1
00:00:00,330 --> 00:00:01,320
Instructor: Hi.

2
00:00:01,320 --> 00:00:02,430
Within this lecture,

3
00:00:02,430 --> 00:00:05,790
we're gonna solve the second challenge in our API.

4
00:00:05,790 --> 00:00:09,150
So I'm gonna close down all these tabs, okay?

5
00:00:09,150 --> 00:00:12,060
So far, we have solved only the first one.

6
00:00:12,060 --> 00:00:14,760
Now, we are down to the second one.

7
00:00:14,760 --> 00:00:18,840
So in the second one, we have a new challenge

8
00:00:18,840 --> 00:00:21,900
called broken authentication

9
00:00:21,900 --> 00:00:25,200
and we have two endpoints over here.

10
00:00:25,200 --> 00:00:30,200
One of them is POST, so we are logging in, I believe,

11
00:00:30,300 --> 00:00:33,690
and it will ask us for an email and password,

12
00:00:33,690 --> 00:00:38,310
and then we can GET something which is the user details.

13
00:00:38,310 --> 00:00:40,170
So when we GET something,

14
00:00:40,170 --> 00:00:42,630
we need to give an authorization token,

15
00:00:42,630 --> 00:00:47,630
and we get that authorization token by simply logging in.

16
00:00:47,850 --> 00:00:50,370
So let's see the challenge over here

17
00:00:50,370 --> 00:00:54,720
because there is no additional information over there.

18
00:00:54,720 --> 00:00:56,640
So I'm gonna go into the Postman

19
00:00:56,640 --> 00:01:00,300
and just go to the user login, okay?

20
00:01:00,300 --> 00:01:03,390
So right now, I'm inside of my Postman.

21
00:01:03,390 --> 00:01:06,810
Of course, I'm using the same old collection

22
00:01:06,810 --> 00:01:09,540
that we have been using so far.

23
00:01:09,540 --> 00:01:12,570
And if we click on the user login,

24
00:01:12,570 --> 00:01:15,180
then we can see the headers,

25
00:01:15,180 --> 00:01:19,020
and I believe we don't need to change any headers right now.
26
00:01:19,020 --> 00:01:23,370
And for the body, it'll ask for an email and password

27
00:01:23,370 --> 00:01:26,370
and there is a test as well once we log in,

28
00:01:26,370 --> 00:01:30,777
again, it'll give us some kind of authentication token

29
00:01:30,777 --> 00:01:35,777
and it will save that token inside of the GET request, okay?

30
00:01:36,090 --> 00:01:37,530
It is not saved right now.

31
00:01:37,530 --> 00:01:40,860
It says unresolved variable, as we expect.

32
00:01:40,860 --> 00:01:43,290
And there is no body in the GET request,

33
00:01:43,290 --> 00:01:47,220
so if we can log in, then we can get the details,

34
00:01:47,220 --> 00:01:50,220
if we can get the user details.

35
00:01:50,220 --> 00:01:51,783
Okay, that's simple.

36
00:01:52,620 --> 00:01:55,020
So let's look for hints.

37
00:01:55,020 --> 00:01:58,950
It says that we don't have to see the credentials for this.

38
00:01:58,950 --> 00:02:00,720
How do we log in?

39
00:02:00,720 --> 00:02:02,370
Yeah, that's a good question.

40
00:02:02,370 --> 00:02:05,400
So there is something in the resources folder.

41
00:02:05,400 --> 00:02:09,660
Okay, so we have another supportive instrument over here.

42
00:02:09,660 --> 00:02:13,710
I'm gonna go into the resources folder and here you go.

43
00:02:13,710 --> 00:02:18,710
In the API2, we have something called creds.csv.

44
00:02:18,780 --> 00:02:22,020
So this is credentials, I believe.

45
00:02:22,020 --> 00:02:25,080
So let me open it and see what it is.

46
00:02:25,080 --> 00:02:29,850
Okay, so if you have Excel on your computer, then it's great.

47
00:02:29,850 --> 00:02:33,990
And open it and just see what's inside of it.

48
00:02:33,990 --> 00:02:35,370
So here you go.

49
00:02:35,370 --> 00:02:38,160
As you can see, we have some kind of email

50
00:02:38,160 --> 00:02:40,920
and password combinations over here.
51
00:02:40,920 --> 00:02:42,873
So Brown Grimes,

52
00:02:43,800 --> 00:02:48,800
and it goes up to 1,000 users and passwords.

53
00:02:49,530 --> 00:02:52,650
So okay, we're gonna try them,

54
00:02:52,650 --> 00:02:54,585
but I believe the scenario over here

55
00:02:54,585 --> 00:02:57,900
is that there is a leak like that.

56
00:02:57,900 --> 00:03:01,770
So we are just trying to log in with any of these.

57
00:03:01,770 --> 00:03:04,650
So I grabbed the first one,

58
00:03:04,650 --> 00:03:07,140
I just pasted the email from here,

59
00:03:07,140 --> 00:03:10,680
and I'm gonna go and get the password as well.

60
00:03:10,680 --> 00:03:14,070
So let's get the password for this Brown.

61
00:03:14,070 --> 00:03:17,970
So I'm gonna copy this, get back to the Postman,

62
00:03:17,970 --> 00:03:19,830
and just paste the password.

63
00:03:19,830 --> 00:03:22,770
I'm gonna send this request and see what happens.

64
00:03:22,770 --> 00:03:23,603
Here you go.

65
00:03:23,603 --> 00:03:25,530
We are not successful.

66
00:03:25,530 --> 00:03:27,330
For the success, we get a false.

67
00:03:27,330 --> 00:03:32,330
And because of this, username or password incorrect.

68
00:03:32,430 --> 00:03:35,250
Okay, so what we need to do,

69
00:03:35,250 --> 00:03:40,230
we need to try 1,000 users and passwords, obviously.

70
00:03:40,230 --> 00:03:41,063
Okay?

71
00:03:41,063 --> 00:03:43,770
So one of them should be working

72
00:03:43,770 --> 00:03:47,730
and the scenario over here is that we found a data leak

73
00:03:47,730 --> 00:03:49,500
on the internet, on the dark web,

74
00:03:49,500 --> 00:03:53,390
on some forums, and we are trying to see

75
00:03:53,390 --> 00:03:55,260
if we can log into the system

76
00:03:55,260 --> 00:03:58,560
with one of those credentials, right?

77
00:03:58,560 --> 00:04:01,290
Of course, we can try one-by-one,

78
00:04:01,290 --> 00:04:03,510
but it will take a lot of time.
79
00:04:03,510 --> 00:04:06,390
So we need to find a way to brute force.

80
00:04:06,390 --> 00:04:09,273
We need to find a way to try them automatically.

81
00:04:10,950 --> 00:04:13,440
There isn't any way to do that with the Postman

82
00:04:13,440 --> 00:04:16,530
because this is not a penetration testing tool,

83
00:04:16,530 --> 00:04:20,760
but of course there is a way to do this with Burp Suite.

84
00:04:20,760 --> 00:04:23,670
So we need to find a way to connect Postman

85
00:04:23,670 --> 00:04:26,370
with the Burp Suite, okay?

86
00:04:26,370 --> 00:04:28,820
So all you need to do is just open the Burp Suite

87
00:04:29,790 --> 00:04:34,790
and make sure you have this proxy that we have given

88
00:04:35,370 --> 00:04:38,760
before, 127.0.0.1, port 8080,

89
00:04:38,760 --> 00:04:41,670
and we're gonna give the exact same number,

90
00:04:41,670 --> 00:04:44,520
exact same proxy to the Postman.

91
00:04:44,520 --> 00:04:46,050
In order to do that

92
00:04:46,050 --> 00:04:50,610
we need to find the proxy settings of the Postman.

93
00:04:50,610 --> 00:04:54,540
So over here we have the capture requests and cookies.

94
00:04:54,540 --> 00:04:58,320
That is not what we are looking for, I believe.

95
00:04:58,320 --> 00:05:00,690
Let me see, what was this?

96
00:05:00,690 --> 00:05:01,523
Yeah, here we go.

97
00:05:01,523 --> 00:05:04,260
This is to capture the request in the Postman.

98
00:05:04,260 --> 00:05:05,820
This is not what we are looking for.

99
00:05:05,820 --> 00:05:09,300
We need to capture the request in Burp Suite.

100
00:05:09,300 --> 00:05:10,800
We are in Postman.

101
00:05:10,800 --> 00:05:12,930
So I'm gonna go to the settings

102
00:05:12,930 --> 00:05:16,575
and I'm going to just open the settings and let's see,

103
00:05:16,575 --> 00:05:20,190
yeah, here we go, we have the proxy tab over here.
104
00:05:20,190 --> 00:05:22,110
So inside of the proxy tab

105
00:05:22,110 --> 00:05:26,280
you can find this, add a custom proxy configuration,

106
00:05:26,280 --> 00:05:29,910
and make sure you choose HTTP and HTTPS as well.

107
00:05:29,910 --> 00:05:33,470
So for the proxy server, I'm gonna give 127.0.0.1.

108
00:05:33,470 --> 00:05:37,470
And for the port, make sure you give the exact same port

109
00:05:37,470 --> 00:05:40,350
you have given inside of the Burp Suite.

110
00:05:40,350 --> 00:05:42,390
So remember this was the credential

111
00:05:42,390 --> 00:05:46,530
that we have given, localhost and port 8080.

112
00:05:46,530 --> 00:05:49,008
So if this was a browser here

113
00:05:49,008 --> 00:05:51,420
then we would just open the FoxyProxy

114
00:05:51,420 --> 00:05:53,670
or just change the proxy settings.

115
00:05:53,670 --> 00:05:56,850
This is exactly what we are doing over here, right?

116
00:05:56,850 --> 00:06:00,660
So we are giving the same proxy to the Postman

117
00:06:00,660 --> 00:06:02,490
and the Burp Suite as well.

118
00:06:02,490 --> 00:06:03,480
So let's try it.

119
00:06:03,480 --> 00:06:06,780
I'm just gonna come over here and turn the intercept on.

120
00:06:06,780 --> 00:06:07,613
Let's see.

121
00:06:07,613 --> 00:06:10,020
The options are the same, as you can see.

122
00:06:10,020 --> 00:06:11,910
Now intercept is on,

123
00:06:11,910 --> 00:06:15,180
now I'm going to try to send this one more time

124
00:06:15,180 --> 00:06:16,013
and here you go.

125
00:06:16,013 --> 00:06:17,700
It's not going through

126
00:06:17,700 --> 00:06:20,340
because we captured it in the Burp Suite.

127
00:06:20,340 --> 00:06:21,173
Here we go.

128
00:06:21,173 --> 00:06:22,500
That's great.

129
00:06:22,500 --> 00:06:25,710
Now we have the request over here.
130
00:06:25,710 --> 00:06:28,740
Now let me try to find the font settings

131
00:06:28,740 --> 00:06:32,250
of the Burp Suite because it's a little bit small right now,

132
00:06:32,250 --> 00:06:35,490
so I believe it's inside of the preferences

133
00:06:35,490 --> 00:06:37,530
or maybe we can come over here

134
00:06:37,530 --> 00:06:40,560
to user options and display.

135
00:06:40,560 --> 00:06:41,880
Yeah, here you go.

136
00:06:41,880 --> 00:06:45,150
Of course, you can do that if you want,

137
00:06:45,150 --> 00:06:48,000
but if you don't want, you can just leave it on.

138
00:06:48,000 --> 00:06:51,390
So I'm going to change this to be 16,

139
00:06:51,390 --> 00:06:55,050
and yeah, I believe that's not the thing

140
00:06:55,050 --> 00:06:57,540
that we are looking for because it's not bigger right now.

141
00:06:57,540 --> 00:07:00,270
So I'm gonna go back and yeah, here you go.

142
00:07:00,270 --> 00:07:02,100
This is the one that I'm looking for.

143
00:07:02,100 --> 00:07:06,330
I'm going to make this something like 17 or 18.

144
00:07:06,330 --> 00:07:09,840
Let's go back and change this to 15,

145
00:07:09,840 --> 00:07:12,690
and yeah, here you go, now it's much better.

146
00:07:12,690 --> 00:07:14,430
As you can see, this is the request

147
00:07:14,430 --> 00:07:15,900
that we are trying to send.

148
00:07:15,900 --> 00:07:19,110
If I look over here, I can see the POST.

149
00:07:19,110 --> 00:07:22,650
So it's going to log in and if I forward this,

150
00:07:22,650 --> 00:07:25,440
this will just go through, but I don't want that.

151
00:07:25,440 --> 00:07:28,410
What I wanna do is to change this email

152
00:07:28,410 --> 00:07:30,450
and password repeatedly

153
00:07:30,450 --> 00:07:34,770
so that I can try to see which credential works.

154
00:07:34,770 --> 00:07:37,740
So for right now I have this packet.
155
00:07:37,740 --> 00:07:41,160
If I forward this packet by clicking on this left button

156
00:07:41,160 --> 00:07:43,680
on the top side, okay, this one,

157
00:07:43,680 --> 00:07:46,470
it'll just forward this to the server.

158
00:07:46,470 --> 00:07:49,320
If I drop this, it won't get to the server.

159
00:07:49,320 --> 00:07:53,040
If I turn the intercept off, it will just go to the server.

160
00:07:53,040 --> 00:07:56,220
But I don't wanna do that, I want to change this email.

161
00:07:56,220 --> 00:07:57,840
How do I do that?

162
00:07:57,840 --> 00:08:01,121
I can right click and just send this to the Intruder

163
00:08:01,121 --> 00:08:02,790
or Repeater.

164
00:08:02,790 --> 00:08:05,160
For right now, I'm just gonna go to the Repeater

165
00:08:05,160 --> 00:08:07,320
because I want to show you something.

166
00:08:07,320 --> 00:08:10,440
I can come to the Repeater and just send this request

167
00:08:10,440 --> 00:08:14,070
as many times as I want and I can change the email and password

168
00:08:14,070 --> 00:08:15,185
from here, okay?

169
00:08:15,185 --> 00:08:19,470
As you can see, this is still in the proxy section,

170
00:08:19,470 --> 00:08:23,610
but in the Repeater, I can just try this one-by-one

171
00:08:23,610 --> 00:08:26,310
by changing the email and password.

172
00:08:26,310 --> 00:08:30,390
And if I get the success response then it's okay,

173
00:08:30,390 --> 00:08:33,270
but of course that is not what I wanna do, right?

174
00:08:33,270 --> 00:08:36,690
So if I copy this and paste this over here, let me show you,

175
00:08:36,690 --> 00:08:38,190
this actually works.

176
00:08:38,190 --> 00:08:40,470
I'm just gonna copy the password as well.

177
00:08:40,470 --> 00:08:43,410
Paste this over here and send this request.

178
00:08:43,410 --> 00:08:44,340
And here you go.

179
00:08:44,340 --> 00:08:46,860
Again, we get the false as a success.

180
00:08:46,860 --> 00:08:48,990
So it's not successful.
181
00:08:48,990 --> 00:08:52,470
So this is a way, but of course it doesn't make sense

182
00:08:52,470 --> 00:08:57,270
because it will just take as much time as we would have

183
00:08:57,270 --> 00:08:59,760
by just changing the email and password

184
00:08:59,760 --> 00:09:02,370
in the original request, right?

185
00:09:02,370 --> 00:09:05,370
So there is another module inside of the Burp Suite

186
00:09:05,370 --> 00:09:06,600
called Intruder.

187
00:09:06,600 --> 00:09:10,380
If I send this to the Intruder by right clicking,

188
00:09:10,380 --> 00:09:13,200
now I can actually brute force.

189
00:09:13,200 --> 00:09:17,040
So the first thing on the Intruder is the target.

190
00:09:17,040 --> 00:09:21,180
So host and port should be correct by default.

191
00:09:21,180 --> 00:09:22,013
Okay?

192
00:09:22,013 --> 00:09:26,130
This is the IP address and this is the port, the HTTP port.

193
00:09:26,130 --> 00:09:29,220
What we are interested in is the positions.

194
00:09:29,220 --> 00:09:30,630
So if you go to positions,

195
00:09:30,630 --> 00:09:34,440
as you can see, email and password are highlighted.

196
00:09:34,440 --> 00:09:36,060
So Burp Suite understood

197
00:09:36,060 --> 00:09:40,050
that we are going to brute force this email and password.

198
00:09:40,050 --> 00:09:42,330
If we want to change the parameters

199
00:09:42,330 --> 00:09:44,130
that we are going to be brute forcing,

200
00:09:44,130 --> 00:09:45,240
of course, we can do that.

201
00:09:45,240 --> 00:09:48,028
We can just come over here and say, clear.

202
00:09:48,028 --> 00:09:51,120
It will clear all the selections

203
00:09:51,120 --> 00:09:55,590
and then we can add some new parameters again.

204
00:09:55,590 --> 00:09:57,930
Okay, that is a possibility.

205
00:09:57,930 --> 00:10:02,370
But in this case, email and password are highlighted for me.

206
00:10:02,370 --> 00:10:06,150
So it means that we are good to go.
207
00:10:06,150 --> 00:10:07,440
What we are going to do,

208
00:10:07,440 --> 00:10:11,970
we are going to give some values to replace the email

209
00:10:11,970 --> 00:10:14,250
and password automatically.

210
00:10:14,250 --> 00:10:18,120
In order to do that, I'm going to change the attack type.

211
00:10:18,120 --> 00:10:19,994
So far we have Sniper over here,

212
00:10:19,994 --> 00:10:24,994
and Sniper is good for one parameter only, okay?

213
00:10:25,800 --> 00:10:30,180
Pitchfork is actually good for two parameters

214
00:10:30,180 --> 00:10:33,510
so that we can change the email and the password.

215
00:10:33,510 --> 00:10:36,480
And there are some other options like Battering ram,

216
00:10:36,480 --> 00:10:38,730
we are gonna see them later on.

217
00:10:38,730 --> 00:10:41,160
Right now I have chosen Pitchfork

218
00:10:41,160 --> 00:10:43,800
and in the payload section

219
00:10:43,800 --> 00:10:48,150
we are going to give the values that we want to try.

220
00:10:48,150 --> 00:10:50,370
As you can see, in the payload options

221
00:10:50,370 --> 00:10:55,370
it asks for a list and we can just copy and paste the list

222
00:10:55,470 --> 00:10:59,100
or we can just insert them one-by-one.

223
00:10:59,100 --> 00:11:00,870
Whatever you wanna do.

224
00:11:00,870 --> 00:11:04,140
However, of course we are just gonna copy and paste them.

225
00:11:04,140 --> 00:11:08,010
So let me try to delete the hyperlink from here.

226
00:11:08,010 --> 00:11:09,240
Yep, here you go.

227
00:11:09,240 --> 00:11:12,870
Right now, as you can see, we have the username and password

228
00:11:12,870 --> 00:11:14,490
in the same section,

229
00:11:14,490 --> 00:11:18,570
but over here we have to give the first and second list

230
00:11:18,570 --> 00:11:22,050
one-by-one because we are going to be using the first list

231
00:11:22,050 --> 00:11:24,840
for the email and the second list for the password.
232
00:11:24,840 --> 00:11:28,230
We can just select the first list and second list from here.

233
00:11:28,230 --> 00:11:31,110
For the first list, we are gonna copy and paste the emails.

234
00:11:31,110 --> 00:11:32,280
And for the second list

235
00:11:32,280 --> 00:11:35,283
we are just gonna copy and paste the passwords.

236
00:11:36,390 --> 00:11:41,390
So I'm going to be using something called Text to Columns.

237
00:11:42,720 --> 00:11:46,680
So go to the Data tab and use Text to Columns.

238
00:11:46,680 --> 00:11:49,620
So maybe you know how to use Excel, maybe not.

239
00:11:49,620 --> 00:11:52,920
I'm just gonna go for delimited and choose the comma.

240
00:11:52,920 --> 00:11:57,423
So what it does is that it actually finds everything split

241
00:11:58,380 --> 00:12:02,130
with a comma and just splits it into two columns, okay?

242
00:12:02,130 --> 00:12:04,050
Everything separated with a comma,

243
00:12:04,050 --> 00:12:05,970
and it splits it into two columns.

244
00:12:05,970 --> 00:12:08,580
Right now I have one column as usernames

245
00:12:08,580 --> 00:12:10,290
and the other column for passwords.

246
00:12:10,290 --> 00:12:12,810
So I can just paste the usernames over here

247
00:12:12,810 --> 00:12:14,610
and choose the second list,

248
00:12:14,610 --> 00:12:19,610
and just select column A and paste the passwords here.

249
00:12:20,730 --> 00:12:24,480
As you see, right now I have the first list

250
00:12:24,480 --> 00:12:26,610
and the second list as well.

251
00:12:26,610 --> 00:12:29,340
So we have chosen the Pitchfork,

252
00:12:29,340 --> 00:12:33,210
what Pitchfork will do is to choose the first list

253
00:12:33,210 --> 00:12:34,710
for the first parameter

254
00:12:34,710 --> 00:12:37,140
and the second list for the second parameter.

255
00:12:37,140 --> 00:12:40,380
As we start the attack, you can see it's working.
256
00:12:40,380 --> 00:12:43,680
So for the first payload, we can see emails coming in,

257
00:12:43,680 --> 00:12:47,250
for the second payload, we can see the passwords coming in.

258
00:12:47,250 --> 00:12:48,663
That is very good.

259
00:12:49,710 --> 00:12:53,761
But right now we are gonna have to wait a little bit

260
00:12:53,761 --> 00:12:56,730
because we are using the Community Edition

261
00:12:56,730 --> 00:12:59,370
which is the free version of the Burp Suite.

262
00:12:59,370 --> 00:13:03,210
And in the free version it actually throttles us.

263
00:13:03,210 --> 00:13:07,320
It actually slows things down, okay?

264
00:13:07,320 --> 00:13:10,770
So if you pay for it, then it's going to be very fast,

265
00:13:10,770 --> 00:13:14,310
but if you don't pay for it, you're gonna have to wait,

266
00:13:14,310 --> 00:13:18,990
and it can take like an hour or maybe two hours.

267
00:13:18,990 --> 00:13:20,010
I don't know.

268
00:13:20,010 --> 00:13:23,700
It's going to take a lot of time, trust me.

269
00:13:23,700 --> 00:13:27,330
So as you can see, if you click on any of these trials

270
00:13:27,330 --> 00:13:30,510
you can see the response from here, okay?

271
00:13:30,510 --> 00:13:32,610
And also you can see the status numbers,

272
00:13:32,610 --> 00:13:34,740
which is 401 right now;

273
00:13:34,740 --> 00:13:38,850
if you get something like 200, then it's okay.

274
00:13:38,850 --> 00:13:41,100
200 means that everything is okay.

275
00:13:41,100 --> 00:13:43,110
If we get 500, for example,

276
00:13:43,110 --> 00:13:46,080
it's called internal server error.

277
00:13:46,080 --> 00:13:49,410
If we get a 404, it means that it couldn't find

278
00:13:49,410 --> 00:13:51,570
the thing that we are looking for.

279
00:13:51,570 --> 00:13:53,490
Right now we're getting the response,

280
00:13:53,490 --> 00:13:56,190
but it's not a success, okay?
281
00:13:56,190 --> 00:13:58,620
So we can filter this status out,

282
00:13:58,620 --> 00:14:00,990
once it's done, obviously,

283
00:14:00,990 --> 00:14:03,690
and we can just select the 200

284
00:14:03,690 --> 00:14:06,750
and see the working credentials.

285
00:14:06,750 --> 00:14:09,300
In order to do that, I'm gonna pause the video

286
00:14:09,300 --> 00:14:12,180
and once it's done, or once I see the 200,

287
00:14:12,180 --> 00:14:16,260
I will come back and I will actually show you the result.

288
00:14:16,260 --> 00:14:17,613
Don't worry about it.

289
00:14:18,900 --> 00:14:20,850
So here you go.

290
00:14:20,850 --> 00:14:22,290
Now it's done for me.

291
00:14:22,290 --> 00:14:26,730
Obviously I have paused the video and now I'm resuming it.

292
00:14:26,730 --> 00:14:31,730
I found that in the 455th trial, okay?

293
00:14:32,460 --> 00:14:34,920
Since we are using the same credentials

294
00:14:34,920 --> 00:14:37,830
it's going to be the same for you, I believe.

295
00:14:37,830 --> 00:14:41,550
But if you just order this by status

296
00:14:41,550 --> 00:14:44,310
you can see this status is 200

297
00:14:44,310 --> 00:14:47,160
and if you double click on it, you can see the request.

298
00:14:47,160 --> 00:14:48,840
So this is Savanna.

299
00:14:48,840 --> 00:14:52,500
The Savanna user is the thing that we are looking for

300
00:14:52,500 --> 00:14:56,460
and we can see the success and also the token as well.

301
00:14:56,460 --> 00:15:00,540
So what we need to do, we need to first store this, okay?

302
00:15:00,540 --> 00:15:04,560
So I'm going to send this to Repeater by right clicking it.

303
00:15:04,560 --> 00:15:08,790
So I'm going to go back to the Intruder

304
00:15:08,790 --> 00:15:11,700
and I'm just going to stop this, okay?

305
00:15:11,700 --> 00:15:12,750
If you click on this,

306
00:15:12,750 --> 00:15:15,510
it will ask if you want to continue in the background.
307
00:15:15,510 --> 00:15:18,870
I'm just gonna discard it because I don't wanna continue.

308
00:15:18,870 --> 00:15:21,060
I already found what I'm looking for.

309
00:15:21,060 --> 00:15:24,330
So I'm gonna open the Burp Suite one more time.

310
00:15:24,330 --> 00:15:26,160
Go to Repeater.

311
00:15:26,160 --> 00:15:28,560
By the way, before going into the Repeater,

312
00:15:28,560 --> 00:15:31,590
you may want to uncheck this "URL-encode

313
00:15:31,590 --> 00:15:34,770
these characters" for both lists, okay?

314
00:15:34,770 --> 00:15:37,470
If you encountered any problem.

315
00:15:37,470 --> 00:15:40,500
So that may be the problem for you.

316
00:15:40,500 --> 00:15:43,260
But right now I'm just going to send this request

317
00:15:43,260 --> 00:15:45,540
and see the token one more time.

318
00:15:45,540 --> 00:15:47,730
And by the way, you don't need to wait

319
00:15:47,730 --> 00:15:50,940
until your brute force has finished

320
00:15:50,940 --> 00:15:51,900
or something like that.

321
00:15:51,900 --> 00:15:54,360
You can just use this email and password.

322
00:15:54,360 --> 00:15:57,513
If you understood what's going on, then it's okay.

323
00:15:58,350 --> 00:16:00,780
So I'm going to turn the intercept off

324
00:16:00,780 --> 00:16:02,820
and go back to the Postman

325
00:16:02,820 --> 00:16:06,030
and just use that information, okay?

326
00:16:06,030 --> 00:16:07,830
I'm gonna go to the Repeater.

327
00:16:07,830 --> 00:16:09,990
We can just use this email and password

328
00:16:09,990 --> 00:16:11,940
or we can just grab the token

329
00:16:11,940 --> 00:16:15,870
and set it as a variable inside of the Postman.

330
00:16:15,870 --> 00:16:18,930
But I'm just gonna go for this, okay?

331
00:16:18,930 --> 00:16:22,200
I'm gonna copy this and paste it over here.

332
00:16:22,200 --> 00:16:25,170
And then I'm just gonna send this and here you go.
333
00:16:25,170 --> 00:16:28,590
Again, we get the success true, and we get the token.

334
00:16:28,590 --> 00:16:32,280
Right now this token should have been set as a variable

335
00:16:32,280 --> 00:16:33,480
inside of the Postman.

336
00:16:33,480 --> 00:16:36,150
If not, you can just copy it from here

337
00:16:36,150 --> 00:16:41,150
and give it to the get details endpoint over here

338
00:16:41,280 --> 00:16:42,900
as a header.

339
00:16:42,900 --> 00:16:44,760
So you can just copy this from here

340
00:16:44,760 --> 00:16:48,870
or from the Burp Suite like this and come over there,

341
00:16:48,870 --> 00:16:52,140
and just give it as the authorization token over here,

342
00:16:52,140 --> 00:16:55,350
delete this variable and just paste it.

343
00:16:55,350 --> 00:16:56,673
That will be okay.

344
00:16:57,720 --> 00:16:59,370
So right now I have this.

345
00:16:59,370 --> 00:17:02,650
So what I wanna do, I'm just going to come over here

346
00:17:02,650 --> 00:17:05,730
and just send this request because there's nothing inside

347
00:17:05,730 --> 00:17:06,690
of the body.

348
00:17:06,690 --> 00:17:09,300
And once I send it, as you can see,

349
00:17:09,300 --> 00:17:12,210
we get something back like this.

350
00:17:12,210 --> 00:17:14,970
So we get some IDs, we get some tokens,

351
00:17:14,970 --> 00:17:19,290
and addresses, and stuff, and here you go.

352
00:17:19,290 --> 00:17:22,140
So we have all of those things.

353
00:17:22,140 --> 00:17:25,170
And I believe inside of this we have a flag.

354
00:17:25,170 --> 00:17:26,003
Yeah, here you go.

355
00:17:26,003 --> 00:17:27,450
We have a flag.

356
00:17:27,450 --> 00:17:30,570
That means that we have solved this challenge.

357
00:17:30,570 --> 00:17:33,540
And the challenge over here, the vulnerability over here,

358
00:17:33,540 --> 00:17:37,770
is that they do not have rate limiting, right?

359
00:17:37,770 --> 00:17:40,230
They do not have rate limiting.
360
00:17:40,230 --> 00:17:44,430
So we found some data leak from the internet,

361
00:17:44,430 --> 00:17:46,680
from the dark web or somewhere.

362
00:17:46,680 --> 00:17:50,850
We tried every credential with the help of Burp Suite

363
00:17:50,850 --> 00:17:51,750
and it paid off.

364
00:17:51,750 --> 00:17:54,900
We found a credential that is working.

365
00:17:54,900 --> 00:17:57,930
If they had implemented rate limiting,

366
00:17:57,930 --> 00:18:00,960
maybe after the fifth trial or sixth trial,

367
00:18:00,960 --> 00:18:03,450
then it would've stopped us,

368
00:18:03,450 --> 00:18:07,440
but they didn't and we managed to get something.

369
00:18:07,440 --> 00:18:12,180
So I'm going to turn off the proxy before I forget it, okay?

370
00:18:12,180 --> 00:18:14,070
And I'm going to stop here

371
00:18:14,070 --> 00:18:15,870
and continue within the next lecture

372
00:18:15,870 --> 00:18:17,523
for challenge three.
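The lecture closes on the missing control: no rate limiting on the login endpoint. The following is an added example, my own code rather than the course's or the challenge API's, of a sliding-window limiter in front of a login handler, replayed over a constructed list of leaked email/password pairs. The addresses, passwords, the client IP 198.51.100.7 and the token value are placeholders, and the handler compares plain strings where a real service would compare password hashes.

```python
"""Added example (not from the course or the challenge API): a sliding-window
login rate limiter that would have stopped the credential-stuffing run above."""
import hmac
from collections import defaultdict, deque


class FakeClock:
    """Deterministic clock for the demo; simulate() advances it by hand."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def tick(self, seconds=1.0):
        self.now += seconds


class LoginRateLimiter:
    """Counts failed logins per key (client IP, account) inside a sliding window.
    max_failures=None disables the limiter, which is the state the lecture found."""
    def __init__(self, max_failures, window_seconds, clock):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key):
        q, now = self._failures[key], self.clock()
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return q

    def is_blocked(self, key):
        if self.max_failures is None:
            return False
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def record_success(self, key):
        self._failures.pop(key, None)


def login(store, limiter, client_ip, email, password):
    """Login handler shaped like the challenge API: 401 on bad credentials, 200 plus
    a token on success, and 429 once either counter is over its limit."""
    # Key on both the client address and the account. A pitchfork run tries each
    # account once, so only the per-IP counter catches it; the per-account counter
    # is what stops a password brute force against a single user.
    keys = ("ip:" + client_ip, "acct:" + email.lower())
    if any(limiter.is_blocked(k) for k in keys):
        return 429, {"success": False, "message": "Too many attempts, try again later"}
    stored = store.get(email.lower())
    # Real systems compare password hashes; plain strings keep the demo short.
    if stored is not None and hmac.compare_digest(stored, password):
        for k in keys:
            limiter.record_success(k)
        return 200, {"success": True, "token": "TOKEN-PLACEHOLDER"}
    for k in keys:
        limiter.record_failure(k)
    return 401, {"success": False, "message": "Username or password incorrect"}


# Constructed sample data, not the course's creds file: only the 7th pair is valid.
LEAKED_CREDS = [
    ("brown@example.invalid", "pw-a1"), ("grimes@example.invalid", "pw-b2"),
    ("ari@example.invalid", "pw-c3"), ("dee@example.invalid", "pw-d4"),
    ("eli@example.invalid", "pw-e5"), ("fay@example.invalid", "pw-f6"),
    ("savanna@example.invalid", "s3cret-valid"), ("gus@example.invalid", "pw-h8"),
]
USER_STORE = {"brown@example.invalid": "not-the-leaked-one",
              "savanna@example.invalid": "s3cret-valid"}


def simulate(max_failures, window_seconds=300, seconds_between_attempts=1.0):
    """Replay the leaked list from one client IP; return the status of each attempt."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_failures, window_seconds, clock)
    statuses = []
    for email, password in LEAKED_CREDS:
        status, _ = login(USER_STORE, limiter, "198.51.100.7", email, password)
        statuses.append(status)
        clock.tick(seconds_between_attempts)
    return statuses
```

`simulate(None)` reproduces the lecture's outcome (the valid pair is found on the seventh attempt), `simulate(5)` turns every attempt after the fifth failure into a 429, and `simulate(3, window_seconds=3)` shows the caveat that a run slow enough to stay under the window still reaches the valid pair, so a limiter bounds the speed of credential stuffing rather than eliminating it.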