Login Brute Forcing:
Link to challenge: https://academy.hackthebox.com/module/57
(log in required)
Class: Tier II | Easy | Offensive
Basic HTTP Auth Brute Forcing
Default Passwords:
Question: Using the technique you learned in this section, try attacking the IP shown above. What are the credentials used?
Answer: admin:admin
Method: let's open the URL in the browser:
http://:
We are requested to provide username and password, which we don’t have.
We will brute force the authentication using the wordlist ‘ftp-betterdefaultpasslist.txt’ (part of ‘SecLists’), which is located in the pwnbox at ‘/usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt’.
And we will use the brute-force tool ‘hydra’.
Before starting the brute force, we have to determine the HTTP request method used when logging in:
It is a GET request, and the attempted credentials are sent in the ‘Authorization’ header, base64 encoded (the browser's default login prompt should always send a GET request, but it is good practice to confirm).
Now that we know the HTTP method is ‘GET’, we will use the command:
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -s http-get /
where the wordlist ‘/usr/../ftp-betterdefaultpasslist.txt’ contains username and password pairs, separated by ‘:’:
The ‘-C’ flag tells hydra to read each line as a combined username:password pair and test both together.
‘http-get’ means we attack the HTTP GET method, and the ‘/’ means we attack the website's root path:
The brute force found the credentials ‘admin:admin’.
Let's log in to confirm:
We are in, and we can proceed.
Username Brute Force:
Question: Try running the same exercise on the question from the previous section, to learn how to brute force for users.
Answer: admin:admin
Method: for this brute force a combined login list won't work. We need separate lists – one for usernames and the other for passwords. For the username list we will use ‘names.txt’, preinstalled in the pwnbox at ‘/usr/share/seclists/Usernames/Names/names.txt’.
And for the password list ‘rockyou’, which we will download:
wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
The rockyou.txt file is saved to the pwnbox user’s home directory.
Or extract it from ‘/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz’ in the pwnbox:
tar -xzf /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz -C ~
(the ‘~’ means extract the file to the user's home directory):
Let's start by brute forcing separately (one run brute forcing the password for the username ‘admin’, and the other brute forcing the username for the password ‘admin’).
Let's start with the former; we will use the command:
hydra -l admin -P rockyou.txt -u -f -s http-get /
Here we brute force the password for the already obtained ‘admin’ username:
‘-f’ – stop after the first successful login.
Now for the second brute force – brute force for the username where we have the password ‘admin’:
hydra -L /usr/share/seclists/Usernames/Names/names.txt -p admin -u -f -s http-get /
Now that those are done, let's brute force for ‘admin’ in both username and password:
hydra -L /usr/share/seclists/Usernames/Names/names.txt -P rockyou.txt -u -f -s http-get /
**note – due to the length of brute forcing both username and password, I used my prior knowledge of the credentials to ‘manipulate’ the rockyou.txt list and inserted the word ‘admin’ at the beginning of the list to shorten the brute-forcing time. In a real case, brute forcing the credentials will take much, much longer. **
Web Forms Brute Forcing
Login Form Attacks:
Question: Using what you learned in this section, try attacking the '/login.php' page to identify the password for the 'admin' user. Once you login, you should find a flag. Submit the flag as the answer.
Answer: HTB{bru73_f0rc1n6_15_4_l457_r350r7}
Method: continuing from the login page we obtained:
Let's click ‘Click Here to Login’:
Another login panel; let's enter some bogus credentials to see the HTTP request: