From 452ba0102dcc2674fa1323143c4849c628c7603d Mon Sep 17 00:00:00 2001 From: dusoleil Date: Thu, 5 Aug 2021 02:19:42 -0400 Subject: Dusoleil's Writeups from Metasploit Community CTF 2020 Signed-off-by: dusoleil --- .../Metasploit_Community_CTF_2020/login_timing.txt | 26 ++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/login_timing.txt (limited to 'docs/writeups/Metasploit_Community_CTF_2020/login_timing.txt') diff --git a/docs/writeups/Metasploit_Community_CTF_2020/login_timing.txt b/docs/writeups/Metasploit_Community_CTF_2020/login_timing.txt new file mode 100644 index 0000000..29ae962 --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/login_timing.txt @@ -0,0 +1,26 @@ +PORT 8080 + +This challenge presents us with a simple login page and says that there is one other user. If we can figure out the username of this other user, we can input it into a different form to check if we're right. + +The page says to use your observational skills. +When logging in, if we use the username "guest" that we are given, the page takes a bit to load. If we give anything else, it immediately tells us it failed. + +I pulled a public wordlist of common usernames, cleaned the list up of special characters, and wrote a simple bash script to iterate over it and try to login using curl. I kept the log of this loop and ran a grep over it for any requests that took more than basically instant. + +Two results were found: guest and demo. + +Inputting demo into the other form gives us a success message and a link to the card. + +``` +#!/bin/bash +while IFS= read -r line; do + echo "Trying $line..." + curl target:8080/login.php --data "username=$line&password=" 1>/dev/null; +done < usernames-fixed.txt +``` + +``` +#!/bin/bash +grep '0:0' -B3 werdz.txt + +``` -- cgit v1.2.3
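Review bot: the second script greps `werdz.txt`, but nothing in the first script produces that file: stdout is sent to `/dev/null` and stderr (where curl's progress meter, the source of the `0:0` timing field, is written) is not redirected, so a reader cannot reproduce the "kept the log of this loop" step from the hunk as written. Please document how the log was captured (for example `2>&1 | tee werdz.txt` on the curl line) and what the `'0:0'` pattern matches, or better, record timing explicitly with `curl -s -o /dev/null -w '%{time_total}\n'` so the grep does not depend on the progress-meter format and sub-second differences are still visible. Two smaller points in the same hunk: `--data "username=$line&password="` interpolates the wordlist entry unencoded (hence the need to hand-clean special characters), and `--data-urlencode "username=$line"` would avoid that; and the second code block carries a stray trailing blank line before its closing fence.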