In this course, we explore brute force attacks, hacking WordPress, changing users, and suid privilege escalation. We'll do this through a CTF (capture the flag) ethical hacking game called Mr. Robot.
Hi. Within this lecture, we're going to continue solving our Mr. Robot CTF. Now, we know a username called Elliot exists, but we don't know the password. We got that from the fsocity.dic file. This is a dictionary, and it's the only dictionary that we're ever going to get in this CTF, so I'm going to use that. I'm going to close this down. Of course, we can use Burp Suite in order to brute force the password as well, and we can use hydra again in order to brute force the password as well, but I suggest we go for wpscan, because we have to learn how wpscan works, and it's a good idea to learn about WordPress penetration testing as well. So, first of all, you're going to have to supply the URL parameter like this; this is 10.0.2.15 for our URL. Of course, you're going to have to write your own IP address over there, and don't worry about the wp-login extension, we're going to write it in another parameter. First, I'm going to give the wordlist parameter over here, which is fsocity.dic, and over here we are inside of the MrRobot folder. So, fsocity.dic is in the MrRobot folder, so I don't have to specify the full path; make sure you run this command in the same folder as fsocity.dic. And the username will be Elliot, and if I hit 'Enter'... Here you go. It actually complains about the wordlist, and we have to make this something else because it doesn't accept the wordlist. I believe it should be something like wordlists or something like that, so let me try and see what it is. I'm going to come over here, run wpscan --help and see: this is passwords and usernames. So, let me just see it one more time. We have given wordlist as a parameter, so it should have been passwords, and not the username, I believe it's usernames. Let me just check that one more time. Yeah, here you go, this is usernames. So, I'm going to change it to usernames and hit 'Enter', and here you go.
It asks, do you want to update now? It's a good idea to update, but I'm just going to say 'No' in order not to make you wait, okay? So, maybe you can say yes and wait for it to update its database. We are not actually searching for any vulnerability in the WordPress right now, but the tool is doing that for us, okay? I'm not looking for a vulnerability at this point, I just want to get in by finding the password, but maybe it's an alternative way for us. We can search for WordPress users, we can search for the WordPress exploits, version exploits, so it would be better for us. So, I'm going to go into my CTF document, the MrRobot folder over here, and for some reason it doesn't work, because I put an extra slash over here. It should have been cd Documents/CTF/MrRobot. If we run ls, we can see we have the notes.txt and fsocity.dic, and we have the hydra.restore. We can run hydra one more time from this hydra.restore file, by the way, if we want to. If you don't want to, you don't have to do anything about it. So, let me just cat this fsocity.dic and pipe it into sort with -u, so that we can see if there are any duplicates over here, because it's taking some time in the other terminal tab. As you can see, they're kind of, maybe uppercase-lowercase, but there are a couple of duplicates over here. So, maybe we can try to get rid of these duplicates as we have done before, like we can take the uniq of that and we can just search with that, or we can just start with that in order to shorten the period of waiting, so you can do this, right? You can pipe this into uniq and see what happens; you can just do this because we have seen how to do this in the Bandit section, right? So, if we get rid of the duplicate values, then we would have some kind of, maybe much smaller file over there. So, let me just write this into a file. Just write this into a file called atil.dic and see how this is going to work out.
So, I'm going to run ls -la, and here you go, atil.dic is actually much smaller than fsocity.dic, right? So, I believe there were a couple of duplicates, maybe thousands of duplicates, I don't know, and we got rid of them. So, maybe waiting here is just a waste of time. As you can see, the estimated time of arrival is 2 hours, at least 3 hours I believe. So, I'm going to stop this with 'Ctrl+C'. And I'm going to come over here and just replace this with atil.dic. This will give me the same result back, but in a much shorter time. So, as you can see, now the... let's see what the estimated time is? Yeah, here you go. Now, this is 2 minutes; compared with 3 hours, this is much faster. So, if you get a wordlist in a CTF, make sure you check it with the same command that I have done, okay? Just run that command and see if you can get a much smaller wordlist over there. Of course, if we had waited long enough, that would have been successful as well. If we get success over here, then it must mean that we were going to get success over there as well, but we were going to get it in 3 hours rather than 2 minutes. Now, we're going to have to wait and see what happens. So, it's trying the passwords over here, and this wp-login.php is a regular login website, a regular login extension; that's how it actually understands the login php, and it just goes over there and tries it. So, let me come over here; as you can see, we already passed 50%, and it's done. Let's see. Yeah, Valid Combinations Found: username Elliot, and there is a password over here, and we found it in under like 1 and 1/2 minutes, maybe 1 minute and 10 seconds. So, let me see if this is correct. I'm going to copy and paste this over here and say 'Log in', and the proxy server is refusing connections.
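The wordlist clean-up step above, as an added example that is not part of the course material: the functions below work on a small constructed wordlist (standing in for fsocity.dic) and show why `sort -u` is the right tool, while `uniq` on its own only collapses adjacent repeats, and why case-folding duplicates should be kept for a password list.

```shell
#!/bin/sh
# Constructed sample wordlist standing in for fsocity.dic (not the CTF file).
# It contains exact repeats (abc x3, def x2) and a case variant (ABC).
make_sample_wordlist() {
  printf '%s\n' abc def abc ABC ghi def abc > "$1"
}

# Exact de-duplication: sort -u sorts and keeps one copy of each line.
# This is what shrank fsocity.dic to atil.dic in the lecture.
dedupe_wordlist() {
  sort -u "$1" > "$2"
}

# uniq alone only removes *adjacent* duplicates, so on an unsorted list
# most repeats survive. Always sort first (or use sort -u).
uniq_only() {
  uniq "$1" > "$2"
}

# Case-folded de-duplication (sort -f -u). Shown for comparison only:
# passwords are case-sensitive, so "abc" and "ABC" are different guesses
# and folding them would drop candidates you actually need.
dedupe_casefold() {
  sort -f -u "$1" > "$2"
}

# Line count without the padding some wc builds emit.
count_lines() {
  wc -l < "$1" | tr -d ' '
}

# Size reduction in whole percent, as a quick sanity check like ls -la.
reduction_percent() {
  before=$(count_lines "$1")
  after=$(count_lines "$2")
  echo $(( (before - after) * 100 / before ))
}
```

Running `dedupe_wordlist fsocity.dic atil.dic` followed by `reduction_percent fsocity.dic atil.dic` gives the same information the `ls -la` comparison did, as a single number.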
So, I believe we have to turn off FoxyProxy over here and close down Burp Suite if you have it open, and here you go, we are inside of the WordPress. So, now we found the password of Elliot. Okay, so we haven't hacked into the server yet, right? We just came over here. So, let me go to Elliot Alderson's profile and see what kind of user this is. And here we go, Elliot is actually an administrator. This is the administrator of the WordPress, actually, not the administrator of the server. But again, this will bring us joy, because it will make our job very easy compared to logging in with a regular user. So, if you know WordPress, then it's going to be a piece of cake for you, but if you don't know it, just follow along with me. As you can see, we get a lot of things over there. We can just try to analyze and scan whether we have some kind of vulnerability in the WordPress itself. I believe this is WordPress 4.3.25. And you can search for this on the web as well, not just with the WordPress scan. You can just come over here and write wp and 4.3.25 exploit, and see if there is any exploit related to that particular version. And there is one over here, but it's again about 4.3.3, and it's an XSS, cross-site scripting, kind of thing. I don't think that's going to get us into the server. Let me come over here and check a little bit. As you can see, they're all XSS vulnerabilities. So, we're going to have to find something that will lead us to the server, and I don't see it, but, of course, version vulnerabilities are not the only way we can get access, and we're going to have to try so much more in this case. So, what I will actually try: I will come over here and I will just take a look at the files, and I will see if we can make a post or upload something. If you can upload a php reverse shell over here, then it would be great. And at the left-hand side, we see all the menus like Pages, Appearance, Posts, Media, Dashboard.
So, you can just come over here, scroll down a little bit and just wander around to get a feeling for WordPress if you have never used it before. Let's do that, and let's meet in the next lecture.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.