
TryHackMe Web Exploitation Santa's Running Behind


    Story



    McSysAdmin managed to reset everyone’s access except Santa’s! Santa’s expected some urgent travel itinerary for his route over Christmas. Rumour has it that Santa never followed the password security recommendations. Can you use bruteforcing to help him access his accounts?
    Learning Objectives of the day


    1. Understanding authentication and where it is used
    2. Understanding what fuzzing is
    3. Understanding what Burp Suite is and how we can use it for fuzzing a login form to gain access
    4. Apply this knowledge to retrieve Santa’s travel itinerary




    Let us understand the concepts targeted for today first!


What is Authentication, and Where is it Used?

    Authentication is the process of verifying a user’s identity, establishing that they are who they say they are. Identity can be proven using a variety of means, including:

    • A known set of credentials to the server and user such as a username and password
    • Token authentication (these are unique pieces of encrypted text)
    • Biometric authentication (fingerprints, retina data, etc.)




    Authentication is often used interchangeably with authorisation, but it is very different. Authorisation is a term for the rules defining what an authenticated user can and cannot access.


    What is Fuzzing?



Put simply, fuzzing is an automated means of testing an element of a web application until the application reveals a vulnerability or valuable information. When we are fuzzing, we provide input just as we would when interacting with the application normally, only at a much faster rate. This means that we can use extensive lists, known as wordlists, to test a web application’s response to a wide range of input.


Steps to Fuzz with Burp Suite

    1. Launch Firefox by navigating to “Applications -> Internet -> Firefox”.

    2. Navigate to the login form in the web browser using the vulnerable IP address (http://MACHINE_IP). Note that the IP address in the screenshots is only an example; you will need to replace it with your MACHINE_IP.

    3. Launch Burp Suite by navigating to “Applications -> Other -> Burp Suite”.

    4. Navigate to the “Proxy” tab.

    5. Press “Intercept On” in “Proxy -> Intercept”.

    6. Return to the Firefox browser and enable the FoxyProxy extension. You can do this by pressing the “FoxyProxy” extension icon and selecting “Burp”.

    7. Submit some dummy data on the login form.

    8. Return to Burp Suite, where the intercepted request has now been captured. Right-click the window containing the request and press “Send to Intruder”.

    9. Navigate to the “Intruder” tab.

10.1. Click the “Positions” tab and clear the pre-selected positions by pressing “Clear $”.

    10.2. Add the value of the “username” parameter as the first position. Sometimes we will already know the username, other times we will not, and we can tell Burp to use a wordlist of usernames for this position as well. However, as the username is already known (i.e. cmnatic), we are only brute-forcing the password. (This can be done by highlighting the value of the username parameter and clicking “Add $”.)

    10.3. Add the “password” value as the second position (i.e. password123). (This can be done by highlighting the value in the password parameter and clicking “Add $”.)

10.4. Select “Cluster Bomb” as the Attack type in the dropdown menu.

    10.5. We will now need to provide some values for Burp Suite to fuzz the login form with passwords. We can provide a list manually, or we can provide a wordlist. I will be providing a wordlist.


11. After selecting our wordlist, we can see that the passwords have filled the “Payload Options” window.

    12. Now press the “Start Attack” button; this will begin fuzzing the login form. Look at the results and sort by “Length”. Unsuccessful passwords all return one response length, and the successful password returns a different length.
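The “sort by Length” trick in step 12 works because failed and successful logins return pages of different sizes, and the same signal is visible to the defender in the web server’s access log. As an added example (not part of the original walkthrough or TryHackMe’s material), the Python below parses constructed Apache-style log lines, flags any client that POSTs to /login five or more times within a minute, and reports the one response whose size breaks the pattern; the IPs, timestamps and sizes are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Combined-Log-Format sample: one client hammers /login and gets
# identical-length failure pages, then one response differs (a successful login).
FMT = '{ip} - - [04/Dec/2021:{t} +0000] "{m} {p} HTTP/1.1" {s} {n} "-" "Mozilla/5.0"'
SAMPLE_LOG = "\n".join(
    [FMT.format(ip="10.0.0.5", t="10:00:0%d" % i, m="POST", p="/login", s=200, n=1843)
     for i in range(5)]
    + [FMT.format(ip="10.0.0.5", t="10:00:06", m="POST", p="/login", s=302, n=312),
       FMT.format(ip="10.0.0.9", t="10:00:10", m="GET", p="/", s=200, n=5120),
       FMT.format(ip="10.0.0.9", t="10:07:00", m="POST", p="/login", s=200, n=1843)])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
                    r'[^"]*" (?P<status>\d{3}) (?P<size>\d+)')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "size": int(m["size"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_bruteforce(log_text, path="/login", threshold=5, window=timedelta(seconds=60)):
    """Flag IPs that POST to `path` at least `threshold` times inside any sliding `window`;
    record the dominant (failure) size and any attempt whose size differs, the same
    signal Intruder's "sort by Length" exposes."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1  # slide the window forward until it spans at most `window`
            if end - start + 1 >= threshold:
                sizes = [r["size"] for r in recs]
                failure_size = max(set(sizes), key=sizes.count)
                hits[ip] = {"attempts": len(recs), "failure_size": failure_size,
                            "outliers": [(r["status"], r["size"]) for r in recs
                                         if r["size"] != failure_size]}
                break
    return hits
```

A single differing size after a burst of identical ones is the defender’s cue that one attempt succeeded, which is why rate limiting and account lockout on the login endpoint matter beyond just slowing the attacker down.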


    Now that we understand how to use Burp Suite, we can create our own attacks and complete the challenge!




    Q1. What valid password can you use to access the “santa” account?

    Follow the steps mentioned above and create your own attack.

    If you read the challenge properly, the link for the wordlist is given there already.

Use this wordlist for your attack and select the Cluster Bomb attack type for this challenge.

Navigate to the vulnerable login form at http://10.10.205.31/ and apply the material for today's task to login to Santa's itinerary, using the username as "santa" and the password list located at /root/Rooms/AoC3/Day4/passwords.txt on the TryHackMe AttackBox (or download it from here for your payload).


    Answer - cookie




    Q2. What is the flag in Santa’s itinerary?

    Once you have logged in from the login panel, you get the flag!!



    Answer - THM{SANTA_DELIVERS}



    Disclaimer


All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
