1
00:00:00,510 --> 00:00:08,400
Hi, within this lecture, we're going to continue solving our mystery about CTF, and now we know a

2
00:00:08,400 --> 00:00:13,980
username called Elliot exists, OK, but we don't know the password.

3
00:00:14,610 --> 00:00:21,870
So we got that from the fsocity.dic file, and this is a dictionary, and this is the only dictionary

4
00:00:21,870 --> 00:00:25,280
that we're ever going to get in this CTF.

5
00:00:25,680 --> 00:00:29,900
So I'm going to use that and I'm going to close this down.

6
00:00:29,910 --> 00:00:36,810
Of course, we can use Burp Suite in order to brute force the password as well, and we can use Hydra

7
00:00:36,840 --> 00:00:39,870
again in order to brute force the password as well.

8
00:00:40,140 --> 00:00:48,180
But I suggest we go for WPScan, because we have to learn how WPScan works, because it's a

9
00:00:48,180 --> 00:00:52,030
good idea to learn about WordPress penetration testing as well.

10
00:00:52,560 --> 00:00:56,870
So first of all, you're going to have to supply the URL parameter like this.

11
00:00:56,880 --> 00:01:00,700
So this is Tero 215 for our URL.

12
00:01:00,720 --> 00:01:05,780
OK, so of course you're going to have to write your own IP address over there.

13
00:01:06,060 --> 00:01:09,240
And don't worry about the wp-login extension.

14
00:01:09,250 --> 00:01:11,820
We're going to write that in another parameter.

15
00:01:12,150 --> 00:01:21,390
First, I'm going to give the wordlist parameter over here, which is fsocity.dic, and over here

16
00:01:21,390 --> 00:01:23,340
we are inside of the Mr. Robot folder.

17
00:01:23,550 --> 00:01:30,600
So fsocity.dic is in the Mr. Robot folder, so I don't have to specify the full path.

18
00:01:30,620 --> 00:01:34,730
So make sure you run this command in that.

19
00:01:35,220 --> 00:01:43,890
And by the way, fsocity.dic, and make sure you run that command in the same folder, and the username will

20
00:01:43,890 --> 00:01:44,660
be Elliot.
21
00:01:44,670 --> 00:01:46,260
And if I hit Enter.

22
00:01:46,860 --> 00:01:47,850
Here you go.

23
00:01:47,850 --> 00:01:56,340
It actually complains about the wordlist, and we have to make this something else because it doesn't

24
00:01:56,340 --> 00:01:57,630
accept the wordlist.

25
00:01:57,960 --> 00:02:03,480
I believe it should be something like wordlists or something like that.

26
00:02:03,960 --> 00:02:10,920
So let me try and see whether this... so I'm going to come over here, wpscan -h, help, and

27
00:02:10,920 --> 00:02:11,790
see.

28
00:02:12,390 --> 00:02:12,800
Yeah.

29
00:02:12,810 --> 00:02:16,830
If this is passwords and the usernames.

30
00:02:16,830 --> 00:02:19,020
So let me just see it one more time.

31
00:02:19,380 --> 00:02:28,230
So we have given wordlist as a parameter, so it should have been passwords and not the username.

32
00:02:28,500 --> 00:02:30,540
I believe it's usernames.

33
00:02:31,080 --> 00:02:33,180
So let me just check that one more time.

34
00:02:33,190 --> 00:02:33,350
Yeah.

35
00:02:33,360 --> 00:02:33,950
Here you go.

36
00:02:33,990 --> 00:02:40,470
This is usernames, so I'm going to change it to usernames and hit Enter, and here you go.

37
00:02:40,470 --> 00:02:41,040
It says that.

38
00:02:41,040 --> 00:02:42,750
Do you want to update now?

39
00:02:42,990 --> 00:02:45,420
It's a good idea to update, but

40
00:02:45,420 --> 00:02:48,270
I'm just going to say no in order not to make you wait.

41
00:02:48,270 --> 00:02:53,190
OK, so maybe you can say yes and wait for it to update its database.

42
00:02:53,550 --> 00:02:59,580
And we are not actually searching for any vulnerability in the WordPress right now.

43
00:03:00,510 --> 00:03:02,850
And the tool is doing that for us.

44
00:03:02,880 --> 00:03:07,230
OK, I'm not looking for a vulnerability actually at this point.

45
00:03:07,230 --> 00:03:10,710
I just want to get in by finding the password.
46
00:03:10,950 --> 00:03:13,710
But maybe it's an alternative way for us.

47
00:03:13,980 --> 00:03:22,140
We can search for the WordPress users, we can search for the WordPress exploits, version exploits.

