Web Security Labs Part II
Peace be upon you, and the mercy and blessings of Allah. In the name of Allah, and blessings and peace be upon the Messenger of Allah. Praise be to Allah, who taught by the pen, taught man what he did not know; and blessings and peace be upon the best teacher of good to mankind, Muhammad, peace be upon him. Now then:
Back to basics
Challenge Information
- Category: Web Security
- Level: easy
- Points: 50
Description
I Have a Message for you.
Solution
Well, if you try to review the source code you get this:
So, the name of the lab tells us to go back to basics. I open the dev tools and review the network traffic. You can use Burp, but it isn't needed here; just press F12 to open the dev tools.
Like this. Now click on Network and reload the page.
You get this. Now go through and check every request, and you find it (I mean the flag) in the second request.
Maximum Courage
Challenge Information
- Category: Web Security
- Level: easy
- Points: 50
Description
Max prefers to learn by practicing and not just reading all day, so he set up a webserver and hopes it stays secret, can you prove it has a weakness?
Solution
After accessing the lab, we open it in the browser.
Okay, we don't have access to open flag.php (the aim is to open it because it contains the flag).
Now we need a tool to scan the web server for directories. I will use dirb; you can find it here https://github.com/andrenth/drib. Let's go to our terminal command line: dirb <target>
Okay, good findings. If we open this URL we find another path; I opened it and it's not useful, but we know that this website has /.git, so that means the website exposes its Git directory. I will use GitTools for it; you can get it from here https://github.com/internetwache/GitTools. We will actually use ./gitdumper.sh.
I will explain the command line first: ./gitdumper.sh (the script), the URL (our target) and a folder name (where the output will be stored). Final form: ./gitdumper.sh <target> <name of folder>
Okay, open the folder and type ls -a (-a shows hidden files).
I already searched through it but didn't find anything (you can search if you want; it's up to you). Now we try another tool, git. We will use git status to see the changes that have been made to this repository. Command: git status
Yeah, it's just that: type git restore flag.php to solve the challenge.
Easy access
Challenge Information
- Category: Web Security
- Level: easy
- Points: 50
Description
Only superpower makes you see unlimited view.
Solution
We review the source code (Ctrl+U).
Now try to log in with these credentials:
username : bob
pass : password
Well, now we try a payload to bypass authentication and gain unauthorized access to the system. The common one is ' OR 1=1 -- - and I'll try it with the above credentials.
Now log in.
Well, it's an easy one; in the common case it isn't like this (I mean easy).
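As an added example (not the lab's own code, whose login query we never see), here is the same check written in PHP against an in-memory SQLite table constructed for the demo, once with the input pasted into the query text and once with a prepared statement; the table name, column names and the sample row are assumptions:

```php
<?php
// Added example (not the lab's own code): one login check written two ways,
// run against an in-memory SQLite table constructed here. Table and column
// names and the sample row are assumptions. Needs the PDO SQLite driver.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
    // Demo row only; a real application stores a password hash, never the password.
    $db->exec("INSERT INTO users VALUES ('bob', 'password')");
    return $db;
}

// Vulnerable: the input is pasted into the SQL text, so a quote in it ends
// the string literal and the rest becomes part of the query's logic.
function login_vulnerable(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened: a prepared statement sends the query shape and the values
// separately, so quotes and comment markers in the input stay data.
function login_prepared(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

$db = make_db();
$payload = "' OR 1=1 -- -";   // the bypass string from the writeup

foreach (['login_vulnerable', 'login_prepared'] as $fn) {
    printf("%-16s bob/password: %s\n", $fn, var_export($fn($db, 'bob', 'password'), true));
    printf("%-16s payload/x:    %s\n", $fn, var_export($fn($db, $payload, 'x'), true));
}
```

Only the first function accepts the payload: the quote ends the username literal, `OR 1=1` matches every row, and `-- -` comments out the rest of the query including the password check. The prepared version looks for a user literally named `' OR 1=1 -- -` and finds none, while both versions still accept bob/password.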
ConCmarks
Challenge Information
- Category: Web Security
- Level: easy
- Points: 50
Description
it might be useful to find a mark.
Solution
After accessing the lab, we inspect the main page.
This means we have an endpoint called sourceXXXX, where XXXX has a value from 7000 to 9000, so I'll first send a request, intercept it and send it to Intruder to fuzz the correct value and get access to this endpoint.
Now select payload type -> Numbers, set the range from 7000 to 9000 with a step of one, so now we have 2001 requests to check.
And select the Sniper attack.
From the status codes, pick the 200 OK one.
And I searched for a way to bypass this condition and get the flag.
First, I'll explain what this condition does. The code is a PHP script that takes two GET parameters (n1 and n2), hashes them using MD5 with a salt, and checks whether the hashes are identical while ensuring that input1 and input2 are different. If the condition is met, it prints the flag; otherwise it prints "Sorry this value not valid".
```php
if( $input1 !== $input2 && @hash("md5", $salt.$input1) === @hash("md5", $salt.$input2) )
/* input1 must not be identical (!==) to input2 (strict comparison),
   and the MD5 hashes of salt + input1 and salt + input2 must be identical. */
```
This means we need two different inputs that produce the same MD5 hash when concatenated with $salt. After searching again I found a way to bypass this condition using PHP type juggling with arrays, so I used this payload: n1[]= & n2[]=any_value. I'll explain it now. Instead of sending normal string values for n1 and n2, I send them as arrays using n1[]= & n2[]=1. PHP automatically converts query parameters with [] into arrays ($_GET['n1'] and $_GET['n2'] become arrays instead of strings). When PHP hashes an array with @hash("md5", $salt.$input1), it throws a warning and returns NULL, so the condition evaluates to **true**, because $input1 !== $input2 (the arrays are different) and @hash("md5", NULL) === @hash("md5", NULL) is true. Now put this payload in and send it.
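Added example (not the lab's own code): the condition above rebuilt as a PHP function, called with the arrays PHP builds from n1[]=&n2[]=1, beside a hardened version. $salt is a placeholder. In this run the two digests come out equal because the concatenation $salt.$input1 turns each array into the string "Array" before hash() runs (the @ hides the "Array to string conversion" notice), so both sides hash the same bytes; the fix is to reject anything that is not a string before it reaches the hash:

```php
<?php
// Added example (not the lab's own code): the writeup's check rebuilt as a
// function, beside a hardened version. The salt is a placeholder.
$salt = 'PLACEHOLDER_SALT';

// As in the lab: $input1 and $input2 are raw $_GET values, so they may be
// arrays whenever the request uses n1[]=... and n2[]=...
function vulnerable_check($input1, $input2, string $salt): bool {
    return $input1 !== $input2
        && @hash("md5", $salt.$input1) === @hash("md5", $salt.$input2);
}

// Hardened: refuse anything that is not a string before hashing, and compare
// the digests with hash_equals() so the comparison does not leak timing.
function hardened_check($input1, $input2, string $salt): bool {
    if (!is_string($input1) || !is_string($input2)) {
        return false;
    }
    if ($input1 === $input2) {
        return false;
    }
    return hash_equals(hash("md5", $salt.$input1), hash("md5", $salt.$input2));
}

// What PHP builds from ?n1[]=&n2[]=1 : two different one-element arrays.
$get = ['n1' => [''], 'n2' => ['1']];

echo 'vulnerable, arrays:  ', var_export(vulnerable_check($get['n1'], $get['n2'], $salt), true), PHP_EOL;
echo 'hardened,   arrays:  ', var_export(hardened_check($get['n1'], $get['n2'], $salt), true), PHP_EOL;
// Two ordinary distinct strings fail both checks, as the author intended.
echo 'vulnerable, strings: ', var_export(vulnerable_check('a', 'b', $salt), true), PHP_EOL;
echo 'hardened,   strings: ', var_export(hardened_check('a', 'b', $salt), true), PHP_EOL;
```

The array inputs satisfy the vulnerable check but not the hardened one, and plain strings fail both. The is_string() guard is the part that matters: any $_GET or $_POST value can arrive as an array, so every check that concatenates or hashes request data should pin the type first rather than rely on @ to hide what happens when it is not a string.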
Private Agent
Challenge Information
- Category: Web Security
- Level: easy
- Points: 50
Description
Only private agents can make their way to the gate.
Solution
After accessing the lab, we inspect the main page.
From the above, it gives us the User-Agent value needed for private access, so go to Burp, intercept the request and change the User-Agent value to the given value -> givittome
And we find the flag as a header in the response.
COMRADE III
Challenge Information
- Category: Web Security
- Level: easy
- Points: 50
Description
Hey Comrade, World War III will begin soon, we need to reveal what was hidden.
Solution
After accessing the lab, we review the source code.
And we have nothing, so I'll use the dirb tool.
Good findings; we now know the .git endpoint, so I'll use gitdumper from GitTools.
Now use this command to see the status of the folder -> git status
And use this command to restore any file -> git restore <name of file>. I already restored all of them and found good findings in api.php.
Okay, if we bypass this condition we get the flag, so I will explain how to bypass it. In this condition there is a cookie called api_key and it checks whether it's valid or not, so after searching I found the value of api_key in a file called contact_process.php.
bin2hex! Let's convert this string to hex on this site.
Okay, we got the value (first remove the spaces). Go to the lab, create a cookie called api_key, set its value to 746869735f69735f746f705f736563726574 and reload the page to see the flag.
x corp
Challenge Information
- Category: Web Security
- Level: easy
- Points: 50
Description
X corp made a new filter for input data, prove it is secure enough.
Solution
After accessing the lab, we review the source code.
Well, we are missing a quote and it's inside a span, so I'll try to close the quote.
Well, now try to input a payload to trigger an alert (XSS). You can use this payload admin'onload=alert(1)' : the first quote closes the open one, then we add an onload handler.
uGame
Challenge Information
- Category: Web Security
- Level: easy
- Points: 50
Description
We are creating a new social media app for gaming, make sure it's secure enough.
Solution
After accessing the lab you see a text input. I enter any value to see where it's stored in the source code.
Now, after typing any value, I'll try to input a simple payload to get an alert.
Okay, from the above we now know the validation skips anything after <script, so I'll try to use <svg or <img, anything without <script>. So the final payload is:
<svg src=<any_invalid_value> onerror=alert(1)>
You should put an invalid value in src so that onerror fires and shows the alert. Type it and you get the flag in the alert.
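Added example covering both the x corp and uGame labs (not the labs' own code, which we only ever see as rendered HTML): the two payloads quoted in these writeups are rendered in PHP through a blocklist filter of the kind uGame appears to use, which drops everything from <script onward, and then through htmlspecialchars() with ENT_QUOTES. The template strings are assumptions; the point is that escaping for the output context neutralizes both payloads where the blocklist stops neither:

```php
<?php
// Added example (not the labs' own code): the same user input rendered into
// HTML two ways. The templates are constructed to resemble the two labs:
// a single-quoted attribute (x corp) and a text node (uGame).

// A blocklist filter of the kind the uGame lab appears to use: everything
// from "<script" onward is dropped. Other tags and attributes pass through.
function filter_blocklist(string $value): string {
    $pos = stripos($value, '<script');
    return $pos === false ? $value : substr($value, 0, $pos);
}

// Output encoding: characters that could close the attribute or open a tag
// become entities, so the browser keeps treating the input as plain text.
function escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Attribute context (x corp): the value sits inside single quotes.
function render_attr_unsafe(string $name): string {
    return "<span title='" . filter_blocklist($name) . "'>profile</span>";
}
function render_attr_safe(string $name): string {
    return "<span title='" . escape_html($name) . "'>profile</span>";
}

// Text context (uGame): the value is placed between tags.
function render_text_unsafe(string $post): string {
    return "<p>" . filter_blocklist($post) . "</p>";
}
function render_text_safe(string $post): string {
    return "<p>" . escape_html($post) . "</p>";
}

// The two payloads quoted in the writeups.
$attr_payload = "admin'onload=alert(1)'";
$tag_payload  = "<svg src=x onerror=alert(1)>";

echo render_attr_unsafe($attr_payload), PHP_EOL;  // the quote closes the attribute and a handler is injected
echo render_attr_safe($attr_payload), PHP_EOL;    // the quote is encoded and stays inside the attribute
echo render_text_unsafe($tag_payload), PHP_EOL;   // the blocklist never matches, the tag goes through
echo render_text_safe($tag_payload), PHP_EOL;     // the angle brackets are encoded
```

The blocklist fails for two different reasons: in the attribute case the payload contains no tag at all, only a quote, and in the text case the tag is not the one on the list. Encoding for the context (ENT_QUOTES covers both quote characters, and the angle brackets are always encoded) handles both without needing to know what the attacker will type.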
bean
Challenge Information
- Category: Web Security
- Level: medium
- Points: 50
Description
Come back home Mr. Bean.
Solution
After accessing the lab, we open it in the browser. Okay, let's brute-force directories using dirsearch.
Okay, we have good findings; now open this link.
Well, let's try a path traversal attack.
Payload: http://wlemyw93xjyc7zr8r4gvmkxal3dmm73p4y52iqvq-web.cybertalentslabs.com/files/../../../../etc/passwd
The bad thing: it doesn't work. The good thing: we now know the web server is nginx, and it may be vulnerable to alias traversal. What is the alias directive? The alias directive is used to replace the path of the specified location. So now we try putting two dots before the slash, like ../; the final path is example.com/name../, in our case files../. Now let's try it.
Last thing: find the path of the flag. I searched for it a lot before; you can do that too, but for now I will give the path directly. The path is /files../home/flag.txt
For more info about alias traversal: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
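Added example (not the lab's own code or nginx configuration, which we never see): a small PHP model of nginx's alias substitution, used to show why /files../home/flag.txt escapes when the location is written without a trailing slash, and why the same URI stops matching once the slash is there. The location and alias values are assumptions:

```php
<?php
// Added example (not the lab's own code): a model of how nginx maps a request
// URI to a file under a location that uses alias. Location and alias values
// below are assumptions; the lab's real configuration is unknown.

// Collapse "." and ".." segments the way the OS will when the file is opened.
function normalize_path(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
        } else {
            $out[] = $seg;
        }
    }
    return '/' . implode('/', $out);
}

// nginx swaps the part of the URI matched by the location prefix for the
// alias value. With "location /files" (no trailing slash) the URI
// "/files../x" still matches, and the leftover "../x" lands after the alias.
function resolve_alias(string $location, string $alias, string $uri): ?string {
    if (strncmp($uri, $location, strlen($location)) !== 0) {
        return null;  // no match: this location never sees the request
    }
    return normalize_path($alias . substr($uri, strlen($location)));
}

// True when the resolved file lies outside the directory the alias points at.
function escapes_root(string $alias, string $resolved): bool {
    $root = normalize_path($alias) . '/';
    return strncmp($resolved . '/', $root, strlen($root)) !== 0;
}

function describe(string $location, string $alias, string $uri): string {
    $path = resolve_alias($location, $alias, $uri);
    if ($path === null) {
        return "location $location : $uri does not match";
    }
    $note = escapes_root($alias, $path) ? ' (outside the alias root)' : '';
    return "location $location : $uri -> $path$note";
}

$alias = '/srv/app/files/';
$uri   = '/files../home/flag.txt';   // the writeup's final path

echo describe('/files',  $alias, $uri), PHP_EOL;                 // weak config: location without trailing slash
echo describe('/files/', $alias, $uri), PHP_EOL;                 // corrected config: location with trailing slash
echo describe('/files/', $alias, '/files/report.pdf'), PHP_EOL;  // an ordinary request is still served
```

The model only handles prefix locations and a literal alias, which is the case the gixy plugin linked above describes. The URI itself contains no ".." segment ("files.." is one segment), so nginx's own URI normalization leaves it alone; the ".." only appears after the alias substitution, and it is the operating system that resolves it when the file is opened. Ending the location with a slash means "files.." can no longer match it, which is the fix the gixy documentation recommends.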
DarkSide
Challenge Information
- Category: Web Security
- Level: easy
- Points: 50
Description
Light up the darkness
Solution
Okay, this lab is too easy: just press F12 to see the web sources, find a JS file called disable, open it and get the flag.