Username Enumeration Via Different Responses

The objective of this lab is to use username enumeration to find a valid username and then perform a passowrd brute-force attack to gain access to this username’s account.
The lab gives access to a blog as shown below.

First things first, you need to find a valid username. A list of usernames and passwords, one of which is valid for the site, has been provided. Copy the usernames as you are about to use them. Head on over to My Account and input a random username and a random password. While doing this, ensure that Burpsuite is open and Proxy Intercept is on. Also, turn on the Burp proxy on Foxy Proxy. Now, login with these random credentials and capture the request on Intercept.

Once the request is on Intercept, right-click on the screen and send the request to Intruder. You will be performing username enumeration using Intruder. On Intruder, highlight the username and then click Add §.

Next, move to the Payload option on Intruder and paste the usernames you had already copied from the list provided. After doing this, click on Start attack

All of the results have the same time length except one (root). You can try and log in to the site using this username and a random password to see if you will get a different response than before.

When you use this username, you get the response below rather than Invalid Username which means this username is valid

Now, with this username, you can brute-force the passwords to find a valid password. Try to log in with this username and a random password, capture the request and send it to Intruder, highlight the password and use the list of passwords as a payload this time. One of the results will have a different time length and this will be the password for the user.

You can now log in using the credentials you have obtained.

Note that the valid username and password for the lab change with every instance. As such, do not copy the credentials used here as they may not work for you.