1. With Burp running, investigate the login page. Observe that your IP is blocked if you submit 3 incorrect logins in a row. However, you can reset the counter by logging in to your own account before the limit is reached.
2. Enter an invalid username and password, then send the POST /login request to Burp Intruder. Create a pitchfork attack with payload positions in both the username and password parameters.
3. On the "Payloads" tab, select payload set 1. Add a list of payloads that alternates between your username and carlos. Make sure that your username is first and that carlos is repeated at least 100 times.
4. Edit the list of candidate passwords and add your own password before each one. Make sure that your password is aligned with your username in the other list.
5. Add this list to payload set 2 and start the attack.
6. When the attack finishes, sort the results by username and then response code. There will be a 302 response for the request that successfully logged in to Carlos's account.
7. Log in as carlos and click "My account" to solve the lab.
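As an added example that is not part of the lab or of PortSwigger's own materials, the following Python models the lockout logic the lab exploits: a per-IP counter of consecutive failures that any successful login clears, next to a hardened variant that counts failures per target account and per source IP and never lets a success for one account clear the counter protecting another. The usernames, passwords, IP addresses and the attempt sequence are constructed test data, and passwords are compared in plaintext only to keep the model short.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed test credentials; a real service would store and verify password hashes.
USERS: Dict[str, str] = {"wiener": "peter", "carlos": "montoya"}
LIMIT = 3  # consecutive failures tolerated before blocking, as in the lab


class FlawedLoginService:
    """Per-IP counter of consecutive failures, cleared by ANY successful login
    from that IP. This is the behaviour the lab describes: a valid login to
    your own account resets the counter that was shielding every other account."""

    def __init__(self) -> None:
        self.ip_failures: Dict[str, int] = defaultdict(int)

    def login(self, ip: str, username: str, password: str) -> str:
        if self.ip_failures[ip] >= LIMIT:
            return "blocked"
        if USERS.get(username) == password:
            self.ip_failures[ip] = 0  # the defect: success for one account resets the IP counter
            return "ok"
        self.ip_failures[ip] += 1
        return "fail"


class HardenedLoginService:
    """Two independent counters: failures against each account and failures
    from each IP. A success clears only the counter of the account that logged
    in; the IP counter is never cleared by a success, so interleaving valid
    logins for a second account does not buy extra guesses at the first."""

    def __init__(self) -> None:
        self.account_failures: Dict[str, int] = defaultdict(int)
        self.ip_failures: Dict[str, int] = defaultdict(int)

    def login(self, ip: str, username: str, password: str) -> str:
        # Decide on the block before checking the password, so a blocked
        # request reveals nothing about whether the guess was right.
        if self.ip_failures[ip] >= LIMIT or self.account_failures[username] >= LIMIT:
            return "blocked"
        if USERS.get(username) == password:
            self.account_failures[username] = 0
            return "ok"
        self.account_failures[username] += 1
        self.ip_failures[ip] += 1
        return "fail"


def run_sequence(service, ip: str, attempts: List[Tuple[str, str]]) -> List[str]:
    """Replay (username, password) attempts from one IP and return each outcome."""
    return [service.login(ip, user, pw) for user, pw in attempts]


# Constructed attempt stream in the shape of the lab's pitchfork attack:
# a valid login for the tester's own account precedes every guess at carlos.
INTERLEAVED = [
    ("wiener", "peter"), ("carlos", "guess1"),
    ("wiener", "peter"), ("carlos", "guess2"),
    ("wiener", "peter"), ("carlos", "guess3"),
    ("wiener", "peter"), ("carlos", "guess4"),
]

if __name__ == "__main__":
    print("flawed:  ", run_sequence(FlawedLoginService(), "203.0.113.5", INTERLEAVED))
    print("hardened:", run_sequence(HardenedLoginService(), "203.0.113.5", INTERLEAVED))
```

Running the interleaved stream through the flawed service never produces a block, which is exactly why the lab's attack works; the hardened service blocks on the fourth guess at carlos and, because its per-IP counter is not reset by successes, blocks the tester's own login from that IP too. The per-account counter also holds across IPs. Both counters here never expire, which keeps the model deterministic; a production design would let them decay over a time window so that a lockout against a legitimate user is temporary rather than permanent.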