brain_fuck
Checklists
Checklists
  • 📁What Is It
  • 🐧Linux Hardening
    • Privilege Escalation - Linux
      • SUDO
      • Kernel Exploit
      • SUID or SGID
      • Capabilities
      • Cron Jobs
      • PATH Hijacking
      • NFS (Network File Sharing)
  • 🖼️Windows Hardening
    • Privilege Escalation - Windows
      • Abusing dangerous privileges
      • Abusing Service Misconfigurations
      • Abusing Vulnerable Software
      • Recopilación de contraseñas en sitios habituales
      • Otras escaladas
    • AD - Active Directory
      • Basic AD
      • Samba & NTML Relay
      • Pass The Hash (PTH)
      • Kerberoasting Attack
      • Golden Ticket & Pass The Ticket (PTT)
  • 🧰Tools
    • Nmap
    • John the Ripper
      • zip2john
    • Gobuster
    • Smbmap
    • Smbclient
    • WPScan
    • GitHack
    • Chisel
      • Proxychains/Sock
    • Hydra
    • Msfvenom
    • CrackMapExec
    • Psexec
    • BloondHound
    • Rpcclient
    • Ldapdomaindump
    • Evil-wmr
    • Burpsuite
    • KeyHunter
  • 📡Ports
    • 21 - FTP
    • 22 - SSH
    • 25 - SMTP
    • 53 - DNS
    • 443 - HTTPS
    • 139;445 - SMB
    • 3389 - RDP
    • 5985 - Wsman
  • 🍎Red - Bash Scripting
    • Pivoting
  • 🧙‍♂️Pentesting Methodology
    • Pivoting
      • Ligolo-ng
  • 🌐OSINT
    • Gps-Coordinates
    • GPG
    • Sherlock
    • Whatsmyname
    • Wiggle
    • Image & Geospatial Intelligence
    • FFmpeg - Geolocating Videos
  • 🗒️TO-DO
  • 🕷️HTB-CBBH
    • Web Requests - Fundamentals
      • HTTP Fundamentals
        • HyperText Transfer Protocol (HTTP)
          • Hypertext Transfer Protocol Secure (HTTPS)
        • HTTP Requests and Responses
        • HTTP Headers
      • HTTP Methods
        • HTTP Methods & Codes
        • GET
        • POST
        • CRUD API
    • Introduction to Web Applications - Fundamentals
      • Front Components & Vulns
      • Back End Components & Vulns
    • Hacking WordPress
      • Info
      • Enumeration
      • Exploitin
    • Using Web Proxies
      • Web Proxy
      • Web Fuzzer
      • Extensions
    • Information Gathering - Web Edition
      • DNS & Subdomains
    • Attacking Web Applications with Ffuf
      • Fuzzing
    • JavaScript Deobfuscation
      • Deobfuscation & Decode
    • Cross-Site Scripting (XSS)
      • XSS Basics
      • XSS Phishing
      • Blind XSS - Session Hijacking
    • SQL Injection
      • Databases & Queries
      • SQL Injections
      • Exploitation
        • Database Enumeration
        • Reading Files
        • Writing Files
      • Skill Assessment
    • SQLMap Essentials
      • Building Attacks
Powered by GitBook
On this page
  • HTTP Basic Auth
  • HTTP Authorization Header
  • GET Parameters
  1. HTB-CBBH
  2. Web Requests - Fundamentals
  3. HTTP Methods

GET

PreviousHTTP Methods & CodesNextPOST

Last updated 1 month ago

HTTP Basic Auth

Unlike the usual login forms, which utilize HTTP parameters to validate the user credentials (e.g. POST request), this type of authentication utilizes a basic HTTP authentication, which is handled directly by the webserver to protect a specific page/directory, without directly interacting with the web application.

To access the page, we have to enter a valid pair of credentials, which are admin:admin in this case:

Once we enter the credentials, we would get access to the page:

Let's try to access the page with cURL, and we'll add -i to view the response headers:

eldeim@htb[/htb]$ curl -i http://<SERVER_IP>:<PORT>/
HTTP/1.1 401 Authorization Required
Date: Mon, 21 Feb 2022 13:11:46 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, must-revalidate, max-age=0
WWW-Authenticate: Basic realm="Access denied"
Content-Length: 13
Content-Type: text/html; charset=UTF-8

Access denied

As we can see, we get Access denied in the response body, and we also get Basic realm="Access denied" in the WWW-Authenticate header, which confirms that this page indeed uses basic HTTP auth, as discussed in the Headers section. To provide the credentials through cURL, we can use the -u flag, as follows:

eldeim@htb[/htb]$ curl -u admin:admin http://<SERVER_IP>:<PORT>/
<!DOCTYPE html>
<html lang="en">

<head>
...SNIP...

####

eldeim@htb[/htb]$ curl http://admin:admin@<SERVER_IP>:<PORT>/
<!DOCTYPE html>
<html lang="en">

<head>
...SNIP...

There is another method we can provide the basic HTTP auth credentials, which is directly through the URL as (username:password@URL), as we discussed in the first section. If we try the same with cURL or our browser, we do get access to the page

HTTP Authorization Header

If we add the -v flag to either of our earlier cURL commands:

eldeim@htb[/htb]$ curl -v http://admin:admin@<SERVER_IP>:<PORT>/

*   Trying <SERVER_IP>:<PORT>...
* Connected to <SERVER_IP> (<SERVER_IP>) port PORT (#0)
* Server auth using Basic with user 'admin'
> GET / HTTP/1.1
> Host: <SERVER_IP>
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.77.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 21 Feb 2022 13:19:57 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Cache-Control: no-store, no-cache, must-revalidate
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1453
< Content-Type: text/html; charset=UTF-8
< 

<!DOCTYPE html>
<html lang="en">

<head>
...SNIP...

As we are using basic HTTP auth, we see that our HTTP request sets the Authorization header to Basic YWRtaW46YWRtaW4=, which is the base64 encoded value of admin:admin. If we were using a modern method of authentication (e.g. JWT), the Authorization would be of type Bearer and would contain a longer encrypted token.

Let's try to manually set the Authorization, without supplying the credentials, to see if it does allow us access to the page. We can set the header with the -H flag, and will use the same value from the above HTTP request. We can add the -H flag multiple times to specify multiple headers:

eldeim@htb[/htb]$ curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://<SERVER_IP>:<PORT>/

<!DOCTYPE html
<html lang="en">

<head>
...SNIP...

GET Parameters

Once we are authenticated, we get access to a City Search function, in which we can enter a search term and get a list of matching cities:

We can enter any search term and hit enter, and we will immediately notice a new request being sent to the backend:

Now, we can send the same request directly to search.php to get the full search results, though it will probably return them in a specific format (e.g. JSON) without having the HTML layout shown in the above screenshot.

eldeim@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/search.php?search=le' -H 'Authorization: Basic YWRtaW46YWRtaW4='

Leeds (UK)
Leicester (UK)

Note: The copied command will contain all headers used in the HTTP request. However, we can remove most of them and only keep necessary authentication headers, like the Authorization header.

We can also repeat the exact request right within the browser devtools, by selecting Copy>Copy as Fetch. This will copy the same HTTP request using the JavaScript Fetch library.

🕷️