Personal Website Github LinkedIn

Brute Force

Last updated 1 year ago

Objective
Your goal is to get the administrator’s password by brute forcing. Bonus points for getting the other four user passwords!

Security Level: Low

The application provides us with two input fields in order to enter the username and the password.
Let's enter admin as both.

Let's intercept the request in Burpsuite.

We can now forward this request to the Intruder to automate the attack.

After adding a field to the password, we can move on to setting up the substitution payload.

For the payload type we want a simple list, more specifically the darkweb2017-top100.txt passwords lists from the seclists collection.
Before we start the attack there is something important that we have to do.
In the Options tab, we can set the string to grep for. We can set it to the following:

Username and/or password incorrect.

Let's start the attack.

We can immediately see that the response for password did not include the string.
Let's take a closer look at the response.

We can see that it greets us with a welcome message. This means that the password is password.