[ACADEMY] Broken Authentication

I am about to give up on this module. I’m stuck on page 5 “Weak Bruteforce Protections” and can’t answer question 2: “Work on webapp at URL /question2/ and try to bypass the login form using one of the method showed.” Hint: “This web server doesn't trust your IP!”.

I get the hint and used the method described in the section to change what my IP looks like in the header. I rewrote the provided python script several times, tried with hydra and ffuf, but I don’t find anything. I worked on the scada cvs to make it work with the script, used rockyou and several of the default credential lists of SecLists.

Can anyone give me a hint? This is really frustrating.

Comments

  • Ok, I got it to work. The user and password doesn’t matter at all. You can just use curl.

  • @iougiri could you give me some help pls? I have the same problem and I'm getting crazy because I think it's a simple thing and I can't find it. The tip from what I understand refers to the X thing but nothing works
  • You’re on the right track with the X thing. I sent you a DM.
  • Have also tried the X thing in combination with the hint but without success... Can anyone give me another hint?
  • I hope this doesn’t spoil too much, but I know how frustrating it was for me. So for everyone having the same problem my hint is: The server only trusts itself.

  • I see...! crazy, haha
    you should read this link as below:
    https://www.w3schools.com/HTML/html_entities.asp
    interested in the special symbol!

    you will get more confused with the "Predictable Reset Token" section, question 1, :))
  • Anybody here, who can give me a nudge on the first assignment "Brute Force attack". I think I have a good working Python script and tried with al available credentials files, but maybe I am missing one. Please respond.
  • Type your comment> @andrevanm said:
    > Anybody here, who can give me a nudge on the first assignment "Brute Force attack". I think I have a good working Python script and tried with al available credentials files, but maybe I am missing one. Please respond.

    Thanks to Satellite was able to solve it.
  • Lmk when you get to “predictable reset token”, question 1. I can’t figure it out
Sign In to comment.