
Visiting the site gives us a login form asking for a username and password. Common attacks on login forms are SQL injection and brute-force attacks. To get the flag, we have to bypass the login using one of these attacks.
First of all, we try the login page with the default credentials admin:admin and get back the error message "Invalid username and password."

That got us nowhere:

The site prints "Invalid username and password." when both the username and password are wrong. Assuming this message changes when the username alone is correct, we can fuzz the username parameter with ffuf and spot valid accounts by the difference in the response.
First we need to see the raw request to learn the parameter names we are dealing with, so we can run a username enumeration attack; Burp will do the job:

Now that we know the parameter names, we can start ffuf with a SecLists wordlist:
In the first run I ran without any filter, looking for the response size that belongs to the "Invalid username and password." message (the most repeated size) so I could exclude it and keep only the valid usernames; as you can see, without a filter every username on the list comes back as a hit:

In the second run I filtered out every response with size 1253 (`-fs 1253`), which leaves only the valid usernames:

```bash
ffuf -w /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt -X POST -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.247.71/ -d "username=FUZZ&password=123456" -fs 1253
```
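The two ffuf runs above boil down to one idea: the login handler answers differently for a known and an unknown username, and the response size gives that away. The script below is an added example (my code, not part of the original writeup or the lab) that reproduces both runs offline against a constructed stand-in for the login endpoint, so the leak and the fix can be seen side by side. The user table, the wordlist, the canary username and the HTML bodies are all made up; the page does not show the lab's real responses.

```python
"""Username enumeration by response-size filtering (added example, not the lab's code).

vulnerable_login is a constructed stand-in for a login handler that returns a
different error for an unknown username than for a bad password, which is the
behaviour the ffuf runs on the page rely on. hardened_login shows the fix: one
generic failure message for both cases. enumerate_users mirrors the ffuf runs:
measure the size of the "no such user" response, then keep only the usernames
whose response size differs (the equivalent of ffuf's -fs <size>).
"""

# Constructed credential store standing in for the lab's database.
USERS = {"admin": "s3cret!", "bob": "hunter2"}

# Constructed wordlist standing in for SecLists' xato-net-10-million-usernames.txt.
WORDLIST = ["root", "admin", "alice", "bob", "test", "guest", "user"]

# A username that cannot exist, used to measure the baseline "unknown user" response.
# The page instead took the most common response size; a canary is more robust when
# a large share of the wordlist happens to be valid.
CANARY = "zz-no-such-user-9f3a"


def vulnerable_login(username: str, password: str) -> str:
    """Leaky handler: the error text (and therefore the size) depends on the username."""
    if username not in USERS:
        return "<html><body>Invalid username and password.</body></html>"
    if USERS[username] != password:
        return "<html><body>Invalid password.</body></html>"
    return "<html><body>Welcome, %s</body></html>" % username


def hardened_login(username: str, password: str) -> str:
    """Fixed handler: an unknown user and a wrong password produce the same response.

    A real fix also has to keep the *timing* the same (e.g. verify a dummy hash
    for unknown users); this example only closes the response-size channel.
    """
    if USERS.get(username) != password:
        return "<html><body>Invalid username or password.</body></html>"
    return "<html><body>Welcome, %s</body></html>" % username


def enumerate_users(login, wordlist, password="123456"):
    """Return the usernames whose response size differs from the unknown-user baseline.

    Run 1 (no filter): every entry responds, so record the sizes.
    Run 2 (-fs baseline): drop everything that matches the baseline size.
    """
    baseline = len(login(CANARY, password))
    sizes = {u: len(login(u, password)) for u in wordlist}
    return sorted(u for u, size in sizes.items() if size != baseline)


if __name__ == "__main__":
    print("vulnerable:", enumerate_users(vulnerable_login, WORDLIST))
    print("hardened:  ", enumerate_users(hardened_login, WORDLIST))
```

Against the leaky handler the enumerator returns the two real accounts; against the hardened one it returns nothing, because every failed login has the same size. When a target answers with identical sizes but a different HTTP status or a redirect, swap `len(...)` for those fields, which is what ffuf's `-fc` and `-fl` filters are for.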

Now that we have a valid username:
