Username Enumeration via Subtly Different Responses
Lab
Username enumeration via subtly different responses · Apprentice
Solution
Given
This lab is subtly vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists:
Candidate usernames
Candidate passwords
To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.
Analyzing the task
We need to set up a brute-force attack using the username and password wordlists.
Recon
Let's look at how the login request is built and how a brute-force can be set up against it:
POST /login
username=xxx&password=123
Okay, send the request to Intruder and load the lab's username list as the payload. Sorting the results by response length, the responses start at 3443 bytes and fall into about 5–6 distinct size groups. oracle catches my eye at 3443 bytes, so I'll test it first. For convenience, here is one username from each group with its response length:
oracle - 3443
af - 3444
admin - 3445
ad - 3446
auto - 3447
root - 3460
test - 3461
guest - 3462
info - 3463
as - 3462
ajax - 3463
au - 3464
A successful login should return a 302 redirect. Running the password list against oracle: every response is a 200. Running it against af: success. Password: af.
Lab solved.
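To show where the response-size signal used above comes from, here is an added example (not PortSwigger's lab code): a login handler whose two failure branches differ by a single byte, beside a hardened one that returns one constant for every failure, plus the regression check that flags the leak. The user store, credentials and messages are constructed placeholders.

```python
import hmac
from dataclasses import dataclass

# Constructed user store with placeholder credentials (not the lab's).
USERS = {"af": "correct-horse"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def login_vulnerable(username: str, password: str) -> Response:
    """Two separate failure branches whose messages differ by one trailing
    space, so a failed login for an existing user is one byte longer."""
    if username not in USERS:
        return Response(200, "Invalid username or password.")
    if USERS[username] != password:
        return Response(200, "Invalid username or password. ")  # extra byte
    return Response(302, "")


GENERIC_FAILURE = Response(200, "Invalid username or password.")


def login_hardened(username: str, password: str) -> Response:
    """One failure path: the same constant is returned whether the username
    is unknown or the password is wrong, so response size carries no signal.
    The comparison runs on every request (against "" for unknown users) so
    both failure cases take the same code path."""
    stored = USERS.get(username, "")
    if hmac.compare_digest(password, stored) and bool(stored):
        return Response(302, "")
    return GENERIC_FAILURE


def failure_lengths(handler, usernames, password="wrong"):
    """Failed-login body length per username: the quantity the writeup reads
    off Intruder's response-length column."""
    return {u: len(handler(u, password).body) for u in usernames}


def leaks_username(handler, usernames) -> bool:
    """Regression check: failed logins must be byte-identical across usernames."""
    seen = {(r.status, r.body) for r in (handler(u, "wrong") for u in usernames)}
    return len(seen) > 1


if __name__ == "__main__":
    names = ["oracle", "af", "admin"]
    for h in (login_vulnerable, login_hardened):
        print(h.__name__, failure_lengths(h, names), leaks_username(h, names))
```

Run `leaks_username` against a login handler in a test suite; any difference in status or body between failure cases is the same signal Intruder's length column exposes.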