CTF-Web-level1

CTF - InfoSec Institute Web level 1
CTF (Capture The Flag) provided by InfoSec Institute

The first level is a simple cross-site scripting (XSS) exercise. It is a simple web page that takes 'Site Name' and 'Site URL' as input values. The provided hint is to disable front-end validation.


1. Checking the webpage source
By pressing the [F12] key or right-clicking and choosing "view page source", you can check out the source. Based on the source, there are a couple of attributes on each input field.


Site Name

  • type="text"  // one-line text input field
  • placeholder="Name of site"  // hint text describing the expected input value
  • maxsize="10"  // text length is limited to 10 characters
  • class="form-control"  // the class is "form-control" (you can see the CSS details in the linked CSS file)
  • pattern="[A-Za-z]+"  // alphabet letters only
  • required name="name"  // the field is required and its name is "name"

Site URL

  • type="url"  // URL input
  • placeholder="URL of site"  // hint text describing the expected input value
  • required maxsize="15"  // the field is required and text length is limited to 15 characters
  • class="form-control"  // the class is "form-control" (you can see the CSS details in the linked CSS file)
  • name="url"  // the name is "url"

2. Edit input type and attributes
You can easily change the input's attributes so that you can type more than 15 characters, numbers, or special characters.

In this example, I delete "pattern" and change maxsize to "155".

3. Try XSS and see if it's working!! or find another validation
After editing the Site Name input's attributes, we can type a basic XSS payload. But for some reason it's not showing an alert message on the page. It's literally treated as plain letters and written into the web page. That means there's another input validation on this web page besides the input attributes.

Let's check out the linked JavaScript to find the input validation. There are four different JavaScript files on this web page.

  • jquery.min.js
  • bootstrap.min.js
  • functions.js : checks the level, adds the score and gets the OWASP information
  • ex1.js

It seems obvious that ex1.js has the input validation (the name is obvious, and you can easily find the trim().replace(<) part as well).


replace(/A/, B) means replacing A with B. The 'g' flag stands for global, which makes the replace call apply to all matches, not just the first one. So the source means changing "<" into "&lt;". "&lt;" is the HTML-encoded form of "<".

4. Edit the JavaScript
After changing the JavaScript, we can see it's showing the alert message now.

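The lesson of this level is that a filter living in ex1.js can be edited away by anyone, so encoding has to happen on the server when the value is rendered. The following is an added example (not the CTF's own ex1.js) that puts the single-character filter described above next to a complete HTML escaper; the function names and sample input are assumptions of mine.

```javascript
// Added example, not the CTF's own ex1.js. Constructed names: level1Filter,
// escapeHtml, render, isNeutralised; the sample input is made up.

// The check the write-up found in ex1.js: only "<" is encoded, and it runs
// in the browser, so anyone can edit it away before the form is submitted.
function level1Filter(value) {
  return value.trim().replace(/</g, "&lt;");
}

// Server-side output encoding: every character that can change HTML
// structure is encoded, so the value is inert in element text and inside
// double- or single-quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the fragment the lab page shows after submission: site name in
// element text, site URL in an href attribute. `escape` is the encoder the
// server applies on output (pass level1Filter to see the weak variant).
function render(siteName, siteUrl, escape) {
  return '<a href="' + escape(siteUrl) + '">' + escape(siteName) + "</a>";
}

// True when no structural character survived in the encoded value, i.e. the
// input can no longer close a tag or break out of a quoted attribute.
function isNeutralised(encoded) {
  return !/[<>"']/.test(encoded);
}

// Constructed input: a quote and a tag, the two things an encoder must stop.
const sample = '"><b>x</b>';
console.log(level1Filter(sample), isNeutralised(level1Filter(sample)));
console.log(escapeHtml(sample), isNeutralised(escapeHtml(sample)));
console.log(render("My site", "https://example.com/?a=1&b=2", escapeHtml));
```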


DVWA: File Inclusion

File Inclusion Attack?

A file inclusion attack is similar to a file upload attack. The difference is that a file upload attack uses the "upload function" on the target's website, while a file inclusion attack abuses user-supplied input.

There are two types of file inclusion attack, LFI (Local File Inclusion) and RFI (Remote File Inclusion). LFI includes files that are already located on the web server -> which uses lots of directory traversal sequences (../../).

RFI includes a file remotely from another domain. If you have your own server with a malicious PHP file on it (e.g. https://hackerwebserver.com/attack.php), you can directly put that file path into the target website to make it load that file.

ref :
https://en.wikipedia.org/wiki/File_inclusion_vulnerability
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

1) DVWA : File Inclusion Attack – Low


This is the source of the file inclusion page on DVWA. As you can see, there's no input validation at the low security level in DVWA.

For an LFI attack, you can easily move to other directories by typing ../../../../ *If you have a hard time finding out the directory path, you can use a web application crawler (e.g. DirBuster).


For an RFI attack, you can easily put a different website URL after 'page=' in the URL. Just like the image below, you can see the new page is loaded if you change the last part of the URL to 'page=https://google.com'.


Which means that if you have a malicious PHP file, you can put its path in the URL and load it into the page.

You can easily make a malicious (bind or reverse shell) PHP file with Metasploit (msfconsole or msfvenom) and load that file from the victim's web browser. First, start metasploitable

2) DVWA : File Inclusion Attack – Medium

The difference between the low and medium levels is that there's input validation, which simply blocks http:// and https://. This input validation can be bypassed by using mixed lower and upper case or by writing the prefix more than once. e.g. HtTp:// , hhttp://ttp://


For LFI, the ../../ directory traversal sequences are still valid on this website, so we can use the same input that we used at the low level.

For RFI, this is easily exploitable by using mixed case such as 'H t T p s' (e.g. http://192.168.88.132/vulnerabilities/fi/?page=hTtPs://google.com)
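Why the medium-level filter fails and what a fix looks like, as an added example (not DVWA's own PHP source): the blacklist is reproduced as described above, the case-insensitive check shows that the write-up's two inputs still point at a remote host after filtering, and an exact-match allow-list replaces it. Function names and the allow-list contents are assumptions of mine.

```javascript
// Added example, not DVWA's own PHP source. Constructed names: mediumFilter,
// looksRemote, ALLOWED_PAGES, resolvePage; the allow-list contents are made up.

// The medium-level check described above: the two scheme strings are deleted
// from the page parameter and nothing else is touched.
function mediumFilter(page) {
  return page.replace(/http:\/\//g, "").replace(/https:\/\//g, "");
}

// Does the value still name a remote location once the filter has run? This
// check is case-insensitive, which is exactly what the filter is not, so the
// mixed-case and doubled-prefix inputs from the write-up come out as true.
function looksRemote(page) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(mediumFilter(page));
}

// Allow-list instead of blacklist: the parameter must exactly equal one of
// the files the application ships. Remote URLs and ../ sequences never match,
// so neither RFI nor LFI input reaches include().
const ALLOWED_PAGES = new Set(["include.php", "file1.php", "file2.php", "file3.php"]);

function resolvePage(page) {
  if (typeof page !== "string") return null;
  return ALLOWED_PAGES.has(page) ? page : null;
}

console.log(mediumFilter("https://google.com"), looksRemote("https://google.com"));
console.log(mediumFilter("hTtPs://google.com"), looksRemote("hTtPs://google.com"));
console.log(mediumFilter("hhttp://ttp://google.com"), looksRemote("hhttp://ttp://google.com"));
console.log(resolvePage("file1.php"), resolvePage("hTtPs://google.com"), resolvePage("../../../../index.php"));
```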

3) DVWA : File Inclusion Attack – High

DVWA: CSRF

1. DVWA (Low) – CSRF
CSRF (Cross-Site Request Forgery) is an advanced XSS attack, which forces an end user to send a malicious request to the web server by running a malicious action on the web application.

For the low level of DVWA CSRF, you can easily change the password without logging in to the website. After viewing the page source code, you can see the values (password_new and password_conf (confirm new password value)) are sent via the GET method.

First, create your own HTML source which has the same form action to change the password.

Second, change the action="" part and type the password value. To make this source code (e.g. csrf_test.html) send the GET values to the actual website (the DVWA website), you need to set the form action value to "http://127.0.0.1/dvwa/vulnerabilities/csrf/?" instead of "#".

Also assign the value (in this example, this would be 'csrfdone') to password_new and password_conf to change the password without logging on to the website.


Finally, click the Change button and the page will redirect to the DVWA CSRF page and give you the 'password changed' result!!!


DVWA: Brute Force

1. DVWA (Low) – Brute Force
Brute force is a password attack which tries every possible combination until it finally finds the right password. This attack method might be useful if the password is only made of English letters or numbers. (But as we all know, lots of people now create their passwords with special characters, numbers, etc.)

A more advanced attack is the dictionary attack, which uses a password dictionary (wordlists of strings that people often use as a password).


Back to DVWA: to brute force, there are well-known tools like Hydra, Patator, etc. To use a tool for a web brute force attack, we can't just directly try every possible password against the live server (it will lock the account out or delay responses). So we are using another tool, called Burp Suite, to intercept the login request and change it.

You need to set up the internet browser's proxy setting to localhost:8080. For IceWeasel, you can go to the [Edit] tab menu > [Preferences] > [Connection Settings]. Check the Manual proxy configuration part and type localhost or 127.0.0.1 with port 8080.


Then set up Burp Suite's Proxy Listener to 127.0.0.1:8080 under [Proxy] > [Options] > [Proxy Listeners].

HTTP has two well-known methods: GET and POST. The GET method retrieves a file or information. The POST method is used when you submit data, like posting content to a board.

DVWA:Command Injection

1. DVWA (Low) – Command Injection

Command injection is an attack in which an attacker inputs a malicious command and runs it on the target. SQL injection uses SQL queries, but command injection uses system commands such as ifconfig or whoami.

*cf. shell command operators
A | B (whether A succeeds or not, B runs)
A ; B (whether A succeeds or not, B runs)
A || B (if A fails, then B runs)
A && B (if A succeeds, then B runs)

In DVWA Command Injection (security level: Low), if you type '192.168.0.25; ls' in the "Enter an IP address" field (whether ping 192.168.0.25 succeeds or not, it will run the ls command after ';'), you can see the 'ls' command's output shown after the ping result.


2. DVWA (Medium) – Command Injection

In DVWA Command Injection (security level: Medium), you can see the difference between low and medium is that there's a blacklist for ';' and '&&'. So if you type '192.168.43.43|ls', you can still see the result.
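The medium-level blacklist next to the check that actually closes the hole, as an added example (not DVWA's own PHP): stripping ';' and '&&' leaves the pipe from the write-up untouched, whereas validating the field as exactly one IPv4 address and running ping without a shell leaves no operator for the shell to interpret. Function names and sample inputs are assumptions of mine.

```javascript
// Added example, not DVWA's own PHP. Constructed names: mediumBlacklist,
// chainsCommand, isIPv4, pingArgv; the sample inputs are made up.

// The medium-level blacklist described above: "&&" and ";" are stripped,
// everything else passes through to the shell.
function mediumBlacklist(ip) {
  return ip.replace(/&&/g, "").replace(/;/g, "");
}

// Does the (filtered) value still contain an operator the shell would treat
// as the end of the ping command? Pipes survive the blacklist untouched.
function chainsCommand(value) {
  return /[|;&`$()<>\n]/.test(value);
}

// Allow-list: exactly four decimal octets, each 0-255, no leading zeros,
// nothing before or after. Anything that is not an address is refused.
function isIPv4(value) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(value);
  if (!m) return false;
  return m.slice(1).every((o) => String(Number(o)) === o && Number(o) <= 255);
}

// Build the command as an argv array for execFile-style execution (no shell
// involved), and only for an allow-listed address. Returns null otherwise.
function pingArgv(value) {
  return isIPv4(value) ? ["ping", "-c", "4", value] : null;
}

console.log(mediumBlacklist("192.168.43.43;ls"), chainsCommand(mediumBlacklist("192.168.43.43;ls")));
console.log(mediumBlacklist("192.168.43.43|ls"), chainsCommand(mediumBlacklist("192.168.43.43|ls")));
console.log(pingArgv("192.168.0.25"), pingArgv("192.168.0.25; ls"));
```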


How to set up DVWA in Kali

1. Download the DVWA zip file from GitHub and unzip it in the /var/www/html path.
Go to the /var/www/ path on Kali (you can create an 'html' or 'dvwa' directory with the "mkdir" command). Choose the path and download the DVWA zip file from the ethicalhack3r GitHub.


* You can also download the zip file from DVWA.co.uk and unzip it.

Set the permissions of the dvwa folder to 777 (writing and execution available for everyone).


2. Change the database password 'p@ssw0rd' to '' in the config.inc.php.dist file
Go to the /var/www/html/dvwa/config folder and edit the config.inc.php.dist file to change the password.

3. Start apache2 and mysql service

4. Go to a web browser and type 127.0.0.1 to see if the server is running.
**If you are using an old version of Kali, the default web root path will be /var/www, not /var/www/html. So if you couldn't find html in your Kali's /var/www location, you can place the DVWA folder under www and type the URL as 127.0.0.1/DVWA/login.php or 127.0.0.1/DVWA/setup.php.

In this case, I renamed the DVWA folder to lowercase dvwa, so the path will be '127.0.0.1/dvwa/login.php'. It will redirect to setup.php to create/reset the database.

Click the Create/ Reset Database button and click login link.


5. Login page. The default ID is 'admin' and the password is 'password'.


**If you are having a hard time setting up the DVWA environment in Kali or another VM, you can easily download the virtual image of DVWA (.iso file).


Penetration Tester(PENTEST)

1. Title : Penetration Tester, Security Assessment Tester, Ethical Hacker, Vulnerability Tester, etc.

2. Task
Perform active analysis of systems to find any potential vulnerabilities, weaknesses, or compliance issues. Also perform network availability testing with a network tool like Avalanche (DDoS test / fuzzing), etc. Penetration testing of systems, web interfaces, etc.; researching testing methodology; researching recent vulnerabilities; setting up test environments.

It could be related to researching testing methodology or providing a penetration testing service as a company's monthly/annual security check/test as a consultant. Most positions require the applicant to have at least 3 years of experience in the information security field.

3. Skill
Knowing test environments / methodologies, interfaces. Setting up networks & systems as a test bed, etc.
Web : Knowing popular web vulnerabilities (OWASP and others) and attack types: code injection, CSRF, SQL injection, etc. / Tools : Burp Suite, ZAP, Nessus, SQLmap, Nmap, OWASP ZED, Cenzic, Qualys Guard

System : OllyDbg, IDA Pro, LordPE, knowledge of x86 Intel assembly language, Windows API (DLL injection, function hooking, key logging), configuring Windows/*nix/DB
Hacking tools : Metasploit,

Preferable programming / scripting languages : Python, Ruby, Perl, Bash, etc.
Basic knowledge of or experience in Linux (Kali Linux)

4. Related Certificates
Certified Cyber Forensics Professional (CCFP)
Systems Security Certified Practitioner (SSCP)
Certified Computer Examiner (CCE)
Certified Reverse Engineering Analyst (CREA)
GIAC Certified Intrusion Analyst (GCIA)
EC-Council Certified Incident Handler (ECIH)
GIAC Certified Incident Handler (GCIH)
Certified Ethical Hacker (CEH)
Licensed Penetration Tester (LPT)
GIAC Certified Penetration Tester (GPEN)
Certified Penetration Tester (CPT)
GIAC Certified Enterprise Defender (GCED)
GIAC Systems and Network Auditor (GSNA)

1. Set your goal / ideal position to apply for

As we already know, there are lots of different occupations in cyber security: forensic analyst, malware analyst, threat & risk reporting / monitoring team (like a CERT), etc. Before applying for a job, decide on the field you are interested in / want to work in.

1) Specific types of Information/Cyber Security Workforce
Based on NIST (National Institute of Standards and Technology), there are seven categories of cyber security workforce.

1) SECURELY PROVISION : specialized in / works on conceptualizing, designing, and building secure IT systems.
KEYWORDS : Planning, Designing, Architecture, Compliance, Evaluation..
(e.g. DRP/BCP planner or project manager, Security Evaluation / Penetration Planner/Tester, etc.)

2) OPERATE AND MAINTAIN : specialized in / works on providing support, administration, and maintenance to secure IT systems, including their performance.
KEYWORDS : Administration, Maintenance, Support
(e.g. System Admin, Network Manager, Operator, Data Admin / Analyst, Customer Service Team, IT Support Team, etc.)

3) PROTECT AND DEFEND : specialized in / works on identification, analysis, and mitigation of threats to internal IT systems or networks.
KEYWORDS : Identification, Analysis
(e.g. (CERT & CIRT) Cyber Incident Response Team, Vulnerability Management Team, Vulnerability Analyst Team / Test Team)

4) INVESTIGATE : specialized in / works on investigation of cyber events or crimes involving IT systems, networks and digital evidence.
KEYWORDS : Investigation, Analysis, Forensics
(e.g. (CERT & CIRT) Cyber Incident Response Team, Vulnerability / Malicious Code Analyst, Forensic Analyst, Auditing)

5) COLLECT AND OPERATE : specialized in / works on denial and deception operations and collection of cyber security information that may be used to develop intelligence.
KEYWORDS : Intelligence, Integration, Collect
(e.g. Source Collection Manager, Integration Planner / Project Manager)

6) ANALYZE : specialized in / works on review and evaluation of incoming cyber security information to determine its usefulness for intelligence.
KEYWORDS : Analyze, Review, Evaluation
(e.g. Threat Analyst, Exploitation Analyst, Vulnerability Analyst, Source / Language Analysis, Encryption Analyst)

7) OVERSIGHT AND DEVELOPMENT : specialized in / works on providing leadership, management, direction, and/or development and advocacy so that individuals and organizations may effectively conduct cyber security work.
KEYWORDS : Governance, Compliance, Management, Planning, Strategy, Advising
(e.g. Security Policy / Awareness (education program) Planner, CISO, IT Audit, Cyber Security Manager / Project Manager)

2) Which Company?

• Security Platform & Software Vendor >

A security company which provides a secure platform to others, like Websense, Symantec, McAfee, etc., might have more detail-oriented / separated teams focused on its solution, like a Solution Development Team, Quality Assurance Team, Customer Service Team, Technical Marketing / Consultant, Vulnerability & Patch Analyst (e.g. anti-virus solution). Getting a job in a security solution / specialized corporation is helpful to learn how to develop/program security solutions, how to consult / support customers' environments, or analyze malware to update a patch or security policy.

• Non-security companies >

A company which buys security solutions to protect its own data (assets), like medical, insurance or educational companies, etc., may only have one IT team or security team to do all cyber security related tasks. It would be difficult to learn the details of security software, but you get to know the corporate infrastructure as a big picture. Some places like government cyber security departments such as the NSA, or the ICS (Industrial Control System) industry, tend to have a strong cyber security team with a professional team like a CERT/CSIRT (Cyber Security Incident Response Team), which means you will get to learn a lot of things there.

Reference : NIST , Seven categories in cyber security workforce

Review #4_Maintaining Access with Weevely

*Book Review, Penetration Testing with BackBox: Stefan Umit Uygur (Author)

Chapter 6 : Maintaining Access
This chapter describes how to make a backdoor to access the target easily later. Originally, a backdoor is used by engineers or administrators when they need quick access to the system for maintenance. From the hacker's point of view, a stealthy backdoor helps hackers maintain access, because sometimes a hacker loses his/her access to a target if parameters change or vulnerabilities are patched.

Weevely uses a snippet of PHP code to create a terminal on the target server and allow remote code execution via a PHP agent. I had some issues with weevely on my BackBox, so I used Kali Linux for weevely. I used two Kali Linux machines to test weevely. Kali#1 is the victim, which has DVWA set up as a web service. Kali#2 is the attacker, which will create the weevely code and put it on Kali#1 to run a backdoor.

First of all, Kali#2 (attacker) generates weevely.php in the /root/Desktop path with the password 'skyvenom' and moves this file to Kali#1 (victim); you can move the file via e-mail, upload, etc. I put the weevely.php file in the 'var/www/DVWA-master' folder.


Secondly, make sure the victim PC runs the web service well. In this case, set up DVWA, start the apache2 and mysql services, and type localhost or 127.0.0.1/DVWA-master/login.php in the browser. FYI, the victim's IP address is 192.168.247.132.


Thirdly, once you have set up the victim environment and placed the backdoor file (weevely.php) on the target server, come back to the attacker and type the victim's address and the backdoor PHP file with the password, like below. You will have successfully accessed the target machine after that.

Chapter 7 : Penetration Testing Methodologies with BackBox
This chapter is about penetration testing step by step, based on what we learned from the previous chapters:
1) Information gathering: collecting information about the target with 'host -a target.com', the whatweb command, and the 'whois target.com' command.
2) Scanning: getting more useful information like the OS environment, applications, services, etc. with Nmap (Zenmap, GUI) and OpenVAS to find vulnerabilities.
3) Exploitation: exploiting the vulnerability found in the previous step with MSF (Metasploit Framework)

Chapter 8 : Documentation and Reporting
Documentation and reporting, creating human-readable content, is also necessary. It's helpful for making a BCP/DRP plan, verifying important assets, or setting up security rules for the firewall and IPS. MagicTree is designed to allow data consolidation, external command execution and reporting.
