Christmas Chaos
Web Exploitation - Burp Suite
SecLists is a collection of common lists including usernames, passwords, URLs and much more.
A password list known as "rockyou.txt" is commonly used in security challenges, and should definitely be a part of your security toolkit.
Deploy your AttackBox
Set Burp Suite as the browser's proxy and intercept the login request.
Send to Intruder --> Positions
Select Attack Type Cluster Bomb
Use Burp Suite to brute force the login form. Use the following lists for the default credentials:
Payloads
Start attack
Looking at the results, the pair admin / 12345 has a different response length from the other results.
Use the correct credentials to log in to the Santa Sleigh Tracker app. Don't forget to turn off FoxyProxy once Burp Suite has finished the attack!
What is the flag?
THM{885ffab980e049847516f9d8fe99ad1a}
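From the defender's side, a Cluster Bomb run like the one above shows up in authentication logs as one client failing logins across several usernames in a short time, sometimes followed by a success. The detector below is an added example, not part of the original walkthrough; the log format, addresses, usernames and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): ISO time, client IP, username, result
SAMPLE_LOG = """\
2020-12-03T10:00:01 10.10.5.7 root FAIL
2020-12-03T10:00:02 10.10.5.7 admin FAIL
2020-12-03T10:00:03 10.10.5.7 user FAIL
2020-12-03T10:00:04 10.10.5.7 root FAIL
2020-12-03T10:00:05 10.10.5.7 admin OK
2020-12-03T10:00:06 10.10.5.7 user FAIL
2020-12-03T10:00:07 10.10.5.7 root FAIL
2020-12-03T10:00:08 10.10.5.7 admin FAIL
2020-12-03T10:00:09 10.10.5.7 user FAIL
2020-12-03T10:02:00 10.10.9.20 alice FAIL
2020-12-03T10:02:10 10.10.9.20 alice OK
"""

def parse(log):
    """Yield (timestamp, ip, username, success) for each log line."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_bruteforce(log, window=timedelta(seconds=60),
                      min_failures=6, min_users=2):
    """Flag clients with >= min_failures failed logins against
    >= min_users usernames inside one sliding time window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            fails = [u for _, u, ok in events[start:end + 1] if not ok]
            if len(fails) >= min_failures and len(set(fails)) >= min_users:
                # Any success from this client is an account to reset.
                hit = sorted({u for _, u, ok in events[start:] if ok})
                alerts[ip] = {"failures": len(fails),
                              "users": sorted(set(fails)),
                              "compromised": hit}
                break
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

An alert with a non-empty `compromised` list means the guessing succeeded, which is the case for default credentials such as the pair found above; replacing default passwords and rate limiting or locking out repeated failures closes that path.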