Enumerate: 172.25.200.200:9014: Flag_H

Want to run this Docker container locally?

docker run -d -p 9014:80 -p 9015:22 --cap-add=NET_ADMIN --name flag-h joshbeck2024/ctf-brute-force-login-flag-h

Note, there are two ports listening:

Port 9014: Webpage

Port 9015: SSH

Description:

-This is a medium challenge

-Points: 10

Enumeration Challenge!

Walk through:

When you first go to the webpage at `HTTP://172.25.200.200:9014` you’ll see that we need to fuzz for `.txt` files that will allow us to brute-force the SSH server for usernames and passwords.

Let’s fuzz using the wordlist `raft-small-words.txt`

Look at the file extension .txt after FUZZ . This will be interpreted literally.

wget <https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/Web-Content/raft-small-words.txt>
ffuf -u <http://172.25.200.200:9014/FUZZ.txt> -w raft-small-words.txt

If `ffuf` spits out too many results, you’ll want to filter.

In this case, we’ll say, ‘Don’t show any page that returns a 403 status

Want to run this Docker container locally?

Note, there are two ports listening:

Description:

Walk through:

When you first go to the webpage at HTTP://172.25.200.200:9014 you’ll see that we need to fuzz for .txt files that will allow us to brute-force the SSH server for usernames and passwords.

Let’s fuzz using the wordlist raft-small-words.txt

If ffuf spits out too many results, you’ll want to filter.

When you first go to the webpage at `HTTP://172.25.200.200:9014` you’ll see that we need to fuzz for `.txt` files that will allow us to brute-force the SSH server for usernames and passwords.

Let’s fuzz using the wordlist `raft-small-words.txt`

If `ffuf` spits out too many results, you’ll want to filter.