Authentication Bypass

In this assignment, you will:

  1. Perform black-box vulnerability discovery on a web app
  2. Exploit multiple vulnerabilities to authenticate to the app

Authentication Bypass

Authentication bypass vulnerabilities arise when – as the name implies – an attacker is able to circumvent an intended authentication procedure in order to assume the identity of a trusted user. This vulnerability class encompasses a wide variety of attack techniques, including account brute force attacks, credential stuffing, offline password cracking, session cookie exfiltration, and more.

You have been tasked with exploiting a vulnerable login-protected web app hosted at http://auth.nëu.lol:port, where port = 7979 + group. Unfortunately, the source code for the app is not available. Instead, you have been provided with limited intelligence on the target.

  • Leaked string: 5bvN50CO6NyI79iAjTJPm35GOVh13kjM8L//MuK4HIc=
  • Account brute-forcing defenses are deployed and active
  • Login page takes a parameter c
  • Valid accounts: root, peter
  • There are four registered accounts
  • There are at least three vulnerabilities

Submission Instructions

  1. Upload a tgz archive to Canvas containing the following files:
    • A README.md describing
      • The vulnerabilities you found (two for full credit)
      • The secrets you obtained
      • How your exploits work
      • How you would patch the exploits you found
    • The source code for your exploits
  2. Extra credit. As above for three vulnerabilities.

© 2022 wkr