Scripting
Mission Brief
The Department for the Administration of Internal Affairs has a new website at https://wordpress.luhack.uk/. Try to find out as much about it as possible.
Build your own scripts; that way you will learn stuff.
Easy: Page Counting
Websites often have sitemap.xml files to help search engines index the website.
Write a script that calculates the total number of indexable pages on the website.
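Added example, not part of the original brief: one way to count indexable pages is to walk the sitemap recursively, because a sitemap.xml can be an index that points to further sitemaps rather than a flat list of pages. The example.test host, the sample documents and the function names are constructed for illustration, so the script runs offline.

```python
import xml.etree.ElementTree as ET

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
XMLNS = 'xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"'

def _doc(root, item, paths):
    """Build a constructed sitemap document for the sample data below."""
    body = "".join(f"<{item}><loc>https://example.test{p}</loc></{item}>" for p in paths)
    return f"<{root} {XMLNS}>{body}</{root}>"

# Constructed sample site (placeholder host): an index that lists two child
# sitemaps and, as a malformed case, itself. /about/ appears in both children.
SAMPLE = {
    "https://example.test/sitemap.xml":
        _doc("sitemapindex", "sitemap", ["/posts.xml", "/pages.xml", "/sitemap.xml"]),
    "https://example.test/posts.xml":
        _doc("urlset", "url", ["/hello/", "/update/", "/about/"]),
    "https://example.test/pages.xml":
        _doc("urlset", "url", ["/about/", "/contact/"]),
}

def collect_pages(url, fetch, seen=None, pages=None):
    """Return the set of page URLs reachable from the sitemap at `url`.

    `fetch` maps a URL to its XML text. `seen` stops a self-referencing index
    from recursing forever; `pages` is a set so duplicates count once.
    """
    seen = set() if seen is None else seen
    pages = set() if pages is None else pages
    if url in seen:
        return pages
    seen.add(url)
    # For sitemaps from untrusted hosts, the defusedxml package is a safer parser.
    root = ET.fromstring(fetch(url))
    kind = root.tag.rsplit("}", 1)[-1]          # strip the "{namespace}" prefix
    path = {"sitemapindex": "sm:sitemap/sm:loc", "urlset": "sm:url/sm:loc"}.get(kind)
    for loc in root.findall(path, NS) if path else []:
        target = (loc.text or "").strip()
        if not target:
            continue
        if kind == "sitemapindex":
            collect_pages(target, fetch, seen, pages)   # nested sitemap
        else:
            pages.add(target)                           # indexable page
    return pages

def count_pages(url, fetch=SAMPLE.__getitem__):
    return len(collect_pages(url, fetch))

if __name__ == "__main__":
    print(count_pages("https://example.test/sitemap.xml"))
```

To use it on a site you are authorised to test, pass a `fetch` function that downloads the URL and returns the response body as text.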
Medium: Brute force login
WordPress sites almost always have an exposed /wp-admin endpoint used to log in and edit the site.
Use a dictionary-based credential stuffing attack to gain a username and password.
HINT: there is probably an admin user. The rockyou.txt wordlist contains many common passwords.
Hard: Secrets
The Inter-Departmental Committee on Community Engagement (IDCCE) has weekly meetings to discuss their progress on their strategies. They sometimes like to put the meeting minutes securely on their website so they make sure to not index them.
Hint: robots.txt is where people normally put things they want to hide.
How many meeting minutes are actually on the website?
Between all the pages posted, how many unique words are there? (Exclude titles, answer was calculated using wc -w)
Very Hard: Secure Communications
To complete your training with the DAIA, we would like you to research some of the history of the DAIA. It is stored securely on the website.
Hint: You’re not getting one this time. That’s what makes it very hard.
When was the DAIA founded, and who is in charge?