Task 1: Hacking your first machine - Hsanokklis/2022-2023-Tech-journal GitHub Wiki

Click the "Start Machine" button. Once loaded in Split View in your browser, you will have access to a machine you'll use to hack a fake bank application called FakeBank. We will use a command-line application called "GoBuster" to brute-force FakeBank's website to find hidden directories and pages. GoBuster takes a list of potential page or directory names and tries accessing a website with each of them; if the page exists, it tells you.

Step 1: Open a Terminal

On the machine, open a terminal.

Step 2: Find a hidden website page

Most companies will have an admin portal page, giving their staff access to basic admin controls for day-to-day operations. For a bank, an employee might need to transfer money to and from client accounts. Often these pages are not made private, allowing attackers to find hidden pages that show, or give access to, admin controls or sensitive data.

Type these commands into the terminal:

gobuster -u http://fakebank.com -w wordlist.txt dir


-u

  • this option states the website we are scanning

-w

  • this option takes a list of words to iterate through to find hidden pages.


Status 200 tells us which pages/directories GoBuster found with our specified words.
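From the defender's side, a wordlist scan like this shows up in the web server's access log as one client collecting many 404 responses within a few seconds, followed by the occasional 200. The sketch below is an added example, not part of the original journal or the room; the log lines, IP addresses, the `/staff-portal` path and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches common-log-format lines: client, timestamp, request path, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

def find_dir_bruteforce(lines, min_misses=5, window=timedelta(seconds=10)):
    """Return {client_ip: [paths answered 200]} for clients that requested at
    least min_misses distinct missing (404) paths inside one time window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, ts, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            events[ip].append((when, path, int(status)))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        misses = [(t, p) for t, p, s in evs if s == 404]
        for i, (start, _) in enumerate(misses):
            in_window = {p for t, p in misses[i:] if t - start <= window}
            if len(in_window) >= min_misses:
                # Paths that answered 200 are what the scan uncovered.
                flagged[ip] = sorted({p for _, p, s in evs if s == 200})
                break
    return flagged

# Constructed sample: one ordinary visitor and one client walking a wordlist.
# "/staff-portal" is a hypothetical hidden page, not taken from the page above.
WORDS = ["images", "backup", "login", "test", "old", "staff-portal", "dev"]
SAMPLE = ['10.0.0.5 - - [01/Mar/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
          '10.0.0.5 - - [01/Mar/2023:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 0']
SAMPLE += [f'10.0.0.9 - - [01/Mar/2023:10:00:{i:02d} +0000] "GET /{w} HTTP/1.1" '
           f'{200 if w == "staff-portal" else 404} 0' for i, w in enumerate(WORDS)]

if __name__ == "__main__":
    for ip, hits in find_dir_bruteforce(SAMPLE).items():
        print(f"{ip}: wordlist scan suspected; paths it found: {hits}")
```

The list of 200 paths for a flagged client is the review queue: each of those pages should sit behind authentication rather than rely on not being linked.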

Step 3: Hack the Bank

Use the hidden directory that you found on the website to hack the bank!

To do this I just added the directory to the URL.

Transfer 2000 from the bank account 2276, to your account (account number 8881).
