Red Team Attacks
We did not gain unuauthorized access to the target server, but the following attacks were used in an attempt to do so:
Identification thta the wp-admin URL was unchanged and allowed us to identify valid usernames due to them not having disabled username hints
​
Password Attacks
Password brute force attack using Hydra:
Password brute force attack using WPScan:
command: wpscan -v --disable-tls-checks --url https://10.96.32.116/home/ -p <passlist> -U Ksuitg5
Denial-of-Service Attacks
Command: nmap -sS -sU -T4 -A -v 10.96.32.116
​
Screenshot lost due to corruption of Microsoft Teams image
SQL Attacks
Crawling the the website with SQLmap and auto-exploit
command: sqlmap -u "http://10.96.32.116/home/ --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
Cross-Site Scripting Attacks
We were able to attempt XSS attacks because the other team did not disable the ability to post comments on their WordPress
Phishing Attacks
We obtained approval from our sponsor to utilize his email address to send emails to the team defending the target server and try to obtain credentials or other useful information.