Yet another Mr. Robot themed challenge.
Save those credentials we’re gonna need them.
Olivia Cortez:olivi8
1- Scanning:
nmap -p22,80 -A 10.10.199.22Result:
2- Visiting Web Page:
Make sure to add the following to you /etc/hosts file and then visit the web page.
10.10.199.22 cyprusbank.thm
2.1. Brute Directories Using Ffuf:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://cyprusbank.thm/FUZZNothing Found!
2.2. Brute Subdomains:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://cyprusbank.thm/ -H "Host:FUZZ.cyprusbank.thm" -fw 1
add admin.cyprusbank.thm to your /etc/hosts file
Use the credentials mentioned above to login
Navigate to Messages, and change c=5 to c=0 in the URL.
We got Gayle’s password
p~]P@5!6;rs558:q
Now, using this password and Name: Gayle Bev
Login to Gayle’s accont
Question 1: What’s Tyrell Wellick’s phone number?
842–029–5701
Visit Settings Page, we can see that he has the ability to change users passwords. Time for BurpSuite.
Remove password field from the request body and see that we got an error
what you should do is add the following to the end of the request b