48
00:03:22,440 --> 00:03:24,750
So it would be better for us.

49
00:03:25,080 --> 00:03:31,200
So I'm going to go into my CTF documents, the Mr. Robot over here.

50
00:03:31,200 --> 00:03:36,480
And for some reason it doesn't work because I put an extra slash over here.

51
00:03:36,480 --> 00:03:44,400
So it should have been cd Documents, CTF and Mr. Robot. If we run ls, we can see we have the

52
00:03:44,950 --> 00:03:52,770
fsocity.dic, and we have the hydra.restore, we can run hydra one more time

53
00:03:52,770 --> 00:03:55,230
from this hydra.restore file.

54
00:03:55,230 --> 00:04:00,570
By the way, if we want to, if you don't want to, you don't have to do anything about it.

55
00:04:01,020 --> 00:04:12,900
So let me just cat that fsocity.dic and just pipe it into sort, and with that, so that we can

56
00:04:12,900 --> 00:04:20,190
see if there are any duplicates over here, because it's taking some time in the other terminal tab.

57
00:04:20,790 --> 00:04:27,420
So as you can see there, kind of maybe uppercase, lowercase, but there are a couple of duplicates

58
00:04:27,420 --> 00:04:28,110
over here.

59
00:04:28,650 --> 00:04:35,760
So maybe we can try to get rid of these duplicates as we have done before, like we can take the uniq

60
00:04:35,760 --> 00:04:42,690
of that and we can just search with that, or we can just start with that in order to shorten the period

61
00:04:42,690 --> 00:04:43,410
of waiting.

62
00:04:43,680 --> 00:04:45,090
So you can do this, right.

63
00:04:45,180 --> 00:04:48,600
You can pipe this into uniq and see what happens.

64
00:04:49,230 --> 00:04:54,180
You can just do this because we have seen how to do this in the Bandit section.

65
00:04:54,630 --> 00:04:55,200
Right?
66
00:04:55,650 --> 00:04:59,760
So if we get rid of the duplicate values, then we will get

67
00:05:00,280 --> 00:05:08,860
some kind of maybe much smaller file over there, so let me just run this into a file, just write

68
00:05:08,860 --> 00:05:14,970
this into a file called until.dic and see how this is going to work out.

69
00:05:14,980 --> 00:05:16,690
So I'm going to run that, ls -la.

70
00:05:17,210 --> 00:05:18,190
And here you go.

71
00:05:18,190 --> 00:05:24,130
until.dic, this is actually much smaller than fsocity.dic.

72
00:05:24,130 --> 00:05:24,540
Right.

73
00:05:24,880 --> 00:05:31,150
So I believe there were like a couple of duplicates, and maybe thousands of different, because I don't

74
00:05:31,150 --> 00:05:33,160
know, and we got rid of them.

75
00:05:33,610 --> 00:05:38,580
So maybe waiting here is just a waste of time.

76
00:05:38,620 --> 00:05:43,740
As you can see, the estimated time of arrival is two hours, at least three hours, I believe.

77
00:05:44,080 --> 00:05:51,370
So I'm going to stop this with Ctrl+C, and I'm going to come over here and just replace this with

78
00:05:51,370 --> 00:05:52,740
until.dic.

79
00:05:53,260 --> 00:05:58,350
So this will give me the same result back, but in a much quicker way.

80
00:05:58,870 --> 00:06:03,720
So as you can see now, let's see what is the estimated time.

81
00:06:03,940 --> 00:06:04,800
Yeah, here you go.

82
00:06:04,810 --> 00:06:06,940
Now, this is two minutes.

83
00:06:07,120 --> 00:06:09,090
Comparing it with three hours.

84
00:06:09,100 --> 00:06:10,450
This is much faster.

85
00:06:10,690 --> 00:06:18,010
So if you get a wordlist in a CTF, then make sure you check the same command that I had

86
00:06:18,010 --> 00:06:25,970
done. OK, just run that command and see if you can get a much smaller wordlist over there.

87
00:06:26,200 --> 00:06:31,580
Of course, if we waited long enough, that would have been successful as well.
88
00:06:31,840 --> 00:06:33,190
That will be successful.

89
00:06:33,190 --> 00:06:38,080
If we get success over here, then it must mean that we

90
00:06:38,290 --> 00:06:45,040
were going to get the success over there as well, but we were going to get it in three hours rather

91
00:06:45,040 --> 00:06:46,290
than two minutes.

92
00:06:47,050 --> 00:06:49,900
Now we're going to have to wait and see what happens.

93
00:06:50,290 --> 00:06:52,720
So it's trying the passwords over here.

