Adam Thompson
2 min read · Dec 3, 2020


TryHackMe Advent of Cyber 2, Day 3 Write-up.

The challenge today was short, but sweet!

The day three event started with some more education (I love that TryHackMe does this, because I am new and need the information).

They started out by teaching us about Authentication, what it is, and how it differs from “Authorization”, with which it is sometimes confused or used interchangeably.

They then moved on to default credentials. This seems like such a simple thing to change in order to prevent unauthorized access, but it is commonly overlooked. They spoke a little bit about some big attacks that have happened in the past due to default credentials, and even talked about Internet of Things (IoT) devices being used in DDoS attacks because people did not change the default credentials.

They then moved into the meat of this lesson today, BurpSuite. I had heard about BurpSuite, and had seen it used in some videos before, but I had never actually played around with it. This section was a gold mine of information. They walked you through how to intercept web traffic, send the username and password fields to the “Intruder” tab, then how to set up payloads in order to try many different “Default Credentials” automatically. This section was filled with screenshots and detailed instructions, so I had no problem following along with what was going on.

The first question was just to copy and paste the IP into the browser on my AttackBox. I was able to complete that portion pretty easily; I’m getting good at copy/paste 😉

The final question was a bit more difficult in my eyes, because they are basically like “ok, now that you know about BurpSuite, go out and use it on this website and log into the Santa Sleigh tracker app!”.

I went back through the steps outlined in the introduction, set up everything like they explained, clicked the “Start attack” button, and it spit out a bunch of results.

I was like “ok…. Now what?”. I had no idea what I was looking at. I went back to the instructions, read through everything, double-checked my settings, ran it again, and got the same output. The output just looked to me like BurpSuite had tried all combinations of the default credentials I had provided (which it did). Feeling like I must be missing something, I went back and re-read the instructions AGAIN, and this time I noticed a sentence at the very end surrounded by parentheses and written in italics. (Typically, all incorrect logins will have the same status or length; if a combination is correct it will be different.)

Ahhh… yeah I guess it pays to read all of the instructions. Lesson learned. I found the result that had a different length, went back to the webpage, turned off the BurpSuite proxy option, entered the default creds identified to be correct by BurpSuite, and logged in. The flag was at the bottom of the Santa Sleigh Tracker: THM{885ffab980e049847516f9d8fe99ad1a}

Success.

Another day down, another lesson learned.
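The hint from the room (failed logins share one status and length, a success looks different) is just as useful from the other side of the fence. The script below is an added example written for this write-up; it is not TryHackMe’s, BurpSuite’s, or the Sleigh Tracker app’s code. It reads web server access log lines in Combined Log Format, finds clients that hammer the login endpoint, and points at the one response that broke the failed-login pattern, which is what a defender would want to alert on when someone runs a default-credential list against their app. The log lines, IP addresses, the `/login` path and the thresholds are all constructed assumptions for the example.

```python
"""Spot a default-credential guessing run in access logs (added example).

Turns the room's hint (wrong logins share one status/length, the right one
looks different) into a defender-side check: clients that POST to the login
page many times in a short window are flagged, and any response that differs
from that client's most common (status, size) pair is reported as a likely
successful guess.  All log lines below are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined Log Format, e.g.
# 10.0.0.5 - - [03/Dec/2020:10:15:01 +0000] "POST /login HTTP/1.1" 200 1432 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

LOGIN_PATH = "/login"          # assumed login endpoint of the app being protected
MIN_ATTEMPTS = 8               # attempts from one client before we care (assumed)
WINDOW = timedelta(minutes=5)  # the attempts must fall inside a span this long


def parse_line(line):
    """Parse one access log line; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def max_in_window(times, window):
    """Largest number of sorted timestamps that fit inside one window."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_credential_guessing(lines):
    """Return {ip: {"attempts", "baseline", "outliers"}} for suspicious clients.

    baseline is the (status, size) pair most of that client's login responses
    share (the "wrong password" shape); outliers are the responses that differ.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        if max_in_window([r["ts"] for r in recs], WINDOW) < MIN_ATTEMPTS:
            continue  # normal user, or too slow to look like a wordlist
        baseline, _ = Counter((r["status"], r["size"]) for r in recs).most_common(1)[0]
        outliers = [
            {"ts": r["ts"].isoformat(), "status": r["status"], "size": r["size"]}
            for r in recs
            if (r["status"], r["size"]) != baseline
        ]
        findings[ip] = {"attempts": len(recs), "baseline": baseline, "outliers": outliers}
    return findings


def _line(ip, second, method, path, status, size):
    """Build one constructed Combined Log Format line for the sample below."""
    return (f'{ip} - - [03/Dec/2020:10:15:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')


# Constructed sample: one normal user, one client running a credential list.
SAMPLE_LOG = [
    _line("10.0.0.9", 0, "GET", "/", 200, 5120),
    _line("10.0.0.9", 3, "POST", "/login", 302, 0),          # a single normal login
    *[_line("10.0.0.5", s, "POST", "/login", 200, 1432) for s in range(1, 10)],
    _line("10.0.0.5", 10, "POST", "/login", 302, 0),         # the guess that worked
    "this line is not in combined log format",               # parser must skip it
]

if __name__ == "__main__":
    for ip, info in find_credential_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login attempts, baseline {info['baseline']}")
        for o in info["outliers"]:
            print(f"  differing response at {o['ts']}: {o['status']} / {o['size']} bytes")
```

The baseline is taken per client rather than hard-coded, because the failed-login shape depends on the app (a 200 that re-renders the form here, a 401 elsewhere); the one thing the script assumes, exactly as the room did, is that the success does not look like the failures. Feeding it a real log means pointing `LOGIN_PATH` at your own login route and tuning `MIN_ATTEMPTS` and `WINDOW` to what normal users actually do.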

Adam Thompson

Father, information security enthusiast, lifelong learner, gamer, music lover, trying to be a little better at everything each day.