Advent of Cyber 2021 — [Day 4] Santa’s Running Behind

“McSysAdmin managed to reset everyone’s access except Santa’s! Santa’s expected some urgent travel itinerary for his route over Christmas. Rumour has it that Santa never followed the password security recommendations. Can you use bruteforcing to help him access his accounts?”

Link to Room: https://tryhackme.com/room/adventofcyber3#

Question #1: Access the login form at http://10.10.118.44

I’m again using the TryHackMe Attack Box today because everything is already loaded in and set up. I think non-subscribers get one hour free per month. So if you use it that way, just consider your time constraints.

Here’s the login form:

No answer needed

Question #2: Configure Burp Suite & Firefox, submit some dummy credentials and intercept the request. Use intruder to attack the login form.

Open up Burp and make your way to the Proxy tab. You want to make sure Intercept is switched to ON.

Then go back to that login form in Firefox and look at the upper right-hand side. You want to switch FoxyProxy ON as well.

Next we will use dummy credentials so we can intercept the request in Burp:

Here they are:

No answer needed

Question #3: What valid password can you use to access the “santa” account?

The point of this whole thing is to inject a bunch of passwords for the santa account into this request and then rapidly forward them to the website until one of them works.

To do this, right-click the request and choose “Send to Intruder”.

Head to the Intruder tab and then the Positions tab, where you will change the attack type to “Sniper” (Read about attack types HERE).

All those green bits are the spots that Burp will manipulate during the attack. Let’s clear the defaults, because we only want it messing with the password. On the right-hand side, just choose “Clear”.

Then you can highlight the password you used and click “Add” to make it green again. We already have the username “santa”, so you can manually input that into the request.

Now we need a payload (list of password options) for Burp to use during the attack. Go to the “Payloads” tab.

You can use whatever wordlist you like, but today they have provided one for us at /root/Rooms/AoC3/Day4/passwords.txt

Load that in under payload options:

Now…Start Attack! (orange button on upper right side)

Here are the results:

You can see that one of these has a unique status code. 302 indicates that the request was redirected somewhere, which means that the password probably worked.
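The same status-code difference is what a defender sees in the web server's access log. As an added example (not part of the original writeup or the room), this Python function flags a client whose run of failed login POSTs ends in a 302, and also runs that never succeed; the `/login` path, the common log format, the sample addresses and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def find_guessing(log_text, login_path="/login", min_failures=5):
    """Flag clients with a run of failed login POSTs (common log format).
    Assumption: a 302 answer to the login POST is a success and any other
    status is a failure, mirroring the status difference noted above.
    """
    failures = defaultdict(int)   # consecutive failures per client
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue              # skip unparsable lines and non-login traffic
        ip = m["ip"]
        if m["status"] != "302":
            failures[ip] += 1
            continue
        # Success: worth an alert only if it ends a long failure run.
        if failures[ip] >= min_failures:
            findings.append({"ip": ip, "failures": failures[ip], "success_at": m["ts"]})
        failures[ip] = 0
    # Runs that never succeeded are still guessing activity to report.
    for ip, count in failures.items():
        if count >= min_failures:
            findings.append({"ip": ip, "failures": count, "success_at": None})
    return findings

def make_line(ip, sec, method, status):
    # Constructed sample line; the /login path and addresses are assumptions.
    return (f'{ip} - - [04/Dec/2021:10:00:{sec:02d} +0000] '
            f'"{method} /login HTTP/1.1" {status} 512')

SAMPLE_LOG = "\n".join(
    [make_line("192.0.2.10", s, "POST", 200) for s in range(6)]      # guessing run
    + [make_line("192.0.2.10", 6, "POST", 302)]                      # ...then success
    + [make_line("192.0.2.20", 7, "GET", 200),                       # normal user:
       make_line("192.0.2.20", 8, "POST", 200),                      # one typo,
       make_line("192.0.2.20", 9, "POST", 302)]                      # then login
    + [make_line("192.0.2.30", s, "POST", 200) for s in range(10, 15)]  # no success
)

if __name__ == "__main__":
    print(*find_guessing(SAMPLE_LOG), sep="\n")
```

A finding with `success_at` set is the higher-priority one: it means the account's password was likely guessed and should be reset.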

Let’s try it out back at the login page. Remember to turn off FoxyProxy:

We’re in!

cookie

Question #4: What is the flag in Santa’s itinerary?

For this one you can see the flag down at the bottom of the graphic:

THM{SANTA_DELIVERS}

Happy Holidays! ❤

Samantha

CTF Writeups to facilitate cyber education.
