TryHackMe: CyberHeros

Want to be a part of the elite club of CyberHeroes? Prove your merit by finding a way to log in!

CyberHeros Room by TryHackMe and Cmnatic.

Task 1 - CyberHeros

Access this challenge by deploying both the vulnerable machine by pressing the green "Start Machine" button located within this task, and the TryHackMe AttackBox by pressing the "Start AttackBox" button located at the top-right of the page.

Navigate to the following URL using the AttackBox: http://MACHINE-IP

Ok, so let's jump across to the webpage

Not much there, let's click Login

Trying some simple SQLi to test but keep getting a failure...

Hmmm, OK, let's be smart and jump into the source code to see if it is posting anywhere else...

    <section id="hero" class="d-flex flex-column justify-content-center align-items-center">
      <div class="hero-container">
        <br><br><br><br>
        <div class="">
          <div class="form">
          <h4 id="flag"></h4>
            <form id="todel"class="">
              <div class="section-title">
                <h2>Login</h2>
                <h4>Show your hacking skills and login to became a CyberHero ! :D</h4>
              </div>
              <input type="text" id="uname" placeholder="username"/>
              <input type="password" id="pass" placeholder="password"/>
            </form>
            <button id="rm" onclick="authenticate()">login</button>
          </div>
        </div>
      </div>
    </section>

From the above we can see the login button calls the JavaScript function authenticate(), so let's take a look at that; it is a bit further down the page.

  <script>
    function authenticate() {
      a = document.getElementById('uname')
      b = document.getElementById('pass')
      const RevereString = str => [...str].reverse().join('');
      if (a.value=="[REDACTED]" & b.value==RevereString("[REDACTED]")) { 
        var xhttp = new XMLHttpRequest();
        xhttp.onreadystatechange = function() {
          if (this.readyState == 4 && this.status == 200) {
            document.getElementById("flag").innerHTML = this.responseText ;
            document.getElementById("todel").innerHTML = "";
            document.getElementById("rm").remove() ;
          }
        };
        xhttp.open("GET", "[REDACTED]"+a.value+"_"+b.value+".txt", true);
        xhttp.send();
      }
      else {
        alert("Incorrect Password, try again.. you got this hacker !")
      }
    }
  </script>

Oh, this looks easy... it looks like the username and password are static in the JavaScript...

      if (a.value=="[REDACTED]" & b.value==RevereString("[REDACTED]")) { 

So the username (a.value) is compared directly with the first hard-coded string, while the password (b.value) is compared with the second hard-coded string reversed... CyberChef to the rescue...

Using these 2 values we are then able to complete the login process...

Just one more thing......

You do not even need to log in: once you know the username and password, you can simply build the URI passed to xhttp.open and go directly to the text file.

    xhttp.open("GET", "[REDACTED]"+a.value+"_"+b.value+".txt", true);
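The weakness in this room is that both the credential comparison and the location of the protected file are visible to the browser. As an added example (not part of the room or of this write-up's original code), the Node.js code below moves the check to the server and returns the protected content only from the handler; the account, password, secret and function names are all constructed for illustration.

```javascript
// Added example: server-side credential check (Node.js standard library only).
const crypto = require('node:crypto');

// Constructed demo account. In a real deployment the salt and hash come from
// a user store, and no password ever appears in code sent to a browser.
const SALT = crypto.randomBytes(16);
const USERS = new Map([
  ['demo-user', crypto.scryptSync('constructed-demo-password', SALT, 32)],
]);
// Decoy hash so unknown usernames cost the same work as known ones.
const DECOY = crypto.scryptSync('decoy', SALT, 32);

// Hypothetical protected content: held server-side, not in a static file
// whose name can be assembled from the credentials.
const PROTECTED_CONTENT = 'constructed-secret-value';

function verifyLogin(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  const known = USERS.has(username);
  const expected = known ? USERS.get(username) : DECOY;
  const actual = crypto.scryptSync(password, SALT, 32);
  // Constant-time comparison; both buffers are always 32 bytes.
  const match = crypto.timingSafeEqual(actual, expected);
  return known && match;
}

// Handler logic kept separate from the http module so it can be unit-tested.
function handleLogin(rawBody) {
  let creds;
  try {
    creds = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: 'malformed request' };
  }
  if (creds === null || typeof creds !== 'object') {
    return { status: 400, body: 'malformed request' };
  }
  if (!verifyLogin(creds.username, creds.password)) {
    // Same response for unknown user and wrong password.
    return { status: 401, body: 'invalid credentials' };
  }
  return { status: 200, body: PROTECTED_CONTENT };
}
```

With this layout, reading the page source reveals neither the credentials nor a guessable path to the protected content.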
