Username Enumeration via Different Responses
Lab
Username enumeration via different responses · Apprentice
Solution
Given
This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists:
Candidate usernames
Candidate passwords
To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.
Analyzing the task
We're given wordlists of usernames and passwords, so this is a two-stage brute-force attack: first enumerate the valid username, then guess that user's password. The lab is solved once we log in to the victim's account.
Recon
Login is a POST to /login with a form-encoded body:
POST /login
username=VARIABLE&password=123
Copy the username wordlist into a Burp Intruder attack with the username parameter as the payload position (101 names to test). The server answers every attempt with 200, so status code tells us nothing; instead we sort by response length, and the one entry whose response differs from all the others is our candidate: asterix.
Second step, guessing the password:
username=asterix&password=VARIABLE
Same approach with the password wordlist (100 passwords) as the payload. This time the success signal is the 302 redirect:
HTTP/2 302 Found
Location: /my-account?id=asterix
The redirect to the account page means the password was accepted. Password found: computer.
Lab solved.
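As an added example (my own code, not part of the lab or this writeup), here is a minimal Python model of the login handler behind this lab. The vulnerable version returns two different failure messages, which is exactly the response-length oracle the Intruder attack above sorts on; the hardened version returns one identical response and does the same hashing work on both failure paths, so neither length nor timing distinguishes an unknown user from a wrong password. The user store, PBKDF2 hashing and the dummy hash are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed user store holding the lab's credential pair as a salted PBKDF2 hash.
_SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"asterix": _hash("computer")}
# Hash of a throwaway password, verified whenever the username is unknown so
# the unknown-user path costs the same as the wrong-password path (assumption).
_DUMMY_HASH = _hash("not-a-real-password")


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Lab-style handler: two distinct failure messages leak which field was wrong."""
    stored = USERS.get(username)
    if stored is None:
        return 200, "Invalid username"          # shorter body: username does not exist
    if not hmac.compare_digest(stored, _hash(password)):
        return 200, "Incorrect password"        # longer body: username confirmed
    return 302, f"/my-account?id={username}"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same message, same body length and same work on both failure paths."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    if not ok:
        return 200, "Invalid username or password"
    return 302, f"/my-account?id={username}"


def enumeration_oracle(handler) -> bool:
    """True if status code or body length tells an unknown user apart from a
    wrong password, i.e. the signal the Intruder attack in this lab relies on."""
    unknown = handler("nobody", "x")
    wrong_pw = handler("asterix", "x")
    return (unknown[0], len(unknown[1])) != (wrong_pw[0], len(wrong_pw[1]))


if __name__ == "__main__":
    print("vulnerable leaks username:", enumeration_oracle(login_vulnerable))  # True
    print("hardened leaks username:", enumeration_oracle(login_hardened))      # False
```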