Heartwood Outfitters
A small outdoor-gear brand's customer portal. The forgot-password flow emails you a 4-digit reset code — and the verify endpoint will cheerfully accept as many guesses as you can fire at it.
The Scenario
Heartwood's site was built in a long weekend by a co-founder who reads more about fly-fishing than web security. The reset flow uses a short numeric code (because the previous one with hex tokens "confused a few customers"). The verify endpoint has no rate limit, no captcha, and no lockout, so the 10000-code space is fully enumerable.
Challenge Intel
Synopsis
The password-reset verify endpoint (POST /account/reset) takes an email + 4-digit code + new password. No rate limit, no captcha, no lockout. Brute-force the 10000-code space against the admin's seeded pending reset, set a new password, log in, read the flag.
What It Is
On container start the app seeds a pending 4-digit reset code for the admin email ([email protected], visible on /about as the wholesale contact). The code is generated with secrets.randbelow(10000) and stored in an in-memory dict. The /account/forgot endpoint is idempotent: repeated requests for the same email return the same pending code. /account/reset accepts unlimited POST submissions and applies no rate limit, no captcha, and no per-email lockout, so wfuzz / ffuf / curl through 0000..9999 lands on the correct code in seconds.
Who It's For
Players who have used a wordlist tool (wfuzz, ffuf, hydra) and understand response-code filtering. The brute-force capstone in the Auth module.
Skills You'll Practice
- Numeric reset-code brute force
- Recognising endpoints with no rate limit or lockout
- Filtering brute-force runs on response status
What You'll Gain
- Reset codes must be long enough that brute force is infeasible (or be paired with rate-limit + lockout)
- Every endpoint that accepts a secret needs both: (a) attempt-rate limiting and (b) per-account lockout after N failures
- Numeric short codes are convenience theatre unless the verify side is hardened
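What the hardened verify side looks like in practice, as an added Python example (not the Heartwood app's code): a 4-digit code issued the same way the challenge describes, but with a per-client sliding-window rate limit, a per-account attempt budget that burns the code after N wrong guesses, a short lifetime, and a constant-time compare. The threshold values are assumptions.

```python
import hmac
import secrets
import time
from collections import deque

# Added example, not the Heartwood app's code. Thresholds are assumed values.
MAX_ATTEMPTS = 5           # wrong guesses allowed per pending code (lockout)
CODE_TTL_SECONDS = 600     # lifetime of a pending code
RATE_LIMIT = 10            # verify requests per client per window
RATE_WINDOW_SECONDS = 60

pending: dict = {}   # email -> {"code": str, "expires": float, "attempts": int}
recent: dict = {}    # client key (e.g. source IP) -> deque of request timestamps

def issue_code(email, now=None):
    """Mint a fresh 4-digit code, replacing any earlier pending one for this email."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10000):04d}"
    pending[email] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code

def allow_request(client, now):
    """Sliding-window limiter: at most RATE_LIMIT calls per window per client."""
    q = recent.setdefault(client, deque())
    while q and now - q[0] >= RATE_WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True

def verify_code(email, guess, client, now=None):
    """Return 'ok', 'invalid', 'expired', 'locked' or 'rate_limited'."""
    now = time.time() if now is None else now
    if not allow_request(client, now):
        return "rate_limited"
    entry = pending.get(email)
    if entry is None:
        return "invalid"
    if now > entry["expires"]:
        del pending[email]
        return "expired"
    if hmac.compare_digest(entry["code"].encode(), guess.encode()):  # constant-time
        del pending[email]               # single use
        return "ok"
    entry["attempts"] += 1
    if entry["attempts"] >= MAX_ATTEMPTS:
        del pending[email]               # burn the code; a new request is required
        return "locked"
    return "invalid"
```

With these limits an attacker gets at most MAX_ATTEMPTS guesses per issued code, so the 10000-code space is no longer enumerable, and the lockout means even the correct code is refused once the budget is spent.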
Ready to hack Heartwood Outfitters?
This challenge is free. Sign up and start hacking.