Walkthrough For Web Security Category In Cyber Talents Part 2
Peace be upon you, and the mercy and blessings of Allah. In the name of Allah, and prayers and peace be upon the Messenger of Allah. Praise be to Allah, who taught by the pen, taught man what he did not know; and prayers and peace be upon the best teacher of good to mankind, Muhammad, peace and blessings be upon him. To proceed:
Back to basics
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
I Have a Message for you.
Solution
Well, if you review the page source, you get this:
The name of the lab tells us to go back to basics, so I opened the dev tools and reviewed the network traffic. You can use Burp, but it isn't needed; just press F12 to open the dev tools,
like this. Now click on Network and reload the page.
You get this. Now go through and check every request, and you will find it (I mean the flag) in the second request.
Maximum Courage
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
Max prefers to learn by practicing and not just reading all day, so he set up a webserver and hopes it stays secret, can you prove it has a weakness?
Solution
After accessing the lab, we open it in the browser.
Okay, we don't have access to open flag.php (the aim is to open it because it contains the flag).
Now we need a tool to scan the web server for directories. I will use dirb; you can find it here https://github.com/andrenth/drib. Let's go to our terminal: dirb <target>
Okay, good findings. If we open this URL we find another path; I opened it and it is not useful, but we now know that this website has /.git, which means the Git directory is exposed. I will use GitTools for it; you can get it from https://github.com/internetwache/GitTools. We will actually use ./gitdumper.sh.
I'll explain the command line first: ./gitdumper.sh (the script), the URL (our target) and a folder name (where the output will be stored). Final: ./gitdumper.sh <target> <name of folder>
Okay, open the folder and type ls -a (-a shows hidden files).
I already searched through it but didn't find anything (you can search if you want, it's up to you). Now we try another tool, git. We will use git status to see the changes that have been made to this repository. Command: git status
Yes, it's just git restore flag.php to solve the challenge 😄
Easy access
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
Only superpower makes you see unlimited view.
Solution
We review the source code (Ctrl+U).
Now try to log in with these credentials:
username : bob
pass : password
Well, now we try a payload to bypass authentication and gain unauthorized access to the system. The common one is ' OR 1=1-- - ; I'll try it with the above credentials.
Now log in.
Well, it's an easy one; in real cases it is usually not this easy.
ConCmarks
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
it might be useful to find a mark.
Solution
After accessing the lab, we inspect the main page.
This means we have an endpoint called sourceXXXX, where XXXX has a value from 7000 to 9000, so I first send a request, intercept it and send it to Intruder to fuzz the correct value and get access to this endpoint.
Now select payload type Numbers, set the range from 7000 to 9000 with a step of 1, so we have 2001 requests to check,
and select the Sniper attack type.
From the status codes, select the 200 OK one.
Then I searched for how to bypass this condition and get the flag.
First I'll explain what this condition does. The code is a PHP script that takes two GET parameters (n1 and n2), hashes them using md5 with a salt, and checks if the hashes are identical while ensuring that input1 and input2 are different. If the condition is met, it prints the flag; otherwise, it prints "Sorry this value not valid."
if( $input1 !== $input2 && @hash("md5", $salt.$input1) === @hash("md5", $salt.$input2) ) /* check that input1 is not identical (!==) to input2 (strict comparison)
and that the MD5 hashes of salt + input1 and salt + input2 are identical. */
This means we need two different inputs that produce the same MD5 hash when concatenated with $salt.
So after searching again I found a way to bypass this condition using PHP type juggling with arrays, and I used the payload n1[]=&n2[]=any_value. I'll explain it now. Instead of sending normal string values for n1 and n2, I send them as arrays using n1[]=&n2[]=1, and PHP automatically converts query parameters with [] into arrays ($_GET['n1'] and $_GET['n2'] become arrays instead of strings). When PHP hashes an array with @hash("md5", $salt.$input1), it throws a warning and returns NULL, so the condition evaluates to **true**, because $input1 !== $input2 (the arrays are different) and @hash("md5", NULL) === @hash("md5", NULL) is true. Now put this payload and send it.
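As an added example (not the challenge's own code, which only shows the if condition), here is that check next to a hardened version; $salt is a placeholder. It also shows the mechanism that makes the array payload work: the concatenation $salt.$input1 turns each array into the literal string "Array" before hashing, so two different arrays produce the same digest.

```php
<?php
// Added example, not the challenge's own code: the original condition next to a
// hardened version. $salt is a placeholder; the real challenge salt is unknown.

function vulnerable_check(string $salt, $input1, $input2): bool
{
    // Same condition as the challenge. When $input1 is an array (n1[]=...),
    // the concatenation $salt.$input1 converts it to the literal string "Array"
    // (PHP emits "Array to string conversion", silenced by @), so two
    // *different* arrays both become "<salt>Array" and hash identically.
    return $input1 !== $input2
        && @hash("md5", $salt . $input1) === @hash("md5", $salt . $input2);
}

function hardened_check(string $salt, $input1, $input2): bool
{
    // Reject anything that is not a plain string, so arrays coming from
    // n1[] / n2[] never reach the hash, and keep the "inputs must differ" rule.
    if (!is_string($input1) || !is_string($input2) || $input1 === $input2) {
        return false;
    }
    // MD5 is kept only to mirror the challenge; it is not collision resistant,
    // so a real application should use a modern hash here. hash_equals gives a
    // constant-time comparison of the two digests.
    return hash_equals(hash("md5", $salt . $input1), hash("md5", $salt . $input2));
}

// Constructed inputs: what ?n1[]=a&n2[]=b decodes to in $_GET.
$salt = "placeholder_salt";
$arrA = ["a"];
$arrB = ["b"];

var_dump(vulnerable_check($salt, $arrA, $arrB)); // original check, array payload
var_dump(hardened_check($salt, $arrA, $arrB));   // hardened check, same payload
var_dump(hardened_check($salt, "a", "b"));       // hardened check, ordinary strings
```

With these inputs the original condition is satisfied by the two arrays, while the hardened check rejects them and only compares genuine string inputs.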
Private Agent
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
Only private agents can make their way to the gate.
Solution
After accessing the lab, we inspect the main page.
From the above, it gives us the User-Agent value needed for private access, so go to Burp, intercept the request and change the User-Agent value to the given value: givittome
and we find the flag as a header in the response.
COMRADE III
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
Hey Comrade , World War III will begin soon , we need to reveal what was hidden.
Solution
After accessing the lab, we review the source code
and find nothing, so I'll use the dirb tool.
Good findings: we now know the .git endpoint, so I'll use gitdumper from GitTools.
Now use this command to see the status of the folder: git status
and use this command to restore any file: git restore <name of file>
I already restored all of them and found good findings in api.php.
Okay, if we bypass this condition we get the flag, so I'll explain how to bypass it. This condition reads a cookie called api_key and checks whether it is true or false. After searching, I found the value of api_key in a file called contact_process.php.
bin2hex! Let's convert this string to hex using this site.
Okay, we got the value (first remove the spaces). Go to the lab, create a cookie called api_key and set its value to 746869735f69735f746f705f736563726574,
then reload the page to see the flag.
x corp
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
X corp made a new filtration for input data , prove it is secure enough
Solution
After accessing the lab, we review the source code.
Well, we are missing a quote and the input lands inside a span, so I'll try to close the quote.
Now try a payload that triggers an alert (XSS); you can use this payload: admin'onload=alert(1)'
The first quote closes the open one, then we add the onload handler.
uGame
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
we are creating a new social media app for gaming , make sure its secure enough.
Solution
After accessing the lab, you see a text input. I typed any value to see where it is stored in the source code.
Now, after typing any value, I'll try a simple payload to get an alert.
Okay, from the above we now know the validation strips anything after <script,
so I'll try <svg or <img, anything without <script>.
So the final payload is:
<svg src=<any_invalid_value> onerror=alert(1)>
You should put an invalid value in src so that onerror fires and shows the alert; type it and you get the flag in the alert.
bean
Challenge Information
Category: Web Security
Level: medium
Points: 50
description
Come back home Mr. Bean.
Solution
After accessing the lab, we open it in the browser. Okay, let's brute-force directories using dirsearch.
Okay, we have good findings; now open this link.
Well, let's try a path traversal attack.
payload ⇒ http://wlemyw93xjyc7zr8r4gvmkxal3dmm73p4y52iqvq-web.cybertalentslabs.com/files/../../../../etc/passwd
The bad thing is that it doesn't work; the good thing is that we now know the web server is nginx, and it may be vulnerable to alias traversal. What is alias? The alias directive is used to replace the path of the specified location. So now we try putting two dots before the slash, like ../; the final path is example.com/name../, in our case files../. Now let's try it.
The last thing is to find the path of the flag; I searched for it a lot before. You can do that, but for now I will give the path directly: /files../home/flag.txt
For more info about alias traversal ⇒ https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
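As an added example (not the lab's real configuration; the paths are assumed), here is the misconfiguration behind the files../ trick next to the corrected location, plus a rule that closes the /.git exposure that gitdumper relied on in Maximum Courage and COMRADE III:

```nginx
# Added example with assumed paths, not the lab's real configuration.

# Vulnerable: the location prefix has no trailing slash while the alias does.
# A request for /files../home/flag.txt still matches the prefix "/files"; the
# remainder "../home/flag.txt" is appended to the alias, giving
# /srv/files/../home/flag.txt, which resolves to /srv/home/flag.txt, outside
# the directory the alias was meant to expose.
location /files {
    alias /srv/files/;
}

# Fixed: prefix and alias both end in "/", so "/files.." no longer matches this
# location and the ".." can never be glued onto the alias path.
location /files/ {
    alias /srv/files/;
}

# Separately, never serve repository metadata: with /.git reachable, gitdumper
# can rebuild the history, including deleted files such as flag.php.
location ~ /\.git {
    return 404;
}
```

gixy (linked above) reports the first block as alias_traversal and is silent on the second.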
DarkSide
Challenge Information
Category: Web Security
Level: easy
Points: 50
description
Light up the darkness
Solution
Okay, this lab is very easy: just press F12 to see the web sources, find the JS file called disable, open it and get the flag.