Broken Authentication - Weak Bruteforce Protections

Hi guys, I need some help with the last question, to be more specific the question related to the /question2 URL. I tried everything: used the python script and modified the headers, used hydra and ffuf, even curl, but none of these works. The hint for the last question is "This web server doesn’t trust your IP!". As I said, I used the python script and curl requests; in both I modified the request header "X-Forwarded-For" and changed my IP to another random IP, even to the target IP.
I don’t know what I’m doing wrong and I’m so lost with this question. Please, if someone was able to solve this question, give me some little hint on how to solve it. Really, I’m so frustrated with this question and I’m going mad.

You are on the right track.

The hint says that the server does not trust your IP.
It probably doesn’t trust any public IP address.

But which IP address could it trust then? :wink:

2 Likes
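What the hint boils down to on the server side, as an added example that is not the exercise's own code: a naive allow-list check that believes X-Forwarded-For from any client (which is why a bypass via that header exists), beside a hardened resolver that only honours the header when the TCP peer is a known reverse proxy. The "local" ranges and the proxy address are constructed assumptions.

```python
import ipaddress
from typing import Mapping

# Constructed assumptions: ranges an allow-list treats as "local" and exempt from
# brute-force throttling, plus the address of the only reverse proxy we trust.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def client_ip_naive(remote_addr: str, headers: Mapping[str, str]) -> ipaddress._BaseAddress:
    """Vulnerable pattern: takes X-Forwarded-For at face value from any peer.

    The header is client-controlled, so whoever sends the request chooses the
    'client IP' the allow-list sees."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_hardened(remote_addr: str, headers: Mapping[str, str]) -> ipaddress._BaseAddress:
    """Hardened: only trust X-Forwarded-For when the TCP peer is our proxy, and then
    use the rightmost hop, i.e. the one the proxy itself appended. Anything the
    original client put in the header sits further left and is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        try:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            return peer  # malformed header: fall back to the proxy's own address
    return peer


def is_allow_listed(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in net for net in ALLOWED_NETS)


def throttling_applies(remote_addr: str, headers: Mapping[str, str], resolver) -> bool:
    """True when brute-force protection must be enforced for this request."""
    return not is_allow_listed(resolver(remote_addr, headers))
```

The same request that switches throttling off under `client_ip_naive` keeps it on under `client_ip_hardened`, because a public peer cannot vouch for its own address.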

Thanks a lot bro. Finally I got it!

Hi there,
I set up the header as suggested with only IP that is probably trusted by the server. And I am still using the credential file as in the first question. However, I get invalid credentials all over. I adapted the script so it should work. Is there another wordlist to use?

Oh man, the solution was too obvious for me :slight_smile: Got it now

Can anyone please give me a nudge in the right direction for question 2? I’m using cURL and I add the -H for X-Forwarded-For, using an IP that is trusted, but I just can’t get the flag. Any help much appreciated.

Ta

Hey! Don’t mean to be poking fun at you, but how do you know the IP is trusted? Think about the different types of IPs and IP ranges after reading what PayloadBunny wrote!

DM me if you need a harder nudge.
-onthesauce

Hi onthesauce, thanks for your reply. I was thinking that the server would trust its own IP address, so I’ve been using the web server IP for X-Forwarded-For in my cURL command. I’m not too sure now, though.

Ta

Please ignore above post, thanks for the extra push onthesauce, yet again, it’s another face palm moment for me.

Many Thanks

1 Like

Lol no worries! Trust me, we all have those moments.

Glad to hear you got it!
-onthesauce

Hello everyone
I can’t understand: do we use the script in these exercises at all, the one they provide us with every time?
(basic_bruteforce_py)
It scares me a little because it doesn’t really work for me.
(Or I do not know how to configure it.)

Need a nudge on this.

AllowedIPList, is that something within their NAT, or within the VPN NAT that pwnedbox is using?

Also, I don’t want to spend all day running through rockyou.txt :slight_smile: Is there a particular wordlist we are supposed to be using for this exercise?

Hey! I honestly can’t remember the wordlist I used for that challenge, but as for the bypass, make sure you think on a local level.
-onthesauce

Awesome, thanks as always!

For anyone still stuck, I used hydra. Used the SecLists common usernames and common passwords.

Somehow didn’t need to set the magical header. But once hydra got that, set the magical header after capturing the packet in burp.

In setting the magical header, think local.