Broken Authentication - Login Brute Forcing

Hi everyone, I'm stuck in the module Broken Authentication - Bruteforcing Passwords. I thought I found that the password policy includes at least 3 characters including uppercase, lowercase, and numbers. I filtered the list from rockyou-50.txt for matching characters, but none of the passwords is correct. Where did I go wrong?
I use the grep command as follows:
grep '[[:upper:]]' /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-50.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '^.{0,12}$'

Your grep command is right and the password is inside it.
You almost have the password, but the target has rate limit protection.
Be more careful about the rate limit while brute forcing.

Only 5 passwords match the grep result, and none of them are correct. I manually logged in with all 5 of these passwords.


No, the password is not among these passwords.
I found the issue:
in the grep command you used [[:lower:]],
but you should not.
How do you know that the password has a lowercase character?!
Hint for the answer: an Angel is waiting for you :slight_smile:

Thanks, I found the answer. I used the wrong regex, which led to the wrong result. Also, I was confused when I used the password policy guessing table.

Nice job, bro.
Good luck :+1:

Any hints for rate limit bypassing? Failed using ‘x-forwarded-for’ header.

the local server only trusts itself
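
Seen from the server side, the X-Forwarded-For exchange above is about which address a login rate limiter keys on. The following is an added example, not part of the thread or of the module's code: it keys the limiter on the socket peer and honours X-Forwarded-For only when that peer is a configured reverse proxy. The proxy address, function names, limits and sample requests are all assumptions constructed for illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Assumption: a single reverse proxy sits in front of the app (constructed address).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

def client_key(peer_ip, headers):
    """Return the address the rate limiter should count against.

    X-Forwarded-For is used only when the TCP peer is a trusted proxy, and
    then only its right-most entry (the hop that proxy appended itself).
    Assumes header names are already normalised to this spelling.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For", "")
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return str(peer)

class LoginLimiter:
    """Sliding window: at most `limit` attempts per `window` seconds per key."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.attempts = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def simulate(requests, limit=3):
    """Run constructed (peer_ip, headers) pairs through one limiter."""
    limiter = LoginLimiter(limit=limit)
    return [limiter.allow(client_key(p, h), now=0.0) for p, h in requests]
```

With this keying, a direct client that changes the header on every request is still counted under its own peer address.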

Bro, how did you find the password policy?
It always returns the same response when I try to find the policy.

Try with the guessing table, one of them at a time, in the register account phase; one of them will tell you "thanks for registration".