
For a school project I'm trying to make a challenge for a pentesting class. For the challenge the students have to bruteforce the password as soon as they have guessed the right username from a possible list of usernames that I have provided. They know the right username because they should use the username enumeration tactic. When they get the correct username and password they should get a flag sentence/word that they have to submit below to complete the challenge. It seems my check doesn't go any further than my first if statement in my controller. I have tried numerous things but nothing seems to fix this. Below you will see the code I used.

Blade.php

<x-app-layout>
    <x-slot name="header">
        <h2 class="font-semibold text-xl text-gray-800 leading-tight">
            {{ __('Challenge #2') }}
        </h2>
        @if(\Illuminate\Support\Facades\DB::table('completed_challenges')->where('user_id',\Illuminate\Support\Facades\Auth::id())->where('challenge',2)->count())
            <h3>COMPLETED</h3>
        @endif
    </x-slot>

    <div class="py-12">
        <div class="max-w-7xl mx-auto sm:px-6 lg:px-8">
            <div class="bg-white overflow-hidden shadow-sm sm:rounded-lg">
                <div class="p-6 bg-white border-b border-gray-200">
                    <form method="POST" action="{{ route('challenge2FormHandler') }}">
                        @csrf
                        <label for=”username”>enter your username :</label><br>
                        <input type="text" id=”username” name=”username”><br>
                        <label for=”password”>enter your password:</label><br>
                        <input type="text" id=”password” name=”password”><br>
                        <button type="submit" value="submit">Submit</button>
                    </form>
                    <form method="POST" action="{{ route('challenge2') }}">
                        @csrf
                        <label for=”flag”>enter the found flag:</label><br>
                        <input type="text" id="flag" name="flag"><br>
                        <button type="submit" value="submit">Submit</button>
                        <!-- possible usernames
                         admin
                        rob
                        Office
                        michael scottfield
                        dwight schrude
                         -->
                    </form>
                    {{$response ?? ''}}
                </div>
            </div>
        </div>
    </div>
</x-app-layout>

routes used

Route::get('/challenges/2', function () {
    return view('challenges.challenge2');
})->middleware(['auth'])->name('challenges/2');
Route::post('/challenges/2', [\App\Http\Controllers\ChallengeController::class, 'challenge2'])->name("challenge2");
Route::post('/challenges/2/FormHandler', [\App\Http\Controllers\ChallengeController::class, 'challenge2Form'])->name("challenge2FormHandler");

the function I used in the controller

public function challenge2Form(Request $request)
    {
        $username = $request->input("username");
        $password = $request->input("password");
        $correctusername = "Office";
        $correctpw = "abc123";
        var_dump($request->all());
        if ($username !== $correctusername && $password !== $correctpw) {
            return view('challenges.challenge2', ['response' => 'the username and password are incorrect']);
        }
        if ($username === $correctusername && $password !== $correctpw) {
            return view('challenges.challenge2', ['response' => 'the password is incorrect']);
        }
        if ($username === $correctusername && $password === $correctpw) {
            return view('challenges.challenge2', ['response' => 'the flag is -> logged-in']);
        }

        return view('challenges.challenge2', ['response' => '']);
    }
}

I tried:
Logging the request responses, which seemed to be correct
Putting the expected output in variables
Changing the route
Changing the strictness of the equals check

Brian
  • Please use `&&` and not `AND`. It adds a layer of complexity for people reading your code because there is a difference in their precedence order. I don't think it matters in this case, but just something to be aware of. See https://stackoverflow.com/questions/2803321/and-vs-as-operator – waterloomatt Nov 24 '22 at 19:06
  • What happens if you hardcode the username and password in your controller? Ex. `$username = 'Office'` and `$password = 'abc123'`. Does that work? Do this for all the scenarios? Do they work? – waterloomatt Nov 24 '22 at 19:20
  • @waterloomatt this works! so it has to be how I receive my request? – Brian Nov 24 '22 at 19:43
  • Try logging all the request params, by doing `dd($request->all())`. Are those _keys_ and _values_ what you expect? Do this for each scenario. And maybe just a copy/paste issue but your Blade view is using `”` (smart quotes) and probably should be using `"` (double quotes) – waterloomatt Nov 24 '22 at 19:55
  • @waterloomatt "”username”" => "Office" "”password”" => "abc123" these are the keys and values that are being returned these seem to be correct and the quotes should be double quotes – Brian Nov 24 '22 at 20:13
  • I think that's the issue. I see 2x double quotes in the key names. Ex `"”username”"`. Try searching for `”` and replacing it with `"` in your Blade view. Just to be clear, the request payload should look like `"username" => "Office" "password" => "abc123"` and not `"”username”" => "Office" "”password”" => "abc123"` – waterloomatt Nov 24 '22 at 20:30
  • @waterloomatt the issue has been fixed it was indeed the quotes. I looked over some. Thank you! – Brian Nov 24 '22 at 20:30
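The root cause confirmed in the comments is worth seeing mechanically: an HTML parser only treats ASCII `"` and `'` as attribute delimiters, so `name=”username”` is read as the unquoted value `”username”`, and `$request->input("username")` then finds no such key. The following is an added example (not the asker's code and not part of Laravel) that checks a template for typographic quotes, parses the form-control names the way a browser would, and reports which keys the controller would fail to read. The two input lines are constructed from the form in the question; `missing_request_keys` and the other helper names are this example's own.

```python
import re

# Typographic quotes that word processors and some editors substitute for ASCII
# quotes, mapped to the ASCII character the author meant.
SMART_QUOTES = {
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
}

# Form controls whose name attribute becomes a key in the POST body.
FORM_CONTROL_RE = re.compile(r"<(?:input|select|textarea|button)\b([^>]*)>", re.I)

# HTML attribute syntax: the value is double-quoted, single-quoted, or an unquoted
# run of characters up to whitespace or '>'. A typographic quote is not a delimiter,
# so name=”username” parses as the unquoted value ”username”, quotes included.
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def find_smart_quotes(template: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every template line holding a typographic quote."""
    return [
        (n, line.strip())
        for n, line in enumerate(template.splitlines(), 1)
        if any(q in line for q in SMART_QUOTES)
    ]


def submitted_field_names(template: str) -> list[str]:
    """Return the field names a browser would POST for the template's form controls,
    applying the same quoting rules the browser's HTML parser applies."""
    names = []
    for tag in FORM_CONTROL_RE.finditer(template):
        for attr in ATTR_RE.finditer(tag.group(1)):
            if attr.group(1).lower() == "name":
                # exactly one of the three value groups matched
                names.append(next(g for g in attr.groups()[1:] if g is not None))
    return names


def missing_request_keys(template: str, expected: list[str]) -> list[str]:
    """Keys the controller reads with $request->input(...) that the form never sends."""
    sent = set(submitted_field_names(template))
    return [key for key in expected if key not in sent]


def fix_smart_quotes(template: str) -> str:
    """Replace typographic quotes with their ASCII counterparts."""
    return template.translate(str.maketrans(SMART_QUOTES))


# Constructed sample: the two inputs from the question, smart quotes and all.
BROKEN_FORM = (
    '<input type="text" id=\u201dusername\u201d name=\u201dusername\u201d><br>\n'
    '<input type="text" id=\u201dpassword\u201d name=\u201dpassword\u201d><br>\n'
    '<button type="submit" value="submit">Submit</button>\n'
)

# The keys the posted controller reads from the request.
CONTROLLER_KEYS = ["username", "password"]

if __name__ == "__main__":
    for n, line in find_smart_quotes(BROKEN_FORM):
        print(f"line {n}: typographic quote in {line}")
    print("browser submits keys:", submitted_field_names(BROKEN_FORM))
    print("controller cannot read:", missing_request_keys(BROKEN_FORM, CONTROLLER_KEYS))
    fixed = fix_smart_quotes(BROKEN_FORM)
    print("after fix, browser submits:", submitted_field_names(fixed))
    print("after fix, missing:", missing_request_keys(fixed, CONTROLLER_KEYS))
```

Run against the broken form it reports `”username”` and `”password”` as the submitted keys and both controller keys as missing, which is exactly the `dd($request->all())` output quoted in the comments; after `fix_smart_quotes` the names are plain `username` and `password` and nothing is missing. The same scan is a cheap pre-commit check for any template that is edited in a word processor or pasted from one.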

0 Answers