
Brute Force

Objective

Your goal is to get the administrator’s password by brute forcing. Bonus points for getting the other four user passwords!

Security Level: Low

[Screenshot 1]

The application presents two input fields for the username and the password.

Let's enter admin as both.

[Screenshot 2]

Let's intercept the request in Burp Suite.

[Screenshot 3]

We can now send this request to Intruder to automate the attack.

[Screenshot 4]

After marking the password parameter as the payload position, we can move on to setting up the substitution payload.

[Screenshot 5]

For the payload type we want a simple list, more specifically the darkweb2017-top100.txt password list from the SecLists collection.

Before we start the attack there is one important thing left to do. In the Options tab we can set a string for Intruder to grep for, so that every response is flagged according to whether it contains that string.

We can set it to the following:

Username and/or password incorrect.

[Screenshot 6]

Let's start the attack.

[Screenshot 7]

We can immediately see that the response for the payload "password" is the only one that does not include the string.

Let's take a closer look at the response.

[Screenshot 8]

We can see that it greets us with a welcome message instead of the error. This means that the password is "password".
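The attack works because the login form accepts an unlimited number of guesses, and the same signal the attacker grepped for (the repeated "Username and/or password incorrect." response from one source) is what a defender can alert on. The following detector is an added example, not part of the original walkthrough or of DVWA; the log format, the welcome text and the IP addresses are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample application log: timestamp, source IP, username, response text.
# Source 203.0.113.5 is a brute-force run ending in a successful login;
# source 198.51.100.7 is a user who mistyped once and then logged in normally.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 admin Username and/or password incorrect.
2024-01-01T10:00:01 203.0.113.5 admin Username and/or password incorrect.
2024-01-01T10:00:02 203.0.113.5 admin Username and/or password incorrect.
2024-01-01T10:00:03 203.0.113.5 admin Username and/or password incorrect.
2024-01-01T10:00:04 203.0.113.5 admin Username and/or password incorrect.
2024-01-01T10:00:05 203.0.113.5 admin Username and/or password incorrect.
2024-01-01T10:00:06 203.0.113.5 admin Welcome to the password protected area admin
2024-01-01T10:03:00 198.51.100.7 gordonb Username and/or password incorrect.
2024-01-01T10:03:30 198.51.100.7 gordonb Welcome to the password protected area gordonb
"""

FAIL_MARKER = "Username and/or password incorrect."  # the string the walkthrough greps for


def parse_line(line):
    """Return (timestamp, source_ip, username, failed) for one constructed log line."""
    ts, ip, user, response = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, user, FAIL_MARKER in response


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed logins per source IP.
    Alerts: (ip, "burst", ts) when `threshold` failures fall inside `window`,
    and (ip, "success-after-burst", ts) when that source then logs in successfully,
    which is the case that most likely means a password was actually guessed."""
    failures = {}   # ip -> deque of failure timestamps still inside the window
    in_burst = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, failed = parse_line(raw)
        q = failures.setdefault(ip, deque())
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if not q:
            in_burst.discard(ip)          # burst state expires with its failures
        if failed:
            q.append(ts)
            if len(q) >= threshold and ip not in in_burst:
                in_burst.add(ip)
                alerts.append((ip, "burst", ts))
        elif ip in in_burst:
            alerts.append((ip, "success-after-burst", ts))
            in_burst.discard(ip)
    return alerts
```

Running `detect_bruteforce(SAMPLE_LOG)` flags the attacking source twice and stays silent on the user with a single typo; the same counter is what a lockout or throttling control would key on.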