top of page

Red Team Attacks

We did not gain unuauthorized access to the target server, but the following attacks were used in an attempt to do so: 

Identification thta the wp-admin URL was unchanged and allowed us to identify valid usernames due to them not having disabled username hints

​

ksuitg5 confirmed as valid user.jpg

Password Attacks

Password brute force attack using Hydra:

Hydra password attack.jpg

Password brute force attack using WPScan:
command: wpscan -v --disable-tls-checks --url https://10.96.32.116/home/ -p <passlist> -U Ksuitg5

Denial-of-Service Attacks

Command: nmap -sS -sU -T4 -A -v 10.96.32.116

​

Screenshot lost due to corruption of Microsoft Teams image

SQL Attacks

Crawling the the website with SQLmap and auto-exploit

command: sqlmap -u "http://10.96.32.116/home/ --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

SQLMap crawl.jpg

Cross-Site Scripting Attacks

We were able to attempt XSS attacks because the other team did not disable the ability to post comments on their WordPress

Phishing Attacks

We obtained approval from our sponsor to utilize his email address to send emails to the team defending the target server and try to obtain credentials or other useful information.

Phishing attack - testing.jpg
bottom of page