Halftrack Model Railroad Club
A model-railroad club's member portal. The president picked his own password in 1998 and has not changed it. The portal does not feel strongly about telling him to.
The Scenario
Halftrack has met in the basement of the VFW on the second Tuesday of every month since 1971. Hollis Kerrigan has been president since 1994. He picked the member-portal admin password himself when the website went up in 1998 and has refused to change it, on principle. There is no rate limit on the login form.
Challenge Intel
Synopsis
No rate limit on POST /login. Admin username discoverable from public site copy + a username-format hint. Password is in the top-25 of any common-password list. Brute force.
What It Is
The admin account `hkerrigan` has the password `password1`, which sits in the top 25 of rockyou.txt and of practically every other common-password wordlist. The login endpoint has no rate limiting, lockout or CAPTCHA, and no logging that the player could observe. /about names Hollis Kerrigan as president; a separate page mentions the firstinitial+lastname username scheme; photos on /layout-progress reference "Hollis K." Players combine these to derive the username `hkerrigan`, then run a small wordlist against POST /login.
Who It's For
Players who've used wfuzz / ffuf / hydra (or a 10-line Python script) and have a top-100 wordlist on hand.
Skills You'll Practice
- Username derivation from public site copy
- Password brute-forcing with a small wordlist
- Recognising login endpoints with no rate limit or lockout
What You'll Gain
- Rate-limit every login endpoint, keyed on account and source IP, and log failed attempts so a wordlist run is visible
- Strong-password policies are non-negotiable for admin accounts
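The attack path from "What It Is" and the rate-limit fix from "What You'll Gain", as an added example that is not part of the challenge materials. It runs against a constructed stand-in for the member portal (a dictionary and an in-memory limiter, not a real HTTP endpoint), so it works offline; the wordlist is a constructed six-entry stand-in for the top of rockyou.txt, and the client IP is a placeholder. The same brute force that succeeds against the unprotected login is cut off by a per-(username, IP) sliding-window limiter before it reaches the real password.

```python
"""Added example: derive the admin username from public site copy, brute-force
the unprotected login, then show the same attack against a rate-limited login.
Nothing here talks to a real /login endpoint."""
import time
from collections import defaultdict, deque

# Constructed stand-in for the portal's credential store. The username and
# password are the ones the challenge write-up states.
PORTAL_USERS = {"hkerrigan": "password1"}

# Constructed wordlist standing in for the top of rockyou.txt. Only the order
# matters for the demo: the real password is deliberately not first.
WORDLIST = ["123456", "password", "12345678", "qwerty", "password1", "letmein"]


class RateLimited(Exception):
    """Raised by the hardened login where a real server would return HTTP 429."""


def derive_username(full_name: str) -> str:
    """firstinitial+lastname, lower-cased, as the site's username hint describes."""
    parts = full_name.split()
    return (parts[0][0] + parts[-1]).lower()


def portal_login(username: str, password: str) -> bool:
    """Stand-in for POST /login with no rate limit, lockout or logging."""
    return PORTAL_USERS.get(username) == password


def brute_force(login, username, wordlist):
    """Try each candidate in order.

    Returns (password, attempts) on success, or (None, attempts) when the list
    is exhausted or the endpoint starts refusing requests (RateLimited), which
    is where hydra or ffuf would start reporting 429s instead of 200s.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        try:
            if login(username, candidate):
                return candidate, attempts
        except RateLimited:
            return None, attempts
    return None, attempts


class RateLimitedPortal:
    """Same credential check, but at most `limit` attempts per `window` seconds
    per (username, client IP). Keying on both means one slow IP cannot lock
    the real admin out, and one target cannot be sprayed freely from one IP.
    The attempt is recorded before the password is checked, so failures and
    successes both count. `clock` is injectable so tests can advance time."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def login(self, username, password, client_ip="203.0.113.7"):
        now = self.clock()
        hits = self._hits[(username, client_ip)]
        # Drop attempts that have aged out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            raise RateLimited(f"{username}@{client_ip}: too many attempts")
        hits.append(now)
        return PORTAL_USERS.get(username) == password


def demo():
    """Run the attack against both endpoints; returns the results for inspection."""
    user = derive_username("Hollis Kerrigan")
    unprotected = brute_force(portal_login, user, WORDLIST)
    hardened = brute_force(RateLimitedPortal(limit=3).login, user, WORDLIST)
    return user, unprotected, hardened


if __name__ == "__main__":
    user, unprotected, hardened = demo()
    print(f"username:       {user}")
    print(f"no rate limit:  {unprotected}")
    print(f"3 per minute:   {hardened}")
```

A sliding window is chosen over a hard account lockout on purpose: lockout turns the same unauthenticated form into a denial-of-service lever against the admin, whereas a per-(account, IP) limit slows the attacker without letting them lock the president out. In production the limiter's refusals are also the events worth logging and alerting on, which is the other half of the lesson above.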
Ready to hack Halftrack Model Railroad Club?
This challenge is free. Sign up and start hacking.