Writeup: Broken brute-force protection, IP block

Lab link.

We need to find the password for the user carlos. We know there is a logic flaw, so let's make a few incorrect login attempts and try to understand how the protection behaves.

After 3 failed login attempts, the system displays the error "You have made too many incorrect login attempts. Please try again in 1 minute(s)." Let's see whether a correct login attempt clears this lockout.

After a successful login, as we expected, our failure counter is reset to zero and we get another 3 attempts. This means that in our Intruder attack we need 1 successful login for every 3 attempts.

We need to prepare our username and password lists accordingly. You can write a script to generate these lists, or if you are familiar with the Sublime Text editor like me, you can build the lists in the editor.

In Intruder we choose the Pitchfork attack type because the username and password lists must be paired one-to-one. If we run the attack as-is, it fails.

The attack fails because Intruder sends 10 concurrent requests by default, not 1, so the successful login does not reliably land between every pair of guesses. We fix this under Intruder > Resource pool by creating a new resource pool with the maximum concurrent requests set to 1.
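To show why the reset is the bug, here is a toy model of the lab's per-IP lockout (an added example, not the lab's code or the author's), with the flawed "reset on any successful login" behaviour beside a hardened variant whose counter only expires with time. The credentials, client IP and wordlist are constructed; requests are sent one at a time, as the resource pool fix above requires.

```python
from dataclasses import dataclass, field

# Constructed credential store: "wiener" is the account we control, "carlos" is
# the target. These values are assumptions, not the lab's real passwords.
USERS = {"wiener": "peter", "carlos": "hunter2"}
MAX_FAILURES = 3          # lockout after 3 failed attempts, as the lab reports
LOCKOUT_SECONDS = 60      # "try again in 1 minute(s)"
# Constructed wordlist; the target password sits at index 6.
CANDIDATES = ["123456", "password", "qwerty", "letmein",
              "welcome", "monkey", "hunter2", "dragon"]


@dataclass
class Throttle:
    """Per-IP lockout. reset_on_success=True reproduces the lab's flaw."""
    reset_on_success: bool
    failures: dict = field(default_factory=dict)      # ip -> failed attempts
    locked_until: dict = field(default_factory=dict)  # ip -> unlock time

    def login(self, ip, user, pw, now):
        if self.locked_until.get(ip, 0) > now:
            return "locked"
        if USERS.get(user) == pw:
            if self.reset_on_success:
                # Flaw: a valid login for ANY account clears the IP's counter.
                self.failures.pop(ip, None)
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            self.failures.pop(ip, None)
        return "fail"


def simulate(throttle, candidates, ip="203.0.113.5"):
    """Replay the writeup's pattern from one IP: two guesses for carlos, then
    one valid wiener login, one request per second (no concurrency).
    Returns (password found or None, number of guesses actually evaluated)."""
    evaluated = 0
    for now, pw in enumerate(candidates):
        if now and now % 2 == 0:
            throttle.login(ip, "wiener", "peter", now)  # the counter reset
        result = throttle.login(ip, "carlos", pw, now)
        if result == "fail":
            evaluated += 1
        elif result == "ok":
            return pw, evaluated + 1
    return None, evaluated
```

With the flawed throttle every candidate is evaluated and the password is found; the hardened throttle locks the IP after the third failure, and the interleaved valid login no longer helps.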

We found the password 🤩
