Daemon Of Hacking
Broken Brute-Force Protection, IP Block


Last updated 5 months ago


Lab Description

Walkthrough

Step 1: Initial Observations

  • Upon visiting the login page, entering arbitrary credentials results in a rate-limiting error after multiple failed attempts, stating that you must wait 1 minute.

Step 2: Analyzing the protection method

By testing further, I observed:

  1. The counter resets after a successful login.

  2. If I attempt two failed logins for one user and successfully log in as another user (wiener), the lockout mechanism resets for future attempts.

This behavior reveals a logic flaw in the brute-force protection:

  • The system keeps one failure counter per IP address and resets it on any successful login, so alternating guesses for the target account with logins to an account we control keeps the counter below the lockout threshold.
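To make the flaw concrete, here is an added simulation (not code from the lab or from PortSwigger) of the two server-side designs: a limiter that reproduces the reset-on-success behaviour observed above, and a hardened limiter whose per-IP failure window is never cleared by a success. The user store, the IP address, the threshold of 3 failures and carlos's password are all constructed assumptions for this example; the 60-second lockout comes from the lab's error message. A small log check at the end shows the detection angle: failures per IP should be counted regardless of interleaved successes.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

# Constructed credential store. wiener:peter is the lab's known-valid login;
# carlos's real password is a placeholder chosen for this example.
USERS = {"wiener": "peter", "carlos": "CARLOS-PASSWORD-PLACEHOLDER"}

MAX_FAILURES = 3      # assumed failures allowed per IP before a lockout
LOCKOUT_SECONDS = 60  # "wait 1 minute" from the lab's error message


class FlawedLimiter:
    """One failure counter per source IP, reset to zero by ANY successful
    login from that IP. This is the logic flaw the lab exploits."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def login(self, ip: str, username: str, password: str, now: float) -> str:
        if self.locked_until.get(ip, 0.0) > now:
            return "locked"
        if USERS.get(username) == password:
            self.failures[ip] = 0  # wiener's success wipes the failures against carlos
            return "success"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            self.failures[ip] = 0
            return "locked"
        return "failed"


class HardenedLimiter:
    """Sliding-window count of failures per source IP. A successful login
    does not touch the window, so interleaving valid logins buys nothing."""

    def __init__(self) -> None:
        self.failures: Dict[str, Deque[float]] = {}
        self.locked_until: Dict[str, float] = {}

    def _recent_failures(self, ip: str, now: float) -> Deque[float]:
        window = self.failures.setdefault(ip, deque())
        while window and window[0] <= now - LOCKOUT_SECONDS:
            window.popleft()  # forget failures older than the window
        return window

    def login(self, ip: str, username: str, password: str, now: float) -> str:
        if self.locked_until.get(ip, 0.0) > now:
            return "locked"
        if USERS.get(username) == password:
            return "success"  # deliberately no counter reset
        window = self._recent_failures(ip, now)
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"


# Constructed guesses for carlos; the last one is the (placeholder) real password.
GUESSES = ["123456", "password", "letmein", "qwerty", USERS["carlos"]]


def build_attempts(alternate: bool) -> List[Tuple[str, str]]:
    """Sequence of (username, password): plain guesses for carlos, or the
    writeup's pattern where each guess is followed by the valid wiener login."""
    attempts: List[Tuple[str, str]] = []
    for guess in GUESSES:
        attempts.append(("carlos", guess))
        if alternate:
            attempts.append(("wiener", "peter"))
    return attempts


def carlos_outcomes(limiter, alternate: bool, ip: str = "198.51.100.7") -> List[str]:
    """Feed the attempts one second apart and return only carlos's outcomes."""
    outcomes = []
    for t, (user, pw) in enumerate(build_attempts(alternate)):
        result = limiter.login(ip, user, pw, now=float(t))
        if user == "carlos":
            outcomes.append(result)
    return outcomes


# Constructed authentication log: "<ip> <username> <OK|FAIL>" per line.
SAMPLE_LOG = """198.51.100.7 carlos FAIL
198.51.100.7 wiener OK
198.51.100.7 carlos FAIL
198.51.100.7 wiener OK
198.51.100.7 carlos FAIL
203.0.113.9 alice OK"""


def suspicious_ips(log: str, threshold: int = MAX_FAILURES) -> Dict[str, Tuple[int, List[str]]]:
    """Detection view: count FAIL lines per IP ignoring interleaved OK lines,
    and report IPs at or above the threshold with the accounts they targeted."""
    fails: Dict[str, int] = {}
    targets: Dict[str, set] = {}
    for line in log.splitlines():
        ip, user, outcome = line.split()
        if outcome == "FAIL":
            fails[ip] = fails.get(ip, 0) + 1
            targets.setdefault(ip, set()).add(user)
    return {ip: (n, sorted(targets[ip])) for ip, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    print("flawed, alternating:  ", carlos_outcomes(FlawedLimiter(), alternate=True))
    print("hardened, alternating:", carlos_outcomes(HardenedLimiter(), alternate=True))
    print("flagged IPs:", suspicious_ips(SAMPLE_LOG))
```

With the flawed limiter the alternating sequence reaches carlos's password without ever being locked; the hardened limiter locks the IP on the third failure regardless of the wiener logins in between. The design point is that a per-IP counter exists to bound guesses from one source, so only time, not a success for some other account, should clear it; a separate per-account counter is a common companion control.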

Step 3: Crafting the Attack

To exploit this logic flaw:

  1. Use the victim's username (carlos) and attempt to brute-force their password.

  2. Alternate the password attempts for carlos with a known valid login (wiener:peter) to avoid the lockout.

Modify the provided password list so that wiener's password (peter) follows every candidate password for carlos. Each successful wiener login resets the counter before the next guess for carlos is sent.

Step 4: Analyzing the Output

Once the attack finishes:

  1. Filter results for carlos and status code 302 Redirect.

  2. The 302 status code indicates a successful login, revealing the correct password for carlos.

The payload of that request is carlos's password.

Attachment: passwords.txt (2KB)