TryHackMe : Capture!
This room is about companies that develop web applications and want to prevent hackers from brute-forcing the login page, so a rate limiter is used.
If you are ready, let’s begin together.
Once the machine finishes booting up, you can take a look at the login page.
If you try to input a username and password that you think is possible, you get an error message.
You don’t know anything about this web application.
Let’s use Hydra with the usernames we got from the zip file.
That zip file has usernames.txt and passwords.txt, which are lists of common usernames and passwords.
Here I will move users.txt and passwords.txt to this path
Let’s try to brute force.
sudo hydra -L $USERNAMES_LIST -p test $TARGET_IP http-post-form "/login:username=^USER^&password=^PASS^:does not exist" -I
But even after many tries, you still do not get the desired information.
If we reload the page, this is what you see: the rate limiter they implemented. After a few attempts, we need to solve a simple equation to send more requests.
To do just that, we are going to create a small Python script that uses the requests module to get the webpage, parse it to get and solve the captcha, and then send it back with a login attempt.
You have to use the Python script on GitHub.
It works by making 10 requests, to be sure to get to the rate limiter. Then, it searches the responses for the captcha using a regex, and solves it using the exec function, although using the exec function is really unsafe. After that, it tries another username, and prints it if the response didn’t contain the string “does not exist”.
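The script described above passes text taken from the server's response to exec, so a response that is not a plain equation would run as Python on the tester's machine. As an added example (not the GitHub script's code), the equation can be solved with a strict parser instead; the "<int> <op> <int> = ?" layout, the operator set and the sample HTML strings are assumptions constructed for illustration.

```python
import operator
import re

# Assumed captcha layout (not taken from the room): "<int> <op> <int> = ?".
# Operands are capped at 6 digits; the lookbehind stops a match from
# starting in the middle of a longer number or identifier.
CAPTCHA_RE = re.compile(r"(?<![\w.])(\d{1,6})\s*([+\-*])\s*(\d{1,6})\s*=\s*\?")

# Allow-list of operators. Anything else is rejected rather than guessed.
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}


def solve_captcha(html):
    """Return the integer answer, or None if no well-formed captcha is found.

    Only the three captured groups are ever interpreted, and only as
    integers and an allow-listed operator, so nothing from the response
    body reaches exec/eval.
    """
    match = CAPTCHA_RE.search(html)
    if match is None:
        return None
    left, op, right = match.groups()
    return OPS[op](int(left), int(right))


# Constructed sample responses (not captured from the target).
BENIGN = "<label>Captcha enabled</label> 412 * 37 = ?"
HOSTILE = '<label>Captcha enabled</label> 1 + __import__("os").getcwd() = ?'

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(name, "->", solve_captcha(body))
```

A None result means the page did not contain an equation in the expected form, and the caller should stop and inspect the response instead of evaluating it.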
First, we want to find the username. After downloading “capture_username.py”, you have to configure the target IP and the path where usernames.txt is located.
nano capture_username.py
Run the Python script, and you get a match for a username.
python3 capture_username.py
We want to find username. After downloading “capture_password.py”, you have to configure the target IP, the path where usernames.txt is located, and the username that you got.
Next, run the Python script, and you get a match for a password.
python3 capture_password.py
Last, you have the username and password; enter them to log in.
HAHAHA, finally you got the flag!