July 17, 2026
Enumeration & Brute Force TryHackMe Room Walkthrough
Lab link:https://tryhackme.com/room/diveintopentesting

By Amr Sebie
5 min read
Hey guys! Guess what?
TryHackMe made a banger room on Authentication Enumeration. It's actually about acting like a digital detective, peeling back layers of an application, and finding those sneaky little clues.
Let's dive into how we can break down authentication,Enjoy hacking!
Task 1 & 2: Authentication Enumeration (The Vibes)
Before you can brute-force a system, you need target intel. Authentication Enumeration is literally just figuring out valid usernames or email formats so you only have to guess the password. It saves time and keeps you low-key.
Common Places to Look for Clues:
- Registration Pages: If you try to sign up and it says "Email already taken," boom โ you just confirmed a valid user exists.
- Password Reset Features: Subtle differences in how a site tells you an email is invalid vs. valid can leak user lists.
- Verbose Errors: When the login page tells you exactly what you got wrong (e.g., "Wrong password" instead of "Invalid credentials").
- Data Breach Info: Good old-fashioned recycled credentials from past leaks.
Password Policies
Applications often spill the tea on their regex validation rules via error messages:
PHP:
<?php
$password = $_POST['pass'];
$pattern = '/^(?=.*[A-Z])(?=.*\d)(?=.*[\W_]).+$/';
if (preg_match($pattern, $password)) {
echo "Password is valid.";
} else {
echo "Password is invalid. It must contain at least one uppercase letter, one number, and one symbol.";
}
?><?php
$password = $_POST['pass'];
$pattern = '/^(?=.*[A-Z])(?=.*\d)(?=.*[\W_]).+$/';
if (preg_match($pattern, $password)) {
echo "Password is valid.";
} else {
echo "Password is invalid. It must contain at least one uppercase letter, one number, and one symbol.";
}
?>Detective Note:_ If you see an error like this, you can instantly optimize your custom wordlist to fit this exact policy. Work smarter, not harder._
Answer the questions below
What type of error messages can unintentionally provide attackers with confirmation of valid usernames?
Answer: Verbose errors
Task 3: Enumerating Users via Verbose Errors
Verbose Errors: The Lowdown
Developers love detailed error messages because they make debugging a breeze. But for us, verbose errors are like an accidental whisper revealing secrets the application wants to keep low-key.
When a login form tells you exactly what you got wrong (e.g., "Email does not exist" vs. "Invalid password"), it completely ruins the application's privacy. Attackers love this because it lets them harvest valid usernames/emails without even guessing the password yet.
How to Force Verbose Errors (The Tricks):
- Invalid Login Attempts: Just typing random stuff to see how the error messages change.
- SQL Injection (SQLi): Throwing a single quote ' into fields to confuse the backend database.
- File Inclusion / Path Traversal: Using ../../ to force path disclosure errors.
- Form Manipulation: Tampering with hidden fields to trigger strict server-side validation errors.
- Application Fuzzing: Using automated tools like Burp Intruder to blast the application with payloads and watch how it reacts.
Step-by-Step Lab Walkthrough
Here is exactly how we automate user harvesting to solve Task 3:
**1.Save the Automation Script:**Requires Python3.
Create a file named script.py on your AttackBox and paste the provided Python automation code into it. This script handles parsing a wordlist and sending automated POST requests to the login endpoint.
**2.Download the Target Wordlist:**Username Dictionary.
Grab the required email/username dictionary file (usernames_gmail.com.txt) from the lab repository so you have a list of potential targets to test.
**3.Execute the Attack:**Run via Terminal.
Open your terminal on the AttackBox and run the script while passing the wordlist as an argument:
Bash
python3 script.py usernames_gmail.com.txtpython3 script.py usernames_gmail.com.txt**4.Analyze the Output:**Spot the Valid User.
The script will filter out the noise. Watch the terminal logs until you see a [VALID] tag instead of [INVALID].
Terminal Output Preview:
Bash
user@tryhackme $ python3 script.py usernames_gmail.com.txt
[INVALID] xxxxxx@gmail.com
[INVALID] xxxxxx@gmail.com
...
[VALID] canderson@gmail.comuser@tryhackme $ python3 script.py usernames_gmail.com.txt
[INVALID] xxxxxx@gmail.com
[INVALID] xxxxxx@gmail.com
...
[VALID] canderson@gmail.comFlag / Answer Found:
- Question: What is the valid email address from the list?
- Answer:
canderson@gmail.com
Task 4: Exploiting Vulnerable Password Reset Logic
Password resets are highly critical. If the logic is goofy, it's game over.
