Introduction

In this writeup, we will explore the solution to the “Baby Auth” Web challenge from HackTheBox. This challenge is designed to test our understanding of web authentication mechanisms and how to bypass them.

Target: 154.57.164.80:32749

Solution Approach

The “Baby Auth” challenge likely involves a web application with an authentication mechanism that we need to bypass. The name suggests that the authentication might be simple or “baby-like,” which could indicate weak security measures.

[Screenshot: App Homepage]

I tried to log in with some common default credentials like admin:admin, admin:password, etc., but none of them worked.

[Screenshot: Login Page]

Next, I visited the page source to see if there were any hints or clues about the authentication mechanism, but there was nothing interesting.

Then, I moved on to registering a new account.

[Screenshot: Register Page]

After registering, I was able to log in successfully, but the application greeted me with a message saying “You are not an admin.”

[Screenshot: “You are not an admin” message]

This indicates that there is a separate admin account with different credentials. I tried to find any hints about the admin credentials in the page source, but there was nothing.

It occurred to me that, given the name of the challenge, the authentication mechanism might be very simple and could be bypassed by manipulating the cookies or session tokens.

I set up Burp Suite to intercept the traffic and focused on the login flow.

The /auth/login endpoint was accepting POST requests with the username and password. After a successful login, the response carried a Set-Cookie header whose value looked like a base64 encoded string.

[Screenshot: 302 Found response with Set-Cookie header]

I decoded the cookie value and it revealed a JSON object containing the username.

echo 'eyJ1c2VybmFtZSI6Img0Y2sifQ' | base64 -d
{"username":"h4ck"}

[Screenshot: Decoded Cookie]

What if we change the username in the cookie to admin and encode it back to base64?

echo -n '{"username":"admin"}' | base64
eyJ1c2VybmFtZSI6ImFkbWluIn0=

I turned on the intercept in Burp Suite, modified the cookie value to eyJ1c2VybmFtZSI6ImFkbWluIn0=, and forwarded the request.

[Screenshot: Encoded Cookie]

And just like that, I was greeted with a message containing the flag.

[Screenshot: Flag]

FLAG: HTB{s3ss10n_1nt3grity_1s_0v3r4tt3d_4nyw4ys}
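The root cause here is that the session cookie is nothing more than a base64-encoded JSON object, with nothing that ties it to the server, so the client can rewrite it at will. The following Python is an added example, not code from the challenge or from this writeup: it models the naive parsing the app appears to do beside an HMAC-signed variant, and shows that the tampered cookie from above is accepted by the first and rejected by the second. The two cookie strings are the ones shown above; SERVER_SECRET, the function names and the payload.tag cookie layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values: the two cookies shown in the writeup.
ORIGINAL_COOKIE = "eyJ1c2VybmFtZSI6Img0Y2sifQ"    # {"username":"h4ck"}, sent without padding
TAMPERED_COOKIE = "eyJ1c2VybmFtZSI6ImFkbWluIn0="   # {"username":"admin"}

# Hypothetical server-side key. A real app would load it from configuration,
# never hard-code it; it exists here only so the example runs stand-alone.
SERVER_SECRET = b"example-secret-do-not-use"


def _b64decode_lenient(value: str) -> bytes:
    """Decode base64, restoring any '=' padding the sender stripped (as in the original cookie)."""
    value = value.strip()
    return base64.b64decode(value + "=" * (-len(value) % 4))


def naive_session_user(cookie: str) -> str:
    """What the challenge app appears to do: trust whatever the cookie says.

    Decoding is not authentication: anyone who can base64-encode JSON can
    become any user, which is exactly the bypass used in the writeup.
    """
    data = json.loads(_b64decode_lenient(cookie))
    return data["username"]


def issue_signed_cookie(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Hardened form: payload plus an HMAC-SHA256 tag keyed with a server-side secret."""
    body = json.dumps({"username": username}, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verified_session_user(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the username only if the tag verifies; None for unsigned or tampered cookies."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all, e.g. a bare base64 cookie like the original scheme
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload))
    return data.get("username") if isinstance(data, dict) else None


def rewrite_payload(signed_cookie: str, username: str) -> str:
    """Model the writeup's attack against the signed scheme: swap the payload, keep the old tag."""
    _, _, old_tag = signed_cookie.rpartition(".")
    body = json.dumps({"username": username}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + old_tag


if __name__ == "__main__":
    print("naive, original :", naive_session_user(ORIGINAL_COOKIE))
    print("naive, tampered :", naive_session_user(TAMPERED_COOKIE))
    signed = issue_signed_cookie("h4ck")
    print("signed, genuine :", verified_session_user(signed))
    print("signed, forged  :", verified_session_user(rewrite_payload(signed, "admin")))
    print("signed, legacy  :", verified_session_user(TAMPERED_COOKIE))
```

Signing stops the client from editing the payload, but it does not stop replay or revocation problems; a server-side session store keyed by a random identifier (which is what a cookie named PHPSESSID normally points at) avoids putting any user data in the cookie at all.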

Browser DevTools Approach

I could also use the browser’s dev tools to modify the cookie value directly without using Burp Suite. This is a simpler approach, I believe.

  1. Open the browser’s dev tools (usually by pressing F12).
  2. Go to the “Storage” tab and find the “Cookies” section.
  3. Find the cookie named PHPSESSID, double-click it and change its value to the encoded string eyJ1c2VybmFtZSI6ImFkbWluIn0=.
  4. Refresh the page and you should see the flag.

[Screenshot: DevTools cookie editor]

Happy Hacking!