This lab's login mechanism uses rate limiting to defend against brute-force attacks. However, this can be bypassed due to a race condition.

To solve the lab:

  1. Work out how to exploit the race condition to bypass the rate limit.
  2. Successfully brute-force the password for the user carlos.
  3. Log in and access the admin panel.
  4. Delete the user carlos.

You can log in to your account with the following credentials: wiener:peter.

You should use the following list of potential passwords:


First, to solve the lab we need to log in as carlos,

but we don't know the password, and if we try many times

we will get blocked, so the normal Intruder, which sends its requests one after another, will not be useful.

So we will use Turbo Intruder with threading → send many requests at the same time, before the server has recorded any of the attempts.
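Why sending the requests simultaneously defeats the limiter is easier to see in a small simulation. The following is an added example, not code from the lab or from Turbo Intruder: a check-then-act rate limiter (read the attempt counter, do slow work, then increment) is hit by many threads that all start at once, and beside it the same limiter with the check and the increment done atomically under a lock. The class and function names, the limit of 3 and the 20 concurrent requests are all constructed for the illustration.

```python
import threading
import time

LIMIT = 3                 # constructed: attempts allowed before the account is blocked
CONCURRENT_REQUESTS = 20  # constructed: simultaneous login attempts fired at the limiter


class NaiveRateLimiter:
    """Vulnerable pattern: check the counter, do slow work, then increment.

    Every request that reads the counter before any other request has
    incremented it passes the check, so the limit can be exceeded.
    """

    def __init__(self, limit):
        self.limit = limit
        self.attempts = 0

    def try_login(self):
        if self.attempts >= self.limit:
            return False                 # blocked by the rate limit
        time.sleep(0.05)                 # simulated DB lookup / password-hash latency
        self.attempts += 1               # counter updated only after the race window
        return True                      # attempt was processed


class AtomicRateLimiter:
    """Hardened pattern: claim a slot under a lock before doing any work,
    so the check and the increment can never be interleaved."""

    def __init__(self, limit):
        self.limit = limit
        self.attempts = 0
        self._lock = threading.Lock()

    def try_login(self):
        with self._lock:
            if self.attempts >= self.limit:
                return False
            self.attempts += 1           # slot claimed atomically with the check
        time.sleep(0.05)                 # the slow work happens after the slot is taken
        return True


def run_concurrent(limiter, n=CONCURRENT_REQUESTS):
    """Release n login attempts from a barrier at the same instant (the
    equivalent of many requests arriving together) and count how many
    the limiter actually processed."""
    barrier = threading.Barrier(n)
    results = [False] * n

    def worker(i):
        barrier.wait()                   # all threads leave the gate together
        results[i] = limiter.try_login()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("naive limiter processed :", run_concurrent(NaiveRateLimiter(LIMIT)))
    print("atomic limiter processed:", run_concurrent(AtomicRateLimiter(LIMIT)))
```

With the naive limiter far more than 3 of the 20 attempts get through, because all of them read a counter of 0 before the first increment lands; the atomic version processes exactly 3. The fix that matters on the server side is the same idea: reserve the attempt (an atomic increment, a database transaction, or a single `INCR` in a cache) before checking the password, never after.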

→ I will intercept the login request, change the username to → carlos, and select the password value.

Right-click → Extensions → Turbo Intruder → Send to intruder

If you haven't installed Turbo Intruder, go to the BApp Store and download it.

After that, go to the Turbo Intruder page and select the race single-packet attack.


Now go to the lab description and copy the password list.

Go to the Turbo Intruder code and modify the loop so that it fits our requests.