hacking, owasp, web application security

The BodgeIT Store Series #1, Level 1 XSS – #bodgeit #infosec #pentest #appsec #webapp #XSS

First post of 2018!

This post will be a first in a series to solve the BodgeIt Store.

I am running the BodgeIt store from an ISO (disk image) on a virtual machine (I am using VM Workstation Player 12, which is free). I have a previous post that describes how to install ISOs in virtual machines (VMs). Link here.

Now on to the hacking!

After installing the ISO, and powering on the VM, you will be presented with the login page:

owaspbwa_login

Navigating to the IP you will see OWASP BWA (Broken Web Application) homepage:

owaspbwa_homepage

Clicking on the BodgeIt link we’re presented with this homepage:

owaspbwa_bodgeit_homepage

Going to the “About Us” we see there’s a scoring page.

Clicking on the scoring page, we see:

bodgeit_scoring_1

By the end of the series, these challenges will be green (completed).

Let’s get started!

I’m going to start with “Level 1: Display a popup using: alert("XSS")”

Note: I am using Google Chrome, which has the XSS Auditor built into the browser.

If you’re using Chrome you will need to temporarily disable this for the XSS payload to run. Make sure to close ALL instances of Chrome before entering the below command.

To disable the XSS Auditor, open a command prompt (Run –> cmd.exe), and enter (or copy) the following: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor

Once you press Enter, a new instance of Chrome will open.

OK, now a new instance of Chrome has opened, and we’ve navigated to the BodgeIt store.

Going to the Search link we see the following:

owaspbwa_bodgeit_level1_XSS

Entering the following line in the search input: alert("XSS")

owaspbwa_bodgeit_level1_XSS_search_1

And pressing the “Search” button we see:

owaspbwa_bodgeit_level1_XSS_search_2

We have successfully simulated an XSS attack!

Navigating back to the scoring page (About Us –> Scoring Page) we see:

bodgeit_scoring_2

Level 1 is complete (green)!!!
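The search page reflects whatever you type straight back into the HTML, which is why the payload runs. The following is an added example (not BodgeIt's own code, which is Java) that shows the same bug in a few lines of Python next to its fix: the hardened version HTML-encodes the search term before it is written into the page, so the browser renders it as text instead of executing it.

```python
import html

# Constructed payloads: the Level 1 challenge text from the post, with and
# without the script tags a browser needs to actually execute it.
PAYLOAD = 'alert("XSS")'
SCRIPT_PAYLOAD = '<script>alert("XSS")</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the raw search term is concatenated into the markup.

    Anything the user typed, tags included, becomes part of the page.
    """
    return f"<p>You searched for: {query}</p>"


def render_search_fixed(query: str) -> str:
    """Same page, but the term is HTML-encoded for element content.

    html.escape turns < > & " ' into entities, so a <script> tag is shown
    literally as text. quote=True also makes the value safe inside a quoted
    attribute such as value="...", which is where a search box echoes the term.
    """
    return f"<p>You searched for: {html.escape(query, quote=True)}</p>"


def contains_live_script(page: str) -> bool:
    """Crude detector used here to compare the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(SCRIPT_PAYLOAD))
    print(render_search_fixed(SCRIPT_PAYLOAD))
```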


Uncategorized

PicoCTF 2017 – A Thing Called A Stack #ctf #picoctf #appsec #infosec #reverseengineering

Another day, another challenge.

In today’s blog post we’re going to solve the “A Thing Called A Stack” challenge from PicoCTF.

Let’s get started.

Clicking on the challenge, we see the following:

PicoCTF_A_Thing_Called_A_Stack_1

OK, so we’re given a file, and we need to determine the difference between the value of esp at the end of the code, and the location of the saved return address.

Looking at the hints we see the following:

PicoCTF_A_Thing_Called_A_Stack_2

The hints raise two questions: where is the return address saved, and which instructions actually affect the stack?

DISCLAIMER: I haven’t worked with assembly in probably 8 years. So, what did I do? Go to YouTube.

Searching for “Assembly tutorial”, I found a GREAT crash course explaining assembly.

I have linked the video here.

Opening the file (Notepad++ is great!), we see the following:

PicoCTF_A_Thing_Called_A_Stack_3

Using the YouTube tutorial, let’s decode the assembly code.

First we’re pushing the ebp (base pointer) onto the stack.

Next, we set the esp (stack pointer) and the ebp (base pointer) to the same location.

Next, we push edi, esi, and ebx onto the stack. Note these instructions don’t change the stack. This solves question #2 in the hints section.

Next, we reserve 180 bytes (0xb4 hex) on the stack to hold local variables.

Next, we’re going to store the local variable x = 0, to address 180 + 4 = 184

Next, we’re going to store the local variable y = 1, to address 184 + 4 = 188

Next, we’re going to store the local variable z = 2, to address 188 + 4 = 192

Next, we’re going to store the local variable a = 3, to address 192 + 4 = 196

So the esp (stack pointer) is now at 196.

Let’s convert 196 to hexadecimal.

Doing this we get the following: 0xc4

Entering this into the challenge, we see that it solved the challenge and we acquired 60 points!
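As an added example (not part of the original post), here is a small esp tracker that arrives at the same 0xc4 by a slightly different route: it charges 4 bytes to every push, including edi, esi and ebx, adds the 0xb4 reservation, and treats the four mov stores as not moving esp at all. The listing is reconstructed from the post's description, since the actual file is only shown as a screenshot; the mov operands are illustrative.

```python
# Reconstructed from the post's description of the prologue; the store
# operands are illustrative placeholders, only the mnemonics matter here.
PROLOGUE = [
    "push ebp",
    "mov ebp, esp",
    "push edi",
    "push esi",
    "push ebx",
    "sub esp, 0xb4",                 # 180 bytes of locals
    "mov dword [ebp-0xc4], 0x0",     # x = 0 (offset assumed)
    "mov dword [ebp-0xc0], 0x1",     # y = 1
    "mov dword [ebp-0xbc], 0x2",     # z = 2
    "mov dword [ebp-0xb8], 0x3",     # a = 3
]


def esp_distance_from_return_address(instructions):
    """Return how far below the saved return address esp ends up, in bytes.

    At function entry the return address sits at [esp], so we start esp at 0
    and track only the instructions that move it: push/pop and add/sub on esp.
    mov stores write memory but leave esp where it is.
    """
    esp = 0
    for ins in instructions:
        mnemonic, _, operands = ins.strip().partition(" ")
        mnemonic = mnemonic.lower()
        if mnemonic == "push":
            esp -= 4
        elif mnemonic == "pop":
            esp += 4
        elif mnemonic in ("sub", "add") and operands.lower().startswith("esp"):
            imm = int(operands.split(",")[1].strip(), 0)   # accepts 0xb4 or 180
            esp += -imm if mnemonic == "sub" else imm
    return -esp


if __name__ == "__main__":
    d = esp_distance_from_return_address(PROLOGUE)
    print(f"esp is {d} bytes ({hex(d)}) below the saved return address")
```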

capture the flag, hacking

PicoCTF 2017 – computeAES #infosec #appsec #crypto #ctf

Another day, another challenge.

Today’s blog post will explore solving the “computeAES” challenge in PicoCTF.

Let’s get started.

Clicking on the challenge we see the following:

PicoCTF_computeAES_1

Clicking on the clue link we see the following:

PicoCTF_computeAES_2

Going back to the challenge and clicking the hints we see:

PicoCTF_computeAES_3

Let’s use the hint of using online tools to solve this challenge.

Doing a Google search for “convert base64 to hex” we get the following link.

Going to this link we put in our base64 input to get the hex equivalent.

Doing this for the key and the input we get the following:

Key = 4f9b95cd8b6e04dbfabf08e886c955e3

Input = b75874a9b70e851405e44e3a6ec34b8a67db708e9e82b28fe0b1ed291de54f851d5a386cb0cf11412053ed2ffcadc472

Doing another Google search for “AES calc hex” we get the following link.

Entering the hex value of the key and input we get the following:

PicoCTF_computeAES_4

We found the flag! Copying the flag and removing the extra space we’ve acquired 50 points!

capture the flag, hacking, web application security

PicoCTF 2017 – What Is Web

Another day, another challenge.

In today’s blog post we are solving the challenge “What Is Web” from PicoCTF.

Let’s start!

Clicking on the challenge we see:

PicoCTF_What_Is_Web_7

OK, so we need to find out how to use HTML.

Looking at the hints we see:
PicoCTF_What_Is_Web_2

Clicking on the website we see:

PicoCTF_What_Is_Web_3

Doing a right click, view source we see:

PicoCTF_What_Is_Web_4

At the bottom of the screen, the green text (HTML comments, which are not displayed in the browser) shows the first part of the flag.

Now we need to find the second and third part of the flag.

Looking back at the page source we see two different files that are referenced: hacker.css and script.js

Let’s look at hacker.css first and see what’s there.

Going to that file we see the second part of the flag at the top of the browser:

PicoCTF_What_Is_Web_5

Now let’s look at the script.js file and see if we can find the final part of the flag…

Going to the script.js file we see:

PicoCTF_What_Is_Web_6

We now have the three parts of the flag!

Combining the parts together and submitting the flag, we’ve acquired 20 points!

capture the flag, hacking

PicoCTF 2017 – looooong

Another day, another challenge…

Today’s blog post is to solve the looooong challenge from PicoCTF.

After login and opening the challenge we see the following:

PicoCTF_looooong_1

We need to see how fast our typing speed is.

Clicking on the hints we see the following:

PicoCTF_looooong_2

Going to the command line and connecting to the server we get the following:

PicoCTF_looooong_3

We see that we have thirty seconds to enter the following: 533 r’s and a single 3.

The hint stated we should try using python.

I can’t say enough about Python. It’s a GREAT first language for beginners to learn. TheNewBoston on YouTube has a good tutorial on Python.

Anyway, back to the challenge – going to Google and typing “Python interpreter online” we’re presented with the following here.

Python has a great way of printing characters multiple times with the following:

print('a' * 399)

This will print a 399 times.

I have to admit I had to do this challenge a couple of times as I was slow.

I’m going to add the screenshots of the challenge I was able to solve.

PicoCTF_looooong_4

Going to the link I provided I typed print('v' * 538) and was presented with:

PicoCTF_looooong_5

Copying the v’s and going back to our challenge, if we right click in the command line and select paste from browser we get the following:

PicoCTF_looooong_6

Entering the v’s and adding the single 1 at the end and pressing OK I received the following:

PicoCTF_looooong_7

We received the flag and acquired 20 points!

Word of advice: have AT LEAST two windows open, one with the challenge and a second with the Python interpreter.
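The copy-and-paste race can be removed entirely by scripting the exchange. This is an added example, not part of the original post: it parses the prompt for the count and the characters, builds the reply, and sends it over a socket with a timeout shorter than the 30-second limit. The prompt wording is a constructed assumption (the real text is only in the screenshots), so adjust the regex to the service's actual phrasing.

```python
import re
import socket

# Constructed prompt modelled on the post's description; the real wording is assumed.
SAMPLE_PROMPT = "You have 30 seconds. Please enter 533 r's followed by a single 3:"

PROMPT_RE = re.compile(r"enter (\d+) (\w)'s followed by a single (\w)", re.IGNORECASE)


def build_reply(prompt: str) -> str:
    """Turn the prompt into the exact line to send: n copies of the letter plus the trailing character."""
    m = PROMPT_RE.search(prompt)
    if not m:
        raise ValueError("prompt did not match the expected wording")
    count, letter, tail = int(m.group(1)), m.group(2), m.group(3)
    return letter * count + tail


def solve_remote(host: str, port: int, timeout: float = 25.0) -> str:
    """Connect, read the prompt, answer within the time limit and return the server's reply.

    host and port are whatever the challenge page lists; nothing here is hard-coded.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        prompt = s.recv(4096).decode(errors="replace")
        s.sendall((build_reply(prompt) + "\n").encode())
        return s.recv(4096).decode(errors="replace")


if __name__ == "__main__":
    reply = build_reply(SAMPLE_PROMPT)
    print(f"{len(reply)} characters ready to send: {reply[:8]}...{reply[-3:]}")
```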


capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #14

Another day, another challenge.

Today’s challenge comes from the InfoSec Institute CTF program.

Going to the following link we see the following:

infosec_14_intro

Doing a right click, view page source we see the following:

infosec_14_page_source

Hmm… there’s a file titled level14 inside the misc folder. Let’s go to that file and see what’s there…

Going to the file we see the following:

infosec_14_php_sql_dump

Hmm… it looks like we have a SQL dump that’s showing us all the tables and values inside of a php application.

Scrolling down we see something that looks interesting, and strange…

infosec_14_encoding

Could this be some type of encoding? Possibly hexadecimal encoding?

First, we don’t need the double forward slash, we just need one. Removing the extra slashes we get the following:

infosec_14_encoding_remove_slash

Using a Hex to ASCII converter here, we get:

infosec_14_solved

We found the flag – infosec_flagis_whatsorceryisthis

Lessons learned:

Our trick still works! We were able to find valuable information when looking at the page source. Going to the file listed we noticed it was a dump of SQL tables. Looking through the tables we noticed suspicious output, which we guessed was some type of encoding. Using information we learned from a previous challenge we were able to deduce that the encoding was hexadecimal encoding. From there we were able to find the flag.

capture the flag, hacking, web application security

InfoSec Institute CTF #13

Another day, another challenge…

Today’s challenge is from the InfoSec Institute.

Going to the following link, we see the following:

infosec_13_intro

Doing a right click, view page source we see the following:

infosec_13_page_source

So from the hint we’re looking for a back-up file.

Since this is on a Linux box, let’s see what the naming conventions are for backup files.

Let’s see if there’s a backup folder.

infosec_13_backup

That led us to a dead-end.

Let’s try adding .old at the end of the file.

Adding the “.old” at the end of the URL and pressing enter we get the following:

infosec_13_old

Hmm… this looks like another file. Let’s open it.

Opening the file in a text editor we get the following:

infosec_13_hidden_content

Looking at the file we see the first paragraph, which matches our first screenshot.

Next we see commented out code, that is asking us to download a mysterious file, “iamadecoy”.

Let’s navigate to this file and see what we find.

After the file downloads, we try to open it.

Hmm… that’s weird: when clicking on the file, a prompt is shown asking what type of file this is.

Since we don’t know what type of file it is, let’s go to this site here, to find out.

After uploading our file we determine that it is a pcap file.

infosec_13_pcap

We’re going to need Wireshark for this one…

Opening Wireshark, and opening our file we’re presented with the following:

infosec_13_wireshark

The beginning of the file is DNS queries that are rejected; we can ignore those.

Searching through the file we notice some HTTP requests that are getting files, in particular – HoneyPy.png

Going to packet 633:

infosec_13_wireshark_633

We can reconstruct this exchange.

Going to File –> Export Objects –> HTTP

We get the following:

infosec_13_wireshark_http_objects

Our file is highlighted in the above screenshot, so let’s click Save.

Opening the file we get our flag!

infosec_13_flag

Lessons learned:

Use the hints that are provided! We knew that the file we were looking for was a backup. After playing around with the filenames we discovered that the file we were looking for ended in “.old”. Once we opened the file we noticed there was another file “imadecoy”. After downloading that file and trying to open it our operating system was confused about the file type. Uploading our file to the above link we determined that the file had a pcap (packet capture) extension, and we would need to use Wireshark.

Opening Wireshark, we determined that the file we needed was inside of an HTTP packet. Reconstructing the packet we were able to download the file we needed. After opening that file we received our flag. This challenge was a multi-step process. It’s very important to pay attention to detail.


capture the flag, hacking, web application security

InfoSec Institute Challenge #12

Another day, another challenge.

Today’s challenge is coming from the InfoSec Institute.

Going to the following link we see the following:

infosec_12_intro

Doing a right click, view page source we see the following:

infosec_12_css

We noticed there’s an extra CSS (Cascading Style Sheets) file. Let’s see what’s in this file.

Going to the file we see the following:

infosec_12_css_opened

Hmm… this looks interesting. Knowing a thing or two about CSS, the colors are represented in hex (hexadecimal, base 16) form. More can be found here.

I’m thinking this is the actual flag, but it’s just encoded.

Using our knowledge from other challenges, let’s try base64 decoding, since it has worked before.

Going to the link here, and typing in the encoding we get the following:

infosec_12_base_64_decoding

Our decoding wasn’t successful. This encoding is not base64.

Going back to the challenge, we know that CSS uses hexadecimal to represent colors.

Maybe the encoding is in hexadecimal form.

Going to Google and typing in “converting hexadecimal to text” we get the following link.

Putting our encoding in the text box and changing the decoding to “hexadecimal to text” we get the following:

infosec_12_flag

We found the flag!

Lessons learned:

Attention to detail! We noticed that there was another file when we did the right click, view page source. Going to that page we noticed that there was encoding. We first tried base64, which did not work. Going back to the drawing board on how CSS works, we know the colors are represented in hexadecimal. Doing a Google search of hexadecimal to text we were able to find the flag.


capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #10

Another day, another challenge…

Today’s challenge will be on Challenge #10 from the InfoSec Institute CTF program.

Going to the following link we’re provided with the following page.

infosec_10_intro

Doing a right click view page source we see the following:

infosec_10_pagesource

There’s a listen button. If we click on that button we’re presented with a flag.wav file. Maybe the flag is in there? Let’s see.

Opening the file we noticed that the file is one second long, and we can’t hear the audio.

Going back to the original page and doing a right click save link as… allows us to save the audio.


There’s a GREAT application called Audacity that can be used to change the pitch and speed of an audio file.

Going here you will be presented with the Audacity webpage.

Downloading Audacity and opening the flag.wav file we see the following:

infosec_10_flag_audacity

Playing the file it’s still inaudible.

Like I wrote above, with Audacity you can change the speed of the audio without changing the pitch.

Going to the toolbar and selecting Effects, there’s a “Change Speed” option. Clicking this option we can specify different speeds. After trying different speeds (.75x, .50x) and settling on .22x, playing the audio again we can hear the flag.

The flag is:

infosecflag_is_sound.

We found the flag!

Lessons learned:

Our trick of doing the right click, view source helped a little bit. When doing this we noticed that there is a file we needed to download. After downloading the file and playing the audio it was inaudible. Going to Google we downloaded an application that aided us in interpreting the audio. After adjusting the speed we were able to get the flag.

capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #9

Another day, another challenge…

Today’s challenge will be #9 from the InfoSec Institute CTF.

Going HERE we’re presented with the following:

infosec_9_intro

Doing our handy trick of right clicking and viewing the page source we see the following:

infosec_9_pagesource

We see that there’s a form that takes a username and password.

Using the hint from the challenge we know we’re looking for a CISCO IDS login.

Going to Google and typing in “common username and password for CISCO IDS” we’re presented with the following link.

Searching the link for username and passwords we see the following:

infosec_9_username_passwords

Going back to our login screen and entering the first username of “netangr” and password “attack” we get the following:

infosec_9_netangr

The username and password didn’t work 🙁

Let’s try the second username of “root” and password of “attack”.

infosec_9_root

We’re presented with the flag… but it looks like gibberish.

infosec_9_flag

Inspecting the flag closely we noticed that it is backwards.

The flag is infosec_flagis_defaultpass!

Lesson learned:

Our handy trick of looking at the page source did not work. It revealed that the challenge was using a form. Looking at the webpage we noticed that there is a hint: CISCO IDS. Using this information we know that most devices have a default username and password. Going to Google we found the webpage that listed a default username and password. The first username did not work; the second one did. From that we found the flag, even though to the naked eye one might ignore it. Looking at the flag again we noticed that the flag was written backwards. After putting the flag in the correct order we were able to see it.