Szczygielka's hacking notes
  • 🚀Welcome
  • 💻Hack The Box Writeups
    • Linux Machines
      • Busqueda
      • Zipping
      • Clicker
      • Pilgrimage
    • Windows Machines
      • Aero
      • Visual
  • 🚩CTFs Writeups
    • KnightCTF 2024
      • OS, Password, IP Addr, Note, Execution, Path of the Executable, Malicious - Forensics
      • Flag Hunt! - Steganography
      • Oceanic - Steganography
      • README - Web
    • TetCTF 2024
      • TET & 4N6 - Misc/Forensics
    • 0xL4ugh CTF 2024
      • Wordpress - 1 - Forensics
      • Wordpress - 2 - Forensics
      • Gamer - 5 - Forensics
    • 1753CTF 2024
      • Resume - Misc
    • UTCTF 2024
      • OSINT 1 - Forensics
      • OSINT 2 - Forensics
      • Contracts - Forensics
      • Survey - Forensics
      • simple signature - Crypto
      • Anti-dcode.fr - Crypto
      • bits and pieces - Crypto
    • RITSEC CTF 2024
      • Curiosity Helped the Cat - Forensics
      • Failed File Transfer - Crypto
      • Dastardly Evil Scientists - Crypto
      • Secret Door - Misc
      • Guess – Reversing
    • Cyber Apocalypse 2024: Hacker Royale
      • Russian Roulette - Blockchain
      • Recovery - Blockchain
      • Primary Knowledge - Crypto
Powered by GitBook
On this page
  • Task
  • Solution
  1. CTFs Writeups
  2. 0xL4ugh CTF 2024

Wordpress - 2 - Forensics

PreviousWordpress - 1 - ForensicsNextGamer - 5 - Forensics

Last updated 1 year ago

Task

Q1. During enumeration, the attacker tried to identify users on the site. List all the users that the attacker enumerated. (seperate them with :),(sort them by alphapitical order)

Q2. After enumeration, a brute force attack was launched against all users. The attacker successfully gained access to one of the accounts. What are the username and password for that account, and what is the name of the page used for the brute force attack?

Flag Format: 0xL4ugh{A1_A2}

Example: 0xL4ugh{username1:username2_username:password_pageName.ext}

Solution

From the content of WordPress - 1 task we know that the WordPress website had a security breach. In the WordPress 1 task, I determined the IP address of the victim, i.e. 192.168.204.128 and the IP addresses of both attackers: 192.168.204.132 and 192.168.204.1. This knowledge will be useful to us in solving this task.

We will filter the results to receive all POST HTTP requests sent to the IP address 192.168.204.128. We can see that at least several login attempts were made from the IP address 192.168.204.132 belonging to one of the attackers. The attacker tried to log in as:

  1. user not7amoksha:

  1. user a1l4m:

  1. user demomorgan:

After filtering for HTTP traffic we can see that the attacker enumerated the values of the author variable:

Let's examine the HTTP stream for the selected package number 88288. By following the HTTP stream to get queries about the author with a given number, we can see that for queries with index 1 and 2, the response 301 Moved Pernamently is returned. Additionally, GET /wordpress/author/<user> queries for users a1l4m and not7amoksha returned responses 200 OK, which proves that such authors exist:

In the same HTTP stream, we can notice that a request for an author with index 3 returns a response 200 OK. In the content of the response, we can see information proving that the third user is demomorgan:

Sorted 3 users alphabetically:

a1l4m demomorgan not7amoksha

Now let's look for more information about the brute force attack carried out. After filtering the results for the HTTP POST method, we can see that almost all queries were sent to /wordpress/xmlrpc.php:

The time between individual HTTP requests is small, which also indicates the brute force attack. So the webpage used to brute force attack is:

xmlrpc.php

If the attacker was searching for users on the website, he certainly wanted to use usernames to conduct a brute force attack. So let's search in packet details strings containing names of users.

Let's check the contents of the example POST request along with the response for the query that might contain an attempt to force a password for the user a1l4m:

Based on the response received this looks like a failed login attempt. The remaining responses to failed login attempts are as follows:

Based on responses for invalid login attempts let's try to exclude all responses that have a length 674. After excluding we get 6 packets:

In the last package, we found information that may indicate that the login was successful, i.e. the value of the isAdmin variable is set to 0:

Let's follow the stream for this packet. In the POST request we can find credentials:

The login details from the POST request are as follows:

demomorgan:demomorgan

We've gathered all the information you need to get your flag.

Flag:

0xL4ugh{a1l4m:demomorgan:not7amoksha_demomorgan:demomorgan_xmlrpc.php}
🚩