Walkthrough For Web Security Category In Cyber Talents Part 1
Peace be upon you, and the mercy and blessings of Allah. In the name of Allah, and prayers and peace be upon the Messenger of Allah. Praise be to Allah, who taught by the pen, taught man what he did not know, and prayers and peace be upon the best of those who teach people what is good, Muhammad, peace and blessings be upon him. Now then:
Admin-has-the-power
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
Administrators only have the power to see the flag, can you be one?
Solution
First, access the lab.
To solve this lab you need to install a cookie editor extension (the one used in the screenshots below).
Now view the page source (Ctrl+U).
Focus on line 18; you will see login credentials:
```
user:support
password:x34245323
```
After logging in with these credentials, open the cookie editor and change the value of the role cookie from support to admin, click save, and reload the page.
This-is-Sparta
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
Morning has broken today they’re fighting in the shade when arrows blocked the sun they fell tonight they dine in hell
Solution
We view the page source (Ctrl+U) and focus on this line:
```javascript
// Some code
var _0xae5b=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x70\x61\x73\x73","\x43\x79\x62\x65\x72\x2d\x54\x61\x6c\x65\x6e\x74","\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x43\x6F\x6E\x67\x72\x61\x74\x7A\x20\x0A\x0A","\x77\x72\x6F\x6E\x67\x20\x50\x61\x73\x73\x77\x6F\x72\x64"];
function check(){var _0xeb80x2=document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];var _0xeb80x3=document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];if(_0xeb80x2==_0xae5b[4]&&_0xeb80x3==_0xae5b[4]){alert(_0xae5b[5]);} else {alert(_0xae5b[6]);}}
```
Well, I'll explain what this function does:
```
var _0xae5b          // an array of 7 elements, indexes 0 to 6
function check()     // reads the user and pass fields and compares them in an if statement:
if ( varx2(username) == array[4] && varx3(pass) == array[4] ) {
    show alert array[5]   // which is "Congratz" once decoded
} else {
    show alert array[6]   // which is "wrong Password"
}
// So let's decode array[4] to get its content, through any website
```
These values are written as hex escapes (each character is \x followed by two hex digits), so we remove everything except the hex digits:
```
76616C756575736572676574456C656D656E74427949647061737343796265722d54616c656e7420202020202020202020202020202020202020202020436F6E677261747A200A0A77726F6E672050617373776F7264
```
Now let's convert it on this site ⇒ https://cryptii.com/pipes/hex-to-text
Paste the digits and you will see something like this.
The lab is solved by just logging in with these credentials:
```
user ⇒ Cyber-Talent
pass ⇒ Cyber-Talent
```
After submitting you see this pop-up.
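The two decoding steps done by hand above, as an added example that is not part of the original write-up: decodeHexEscapes() reads a "\x6F\x6B"-style literal as it appears in page source, hexToText() reads the bare hex digits that were pasted into cryptii, and check() is the page's check() with the DOM reads and alert() replaced by arguments and a return value.

```javascript
// Turn a JavaScript source literal containing \xHH escapes into plain text.
function decodeHexEscapes(literal) {
  return literal.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) =>
    String.fromCharCode(parseInt(hh, 16)));
}

// Turn a run of bare hex digits (whitespace or line breaks allowed) into text.
function hexToText(hex) {
  const clean = hex.replace(/[^0-9a-fA-F]/g, '');
  if (clean.length % 2 !== 0) throw new Error('odd number of hex digits');
  let out = '';
  for (let i = 0; i < clean.length; i += 2) {
    out += String.fromCharCode(parseInt(clean.slice(i, i + 2), 16));
  }
  return out;
}

// The seven escaped strings of _0xae5b from the page source, written as they
// appear in the source (the padding spaces around "Congratz" are left out).
const _0xae5b = [
  '\\x76\\x61\\x6C\\x75\\x65',                                               // value
  '\\x75\\x73\\x65\\x72',                                                    // user
  '\\x67\\x65\\x74\\x45\\x6C\\x65\\x6D\\x65\\x6E\\x74\\x42\\x79\\x49\\x64',  // getElementById
  '\\x70\\x61\\x73\\x73',                                                    // pass
  '\\x43\\x79\\x62\\x65\\x72\\x2d\\x54\\x61\\x6c\\x65\\x6e\\x74',            // Cyber-Talent
  '\\x43\\x6F\\x6E\\x67\\x72\\x61\\x74\\x7A',                                // Congratz
  '\\x77\\x72\\x6F\\x6E\\x67\\x20\\x50\\x61\\x73\\x73\\x77\\x6F\\x72\\x64',  // wrong Password
].map(decodeHexEscapes);

// Same logic as the page's check(): both fields are compared to element 4.
function check(user, pass) {
  return (user === _0xae5b[4] && pass === _0xae5b[4]) ? _0xae5b[5] : _0xae5b[6];
}
```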
I am Legend
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
If I am a legend, then why am I so lonely?
Flag Format : FLAG{}
Solution
We view the page source (Ctrl+U).
Line 26 is obfuscated, so we will try to deobfuscate it with PoisonJS:
link: https://filipemgs.github.io/poisonjs/
Hint: make sure you have removed the script tag before pasting 😄
You can submit the flag or log in with these credentials, it's up to you 😂
Cool Name Effect
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
Webmaster developed a simple script to do cool effects on your name, but his code is not filtering the inputs correctly. Execute a JavaScript alert and prove it.
Solution
After accessing the lab we try typing some special characters such as <, >, (, ), etc. to see whether there is any filter.
Now let's look at the source code to check whether any filtering is in place.
Okay, we have two good findings, but we'll focus on line 25 because it starts with an eval() call, which means the line is obfuscated; I'll use this [site](http://deobfuscatejavascript.com/index_html#) to deobfuscate it.
I have already reviewed this function and found its weak point.
Okay, I'll explain what this function does:
```javascript
var legacyAlert = alert;
var newAlert = function() { ... }; // keeps the original functionality of alert available in legacyAlert
var z = ['y', 'o', 'u', 'r', ' ', 'f', 'l', 'a', 'g', ' ', 'i', 's', ':']; // array of characters (C-string style) containing "your flag is:"
var f = ([]["fill"] + "")[3];
f += ([false] + undefined)[10];
f += (NaN + [Infinity])[10];
f += (+(211))["to" + String["name"]](31)[1];
f += ([]["entries"]() + "")[3];
f += (+(35))["to" + String["name"]](36); // these lines create a variable f and each line appends an unexpected value to it
```
To see these unexpected values, I'll use an online interpreter and make it print the value with console.log():
```javascript
var z = ['y', 'o', 'u', 'r', ' ', 'f', 'l', 'a', 'g', ' ', 'i', 's', ':'];
var f = ([]["fill"] + "")[3];
f += ([false] + undefined)[10];
f += (NaN + [Infinity])[10];
f += (+(211))["to" + String["name"]](31)[1];
f += ([]["entries"]() + "")[3];
f += (+(35))["to" + String["name"]](36);
console.log(z.join('') + f);
```
And you will get the output (this is the flag).
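Each line of the deobfuscated script builds one character of f by coercing a non-string value to a string and indexing into it. The following is an added example, not the page's own code: it evaluates every piece from the script above and records the intermediate string that the index is applied to, which the write-up only hints at.

```javascript
// One entry per line of the deobfuscated script: the expression as written,
// the string it coerces to, and the index the script takes from it.
function explainPieces() {
  return [
    { expr: '([]["fill"] + "")[3]',
      intermediate: [].fill + '',          // "function fill() { [native code] }"
      index: 3 },
    { expr: '([false] + undefined)[10]',
      intermediate: [false] + undefined,   // "false" + "undefined" = "falseundefined"
      index: 10 },
    { expr: '(NaN + [Infinity])[10]',
      intermediate: NaN + [Infinity],      // "NaN" + "Infinity" = "NaNInfinity"
      index: 10 },
    { expr: '(+(211))["to" + String["name"]](31)[1]',
      intermediate: (211).toString(31),    // String.name is "String", so this is toString(31): "6p"
      index: 1 },
    { expr: '([]["entries"]() + "")[3]',
      intermediate: [].entries() + '',     // "[object Array Iterator]"
      index: 3 },
    { expr: '(+(35))["to" + String["name"]](36)',
      intermediate: (35).toString(36),     // 35 in base 36 is the single digit "z"
      index: 0 },                          // the script appends the whole one-character string
  ].map(p => ({ ...p, char: p.intermediate[p.index] }));
}

// Reassembles the output exactly as the script does: z joined, then f.
function rebuildFlag() {
  const z = ['y', 'o', 'u', 'r', ' ', 'f', 'l', 'a', 'g', ' ', 'i', 's', ':'];
  const f = explainPieces().map(p => p.char).join('');
  return z.join('') + f;
}
```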
Encrypted Database
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
The company hired an inexperienced developer, but he told them he hid the database and encrypted it, so the website is totally secure. Can you prove that he is wrong??
Solution
Well, after accessing the lab we try to find an input field to inject into, but I didn't find any.
Now let's review the page source and hope to find something.
Okay, now we know there is an /admin endpoint; let's access it.
We don't have access, so let's try to bypass it with the bypass-403 tool: install it and type this command:
```
./bypass-403.sh our_target admin   # our_target is the lab URL, admin is the endpoint name
```
All of these URLs lead to the same endpoint; open it to see the admin login page.
We don't have any credentials to log in, so let's review the page source.
Okay, we find another endpoint:
```
target/admin/secret-database/db.json   # final endpoint
```
If you try to submit this value as the flag you get "wrong", so let's check whether it is encrypted or not with this site.
Now we know it is actually an MD5 hash, so I'll crack it (look the hash up) on this site.
Newsletter
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
The administrator put the backup file in the same root folder as the application. Help us download this backup by retrieving the backup file name.
Solution
Well, type any valid email, intercept the request in Burp, send it to Repeater and put in the payload (you can search for it). I will use `email ; ls |`. The semicolon (;) ends the statement (line or block of code, whatever it is) so our command can start, and the pipe (|) tells the shell to start from ls and ignore the dummy mail before it. After typing it in, send the request.
Now send it.
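A defensive view of the same bug, as an added example that is not the lab's server code (which the write-up does not show): a handler that splices the raw email field into a shell command line lets the `; ls |` payload above change the command, while the hardened version validates the field and hands it to execFile as a separate argument, so no shell ever parses it. The `mail` invocation is an assumption for the example.

```javascript
// Characters that change command structure when a shell parses the string.
const SHELL_META = /[;&|`$<>(){}\n\r]/;
// Deliberately strict address pattern: anything else is rejected, not escaped.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Vulnerable construction (the pattern behind the Newsletter lab): the field
// is interpolated into one string that a shell would parse with exec().
function buildCommandUnsafe(email) {
  return `echo "subscribed" | mail -s "newsletter" ${email}`;
}

// Hardened construction: validate, then return an argv array meant for
// child_process.execFile(file, args), which passes args without a shell.
function buildCommandSafe(email) {
  if (typeof email !== 'string' || email.length > 254) return null;
  if (SHELL_META.test(email) || !EMAIL_RE.test(email)) return null;
  return { file: 'mail', args: ['-s', 'newsletter', email] };
}

// Log-review helper: flags submissions carrying shell metacharacters.
function looksLikeInjection(email) {
  return SHELL_META.test(String(email));
}

// Constructed input with the same shape as the write-up's payload.
const SAMPLE_PAYLOAD = 'victim@example.com; ls |';
```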
who am i?
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
Do not start a fight you cannot stop.
Solution
We view the page source (Ctrl+U).
Focus on lines 25 and 26; you see login credentials, so log in with them.
Now we try to edit the cookie.
I will decode this value with Base64 (you can use this site ⇒ https://www.base64decode.org/).
Now change the value to login=admin and encode it.
Now change the value of the cookie to this new value and reload the site (don't forget to save it 😄).
Blue Inc
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
Blue Inc is a new social media website that's still under construction. It doesn't have registration yet, but if you are interested in seeing our website you can log in with demo/demo.
Solution
After accessing the lab we open it in the browser and log in with the credentials found in the lab's description:
```
username : demo
password : demo
```
After logging in with the credentials above, we check the website's cookies with the cookie editor extension.
Okay, let's update this value to admin or administrator (high privileges) and reload the website.
Now go to your profile to get the flag 😄
Easy Message
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
I Have a Message for you.
Solution
After accessing the lab we open it in the browser; we find a sign-in page and we don't have any credentials to log in, so after searching I found an endpoint called /robots.txt.
Well, another endpoint; let's open it.
I'll explain the functionality of this block of code:
```php
$user = $_POST['user'];
$pass = $_POST['pass']; // read two POST parameters called user and pass
include('db.php');      // include the file db.php
if ($user == base64_decode('Q3liZXItVGFsZW50') && $pass == base64_decode('Q3liZXItVGFsZW50'))
{
    success_login();
}
else {
    failed_login();
} // if the condition is true we are able to log in, and if false we are not
```
To make the condition true we must log in with these credentials; first we decode them, I'll use this website.
Now let's try to log in with these credentials:
```
user : Cyber-Talent
pass : Cyber-Talent
```
Ohh, this looks like Morse code; I'll translate it with this site.
Cheers
Challenge Information
Category: Web Security
Level: easy
Points: 50
Description
I Have a Message for you.
Solution
I already reviewed the source and got nothing.
So, we see it tells us "undefined index", which means the variable is uninitialized (it doesn't have a value), so we try sending it as a parameter with any value, like this:
and send.
Well, it's a great finding; now we repeat the same process with the gimme_flag parameter, like this:
and send it.