Broken brute-force protection, IP block

On this lab we are given credentials for an account (wiener:peter) and we are told that the account we need to get access to has the username "carlos".

Testing this login mechanism, we can see that after 4 failed login attempts our IP gets blocked.

But once we login with our valid credentials we manage to circumvent this and successfully login.

So to bypass this IP block brute-force protection, we need to attempt a valid login between every iteration of our brute force attack. To do that, our usernames wordlist (we want to get access to "carlos" account) should look like this:

carlos wiener carlos wiener carlos wiener etc ...

And our password list should look like this:

pass peter pass peter pass peter etc ...

Since its too troublesome to do that one word at the time, we can script the process of creating the wordlists with python.

Using this script we can get our usernames wordlist (names.txt).

And we can also script the passwords list.

Things to keep in mind while creating the wordlists: 1. There are 100 passwords to attempt to bruteforce, meaning we need to have the username "carlos" 100 times in the usernames list. 2. When brute-forcing, we need to make sure that the username "wiener" will always match the password "peter" to bypass the IP block protection.

We can now start the brute-force attack with burpsuite. To attack this login functionality we will use the "Pitchfork" attack, and the "names.txt" wordlist for the username as payload 1 and the "newpasswords.txt" wordlist for the password as payload 2.

We can then start the brute-force attack and wait for the "302" response to pop up in one of the passwords for the username "carlos".

Finding the password allows us to login as the user "carlos" and finish the lab.