We covered broken authentication, session hijacking and information disclosure as part of the HTB OWASP Top 10 track, using two HackTheBox challenges: Baby Auth and Baby Nginxatsu.

Baby Auth Challenge

The challenge description, “who needs session Integrity these days,” hinted at session hijacking or weakly encoded cookies. I started by creating a new user account (“test” with password “test123”) to understand the authentication mechanism. Using Burp Suite, I intercepted the login request to examine the session parameters and noticed a PHP session ID cookie.

Using CyberChef, I identified the cookie value as Base64. Decoding it revealed simply “username=test”. This is the weakness: the cookie was derived directly from the username, with no signature and no server-side session lookup, so encoding is the only thing standing between a client and any identity it chooses. I Base64-encoded the same string with the username swapped for “admin” to create a new cookie. By replacing the original cookie with this “admin” cookie in Burp Suite and forwarding the request, I gained admin access and retrieved the flag.
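To make the weakness concrete, here is an added Python example (not code from the challenge or the write-up). It reproduces the cookie scheme described above, performs the same decode/swap/re-encode forgery, and places an HMAC-signed cookie beside it to show what “session integrity” would have cost the server. The secret key, the URL-safe encoding of the signed variant and the function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Assumed server-side secret for the hardened variant; nothing from the challenge.
SECRET_KEY = b"server-side-secret-never-sent-to-client"


def make_weak_cookie(username: str) -> str:
    """Reproduce the challenge's cookie: Base64 of 'username=<name>', no integrity at all."""
    return base64.b64encode(f"username={username}".encode()).decode()


def parse_weak_cookie(cookie: str) -> Optional[str]:
    """What a server that trusts encoding does: decode the value and believe it."""
    try:
        raw = base64.b64decode(cookie, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    key, sep, value = raw.partition("=")
    return value if sep and key == "username" else None


def forge_weak_cookie(captured_cookie: str, new_username: str) -> str:
    """The attack from the write-up: decode the captured cookie, swap the username, re-encode."""
    if parse_weak_cookie(captured_cookie) is None:
        raise ValueError("cookie is not in the expected username=<name> form")
    return make_weak_cookie(new_username)


def make_signed_cookie(username: str, key: bytes = SECRET_KEY) -> str:
    """Hardened variant: same payload plus an HMAC-SHA256 tag over it, keyed with a server secret."""
    payload = base64.urlsafe_b64encode(f"username={username}".encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def parse_signed_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Verify the tag before trusting the payload; compare_digest avoids a timing side channel."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        raw = base64.urlsafe_b64decode(payload).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    k, s, value = raw.partition("=")
    return value if s and k == "username" else None


def forge_signed_cookie_without_key(captured_cookie: str, new_username: str) -> str:
    """Same swap an attacker would try against the signed cookie: they can re-encode the
    payload but cannot recompute the tag, so the old tag is reused and verification fails."""
    _payload, _, tag = captured_cookie.rpartition(".")
    new_payload = base64.urlsafe_b64encode(f"username={new_username}".encode()).decode()
    return f"{new_payload}.{tag}"


if __name__ == "__main__":
    captured = make_weak_cookie("test")  # what Burp showed after logging in as "test"
    print("captured:", captured, "->", parse_weak_cookie(captured))
    forged = forge_weak_cookie(captured, "admin")
    print("forged:  ", forged, "->", parse_weak_cookie(forged))
    signed = make_signed_cookie("test")
    tampered = forge_signed_cookie_without_key(signed, "admin")
    print("signed cookie tamper accepted?", parse_signed_cookie(tampered) is not None)
```

The point of the signed variant is not secrecy (the username is still readable by anyone who Base64-decodes the payload) but integrity: without the server key, no client can produce a tag that verifies for a payload it chose. A server-side session store that maps an opaque random ID to the user is the other standard fix.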

Baby Nginxatsu Challenge

Similar to the first challenge, I started by registering a new user (“test” with password “test123”) and intercepted the login request with Burp Suite. This time the session token appeared to be encrypted rather than merely encoded, so I moved on from trying to manipulate it directly.

The application presented a page for generating Nginx configuration files. After generating a configuration, I noticed a comment in the generated file: “we sure hope so that we don’t spill any secrets within the open directory /storage”. Navigating to the /storage directory, which had directory listing enabled, I found a compressed backup file, which I downloaded.

After extracting the archive, I found an SQLite database file. Using SQLite Browser, I examined the tables and found a “users” table containing usernames and hashed passwords. I identified the hash type as MD5 using an online hash identifier (such tools only guess from length and character set, since a 32-character hex string can also be, for example, NTLM; the successful run with John’s raw-md5 format is what confirms it). I then used John the Ripper to crack the admin user’s unsalted MD5 hash. With the cracked password (“admin1”), I logged in as admin and obtained the flag.
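To show the offline half of that workflow in code, here is an added Python example (not from the write-up or the challenge). It builds a constructed in-memory stand-in for the leaked users table with unsalted MD5 hashes, identifies the hash format by length and alphabet the way an online identifier does, emits the user:hash lines that John reads from hash.txt, and runs a small dictionary attack. The table layout, the passwords, the wordlist and the function names are assumptions; the real database and the john command line are the ones shown in this post.

```python
import hashlib
import re
import sqlite3
from typing import Dict, List, Optional

# Constructed sample data: the hashes are generated here from known passwords so the
# example runs offline. In the challenge these came from the backup's SQLite file.
SAMPLE_USERS = {"admin": "admin1", "test": "test123"}
WORDLIST: List[str] = ["password", "123456", "admin", "letmein", "admin1", "test123"]

# Length/alphabet guesses, the same heuristic an online identifier uses. A 32-hex
# match is only a candidate (NTLM is also 32 hex); cracking with the format confirms it.
HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "SHA-1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "SHA-256": re.compile(r"^[0-9a-f]{64}$", re.I),
}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory users table that mirrors what SQLite Browser showed."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    for name, pw in SAMPLE_USERS.items():
        con.execute(
            "INSERT INTO users (username, password) VALUES (?, ?)",
            (name, hashlib.md5(pw.encode()).hexdigest()),  # unsalted MD5, as in the leak
        )
    con.commit()
    return con


def dump_users(con: sqlite3.Connection) -> Dict[str, str]:
    """username -> stored hash, i.e. the query you would run against the real backup."""
    return dict(con.execute("SELECT username, password FROM users"))


def identify_hash(digest: str) -> str:
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(digest):
            return name
    return "unknown"


def to_john_file(con: sqlite3.Connection) -> str:
    """Lines in the 'user:hash' form John accepts for --format=raw-md5."""
    return "\n".join(f"{user}:{digest}" for user, digest in dump_users(con).items())


def crack_md5(target: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack: unsalted MD5 means one hash per candidate, no per-user work."""
    target = target.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def crack_users(con: sqlite3.Connection, wordlist: List[str]) -> Dict[str, str]:
    """Crack every MD5-looking hash in the table; returns username -> recovered password."""
    recovered = {}
    for user, digest in dump_users(con).items():
        if identify_hash(digest) != "MD5":
            continue
        password = crack_md5(digest, wordlist)
        if password is not None:
            recovered[user] = password
    return recovered


if __name__ == "__main__":
    db = build_sample_db()
    print(to_john_file(db))  # what you would save as hash.txt before running john
    print(crack_users(db, WORDLIST))
```

Because the hashes are unsalted, the same wordlist pass cracks every user at once, which is why a backup of this table is as good as a password file. Storing passwords with a salted, slow hash (bcrypt, scrypt or Argon2) would have left the leaked backup far less useful.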

Technical Commands

  • wget http://[target]/storage/[filename.tar.gz]
  • ls
  • tar zxvf [filename.tar.gz]
  • cd database
  • sqlitebrowser
  • nano pass.txt
  • john hash.txt
  • john --format=raw-md5 hash.txt

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.