TryHackMe — Advent Of Cyber 2023 Day 4 Write Up — Baby, it’s CeWLd outside
Room: Advent of Cyber 2023 Day 4
Day 4 I found to be particularly easy. AOC is beginner oriented, especially the first days. However, I feel like there was a bit too much hand-holding. The exact commands are in the write-up, and in the video walkthrough the answers are even displayed in their full glory.
Nevertheless it was a great opportunity to learn about some new tools. I had never used a tool like CeWL before. CeWL is a spider that crawls a webpage to make customised word lists. This can be a great alternative to rockyou.txt or other common password lists.
But with every password list I ask myself the question: does that still work these days? I know a lot of people don't bear cyber security in mind, but still I wonder if hackers have a lot of success with password lists like this.
Have you? Let me know!
It does bring up a story I recently heard about hackers being able to breach certain systems in a country at war, trying wordlists in their native language. Upon further investigation it was concluded that English wordlists had a much higher rate of success, meaning in this case the passwords were in English and probably not that hard to brute-force. It makes me wonder, like yesterday with the PIN codes, how safe certain critical infrastructure actually is.
After generating the wordlist it’s time to actually put it to use by brute-forcing the web application with wfuzz. Very similar to Hydra, wfuzz will try every password in the form until it receives a successful response.
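Seen from the defending side, the same idea works as a password-policy check: collect the words your own public pages expose, then reject any new password that reduces to one of them. The sketch below is an added example, not part of the room or of CeWL; the sample HTML, the function names and the leetspeak table are all constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample page standing in for an organisation's public site.
SAMPLE_HTML = """
<html><head><title>Example Toyworks - Team</title>
<style>.hidden { display: none }</style></head>
<body><h1>Meet the Toyworks crew</h1>
<p>Our mascot Frostbite guards the workshop in Snowville.</p>
<script>var tracking = "ignoreme";</script></body></html>
"""

class _TextExtractor(HTMLParser):
    """Collects visible text, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def site_words(html, min_len=5):
    """Lower-cased words of at least min_len letters found in the page text."""
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    return {w.lower() for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len}

# Hypothetical table of common character substitutions (0->o, 1->i, 3->e, ...).
LEET = str.maketrans("013457@$!", "oieastasi")

def is_site_derived(password, words):
    """True if the password reduces to a word published on the site."""
    # Check the password as typed and with leading/trailing digits or symbols
    # removed, so both "Sn0wv1ll3" and "Fr0stb1te2023!" are caught.
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    forms = {re.sub(r"[^a-z]", "", f.lower().translate(LEET))
             for f in (password, stripped)}
    return bool(forms & words)
```

Run `is_site_derived` at password-change time against a word set rebuilt whenever the site content changes.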
Happy Hacking!