THM Authentication Bypass
Вставка
- Опубліковано 22 жов 2021
- This is the next box in the series of Junior Pentesting learning path. This teaches basic authentication bypass techniques. Great box a lot of fun!
Patreon to help support the channel! Thank you so much!
/ stuffy24
Hacker Discord
/ discord - Наука та технологія
Get 20% OFF @manscaped + Free Shipping with promo code STUFFY24 at MANSCAPED.com! #ad #manscapedpod
I have been stuck on task 3 for ages man, i dont think i would of ever found a solution for that task if it wasn't for this video, thanks man.
No problem man! Sometimes these boxes get wonky that's when it helps to know what they are trying to accomplish and use a different method !
Needed help w task 3 but smooth sailing after that, this stuff is becoming a lot easier to understand. Thanks for all your help.
That's awesome! It's great to see that progress !
I had been stuck at task 4 for the last 2 hours man, trying to understand whats really happening behind the scenes. You explained it so well!! Thank you so much man
Thank you! I'm definitely trying to help anyone that needs because I've been there and hell still get stuck on stuff all the time ! Glad to see it's helping!
thank you dude I was worried and disappointed with task 3.
Your explanation made my day thank you!
Thank you man means a lot!
In reference to the FFuF command that THM sets for you on tast 3: I think the reason it was not accepting the input is that when you created the valid_usernames.txt file, you stored the entire output from the FFuF command from task 2. For the prescribed command in task 3 to work, the text file should only contain the four usernames, and none of the metadata that was created by the command in task 2. To fix, simply create a new text file with the 4 usernames listed over 4 lines, and use that as Wordlist 1/W1.
Good catch!
@@stuffy24 Thanks! The video was very helpful too, thank you!
Yea.. That's why some people were making valid_password file with that four names only.. Not saving entire ffuf commands as output
I finally got it to work with this way. I was editing the text file but there much have been some hidden formatting that caused the error. All my outputs with the filter removed had a random 'steve' in there. Either way, thanks for the tip and the video OP
@@danmiller7709 I know this is such a late reply so i'm sorry! Strange, I initially tried it with a text file only including the four usernames and still got an error :/
Thank you for making this :) very helpful for me since i also got stuck on the brute force section
Thank you for the helpful video. Please keep doing this.
Thank you man !!
Awesome explaination. I was so lost on the logic flow and was not understanding that I needed to make an account what was not robert lmao.
Thanks dude!
Of course! It doesn't just come easy to me either!
Thanks so much for explaining your method/logic. Very helpful to noobs like myself
Thank you man! I try to explain it as if the person has no prior knowledge because when i was learning the basics it was hard to find good explanations!
@@stuffy24 It's very much appreciated.
Someone give this man a nobel peace price cuz I was gon break my screen for task 3!
got stucked on this, thanks to you
Hopefully you mean unstuck lol
Thanks this video is so helpful.
Thank you! Looking to finish the series soon but as you guys probably know a huge attack was poc this weekend and I have been swamped with it
Thank you!!! :-)
Thanks Man
Good job bro.
Thank you bro, I was stuck for BruteForce
Thank you :)
Anyone trying this now, current version of Kali has SecLists directory all lowercase which you will need to change if copy/pasting from thm.
Thank you!
Thank you very much stuffy24 for the upload! Very well explained, even for me as a beginner! I stucked, even in a writeup, because I liked to do the FFUF tool, which I didn't knew,, (I use gobuster, dirsearch, dirbuster,,,) in PARROT,, but it didn worked well, because the commands are problematic, and the fail codes I didn understand, so I have to switch to the ATTACK BOX which I dont like! (copy and paste is cumbersome,) ,, Anyway I made it with your help!
Take care, stay safe,,, greetings from germany PS: Abo is done! You deserve more
Thank you!! The support is great to see! I'm glad I can help. Awesome to see I'm able to help all the way in Germany also! Love Germany and wish you the best!
@@stuffy24 Thank you and greeting to the USA! I travelled in the 80th and 90th a lot in the US and I had a great time. People was so friendly and open hearted,,,(here, I live in the black forrest area,) , its not the same...I like to travel again, but Corona destroy the hope, and there a so many restrictions, hard to get a visa, even after Trump deside NOT like the germans (europeans) anymore,,,it´s also the fault of Merkel! She destroy the friendship! Anyway, did you travel to germany or europe? I see, you published a lot of videos! I will look some, and try to comment! In this video I saw your video picture is very big and covered the THM site! Maybe not a problem, but you should flash the THM answer site, when you finish, the room! Just a thought! take care!
I actually really liked Germany! I have traveled a lot around the world and I hope to continue. It's awesome to see some great suggestions! I think I am going to do your suggestions for showing the answer site! That's a great idea thank you
@@stuffy24 It´s great you travel in your younger years! This will open your eyes for the future, to understand other cultures and people! Big advantage! for life!
Thanks for the video very helpful. What if you want to run for a large number of wordlists this would be tasking. What is the best way to go about this? Any idea?
My best suggestion if using the same method would be to consolidate all your wordlists to just 1. Would take a little longer than running simultaneously but would be less taxing.
Hi there, many thanks for this great walkthrough. Task 3 is really driving me nuts for quite a bit of time now. I'm still doing something wrong. No matter if I'm using the created valid_usernames.txt file (only containing the four usernames listed over four lines) or your method, as soon as I add -fc 200 at the end of the command, I'm only getting nasty errors. Without it, it shows me all the Status 200 returns which also include the password in combination with the username. But that's not the purpose of the exercise, right?
Well I'm not sure what's going on with that it should be getting those errors out of there for you but that's OK if you can do it without filtering for the 200 and can still manually go through and see the passwords by doing it the long way! That's what hacking is all about! Finding ways to make it work even when it may be a different way than what worked for me or someone else !
That's the right spirit, for sure. Thank you for the encouragement.
Hello, could you please help me. Why the progress takes so much time, and i can not find the users like you show
discord.gg/hg7WF26r Join this discord and put your question with screenshots in the questions discord and ill be able to tell you but i cant just based off that info.
Thank you!!! :D
No problem!
Any other boxes you want to see just throw them in these comments and ill try to do it as fast as i can for you!
thanks
Thank you!
Hi, please someone help me : Do I need to be in Desktop before typing ffuf…..?
Please hop in discord and share screenshots
Hi stuffy24,
I tried to join the discord server but I am getting a message link has expired. Please could you help with a valid link.
Thank you.
Yes sir I will get a link that doesn't expire posted for you!
discord.gg/GUKRCFtYc6
I have the problem where i dont have result(only status) no passwords no usernames
Make sure your syntax is exactly the same and you understand what your doing so that you can troubleshoot these issues. It would be very difficult for me to troubleshoot over comments since i cant see your screen or what you are typing. Feel free to join the discord and try to get some help there also. discord.gg/KzzGfnKjCS
Im having an issue getting my names to appear in the terminal. Please help me
Can you give me a little more detail of the issue ?
@@stuffy24 Can I email you a picture of the command I put in and the result I get ?or does direct message on here allow picture to be sent?
discord.gg/aRt5udRc join my hacker discord and put the question in there. I will answer it if I can
@@stuffy24 okay, thank you !
I have a problem with the base-64 decoding to appear correctly from the THM Attack Box machine. But, when I went to the base64 website and ran it there, I was able to see the flag. THM is glitchy.
If you run it with the flag -s, it will only output the usernames. If you add > valid_usernames.txt it will write it to the file.
Thank you! Another useful tip!
Thank you!!! :-)