admin

Conquering CTF

A Beginner’s Guide to TryHackMe’s Bounty Hacker CTF

When the world becomes a game, and every piece of data is a potential flag, you know you’re in a hacker’s playground. Let’s walk through the strategy and steps I took to conquer this CTF challenge.

Step 1: Scanning the Target

The very first step in any CTF challenge is to gather information about the target. This is known as reconnaissance or information gathering. I used Nmap, one of the most powerful tools for scanning networks, to find open ports on the target system. The command I used was: nmap –A target-IP


The output showed three open ports:

  • Port
    21 (FTP)    : A file transfer service.
  • Port
    22 (SSH)    : A secure shell for remote
    login.
  • Port
    80 (HTTP)    : A web service.

 

Open ports represent potential entry points into the system.
We need to focus on these services because they might be vulnerable or
misconfigured, allowing us to gain access.

After analyzing the ports, I decided to start with Port
21, the FTP service. FTP is commonly used for file transfer, and
sometimes, misconfigurations or weak credentials can expose sensitive
information.

Step

2: Accessing the FTP Server

I
connected to the FTP service using the following command: ftp target-IP

·  The ftp
command is used to establish a connection to the FTP server at the given IP
address.

·  I was prompted to
provide a username. Surprisingly, the system accepted Anonymous, which
allowed unauthenticated access.


The
fact that Anonymous access was allowed
means there might be files on the system that anyone can read, including
potential clues. Misconfigured FTP servers often allow unauthenticated access,
which can be exploited.

Next,
I ran the command: ls –la

The
ls -la command lists all
files in the directory with detailed information, including hidden files. This
helped me identify any potentially interesting files in the FTP server’s root
directory.

The
directory revealed two text files: locks.txt and
task.txt. These files could contain
crucial information to help me advance in the CTF.

Step 3: Inspecting the Files

 

I decided to open both files and see what information they contained. First,
I opened locks.txt, then moved to task.txt.

·  The files were
simple text files, but in a CTF, even a small hint can be incredibly valuable.

·  In task.txt,
I found a username: lin. This was a critical piece of information. lin
was likely the user account that I needed to target in the next step.

The
username lin pointed me to the next
stage: gaining access to the lin user’s
account, which would likely bring me closer to the flag.

A Beginner’s Guide to TryHackMe’s Bounty Hacker CTF Read More »

How to Generate a Custom Wordlist with Crunch?

Introduction

Crunch is a powerful open-source tool used to create custom wordlists for password cracking, security testing, and auditing. Ethical hackers and security professionals use Crunch to generate wordlists based on specific criteria such as character sets, patterns, and lengths. These wordlists can be used with tools like John the Ripper, Hashcat, and Hydra for brute-force and dictionary attacks.

Why Pen Testers Use Crunch

In many cases, website passwords are related to company names, admin names, or common keywords. Security testers use Crunch to generate custom wordlists that include these relevant words, increasing the likelihood of cracking weak passwords during security assessments. By creating a tailored customer list based on the target’s naming conventions and industry-specific terms, testers can improve password auditing efficiency.

Installation

  • To install Crunch on Kali Linux:
    • sudo apt install crunch

·       
If you want
to read extra details about Crunch, use the following command:

    • man crunch

Basic Syntax

  • Crunch command format:
    • crunch <min_length>
      <max_length> [options]
    • <min_length>:
      Minimum word length
    • <max_length>:
      Maximum word length
    • [options]:
      Additional parameters for customization

Crunch Tool
Commands and Options

Option

Description

-o
<filename>

Specify
the output file to save the generated wordlist.

-t
<pattern>

Generate
words based on a specific pattern (e.g., -t @@@@ for 4-character words).

-p
<pattern>

Generate
permutations of the specified pattern.

-s
<string>

Specify
a string to prepend to each generated word.

-e
<string>

Specify
a string to append to each generated word.

-l
<length>

Specify
the length of the words to generate.

-c

Only
generate words that are of a certain length.

-f
<filename>

Use
a file as input for generating words (e.g., using a list of words).

-i
<string>

Insert
a string at specified positions in the generated words.

-b
<num>

Generate
only a certain number of words (limit output).

-n

Include
numbers in the output (digits).

-h

Display
help information about the tool and its options.

Example

·       
Example
1: Basic Wordlist
(Generate lowercase letters of length 4-6)

    • crunch 4 6 abcdefghijklmnopqrstuvwxyz -o
      wordlist.txt

·       
The crunch
command can be used to generate a simple wordlist composed of lowercase
letters. For instance, produces passwords that are 4 to 6 characters in length,
using only lowercase letters. The resulting combinations are saved to the file wordlist.txt, making it a straightforward option for creating basic
password lists. 

·       
Example
2: Alphanumeric Wordlist
(Generate letters and numbers of length 3-4)

    • crunch 3 4
      abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt       

·       
To generate a
wordlist consisting of alphanumeric combinations, you can use the crunch
command with a specified length range.  creates passwords that are either 3 or 4
characters long, using lowercase letters and numbers. The generated
combinations are saved to the file wordlist.txt,
making it a useful resource for various password-cracking tasks.

·       
Example
3: Generate a specific pattern of passwords:

    • crunch 10 10 0123456789@ -t tester@%%%
      -o generated_passwords.txt 

·       
Generates
10-character passwords starting with the prefix “tester,” followed by
a single lowercase letter or symbol represented by @, and
ending with three characters from the specified character set (digits and @).
The results are saved in the file generated_passwords.txt, showcasing the tool’s flexibility in producing targeted
wordlists for password cracking.

