Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

Lernaean [by Arrexel]
Our target is not very good with computers. Try and guess their password to see if they may be hiding anything!

The challenge

We visit the webpage and notice there’s a login form and some hints about bruteforcing.

Lernaean - Login form

We use wfuzz to bruteforce the login form.
By passing a ‘known-incorrect’ value and the --hw=BBB parameters, we can automatically filter out incorrect attempts, giving us much cleaner results.

$ wfuzz -c -v -z file,/usr/share/wordlists/dirb/big.txt --hw=BBB -d password=FUZZ{test}

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

* Wfuzz 2.4 - The Web Fuzzer                           *

Total requests: 20470

ID           C.Time       Response   Lines    Word     Chars       Server                           Redirect                         Payload                          

000000002:   0.093s       200        17 L     38 W     474 Ch      Apache/2.4.18 (Ubuntu)                                            "test"                           
000010743:   0.037s       200        19 L     44 W     618 Ch      Apache/2.4.18 (Ubuntu)                                            "leonardo"                       

Total time: 81.72543
Processed Requests: 20470
Filtered Requests: 20468
Requests/sec.: 250.4728

We now login using leonardo as a password.

We are redirected to and are greeted with a rather bullyish message.

Lernaean - Too slow

The flag

Capturing the browser request using a proxy, or even simply using the browser’s Developer Tools, will allow us to view the browser response to the login action and reveals the flag.
Make sure you check ‘Persist logs’.

Lernaean - Flag

Et voilà :)