The Vulnerability Types:
- Predictable Tokens: Weak, short, or sequential OTPs/links.
- Token Expiration Issues: Tokens that last forever.
- Insufficient Validation: Basic security questions that can be OSINTed.
- Information Disclosure: Confirming if an email exists on the reset page.
- Insecure Transport: Sending tokens over plain HTTP.
Walkthrough: Brute-Forcing Predictable Tokens
The target web app generates a terrible 3-digit numeric token using this backend logic:
PHP
$token = mt_rand(100, 200);
$query = $conn->prepare("UPDATE users SET reset_token = ? WHERE email = ?");$token = mt_rand(100, 200);
$query = $conn->prepare("UPDATE users SET reset_token = ? WHERE email = ?");Step-by-Step Exploitation:
- Go to
[http://enum.thm/labs/predictable_tokens/](http://enum.thm/labs/predictable_tokens/), inputadmin@admin.com, and request a reset. - The app uses the format:
[http://enum.thm/labs/predictable_tokens/reset_password.php?token=123](http://enum.thm/labs/predictable_tokens/reset_password.php?token=123) - Intercept the request in Burp Suite and send it to Intruder. Highlighting the
tokenvalue as your payload position. - Generate a fast wordlist of numbers from 100 to 200 using Crunch:
Bash
user@tryhackme $ crunch 3 3 -o otp.txt -t %%% -s 100 -e 200user@tryhackme $ crunch 3 3 -o otp.txt -t %%% -s 100 -e 200- Load
otp.txtinto Burp Intruder, run the attack, and look for the response with a larger Content-Length (signaling a valid token bypass). - Log in using the newly reset password to claim the flag.
Lab Answers
Question: What is the flag?
Answer: THM{50_pr3d1ct4BL333!!}
Task 5: Exploiting HTTP Basic Authentication
HTTP Basic Auth is that old-school pop-up box you see on routers. It requires zero session state management but sends credentials over the wire in an easily reversible Base64-encoded string inside the Authorization header:
$$\text{Authorization: Basic } \langle \text{base64(username:password)} \rangle$$
Walkthrough: Intruder Payload Processing
- Navigate to
[http://enum.thm/labs/basic_auth/](http://enum.thm/labs/basic_auth/), type random creds, and capture the request in Burp. - Send it to Intruder and clear all positions except the encoded string in the
Authorizationheader. - Set the payload type to Simple list and use a dictionary like
/usr/share/wordlists/SecLists/Passwords/Common-Credentials/500-worst-passwords.txt. - Set up Payload Processing rules so Burp formats the payload correctly before encoding:
- Rule 1: Add prefix ->
admin:(This builds theusername:passwordstring format). - Rule 2: Base64-encode.
- Launch the attack. Look for a Status Code 200. Decode that successful Base64 string to find the valid credentials and grab the flag.
Lab Answers
Question: What is the flag?
Answer: THM{b4$$1C_AuTTHHH}
Question: Try using Hydra instead of Burp to brute force the password.
Answer: No answer needed
but if u want to use hydra instead of burp
Task 6 & 7: OSINT & Conclusion
Don't forget that an app's history can expose its present. You can easily find historical or hidden entry points using these methods:
1. Wayback URLs
The Wayback Machine acts like a time machine for code. You can pull archived URLs that might reveal abandoned admin panels or endpoints.
Bash
user@tryhackme $ git clone https://github.com/tomnomnom/waybackurls
user@tryhackme $ cd waybackurls && go build
user@tryhackme $ ./waybackurls tryhackme.comuser@tryhackme $ git clone https://github.com/tomnomnom/waybackurls
user@tryhackme $ cd waybackurls && go build
user@tryhackme $ ./waybackurls tryhackme.com2. Google Dorks
Using specific search queries to find sensitive, indexed endpoints that shouldn't be public:
site:example.com inurl:admin(Finds admin panels)filetype:log "password" site:example.com(Leaks log files)intitle:"index of" "backup" site:example.com(Finds exposed backup directories)
Lab Answers
Task 6 Question: Click me to proceed to the next task.
Answer: No answer needed
Task 7 Question: I can now attack authentication forms!
Answer: No answer needed
Key Takeaways
- Enumeration is the real MVP โ it keeps brute-forcing targeted and efficient.
- Verbose errors and predictable tokens are immediate wins for an attacker.
- Basic Auth can be cracked easily if you master Burp's payload processing rules.
If this summary helped you save some time (or a few brain cells ), don't forget to follow and leave a ๐ Clap. It really helps and motivates me to keep making more cybersecurity notes like this โค๏ธ