Broken Authentication - Weak Bruteforce Protections

Hi guys, I need some help with the last question, to be more specific the question related to the /question2 URL. I tried everything: used the Python script and modified the headers, used hydra and ffuf, even curl, but none of these works. The hint for the last question is "This web server doesn’t trust your IP!". As I said, I used the Python script and curl requests, and in both I modified the "X-Forwarded-For" request header and changed my IP to another random IP, even to the target IP.
I don’t know what I’m doing wrong and I’m so lost with this question. Please, if someone was able to solve this question, give me a little hint on how to solve it. Really, I’m so frustrated with this question and I’m going mad.

You are on the right track.

The hint says that the server does not trust your IP.
It probably doesn’t trust any public IP address.

But which IP address could it trust then? :wink:


Thanks a lot bro. Finally I got it!

Hi there,
I set up the header as suggested with the only IP that is probably trusted by the server, and I am still using the credential file from the first question. However, I get invalid credentials every time. I adapted the script so it should work. Is there another wordlist to use?

Oh man, the solution was too obvious for me :slight_smile: Got it now

Can anyone please give me a nudge in the right direction for question 2? I’m using cURL and I add the -H for X-Forwarded-For, using an IP that is trusted, but I just can’t get the flag. Any help much appreciated.


Hey! Don’t mean to be poking fun at you, but how do you know the IP is trusted? Think about the different types of IPs and IP ranges after reading what PayloadBunny wrote!

DM me if you need a harder nudge.

Hi onthesauce, thanks for your reply. I was thinking that the server would trust its own IP address, so I’ve been using the web server IP for X-Forwarded-For in my cURL command. I’m not too sure now though.


Please ignore above post, thanks for the extra push onthesauce, yet again, it’s another face palm moment for me.

Many Thanks


Lol no worries! Trust me, we all have those moments.

Glad to hear you got it!

Hello everyone
I can’t understand: do we use the script they provide us with every time in these exercises at all?
It scares me a little because it doesn’t really work for me.
(Or I do not know how to configure it.)

Need a nudge on this.

AllowedIPList, is that something within their NAT, or within the VPN NAT that Pwnbox is using?

Also, I don’t want to spend all day running through rockyou.txt :slight_smile: Is there a particular wordlist we are supposed to be using for this exercise?

Hey! I honestly can’t remember the wordlist I used for that challenge, but as for the bypass, make sure you think on a local level.

Awesome, thanks as always!

For anyone still stuck, I used hydra, with the SecLists common usernames and common passwords.

Somehow I didn’t need to set the magical header for that. But once hydra got the credentials, I set the magical header after capturing the packet in Burp.

When setting the magical header, think local.


I’m using hydra and setting the header, but I didn’t get access. I used common usernames and passwords as well.

Never mind I got it.

I have no idea what to do in Weak Bruteforce Protections

/question1 and /question2

Why is the exercise not the same as the exercise in the questions?

Question 1: I know the time, and now what?

Question 2: are we supposed to use hydra or the script?

Question 1: Enter the time you see, but round up to the next 10-second time-frame
Question 2: I wish I knew. I’m stuck on this one as well. If you already got the answer, can you give me a hint on where to start? I’ve tried hydra and got a handful of different usernames and passwords, but none of them worked. I’ve also tried curling and entering -H X-Forwarded-For:, but nothing there either. I’m thinking that with correct credentials, I can enter the X-F-F: in Burp Repeater under User-Agent, then cat /flag.txt. So far, I’m only getting the result of “Invalid credentials.”

Help from anyone will be appreciated.

Hi, I need help. I tried X-Forwarded-For: with the IP of the server but I can’t get it. Can someone give me a hint please?

Ok, the exercise for Q2 is a little confusing… you know, the HTB way of pain haha. This one is for those who are trying to fuzz or hydra this thing:

curl -L -vvv -H X-Forwarded-For:LOCAL_ADDRESS http://IP:PORT/question2/
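To make the hint in this thread concrete from the defender's side, here is an added Python example (not from the thread and not HTB's lab code). It models a login endpoint that locks out a client IP after too many failures. The weak variant resolves the client IP from the X-Forwarded-For header no matter who sent it, so a caller can claim a loopback address and land on the lockout exemption list, which is exactly the weakness the exercise demonstrates. The hardened variant only honours X-Forwarded-For when the TCP peer is a known reverse proxy, and falls back to the peer address otherwise. The names TRUSTED_PROXIES, LOCKOUT_EXEMPT, LoginGuard and every address and credential in it are constructed for the example.

```python
# Added example: IP-keyed brute-force lockout, weak vs hardened client-IP resolution.
import ipaddress
from collections import defaultdict

MAX_ATTEMPTS = 5

# Constructed: the reverse proxies actually deployed in front of the application.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}
# Constructed: an "AllowedIPList"-style exemption that skips the lockout for local callers.
LOCKOUT_EXEMPT = [ipaddress.ip_network("127.0.0.0/8")]
# Constructed credentials for the demo.
VALID_CREDS = {"admin": "correct-horse-battery"}


def client_ip_weak(peer_ip, headers):
    """Weak: believes X-Forwarded-For from anyone, so the value is attacker-controlled."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        try:
            return ipaddress.ip_address(xff.split(",")[0].strip())
        except ValueError:
            pass
    return ipaddress.ip_address(peer_ip)


def client_ip_hardened(peer_ip, headers):
    """Hardened: only a trusted proxy may supply X-Forwarded-For; otherwise use the peer."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if xff and peer in TRUSTED_PROXIES:
        # With one trusted hop, the rightmost entry is the address that proxy saw.
        try:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            pass
    # An X-Forwarded-For header arriving from a non-proxy peer is worth logging.
    return peer


class LoginGuard:
    """Counts failed logins per resolved client IP and locks after MAX_ATTEMPTS."""

    def __init__(self, ip_resolver):
        self.resolve = ip_resolver
        self.failures = defaultdict(int)

    def login(self, peer_ip, headers, username, password):
        ip = self.resolve(peer_ip, headers)
        exempt = any(ip in net for net in LOCKOUT_EXEMPT)
        if not exempt and self.failures[ip] >= MAX_ATTEMPTS:
            return "locked"
        if VALID_CREDS.get(username) == password:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "invalid"


def simulate(ip_resolver):
    """Drive MAX_ATTEMPTS + 1 bad logins from one public peer that claims to be loopback.

    Returns the outcome of the final attempt: "locked" means the protection held,
    "invalid" means the spoofed header let the guessing continue unthrottled.
    """
    guard = LoginGuard(ip_resolver)
    attacker_peer = "203.0.113.7"                 # constructed TEST-NET address
    spoofed = {"X-Forwarded-For": "127.0.0.1"}    # claims to be local
    last = None
    for i in range(MAX_ATTEMPTS + 1):
        last = guard.login(attacker_peer, spoofed, "admin", "guess%d" % i)
    return last


if __name__ == "__main__":
    print("weak resolver:     ", simulate(client_ip_weak))       # invalid
    print("hardened resolver: ", simulate(client_ip_hardened))   # locked
```

The safer design is to drop the header-based exemption entirely: if the lockout really must be skipped for local tooling, key that decision on the TCP peer address, never on a header the client can write. For detection, a request whose peer is not in TRUSTED_PROXIES but which carries an X-Forwarded-For header naming a loopback or RFC 1918 address is a cheap, high-signal thing to alert on.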