
We combined valid credentials with a brute-force payload to bypass IP blocking and performed a pitchfork attack using alternating usernames and a password list:
Usernames:
wiener
carlos
wiener
carlos
...

Passwords:
peter
123456
peter
password
peter
12345678
peter
qwerty
...
During the attack, we detected a different response for the carlos user request, which allowed us to identify and recover the password:
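
Added example, not part of the original write-up: a sketch of the lockout logic that makes this alternating pattern work, next to a hardened version, replayed over constructed traffic. It assumes the block counts failed logins per IP and clears that count on any successful login; the class names, the threshold and the IP address are hypothetical.

```python
from collections import defaultdict

LIMIT = 3  # assumed threshold: failed logins tolerated before blocking


class NaiveIpLimiter:
    """Assumed flawed design: any successful login clears the IP's failure count."""
    def __init__(self):
        self.fails = defaultdict(int)

    def allowed(self, ip, user):
        return self.fails[ip] < LIMIT

    def record(self, ip, user, ok):
        self.fails[ip] = 0 if ok else self.fails[ip] + 1


class HardenedLimiter:
    """Counts failures per IP and per targeted account. A success clears only
    the counter of the account that logged in, never the IP counter.
    (A real deployment would also expire counters after a time window.)"""
    def __init__(self):
        self.ip_fails = defaultdict(int)
        self.user_fails = defaultdict(int)

    def allowed(self, ip, user):
        return self.ip_fails[ip] < LIMIT and self.user_fails[user] < LIMIT

    def record(self, ip, user, ok):
        if ok:
            self.user_fails[user] = 0
        else:
            self.ip_fails[ip] += 1
            self.user_fails[user] += 1


def replay(limiter, events):
    """Feed (ip, user, login_ok) events in order. Return the index of the
    first request the limiter rejects, or None if nothing is ever blocked."""
    for i, (ip, user, ok) in enumerate(events):
        if not limiter.allowed(ip, user):
            return i
        limiter.record(ip, user, ok)
    return None


# Constructed traffic: one IP alternating a valid wiener login with a
# failed guess against carlos, as in the username list above.
EVENTS = [("203.0.113.7", "wiener", True), ("203.0.113.7", "carlos", False)] * 10
```

With the naive limiter the sequence is never blocked; the hardened one rejects the seventh request, after three failures from the same IP.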