Example
4: Generate Passwords with Special Characters

    • crunch 10 10 @ -t tester@%%% -o
      generated_passwords.txt       

·       
The crunch command is an essential tool for creating custom
wordlists, particularly useful in password cracking scenarios. This example
demonstrates how to generate passwords with a specific pattern, including
special characters.

·       
Example
5: Generating Wordlist Combinations with Crunch

    • crunch 3 3 -t aaa -p admin user tester
      -o wordlist.txt

·       
In this
section, we demonstrate how to generate a wordlist of permutations from a set
of specific words using the crunch
command. This command is useful for creating custom wordlists for penetration
testing and security assessments.

Dynamic Wordlist Generation with Crunch for Password Cracking Tools (Without Saving)

 

Introduction

In this section, briefly explain the significance of password cracking and how dynamically generating wordlists with crunch enhances the effectiveness of various cracking tools without the need for saving intermediate files.

 Aircrack-ng

Command: crunch 8 8
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng -b
[bssid] -w - [file.cap]

Explanation:

  • This command generates passwords of length 8 and pipes them directly into aircrack-ng to crack WPA/WPA2 handshakes.

Example Usage: crunch 8 8
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng -b
00:11:22:33:44:55 -w - capture.cap

 John the Ripper

Command: crunch 8 8
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | john --stdin
[hash_file]

Explanation:

  • This command generates passwords of length 8 and pipes them directly into John the Ripper for cracking specified hashes.

Example Usage: crunch 8 8
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | john --stdin
hashes.txt

 Hashcat

Command:crunch 8 8
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | hashcat -m
[hash_type] -a 0 [hash_file] -

Explanation:

  • This command generates passwords of length 8 and uses them in a straight dictionary attack against the specified hash type without saving them to a file.

Example Usage: crunch 8 8
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | hashcat -m 0
-a 0 hashes.txt -

 THC-Hydra

Command: crunch 8 8
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | hydra -l
[username] -P - [protocol] [target]

Explanation:

  • This command generates passwords and pipes them directly into THC-Hydra for brute force attacks on various protocols.

Example Usage: crunch 8 8
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | hydra -l admin
-P - ssh://192.168.1.1

 

Conclusion

In summary, crunch is a powerful tool for generating custom wordlists tailored to your password cracking needs. Its versatility allows you to create lists with specific character sets, lengths, and patterns, enhancing your efficiency in security assessments.

By mastering crunch commands, you can streamline your workflow and improve your effectiveness in penetration testing. Always remember to use these tools ethically and with permission. With practice, you can leverage crunch to boost your skills in cybersecurity.

How to Generate a Custom Wordlist with Crunch? Read More »

XML External Entity

Mastering XML External Entity (XXE) Injection: A Guide to Exploiting

XML external entity (XXE) injection

In this section, we’ll explain what XML external entity injection is, describe some common examples, explain how to find and exploit various kinds of XXE injection, and summarize how to prevent XXE injection attacks.

What is XML external entity injection?

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

Lab: Exploiting XXE using external entities to retrieve files

This lab has a “Check stock” feature that parses XML input and returns any unexpected values in the response.

To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file.

Visit lab then click any post to view detail.

Then check stock

Go your burp
http history then see the request

Send the request to repeater.

You can this stock check using xml code then Insert the following external
entity definition in between the XML declaration and the stockCheck element:

<!DOCTYPE test [ <!ENTITY
xxe SYSTEM "file:///etc/passwd"> ]>

I do one mistake I not add ; semicolon in end of xxe in product id. 

You see the data is here and now your lab is solve.

Mastering XML External Entity (XXE) Injection: A Guide to Exploiting Read More »

Footprinting and Recon

Mastering Footprinting and Recon with Windows Commands: A Beginner’s Guide

Footprinting and recon using windows command line – basics :

What is footprinting and reconnaissance :

Footprinting (also known as recon) is the technique used for gathering information about the target. For knowing your target recon is important .

Types of reconnaissance :

Active reconnaissance : interacting actively with the target is active reconnaissance .

Passive reconnaissance : gathering info about the target without interacting with it .

Footprinting helps in :

  1. Knowing the target
  2. Reducing the attack area
  3. Identify vulnerabilitie
  4. Mapping target

Commands used in this tutorial :                    

  1. Ping
  2. nslookup
  3. Tracert

Ping:

To know about the usage of any command use -help option with any command

Lets ping something :

Command : ping www.certifiedhacker.com

What info it gives :

1.    
Ip of target

2.    
Ttl (time to live) helps in
determing the Operating Sysetem of target

3.    
If the host is live or not

We can find maximum frame size by using
ping:

Command : ping www.certifiedhacker.com -f -l 1500

  -f
is used for specifying not to fragment the packet

   
And -l is used for setting the frame size 

This message means the frame is too large
and need to be fragmented .

You can try different values till you reach
the maximum size.

Like ping www.certifiedhacker.com -f -l 1450

ping www.certifiedhacker.com -f -l 1400  

etc etc

 

 

tracert :

this command is used for traceroute

command :tracert www.certifiedhacker.com

this will tell the hops through which the
request reaches to destination

nslookup:

used for querying dns info of the target .

command : nslookup www.certifiedhacker.com

Mastering Footprinting and Recon with Windows Commands: A Beginner’s Guide Read More »

Subscribe

Enter Your Email to receive relevant messaging tips and examples

Lorcam Securities stands out as a premier provider of cybersecurity training, addressing the issues organizations face in defending against a rapidly changing array of cyber threats.

Quick Link

We offer

Office Address

India Office Address:- B-28, 1ST Floor, Sector-01, Noida, Uttar Pradesh -201301

Facebook X-twitter Youtube Linkedin

© 2025 Lorcram Securities. All rights reserved.

Open chat
Need help?
Hello 👋
Can we help you?