“McSysAdmin managed to reset everyone’s access except Santa’s! Santa’s expected some urgent travel itinerary for his route over Christmas. Rumour has it that Santa never followed the password security recommendations. Can you use bruteforcing to help him access his accounts?”
Link to Room: https://tryhackme.com/room/adventofcyber3#
Question #1: Access the login form at http://10.10.118.44
I’m again using the TryHackMe Attack Box today because everything is already loaded in and set up. I think non-subscribers get one hour free per month. So if you use it that way, just consider your time constraints.
Here’s the login form:
No answer needed
Question #2: Configure Burp Suite & Firefox, submit some dummy credentials and intercept the request. Use intruder to attack the login form.
Open up Burp and make your way to the Proxy tab. You want to make sure Intercept is switched to ON.
Then go back to that login form in Firefox and look in the upper right hand side. You want to switch FoxyProxy ON also.
Next we will use dummy credentials so we can intercept the request in Burp:
Here they are:
No answer needed
Question #3 What valid password can you use to access the “santa” account?
The point of this whole thing is to inject a bunch of passwords for the santa account into this request and then rapidly forward them to the website until one of them works.
In order to do this, right-click the request and choose “Send to Intruder”
Head to the Intruder tab and then the Positions tab, where you will change the attack type to “Sniper” (Read about attack types HERE).
All those green bits are the spots that Burp will manipulate during the attack. Let’s clear the defaults, because we only want it messing with the password. On the right-hand side just choose “Clear”
Then you can highlight the password you used and click “Add” to make it green again. We already have the username “santa”, so you can manually input that into the request.
Now we need a payload (list of password options) for Burp to use during the attack. Go to the “Payloads” tab.
You can use whatever wordlist you like, but today they have provided one for us at /root/Rooms/AoC3/Day4/passwords.txt
Load that in under payload options:
Now…Start Attack! (orange button on upper right side)
Here are the results:
You can see that one of these has a unique status message. 302 indicates that the URL was redirected somewhere, which means that the password probably worked.
Let’s try it out back at the login page. Remember to turn off FoxyProxy:
We’re in!
cookie
Question #4 What is the flag in Santa’s itinerary?
For this one you can see the flag down at the bottom of the graphic:
THM{SANTA_DELIVERS}
Happy Holidays! ❤
