Walkthrough For Introduction To Cybersecurity Path In Cyber Talents
Peace be upon you, and the mercy and blessings of Allah. In the name of Allah, and prayers and peace be upon the Messenger of Allah. Praise be to Allah, who taught by the pen, taught man what he did not know; and prayers and peace be upon the best teacher of good to mankind, Muhammad, may Allah bless him and grant him peace. To proceed:
This is Sparta
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
Morning has broken today they’re fighting in the shade when arrows blocked the sun they fell tonight they dine in hell
Solution
After accessing the lab, we open it in the browser.
Now we review the page source (Ctrl+U).
We focus on these lines:
```javascript
// Some code
var _0xae5b=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64",
"\x70\x61\x73\x73","\x43\x79\x62\x65\x72\x2d\x54\x61\x6c\x65\x6e\x74",
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x43\x6F\x6E\x67\x72\x61\x74\x7A\x20\x0A\x0A",
"\x77\x72\x6F\x6E\x67\x20\x50\x61\x73\x73\x77\x6F\x72\x64"];
function check(){
  var _0xeb80x2=document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];
  var _0xeb80x3=document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];
  if(_0xeb80x2==_0xae5b[4]&&_0xeb80x3==_0xae5b[4]){alert(_0xae5b[5]);} else {alert(_0xae5b[6]);}
}
```
Well, I'll explain what this function does:
```
var _0xae5b   // an array of 7 elements [0:6]

// function check() and its if statement, in plain words:
if ( varx2 (username) == array[4] && varx3 (pass) == array[4] ) {
    show alert array[5];   // which is **Congratz** if we decode it
} else {
    show alert array[6];   // which is **wrong Password**
}
// So let's decode array[4] to get its content through any website
```
These numbers look like hex because the values are written with the 0x/\x prefix, so we remove everything except the hex digits:
```text
76616C756575736572676574456C656D656E74427949647061737343796265722d54616c656e742020
2020202020202020202020202020202020202020436F6E677261747A200A0A77726F6E67
2050617373776F7264
```
Now let's convert it from hex to text with this site ⇒ https://cryptii.com/pipes/hex-to-text
Paste the hex digits and you will see something like this.
The lab is solved by just logging in with these credentials:
user ⇒ Cyber-Talent
pass ⇒ Cyber-Talent
After submitting you see this pop-up.
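As an added example (not part of the original write-up), here is a small Python script that decodes the \x-escaped string array offline and shows exactly what check() compares; the array text is constructed from the page's code with the long run of \x20 padding in element 5 shortened. The defender's lesson is that a credential check performed in the browser is readable by anyone who presses Ctrl+U, so the real check must live on the server.

```python
import re

# Constructed from the challenge's array; element 5's run of "\x20" padding
# is shortened here to keep the line readable.
OBFUSCATED_JS = r'''var _0xae5b=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72",
"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x70\x61\x73\x73",
"\x43\x79\x62\x65\x72\x2d\x54\x61\x6c\x65\x6e\x74",
"\x20\x20\x43\x6F\x6E\x67\x72\x61\x74\x7A\x20\x0A\x0A",
"\x77\x72\x6F\x6E\x67\x20\x50\x61\x73\x73\x77\x6F\x72\x64"];'''

# One double-quoted JS string made of \xHH escapes and plain characters.
STRING_RE = re.compile(r'"((?:\\x[0-9A-Fa-f]{2}|[^"\\])*)"')
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def decode_js_string_array(js: str) -> list[str]:
    """Decode every \\xHH escape in each quoted element of the array literal."""
    return [ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), body)
            for body in STRING_RE.findall(js)]


def explain_check(js: str) -> dict:
    """Replay check() symbolically: document[arr[2]](arr[1])[arr[0]] reads the
    username field, document[arr[2]](arr[3])[arr[0]] reads the password field,
    and both values are compared with arr[4]."""
    arr = decode_js_string_array(js)
    return {
        "dom_call": f"document.{arr[2]}(...).{arr[0]}",
        "user_field_id": arr[1],
        "pass_field_id": arr[3],
        "expected_user": arr[4],
        "expected_pass": arr[4],
        "success_alert": arr[5].strip(),
        "failure_alert": arr[6],
    }


if __name__ == "__main__":
    for key, value in explain_check(OBFUSCATED_JS).items():
        print(f"{key}: {value!r}")
```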
Hash3rror
Challenge Information
Category: Cryptography
Level: easy
Points: 50
description
We got this corrupted hash password from a Pcap file with a note (password = sha-1(hash-result)).
HASH:77be5d24ed2e3e590045e1d6o7e84i50d2799c19f48ede46804a8734e287df120f
Solution
We look at the corrupted hash ⇒ 77be5d24ed2e3e590045e1d6o7e84i50d2799c19f48ede46804a8734e287df120f. It seems to be a 64-character hash with a couple of extra letters, so let's say it is SHA-256. A SHA-256 hash only contains the characters 0 to f, so the two extra letters must be the ones outside that range: i and o. After removing them the hash becomes ⇒ 77be5d24ed2e3e590045e1d67e8450d2799c19f48ede46804a8734e287df120f
We will use this site to decode it ⇒ https://www.dcode.fr/sha256-has
And since we know the password = sha-1(hash-result), we do that on the same site:
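Added example (not from the write-up): the same cleanup in Python, which strips every character outside the 0-f alphabet, checks that the result has the 64 hex characters of SHA-256, and then applies the challenge's rule password = sha-1(hash-result). The string the dcode lookup returns is not shown on the page, so the sha-1 step runs on a labelled placeholder.

```python
import hashlib
import string

# Corrupted digest quoted in the challenge text.
CORRUPTED = "77be5d24ed2e3e590045e1d6o7e84i50d2799c19f48ede46804a8734e287df120f"
HEX_ALPHABET = set(string.hexdigits.lower())
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def repair_hex_digest(corrupted: str) -> tuple[str, str, str]:
    """Remove characters that cannot appear in a hex digest and guess the
    algorithm from the remaining length. Returns (digest, removed, algorithm)."""
    lowered = corrupted.lower()
    digest = "".join(c for c in lowered if c in HEX_ALPHABET)
    removed = "".join(c for c in lowered if c not in HEX_ALPHABET)
    algorithm = DIGEST_LENGTHS.get(len(digest))
    if algorithm is None:
        raise ValueError(f"{len(digest)} hex chars does not match a known digest length")
    return digest, removed, algorithm


def derive_password(hash_result: str) -> str:
    """Apply the note from the challenge: password = sha-1(hash-result)."""
    return hashlib.sha1(hash_result.encode()).hexdigest()


if __name__ == "__main__":
    digest, removed, algorithm = repair_hex_digest(CORRUPTED)
    print(f"removed {removed!r} -> {algorithm}: {digest}")
    # PLACEHOLDER: replace with the plaintext returned by the hash lookup.
    print("password =", derive_password("PLACEHOLDER_HASH_RESULT"))
```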
who am i?
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
Do not Start a fight you can not stop it
Solution
After accessing the lab, we open it in the browser.
Now we review the page source (Ctrl+U).
Focus on lines 25 and 26: you see login credentials, so log in with them.
Now we try to edit the cookie.
I will decode this value with Base64 (you can use this site ⇒ https://www.base64decode.org/).
Now change the value to login=admin and encode it.
Now change the cookie to this value and reload the site (don't forget to save it 😄).
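An added example (not from the write-up) of why this works and how a defender fixes it: a Base64 cookie is only encoding, so anyone can rewrite its contents to login=admin, whereas an HMAC-signed cookie rejects a body that was changed without the server's key. The original value login=guest and the server key are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed for the demo; a real key lives in server config, never in the client.
SERVER_KEY = b"constructed-demo-key-change-me"


def make_plain_cookie(payload: str) -> str:
    """What the lab does: Base64 is encoding, not protection."""
    return base64.b64encode(payload.encode()).decode()


def read_plain_cookie(cookie: str) -> str:
    return base64.b64decode(cookie).decode()


def make_signed_cookie(payload: str) -> str:
    """Hardened form: body.tag, where tag = HMAC-SHA256(key, body)."""
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def read_signed_cookie(cookie: str):
    """Return the payload only if the tag verifies; None means tampered or malformed."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return base64.urlsafe_b64decode(body).decode()


def swap_body(signed_cookie: str, new_payload: str) -> str:
    """The cookie-editor trick applied to a signed cookie: replace the body and
    keep the old tag, since without the key no new tag can be computed."""
    _, _, tag = signed_cookie.rpartition(".")
    return base64.urlsafe_b64encode(new_payload.encode()).decode() + "." + tag


if __name__ == "__main__":
    print("plain cookie read back after edit:", read_plain_cookie(make_plain_cookie("login=admin")))
    signed = make_signed_cookie("login=guest")
    print("signed cookie after edit:", read_signed_cookie(swap_body(signed, "login=admin")))
```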
I am Legend
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
If I am a legend, then why am I so lonely?
Flag Format : FLAG{}
Solution
After accessing the lab, we open it in the browser.
Now we review the page source (Ctrl+U).
Line 26 is obfuscated, so we will try to deobfuscate it in PoisonJS:
link: https://filipemgs.github.io/poisonjs/
hint: (you already removed the script tag 😄)
You can submit the flag or log in with these credentials; it's up to you 😂
Searching for the cookie
Challenge Information
Category: Web Security
Level: medium
Points: 100
description
simple search website we need to know which cookie to eat ;)
Solution
After accessing the lab, we open it in the browser.
First we enter anything in the search box to see where it is stored in the source code.
Press Ctrl+U to open the page source and search for the text you entered; in my case I searched for admin.
Now we try a payload to make an alert: `<script>alert(1)</script>`
But it doesn't work, so let's look at the source code 😄
So, I see it: our input lands inside an existing script tag, so we can close that first script at the start of the payload like this: </script>……, and open a new script tag with the payload. Finally: </script><script>alert(1)</script>
That's good news, so let's go get the cookie 😄
We replace 1 with document.cookie; the final payload ⇒ </script><script>alert(document.cookie)</script>
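Added example (not part of the write-up), written from the defender's side: a minimal model of the vulnerable search page, where the term is inserted into an existing <script> block, beside a fixed version that JSON-encodes the value for the script context and HTML-escapes it for the markup context. The page templates are constructed; the payload is the one used above.

```python
import html
import json
import re

# Payload from the walkthrough: closes the existing script element and opens a new one.
PAYLOAD = "</script><script>alert(document.cookie)</script>"


def render_vulnerable(term: str) -> str:
    """Constructed model of the lab page: raw input inside a script literal and in the HTML."""
    return (f"<script>var lastSearch = '{term}';</script>"
            f"<p>Results for: {term}</p>")


def js_string_literal(value: str) -> str:
    """Encode for a JavaScript string context. JSON quoting handles quotes and
    backslashes; <, > and & are additionally written as \\uXXXX so the literal
    can never contain the sequence </script> that ends the element."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_fixed(term: str) -> str:
    """Each output context gets its own encoder."""
    return (f"<script>var lastSearch = {js_string_literal(term)};</script>"
            f"<p>Results for: {html.escape(term)}</p>")


def script_elements(page: str) -> list[str]:
    """Approximate how a browser tokenises: <script> runs until the first </script>."""
    return re.findall(r"<script>(.*?)</script>", page, re.S)


if __name__ == "__main__":
    print("vulnerable:", script_elements(render_vulnerable(PAYLOAD)))
    print("fixed:     ", script_elements(render_fixed(PAYLOAD)))
```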
bean
Challenge Information
Category: Web Security
Level: medium
Points: 50
description
Come back home Mr. Bean.
Solution
After accessing the lab, we open it in the browser.
Okay, let's brute-force directories using dirsearch.
Okay, we have good findings; now open this link.
Well, let's try a Path Traversal attack.
payload ⇒ [**http://wlemyw93xjyc7zr8r4gvmkxal3dmm73p4y52iqvq-web.cybertalentslabs.com/files/**](http://wlemyw93xjyc7zr8r4gvmkxal3dmm73p4y52iqvq-web.cybertalentslabs.com/files/)**../../../../etc/passwd**
The bad news is that it doesn't work; the good news is that we now know the web server is nginx, and it may be vulnerable to alias traversal. What is the alias directive? The alias directive is used to replace the path of the specified location. So we now try putting two dots before the slash, like ../; the final path is example.com/name../, which in our case is files../. Now let's try it.
The last thing is to find the path of the flag. I searched for it a lot before; you can do that too, but for now I will give the path directly. The path is /files../home/flag.txt
For more info about alias ⇒ https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
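Added example (not from the write-up or from gixy): a small Python check that flags the nginx alias-traversal pattern linked above, a prefix location without a trailing slash combined with an alias, plus a helper that shows which file nginx resolves for a request like /files../home/flag.txt. Both config snippets and the filesystem paths are constructed.

```python
import posixpath
import re

# Constructed configs (not the lab's): the first has the weakness, the second is fixed.
VULNERABLE_CONF = """
location /files {
    alias /srv/site/files/;
}
"""
FIXED_CONF = """
location /files/ {
    alias /srv/site/files/;
}
"""

LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^}]*)\}", re.S)
ALIAS_RE = re.compile(r"\balias\s+(\S+?)\s*;")


def find_alias_traversal(conf: str) -> list[tuple[str, str]]:
    """Report (location, alias) pairs matching gixy's alias_traversal rule:
    a plain prefix location that does not end in '/' but uses alias."""
    findings = []
    for modifier, path, body in LOCATION_RE.findall(conf):
        alias = ALIAS_RE.search(body)
        # '=' and regex locations do not append a request suffix the same way.
        if alias and not modifier and not path.endswith("/"):
            findings.append((path, alias.group(1)))
    return findings


def resolve_alias(location: str, alias: str, request_path: str) -> str:
    """nginx replaces the matched location prefix with the alias and appends the
    rest of the URI; with no trailing slash that rest may begin with '..'."""
    if not request_path.startswith(location):
        raise ValueError("request does not match this location")
    return posixpath.normpath(alias + request_path[len(location):])


if __name__ == "__main__":
    print(find_alias_traversal(VULNERABLE_CONF))  # [('/files', '/srv/site/files/')]
    print(find_alias_traversal(FIXED_CONF))       # []
    print(resolve_alias("/files", "/srv/site/files/", "/files../home/flag.txt"))
```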
Maximum Courage
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
Max prefers to learn by practicing and not just reading all day, so he set up a webserver and hopes it stays secret, can you prove it has a weakness?
Solution
After accessing the lab, we open it in the browser.
Okay, we don't have access to open flag.php (the aim is to open it because it contains the flag).
Now we need a tool to scan the web server for directories. I will use drib; you can find it here https://github.com/andrenth/drib. Let's go to our terminal command line (drib target).
Okay, good findings. If we open this URL we find another path; I opened it and it's not useful, but we know that this website has /.git, which means it has Git directories. I will use GitTools for it; you can get it from here https://github.com/internetwache/GitTools. We will actually use ./gitdumper.
I will explain the command line first: ./gitdumper.sh (the script), the URL (our target) and a folder name (where the output will be stored). Final ⇒ ./gitdumper <target> <name of folder>
Okay, open the folder and type ls -a (-a shows hidden files).
I already searched in it but didn't find anything (you can search if you want; it's up to you). Now we try another tool, git. We will use git status to see the changes that have been made to this repository. Command ⇒ git status
Yeah, it's just a matter of typing git restore flag.php to solve the challenge 😄
The Restricted Sessions
Challenge Information
Category: Web Security
Level: medium
Points: 100
description
Flag is restricted to logged users only , can you be one of them.
Solution
After accessing the lab, we open it in the browser.
Now we review the source code of this lab.
Well, I'll explain what this block of code does.
First it checks whether the browser has any cookies stored. If there are no cookies, the script does nothing. It uses a regular expression (/PHPSESSID=([^;]+)/) to search the cookies for the PHPSESSID value; the match() method returns an array, and [1] accesses the actual session ID value from the capturing group ([^;]+) (everything after PHPSESSID= until the next semicolon). It then sends a POST request to getcurrentuserinfo.php with the session ID in the request body.
Now we play with the cookie. I'll use a cookie editor (you can use Burp to intercept and add a cookie header, but my way is easier). First add a cookie named PHPSESSID with any value and reload the site.
After reloading:
Okay, we're going to open this endpoint.
I think it's the cookie's value, so we try it (replace the value); you can use any value.
Well, now we try to access this endpoint (getcurrentuserinfo.php). First send the request from your browser, then go to the HTTP history to find it, send it to Repeater and change the request method from GET to POST.
Now send it.
Yeah haha, now we have the credentials; just put them in the cookie editor (or in the request; I prefer the cookie editor, it's up to you 😄).
Newsletter
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
the administrator put the backup file in the same root folder as the application, help us download this backup by retrieving the backup file name
Solution
After accessing the lab, we open it.
Now type any valid email, intercept it in Burp and send it to Repeater, then add the payload (you can search for it). I will use email ; ls | . The semicolon (;) ends the statement (the line or block of code) so our command can start, and the pipe (|) makes the command line start from (ls) and ignore the dummy mail at the beginning. After typing it, send the request.
Now send it.
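Added example (not from the write-up) of what the server gets wrong here and how to fix it: building a shell command string from the email lets ; and | introduce a second command, while validating the address and passing it as one argv element (no shell) does not. The mail command line is a constructed model of the lab and is never executed; the payload is the one used above with a constructed address.

```python
import re
import shlex

# Strict-enough address check for a newsletter form; anything else is rejected.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def build_command_unsafe(email: str) -> str:
    """Constructed model of the lab: the address is pasted into a shell string."""
    return f"mail -s 'Newsletter' {email}"


def shell_commands(command_line: str) -> list[list[str]]:
    """Split a shell string into the separate commands the shell would run,
    using ';' and '|' as separators (shlex punctuation_chars mode)."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "|", "||", "&&", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def build_command_safe(email: str) -> list[str]:
    """Hardened form: validate, then pass argv directly (subprocess without a shell),
    so metacharacters stay inside one argument and cannot start a new command."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    return ["mail", "-s", "Newsletter", email]


if __name__ == "__main__":
    injected = "user@example.com ; ls |"   # walkthrough payload with a constructed address
    print(shell_commands(build_command_unsafe(injected)))
    try:
        build_command_safe(injected)
    except ValueError as err:
        print("rejected:", err)
```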
Hashable
Challenge Information
Category: Web Security
Level: medium
Points: 100
description
A famous enterprise blog was hacked, can you figure out how it was hacked?
Solution
After accessing the lab, we open it.
Now search for any input field to inject into; I think the contact page contains input fields.
We have 3, good. Now let's see whether the page filters input by typing (@$<> | '";:)
Well, from the error we see that the website executes the commands with the eval function. If you don't know what the eval() function is: in some programming languages, eval, short for evaluate, is a function which evaluates a string as though it were an expression in the language, and returns a result; in others, it executes multiple lines of code as though they had been included instead of the line including the eval.
Okay, I will try the payload thank${system('ls')} to list all files and directories.
We got it; just type thank${system('cat flag_23894ABCX1.txt')} to show the file content.
Easy access
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
Only superpower makes you see unlimited view.
Solution
After accessing the lab, we open it in the browser.
Now we review the page source (Ctrl+U).
Now try to log in with these credentials:
username : bob
pass : password
Well, now we try a payload to bypass authentication and gain unauthorized access to the system. The common one is (' OR 1=1-- -); I'll try it with the above credentials.
Now log in.
Well, it's an easy one; in the common case it isn't like this (I mean easy).
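Added example (not from the write-up): the login query modelled in Python with sqlite3, built by string concatenation the way the lab does, beside the parameterised version. The payload and the bob/password credentials come from the page; the table and its plaintext password column are constructed to mirror the lab (a real application stores a password hash).

```python
import sqlite3

PAYLOAD = "' OR 1=1-- -"   # the bypass used in the walkthrough


def make_db() -> sqlite3.Connection:
    """Constructed users table; plaintext password only to mirror the lab."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('bob', 'password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenation: the payload's quote closes the literal, OR 1=1 makes the
    WHERE clause true for every row, and '-- -' comments out the rest."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised: the driver sends the values separately, so the payload is
    compared as a literal string and matches no row."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real creds:", login_vulnerable(db, "bob", "password"))
    print("vulnerable, payload:   ", login_vulnerable(db, "bob", PAYLOAD))
    print("safe, payload:         ", login_safe(db, "bob", PAYLOAD))
```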
Keep it Simple
Challenge Information
Category: Digital Forensics
Level: easy
Points: 50
description
The answer is simple
Solution
After accessing the lab, we open it in the browser.
Okay, let's see what the hint is.
Well, I don't completely understand it, so I'm going to review the source code.
Well, look at this picture; it doesn't appear in the front end.
Okay, the flag or password must be hidden in this picture. I will use this website (you can use exiftool in your terminal).
This is the website; now upload the picture above and click submit.
Don't log in with this, just submit it 😄
I love music
Challenge Information
Category: Digital Forensics
Level: medium
Points: 50
description
listen and focus, you will hear another thing
Solution
After opening the link, we download the file.
Now we know the flag is hidden in the audio waves; I'll use this website: academo.org
Upload the audio file you already downloaded and look at the content of the waves.
bflag
Challenge Information
Category: Digital Forensics
Level: medium
Points: 50
description
All of us started from the bottom. Now it’s your turn.
Solution
After downloading the file, open it in Wireshark.
Now add http in the filter bar to show only HTTP packets.
Okay, now if you don't find the flag, this is a problem in the lab; the packet that contains it is:
Now submit analyze_packet_for_fun, and if you found this packet <GET /f14g/analyze_packet_for_fun HTTP/1.1\r>
this means the problem is solved.
Cypher Anxiety
Challenge Information
Category: Digital Forensics
Level: easy
Points: 50
description
An image was leaked from a babies store. the manager is so annoyed because he needs to identify the image to fire charges against the responsible employee. the key is the md5 of the image
Solution
After downloading the file, unzip it and let's see whether there is something hidden inside with the strings tool.
command: strings find\ the\ image.pcap | less
Well, we have a hint telling us that the decryption key is P@sswordaya and the port is 7070. Okay, now let's open the file in Wireshark and apply the filter (tcp.port==7070)
Well, we'll follow this packet because of its length. After opening it and changing "Show as" to Raw, it looks like this.
Now save it and go to your terminal to use netcat. Open two tabs: in the first type this command (nc localhost 7070 < cyber) and in the second type this (cryptcat -l -k P@ssawordaya -p 7070 > cyber1). These credentials come from the strings output. At the end, use md5sum to show the flag.
bronze ASM
Challenge Information
Category: Digital Forensics
Level: easy
Points: 50
description
An image was leaked from a babies store. the manager is so annoyed because he needs to identify the image to fire charges against the responsible employee. the key is the md5 of the image
Solution
We'll start by reviewing the source code and what it implements.
Because my knowledge of assembly is so limited, I'll take the information from another blog: the function takes the local variable stored in rbp-4, multiplies it by 8 (left shift by 3) and compares the result with 5744.
Yes! The parameter that we are looking for is the value stored in rbp-4, but how are we supposed to know it? Simply suppose that parameter*8=5744; that makes the parameter=718.
Still have the message "wrong submission" popping up? Easy, just have another look at the challenge description; it indicates that the format should be FLAG{0_%X_0}, where %X refers to hexadecimal. As you can already guess, the flag is: FLAG{0_2CE_0}
LOUDER
Challenge Information
Category: Digital Forensics
Level: easy
Points: 50
description
My sales manager was annoyed by this sound. However my accountant thought it might mean something. Can you figure it out? P.S: submit flag in a single string
Solution
First download the audio file and go to this website to extract the Morse code and convert it to text (the flag).
Now upload the noisy audio and get the flag.
Now submit it. I know you'll have a problem submitting it; try removing the spaces between the letters and submit again 😂