Broken Brute-Force Protection, IP Block

Lab Description

Walkthrough

Step 1: Initial Observations

  • Upon visiting the login page, entering arbitrary credentials results in a rate-limiting error after multiple failed attempts, stating that you must wait 1 minute.

Step 2: Analyzing the Protection Method

By testing further, I observed:

  1. The counter resets after a successful login.

  2. If I attempt two failed logins for one user and successfully log in as another user (wiener), the lockout mechanism resets for future attempts.

This behavior reveals a logic flaw in the brute-force protection:

  • The system resets the counter upon a successful login, allowing us to alternate between two users to bypass the lockout.
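As an added illustration, not part of the lab or of this writeup, the following Python model contrasts a limiter with exactly this flaw against a hardened one that keeps a per-IP counter no login can clear and a per-account counter that only that account's own success clears. The credential store, the IP address and the guess list are constructed values.

```python
from collections import defaultdict

MAX_FAILURES = 3
# Constructed credential store for the simulation; not the lab's backend.
USERS = {"wiener": "peter", "carlos": "correct-horse"}


class VulnerableIpLimiter:
    """Models the lab's protection: one failure counter per client IP
    that ANY successful login from that IP clears."""
    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, ip, username, password):
        if self.failures[ip] >= MAX_FAILURES:
            return "blocked"
        if USERS.get(username) == password:
            self.failures[ip] = 0  # flaw: wiener's success clears failures aimed at carlos
            return "ok"
        self.failures[ip] += 1
        return "invalid"


class HardenedLimiter:
    """Counts failures per IP and per target account. A success clears only
    the target account's own counter; the IP counter is never cleared by a
    login and should expire on a timer instead (timer omitted here). The
    per-account block should be a soft response (delay, CAPTCHA) in practice
    so an attacker cannot lock legitimate users out on purpose."""
    def __init__(self):
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def login(self, ip, username, password):
        if (self.ip_failures[ip] >= MAX_FAILURES
                or self.account_failures[username] >= MAX_FAILURES):
            return "blocked"
        if USERS.get(username) == password:
            self.account_failures[username] = 0  # only this account's counter resets
            return "ok"
        self.ip_failures[ip] += 1
        self.account_failures[username] += 1
        return "invalid"


def run_alternating(limiter, guesses, ip="203.0.113.5"):
    """Replay the pattern from the writeup: every guess for carlos is followed
    by a valid wiener login. Returns the outcomes of the carlos attempts."""
    outcomes = []
    for guess in guesses:
        outcomes.append(limiter.login(ip, "carlos", guess))
        limiter.login(ip, "wiener", "peter")
    return outcomes
```

Against the vulnerable limiter the alternating pattern never hits the block; against the hardened one the IP counter reaches the limit after three failures regardless of the interleaved successful logins.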

Step 3: Crafting the Attack

To exploit this logic flaw:

  1. Use the victim's username (carlos) and attempt to brute-force their password.

  2. Alternate the password attempts for carlos with a known valid login (wiener:peter) to avoid the lockout.

Modify the provided password list so that wiener's password follows every candidate password. Each incorrect guess for carlos is then immediately followed by a successful login as wiener, which resets the counter before the next guess.

Step 4: Analyzing the Output

Once the attack finishes:

  1. Filter results for carlos and status code 302 Redirect.

  2. The 302 status code indicates a successful login, so the single carlos request that returns a 302 reveals the correct password.

The payload of that request is carlos's password.
