This article demonstrates how to bypass a login form on a vulnerable web application using Python scripting to automate brute-force attacks with captcha solving. It highlights the process of extracting credentials, handling captchas, and exploiting the applicationβs rate limiting defenses. #TryHackMe #WebApplicationVulnerabilities
Keypoints
- The target is a web application with a custom rate limiter designed to prevent brute-force attacks.
- The login page uses a CAPTCHA challenge to verify legitimate users during login attempts.
- A Python script is developed to automate enumeration of usernames and passwords while handling CAPTCHA challenges.
- The script captures requests and responses via BurpSuite, extracting captcha solutions with regex and eval().
- Successful credential discovery allows access to protected data, such as the flag.txt file, demonstrating exploitation of the login flaw.