Web Security Labs Part I

WebSecurity, CyberTalents

Peace be upon you, and the mercy and blessings of Allah. In the name of Allah, and peace and blessings be upon the Messenger of Allah. Praise be to Allah, who taught by the pen, taught man what he did not know, and peace and blessings be upon the best teacher of good to people, Muhammad, peace and blessings be upon him. To proceed:

Admin-has-the-power

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

Only administrators have the power to see the flag, can you be one?

Solution

First, access the lab.

To solve this lab you need to install this extension:

Link ⇒ https://chromewebstore.google.com/detail/cookie-editor/hlkenndednhfkekhgcdicdfddnkalmdm?hl=en-US&utm_source=ext_sidebar

Now we review the page source (Ctrl+U).

Focus on line 18, where you can see the login credentials:

user:support
password:x34245323

Log in with these credentials.

Now we open Cookie Editor and change the role's value from support to admin, then click Save and reload the page.


This-is-Sparta

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

Morning has broken today they're fighting in the shade when arrows blocked the sun they fell tonight they dine in hell

Solution

We review the source code (Ctrl+U).

We focus on this line:

// Some code
var _0xae5b=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x70\x61\x73\x73","\x43\x79\x62\x65\x72\x2d\x54\x61\x6c\x65\x6e\x74",
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x43\x6F\x6E\x67\x72\x61\x74\x7A\x20\x0A\x0A",
"\x77\x72\x6F\x6E\x67\x20\x50\x61\x73\x73\x77\x6F\x72\x64"];
function check(){var _0xeb80x2=document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];
var _0xeb80x3=document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];
if(_0xeb80x2==_0xae5b[4]&&_0xeb80x3==_0xae5b[4]){alert(_0xae5b[5]);} else {alert(_0xae5b[6]);}}

Well, I'll explain what this function does.

var _0xae5b // is an array of 7 elements [0:6]

function check() and its if statement:

if ( varx2(username) == array[4] && varx3(pass) == array[4] ) {
    show alert array[5]   // which is **Congratz** if we decode it
} else {
    show alert array[6]   // which is **wrong Password**
}

So let's decode array[4] to get its content, using any website.

These values look like hex because the variable name starts with 0x (and each character is written as a \x escape), so we will remove everything except the hex digits:

76616C756575736572676574456C656D656E74427949647061737343796265722d54616c656e742020
2020202020202020202020202020202020202020436F6E677261747A200A0A77726F6E67
2050617373776F7264

Now let's convert it with this site ⇒ https://cryptii.com/pipes/hex-to-text

Now copy the numbers in, and you will see something like this

To solve the lab, just log in with these credentials:

user ⇒ Cyber-Talent

pass ⇒ Cyber-Talent

After submitting you see this pop-up
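
The manual hex decoding above can be done in one step. This added example (not part of the original write-up or the lab) decodes the `_0xae5b` string table and substitutes every lookup back into `check()`, which shows that credentials compared in client-side JavaScript are readable by anyone who views the source; `sample` is abridged from the script above and the function names are hypothetical.

```javascript
// Abridged from the script above: same array and check(), with the padding
// spaces in element 5 dropped. String.raw keeps the backslashes literal.
const sample =
  String.raw`var _0xae5b=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64",` +
  String.raw`"\x70\x61\x73\x73","\x43\x79\x62\x65\x72\x2d\x54\x61\x6c\x65\x6e\x74","\x43\x6F\x6E\x67\x72\x61\x74\x7A\x20\x0A\x0A",` +
  String.raw`"\x77\x72\x6F\x6E\x67\x20\x50\x61\x73\x73\x77\x6F\x72\x64"];` +
  String.raw`function check(){var _0xeb80x2=document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];` +
  String.raw`var _0xeb80x3=document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];` +
  String.raw`if(_0xeb80x2==_0xae5b[4]&&_0xeb80x3==_0xae5b[4]){alert(_0xae5b[5]);}else{alert(_0xae5b[6]);}}`;

// Turn \xNN and \uNNNN escapes in a string-literal body into characters.
function decodeEscapes(body) {
  return body.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Locate `var _0x...=[ "...", ... ];` and decode every element.
function extractStringTable(src) {
  const m = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([\s\S]*?)\];/i);
  if (!m) return null;
  const literals = m[2].match(/"(?:[^"\\]|\\.)*"/g) || [];
  return { name: m[1], decl: m[0], table: literals.map((s) => decodeEscapes(s.slice(1, -1))) };
}

// Inline each table lookup, then turn x["name"] into x.name (a heuristic).
function deobfuscate(src) {
  const t = extractStringTable(src);
  if (!t) return src;
  const lookup = new RegExp(t.name + "\\[(\\d+)\\]", "g");
  return src
    .replace(t.decl, "")
    .replace(lookup, (whole, i) =>
      Number(i) < t.table.length ? JSON.stringify(t.table[Number(i)]) : whole)
    .replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

console.log(extractStringTable(sample).table);
console.log(deobfuscate(sample));
```
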


I am Legend

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

If I am a legend, then why am I so lonely?

Flag Format : FLAG{}

Solution

We review the source code (Ctrl+U).

Line 26 is obfuscated, so we will try to deobfuscate it with PoisonJS:

Link: https://filipemgs.github.io/poisonjs/

Hint: (you already deleted the script tag 😄)

You can submit the flag or log in with these credentials, it's up to you 😂


Cool Name Effect

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

Webmaster developed a simple script to do cool effects on your name, but his code is not filtering the inputs correctly. Execute a JavaScript alert and prove it.

Solution

After accessing the lab, we try typing special characters like (<, >, (, ), etc.) to see whether there is any filter.

Now let's look at the source code to check whether any filtering is done.

Okay, we have two good findings, but we'll focus on line 25 because it starts with the eval() function, which means this line is obfuscated, and I'll use this [site](http://deobfuscatejavascript.com/index_html#) to deobfuscate it.

Well, I already reviewed this function and found a weak point in it.

Okay, I'll explain what this function does.

var legacyAlert = alert; // keeps the original alert functionality under the name legacyAlert
var newAlert = function() { /* ... */ };

var z = ['y', 'o', 'u', 'r', ' ', 'f', 'l', 'a', 'g', ' ', 'i', 's', ':']; // array of characters (a C-style string) containing "your flag is:"

var f = ([]["fill"] + "")[3];
f += ([false] + undefined)[10];
f += (NaN + [Infinity])[10];
f += (+(211))["to" + String["name"]](31)[1];
f += ([]["entries"]() + "")[3];
f += (+(35))["to" + String["name"]](36); // these lines create a variable called f, and every line appends an unexpected value to it

Well, to get this value (the unexpected values), I'll use an online interpreter and make it print the value with the console.log() function:

var z = ['y', 'o', 'u', 'r', ' ', 'f', 'l', 'a', 'g', ' ', 'i', 's', ':'];
var f = ([]["fill"] + "")[3];
f += ([false] + undefined)[10];
f += (NaN + [Infinity])[10];
f += (+(211))["to" + String["name"]](31)[1];
f += ([]["entries"]() + "")[3];
f += (+(35))["to" + String["name"]](36);
console.log(z.join('') + f)

and you will get the output (this is the flag)


Encrypted Database

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

The company hired an inexperienced developer, but he told them he hid the database and has it encrypted so the website is totally secure, can you prove that he is wrong?

Solution

Well, after we access the lab we try to find any input field to inject into, but I didn't find any input field.

Now let's review the page source code, hoping to find anything.

Okay, now we know there is an /admin endpoint, so let's access it.

Well, we don't have access, so let's try to bypass it with the bypass-403 tool: install it and type this command

./bypass-403.sh our_target (name of endpoint) // in our case the name of the endpoint is admin

All of these URLs lead to the same endpoint; now open one to see the admin login page.

We don't have any credentials to log in with, so let's review the page source code.

Okay, we find another endpoint:

target//admin/secret-database/db.json #final endpoint

Okay, if you try to submit this flag you get "wrong", so let's check whether it is encrypted or not with this site

Now we know it's hashed with MD5, so I'll crack it (look up the original value) on this site


Newsletter

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

The administrator put the backup file in the same root folder as the application. Help us download this backup by retrieving the backup file name.

Solution

Well, type any valid email, intercept the request in Burp and send it to Repeater, then put in the payload (you can search for one). I will use email ; ls ||. The semicolon (;) ends the statement (a line or block of code, whatever) so that our command can start, and the (||) lets the code start from (ls) and ignore the dummy mail at the start. After typing it, send the request.

Now send it.
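
In a shell, `;` ends one command and `||` runs what follows only if the preceding command fails, so text the application appends after the input is skipped. An added example (not the lab's code; the backend command, the `newsletter` suffix and the function names are assumptions, and a harmless `echo` stands in for the injected command) showing the concatenating pattern beside a fix that validates the address and passes it as a single argument without a shell:

```javascript
const { execFileSync } = require("node:child_process");

// Allow-list for the address: no spaces, quotes or shell metacharacters.
const EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$/;

// Vulnerable pattern (assumed backend): user input is concatenated into a
// command line that a shell then parses, so ';' and '||' become syntax.
function subscribeUnsafe(email) {
  const cmd = "echo subscribed " + email + " newsletter";
  return execFileSync("sh", ["-c", cmd], { encoding: "utf8" });
}

// Hardened: reject anything that is not a plain address, then hand it to the
// program as one argv element. No shell is involved, so nothing is parsed.
function subscribeSafe(email) {
  if (!EMAIL_RE.test(email)) throw new Error("invalid email address");
  return execFileSync("echo", ["subscribed", email, "newsletter"], { encoding: "utf8" });
}

// Constructed input in the shape used in the write-up, with echo instead of ls.
const constructedInput = "a@example.com; echo INJECTED ||";

console.log(JSON.stringify(subscribeUnsafe(constructedInput)));
try {
  subscribeSafe(constructedInput);
} catch (err) {
  console.log("rejected:", err.message);
}
console.log(JSON.stringify(subscribeSafe("a@example.com")));
```
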


who am i?

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

Do not Start a fight you can not stop it

Solution

We review the source code (Ctrl+U).

Focus on lines 25 and 26, where you can see login credentials; log in with them.

Now we try to edit the cookie.

I will decode this value with Base64 (you can use this site ⇒ https://www.base64decode.org/)

Now change the value to login=admin and encode it.

Now change the cookie's value to this value and reload the site (don't forget to save it 😄)


Blue Inc

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

Blue Inc is a new social media website that's still under construction, However it doesn't have registration yet, but if you are interested in seeing our website then you can login with demo/demo.

Solution

After accessing the lab in the browser, we log in with the credentials we found in the lab's description

username : demo
password : demo

After logging in with the credentials above, we check the website's cookies with the Cookie Editor extension.

Okay, let's update this value to admin or administrator (high privileges) and reload the website.

Well, try going to your profile to get the flag 😄
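
Admin-has-the-power, who am i? and Blue Inc all work because the server trusts a role value stored in a cookie the user can edit, and Base64 is only an encoding. As an added example (not code from the labs; the cookie formats, the secret and the function names are assumptions), this Node.js code puts the trusting patterns beside an HMAC-signed cookie that rejects an edited value:

```javascript
const crypto = require("node:crypto");

// Assumption: a server-side secret that never reaches the browser (constructed value).
const SECRET = "constructed-demo-secret";

// Weak pattern: the role is whatever the cookie says.
function roleFromPlainCookie(cookieValue) {
  return cookieValue; // editing "support" to "admin" in the browser is enough
}

// Weak pattern: Base64 hides nothing; anyone can decode, edit and re-encode.
function roleFromBase64Cookie(cookieValue) {
  const decoded = Buffer.from(cookieValue, "base64").toString("utf8"); // "login=..."
  return decoded.split("=")[1];
}

// Hardened: the cookie is "<value>.<hex HMAC-SHA256 of value>".
function sign(value) {
  const mac = crypto.createHmac("sha256", SECRET).update(value).digest("hex");
  return value + "." + mac;
}

// Returns the value if the MAC matches, otherwise null.
function verify(cookie) {
  const dot = cookie.lastIndexOf(".");
  if (dot < 0) return null;
  const value = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1), "hex");
  const expected = crypto.createHmac("sha256", SECRET).update(value).digest();
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? value : null;
}

const issued = sign("role=support");
const edited = issued.replace("support", "admin"); // what a cookie editor would produce
console.log(verify(issued), verify(edited));
```

Signing stops tampering but the value stays readable; keeping the role in server-side session state and sending only a random session identifier avoids exposing it at all.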


Easy Message

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

I Have a Message for you.

Solution

After opening the lab in the browser, we found a sign-in page and we don't have any credentials to log in with, so after searching I found an endpoint called /robots.txt

Well, another endpoint; let's open it.

I'll explain the functionality of this block of code

$user = $_POST['user'];
$pass = $_POST['pass']; // read the two POST parameters, user and pass

include('db.php'); // include the file db.php

if ($user == base64_decode('Q3liZXItVGFsZW50') && $pass == base64_decode('Q3liZXItVGFsZW50')) {
    success_login();
} else {
    failed_login();
} // if the condition is true we are able to log in, and if it is false we are not

Well, to make the condition true we must log in with these credentials; first we'll decode them, I'll use this website

Now let's try to log in with these credentials

user : Cyber-Talent
pass : Cyber-Talent

Ohh, this looks like Morse code; I'll translate it with this site


Cheers

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

description

I Have a Message for you.

Solution

I already reviewed the source and got nothing.

So, we see it tells us "undefined index", which means uninitialized (I mean it doesn't have a value), so we'll try to send it as a parameter and set any value, like this:

and send

Well, it's a great finding; now we repeat the same process with the gimme_flag parameter, like this:

and send it