Posts

Showing posts from March, 2022

Hacking Knife (hackthebox)

First of all, I performed an nmap port scan on all ports. I had a look at the versions of SSH and Apache running and tried finding exploits for them using a search engine. I found one to enumerate SSH usernames on msfconsole and used this successfully. Unfortunately, a brute-force attack using the discovered usernames with default passwords and a password list did not work. At the same time as the SSH attacks were running, I enumerated the website. I used Burp Suite's Repeater tool to have a look at the page's source code but could find nothing especially useful. I also ran dirbuster against it and used one of my own Python3 tools to check subdomains. These attacks did not turn up anything useful, so I went to bed! As I was drifting off, I saw again in my mind the website and its source code. I suddenly had two realisations of what I could try next! One idea I had was that I could try tailor-made subdomains and directories / files. The top of the webpage had words which didn...

Hacking WordPress

The goal of this lab was to hack into a WordPress blog and recover the flag. I started by using arp-scan to find live hosts. Once I had identified one, I used nmap to scan for open ports. Nmap discovered that only port 80 was open, so I then probed port 80 more aggressively and discovered that a WordPress-powered website was being served on it. Lots of attacks against WordPress rely on taking over an administrator account, so I wrote a bash script to enumerate users on the website. This script simply iterates through the numbers 1 to 50 and checks them in the ?author parameter. We can also do this using a list of potential user names, but I find using numbers is more reliable. This enumeration discovered that the default admin account was being used on this website. The next step was to brute-force the password. This can be done using WPScan along with this command: wpscan --url http://demo.ine.local --passwords /home/user/passwords.txt but WPScan was not installed on the at...