94
00:06:53,230 --> 00:07:01,150
And this wp-login, that is a regular login website, the regular wp-login, the extension.

95
00:07:01,150 --> 00:07:07,280
That's how it actually understands the login, and it just goes over there and tries it.

96
00:07:08,080 --> 00:07:10,390
So let me come over here.

97
00:07:10,570 --> 00:07:14,550
As you can see, we are past 50 percent, and it's done.

98
00:07:15,130 --> 00:07:16,000
Let's see.

99
00:07:16,330 --> 00:07:16,750
Yeah.

100
00:07:16,750 --> 00:07:24,370
Valid combinations found, username Elliot, and there is a password over here, and we found it under

101
00:07:24,850 --> 00:07:27,630
one and a half minutes, maybe one minute and 10 seconds.

102
00:07:28,000 --> 00:07:29,950
So let me see if this is correct.

103
00:07:30,100 --> 00:07:36,220
I'm going to copy and paste this over here as a login, and the proxy server is refusing connections.

104
00:07:36,520 --> 00:07:42,820
So I believe we have to turn off the FoxyProxy over here and close down the Burp Suite if you have it

105
00:07:42,820 --> 00:07:43,210
open.

106
00:07:43,450 --> 00:07:44,590
And here you go.

107
00:07:44,770 --> 00:07:47,230
We are inside of the WordPress.

108
00:07:47,230 --> 00:07:50,830
So now we found the password of Elliot.

109
00:07:51,340 --> 00:07:54,970
So, OK, so we haven't hacked into the server yet, right?

110
00:07:54,970 --> 00:07:57,280
We just came over here.
111
00:07:57,580 --> 00:08:04,330
So let me go to Elliot Alderson's profile and see what kind of user this is.

112
00:08:04,600 --> 00:08:05,530
And here you go.

113
00:08:05,530 --> 00:08:07,990
Elliot is actually an administrator.

114
00:08:08,230 --> 00:08:13,240
So this is the administrator of the WordPress, actually, not the administrator of the server.

115
00:08:13,420 --> 00:08:22,600
But again, this will bring us joy, because it will make our job very easy compared to logging in with

116
00:08:22,600 --> 00:08:23,680
a regular user.

117
00:08:24,310 --> 00:08:28,360
So if you know WordPress, then it's going to be a piece of cake for you.

118
00:08:28,360 --> 00:08:31,120
But if you don't know it, just follow along with me.

119
00:08:31,540 --> 00:08:34,240
As you can see, we get a lot of things over there.

120
00:08:35,020 --> 00:08:41,470
We can just try to analyze and scan if we have some kind of vulnerability in the WordPress itself.

121
00:08:42,040 --> 00:08:46,090
I believe this is WordPress 4.3.25.

122
00:08:46,330 --> 00:08:51,400
And you can search for this on the Web as well, not just with WPScan.

123
00:08:51,610 --> 00:08:59,830
You can just come over here and write WordPress 4.3.25 exploit

124
00:08:59,980 --> 00:09:05,710
and see if there is any exploit related to that particular version.

125
00:09:06,040 --> 00:09:14,470
OK, and there is one over here, but it's again, about 4.3.3.

126
00:09:14,950 --> 00:09:24,010
Yeah, it's cross-site scripting, the kind of thing I don't think that's going to get us into the server.

127
00:09:24,490 --> 00:09:27,130
Let me come over here and check a little bit.

128
00:09:27,310 --> 00:09:31,330
As you can see, they're all XSS vulnerabilities.

129
00:09:31,690 --> 00:09:36,670
So we're going to have to find something that will lead us to the server.
130
00:09:36,880 --> 00:09:45,220
And I don't see it, but of course, not only can we get access with version vulnerabilities, but we're

131
00:09:45,220 --> 00:09:47,770
going to have to try so much more in this case.

132
00:09:48,760 --> 00:09:49,030
So.

133
00:09:49,030 --> 00:09:50,380
Well, I will try, actually.

134
00:09:50,380 --> 00:09:57,190
I will come over here and I will just take a look at the files, and I will see if we can make a post

135
00:09:57,190 --> 00:09:59,640
or upload something, like even...

136
00:09:59,720 --> 00:10:06,950
If you can upload a reverse shell over here, then it would be great, and on the left hand side, we see

137
00:10:06,950 --> 00:10:12,590
all the menus like pages, previous posts, media, dashboard.

138
00:10:12,800 --> 00:10:19,430
So you can just come over here and scroll down a little bit and just wander around to get a feeling

139
00:10:19,430 --> 00:10:21,860
of WordPress if you have never used it before.

140
00:10:22,190 --> 00:10:25,700
Let's do that and let's meet in the next lecture.