads the target user straight from the query string and never checks that it matches the user bound to the authenticated session. If the usernames were replaced with a secure hash or other similar token, pivoting between accounts wouldn't be accomplished in this manner.
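The following is an added example, not code from the room or from this write-up's author. The site in the room is PHP; this Python model of the /profile.php?user=... endpoint stands in for it so the flawed and fixed handlers can be compared side by side. It shows the vulnerable handler that trusts the query string, a hardened handler that serves only the profile bound to the server-side session, and the opaque-token variant the paragraph above suggests, which still performs the ownership check because hiding identifiers alone does not remove the authorization gap. All names (PROFILES, Session, login, profile_token, the admin password and admin "secret") are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the site's user table. The admin
# "secret" is a placeholder, not the room's flag.
PROFILES = {
    "guest": {"display": "Guest", "secret": "nothing interesting here"},
    "admin": {"display": "Administrator", "secret": "ADMIN-SECRET-PLACEHOLDER"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the constructed store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed password store. guest:guest matches the credentials leaked in
# the page source; the admin password is a placeholder chosen here.
_SALTS = {name: secrets.token_bytes(16) for name in PROFILES}
_PASSWORDS = {
    "guest": _hash_password("guest", _SALTS["guest"]),
    "admin": _hash_password("placeholder-admin-password", _SALTS["admin"]),
}

# Server-side key used to derive opaque, non-guessable profile identifiers.
_ID_KEY = secrets.token_bytes(32)


@dataclass
class Session:
    """Identity established at login and kept server-side, never in the URL."""
    user: str
    sid: str


def login(username: str, password: str) -> Optional[Session]:
    """Verify credentials; on success issue a session bound to the username."""
    if username not in _PASSWORDS:
        return None
    candidate = _hash_password(password, _SALTS[username])
    if not hmac.compare_digest(candidate, _PASSWORDS[username]):
        return None
    return Session(user=username, sid=secrets.token_urlsafe(32))


def vulnerable_profile(session: Session, query_user: str):
    """Models /profile.php?user=<name> as found in the room: the caller is
    authenticated, but the object reference comes straight from the query
    string with no check that it belongs to the session. Returns (status, body)."""
    if query_user not in PROFILES:
        return 404, None
    return 200, PROFILES[query_user]  # any logged-in user can read any profile


def hardened_profile(session: Session, query_user: Optional[str] = None):
    """Authorization fix: the profile served is always the one bound to the
    session. A client-supplied user that differs from the session is refused."""
    if query_user is not None and query_user != session.user:
        return 403, None
    return 200, PROFILES[session.user]


def profile_token(username: str) -> str:
    """Opaque identifier for URLs instead of the raw username (the page's
    suggestion). A keyed HMAC cannot be computed or enumerated without the
    server key, so references stop being guessable. This complements the
    ownership check; it does not replace it."""
    return hmac.new(_ID_KEY, username.encode(), hashlib.sha256).hexdigest()


def hardened_profile_by_token(session: Session, token: str):
    """Token-based variant: the token must match the session's own identity."""
    expected = profile_token(session.user).encode()
    if not hmac.compare_digest(token.encode(), expected):
        return 403, None
    return 200, PROFILES[session.user]


if __name__ == "__main__":
    guest = login("guest", "guest")
    print("vulnerable ?user=admin ->", vulnerable_profile(guest, "admin")[0])
    print("hardened  ?user=admin ->", hardened_profile(guest, "admin")[0])
```

Run stand-alone, the script logs in as guest and shows the vulnerable handler returning 200 for the admin profile while the hardened handler returns 403 for the same request. The design point is that the identity used for the lookup comes from the session, and the query parameter (or token) is only ever compared against it, never used as the lookup key on its own.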