Skills Assessment - Broken Authentication

Hey !

i used your script to get the permutations of the shortlist and some contrycodes lit 1 or 49 or 211 but when i fuzz the message i cannot get a hit
am i using the wrong country codes ?

kind regards
porta

Ok I’m lost I ran the modified the rate_limit.py script against support(all five) and admin(all five). I don’t know where to go from there. I haven’t tried guest yet. This was the grep command I used:

sudo grep ‘[1]’ ‘/home/htb-ac397863/Desktop/Useful Repos/SecLists/Passwords/Leaked-Databases/rockyou.txt’ | grep ‘[[:digit:]]$’ | grep “:/?#@!$&'*()-_+=,.;%{}” | grep -E ‘^.{20,}$’ > list.txt

the list had a total of 96 passwords is this right?


  1. [:upper:] ↩︎

you dont need a password, if you have all the accounts there are … create a tolken

edit: true you first need the password for a support account thanks for pointing that out dfgdfdfgdfd

Password is quite useful to get a cookie and check the cookie pattern to
elevate from support to admin

3 Likes

I ended up getting it and got the flag but I had to do it manually @dfgdfdfgdfd you used the rate_limit.py script right? Could I message you my script and can you take a look at it to see where I went wrong. @PortaHelle I’m going to message you too.

Can you help me? Which command did you use to make wordlist? I think I have mistakes in my command: sudo grep ‘[1]’ ‘rockyou.txt’ | grep ‘[[:lower:]]’| grep ‘[[:digit:]]$’ | grep -E ‘^.{20,}’ | grep [[:punct:]]


  1. [:upper:] ↩︎

I don’t know if you created an account, but if you did you’re making your list too big.

Take out punct command and make your grep to target these:

I make new command
sudo grep ‘[1]’ ‘rockyou.txt’ | grep ‘[[:lower:]]’| grep ‘[[:digit:]]$’ | grep -E ‘^.{20,}’ | grep ‘[@#$]’

and found 14 password
But passwords doesn’t work.
Can I show pass which I found?


  1. [:upper:] ↩︎

Hi , i still couldn’t find the correct syntax for the usernames. Give me some hints ?

Guys I’ve been at this for days. I’ve enumerated the usernames with Burp Suite (really easy) and I’ve figured out the password requirements. I built a grep command that I thought worked, and it gave me about 6 results. I’ve been fiddling with ChatGPT this week and I actually asked it to generate a grep command with the same terms to check mine and, although it structured the command a bit differently, the results were the same (ChatGPT is amazing btw).

I then edited the rate limit script they provided in the module and tested it against the account I created with my password in the list to check if the script works. Which it does.

However, when I use my password list against the support accounts I enumerated I get nothing. What am I doing wrong? Can anyone nudge me in the right direction?

What country codes are you using?, I just solved the user-enum part. The country codes are mentioned in the “brute forcing usernames” section

1 Like

Can someone help me with finding more usernames

Im using burp to find something but I cant find anything

Do I need to keep doing this kind of research or is not the right way?

Having the same issue. I am trying the country codes and tried supportAV, support762, adminAV. But not getting anywhere.
Anyone have any tips for username syntax with the country codes?

Try lowercase too, and different formats, e.g “admin xx” “admin_xx” “adminSOMEOTHERCHARxx”.

1 Like

thanks @lancedelacroix

I found 4 accounts. When I filtered rockyou.txt with the rules of passwords. I have found 35 possible passwords.
Despite all this, I could not find any account with a country code. I tried 935 country code in lower case with ‘userfound’+‘character’+‘countrycode. With as character: " *-/!?+_,;.:!><&’$"
and for the 4 discovered users, none of the 35 filtered passwords pass… am I on the right track?

I solved it with @lancedelacroix 's hint. Try the top username short list and the country codes in lowercase and don’t forget to try the country codes with the known account - e.g. "supportSOMEOTHERCHARxx” then try some passwords on those accounts after grepping the password rules from the rockyou.txt file.

Try two letter country code. i.g, username+.+country-code and then use filtered password form rockyou.

After enumerating the users, I tried to use a script to blast, but it was unsuccessful. Can you help me find out where there is a problem?

import requests

file that contain user:pass

userpass_file = “C:\Users\dne91\Desktop\userpass.txt”

create url using user and password as argument

url = “http://157.245.39.81:32452/login.php”

rate limit blocks for 30 seconds

message that alert us we hit rate limit

lock_message = “Too many failures”

read user and password

with open(userpass_file, “r”) as fh:
for fline in fh:
print(fline)
# take username
username = “support.it”

    # take password, join to keep password that contain a :
    password = "".join(fline)

    # prepare POST data
    data = {
        "userid": username,
        "passwd": password,
        "submit": "submit"
    }

    # do the request
    res = requests.post(url, data=data)

    # handle generic credential error
    if "Invalid credentials" in res.text:
        print("[-] Invalid credentials: userid:{} passwd:{}".format(username, password))
    # user and password were valid !
    elif "Messages" in res.text:
        print("[+] Valid credentials: userid:{} passwd:{}".format(username, password))
    # hit rate limit, let's say we have to wait 30 seconds
    elif lock_message in res.text:
        print("[-] Hit rate limit, sleeping 30")
        # do the actual sleep plus 0.5 to be sure
        time.sleep(31)