This module is all about hacking websites!



Challenges

Challenge Description

Everyone has been ranting and raving about how cool this new club is, but it's so exclusive that nobody can seem to get in to figure out what it's all about. There's a rumor going around that the passphrase is sitting somewhere on their webpage -- can you find it?

Challenge Steps

  1. Navigate to the /challenge directory with the command cd /challenge
  2. Run ./verify
  3. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  4. Try to find the password!

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Challenge Description

The Swiss Army Button does EVERYTHING. I mean everything. It's actually crazy. Once I found this thing I quit my job and snapped my phone in half, don't need 'em anymore. The only thing I can't figure out is how to use the "flag" feature....

Challenge Steps

  1. Navigate to the /challenge directory with the command cd /challenge
  2. Run ./verify
  3. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  4. Use the Swiss Army Button to get the flag!

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Challenge Description

I love browsing YeeBay to find deals on lightly used items I didn't know I needed. My friend's mom's cousin's son told me you knew a secret way to get admin permissions on the page, can you help me find it?

Challenge Steps

  1. Navigate to the /challenge directory with the command cd /challenge
  2. Run ./verify
  3. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  4. Get admin on YeeBay!

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Am I Admin?

Frequently, cookies are used to identify users and their access levels to applications. However, developers must remember that users can modify anything sent to their system. Can you become an admin in this example app?

To start the challenge:

  1. Run the web application by running /challenge/app.py
  2. Open a web browser and browse to http://127.0.0.1:5000

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Am I Admin 2?

Well, well, well. You figured out how to become an admin. In this new version of our app, we made it so you can't just change it to anything to get in. We're definitely safe now.

(HINT: take a look at the python code!)
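The two "Am I Admin?" challenges above turn on the same point: anything the server reads back out of a cookie was last touched by the client. The following is an added example (not code from the challenge apps) that contrasts three ways a server might recover a user's role from a cookie. The first two trust the client outright, one in the clear and one behind base64; the third attaches an HMAC tag under a server-side secret, so a cookie whose payload has been edited no longer verifies. `SERVER_KEY` and every function name here are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side secret. It stays on the server; the client never sees it.
SERVER_KEY = secrets.token_bytes(32)


def role_from_plain_cookie(cookie_value):
    """Version 1: the cookie carries the role in the clear, so the client decides it."""
    return cookie_value


def client_encodes(role):
    """What any client can do against version 2: produce the 'encoded' form of any role."""
    return base64.b64encode(role.encode()).decode()


def role_from_encoded_cookie(cookie_value):
    """Version 2: base64 is encoding, not authentication; the value is still client-controlled."""
    return base64.b64decode(cookie_value.encode()).decode()


def make_signed_cookie(role, key=SERVER_KEY):
    """Version 3: payload plus an HMAC-SHA256 tag computed with the server secret."""
    payload = base64.urlsafe_b64encode(json.dumps({"role": role}).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def role_from_signed_cookie(cookie_value, key=SERVER_KEY):
    """Recompute the tag and reject the cookie unless it matches (constant-time compare)."""
    if "." not in cookie_value:
        return None
    payload, tag = cookie_value.rsplit(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))["role"]
    except (ValueError, KeyError):
        return None


def tamper_signed_cookie(cookie_value, new_role):
    """Model a client editing the payload while keeping the old tag (it has no key to re-sign)."""
    _, tag = cookie_value.rsplit(".", 1)
    payload = base64.urlsafe_b64encode(json.dumps({"role": new_role}).encode()).decode()
    return payload + "." + tag


if __name__ == "__main__":
    print("plain:  ", role_from_plain_cookie("admin"))
    print("encoded:", role_from_encoded_cookie(client_encodes("admin")))
    cookie = make_signed_cookie("user")
    print("signed: ", role_from_signed_cookie(cookie))
    print("forged: ", role_from_signed_cookie(tamper_signed_cookie(cookie, "admin")))
```

The signed variant is the shape of a framework session cookie (Flask's `session` works this way under `SECRET_KEY`). It is only as strong as the secret: a hash or encoding that any client can recompute, or a key that can be guessed, gives the same result as version 2. Keeping the role in a server-side session store, with only an opaque session id in the cookie, avoids the question entirely.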

To start the challenge:

  1. Run the web application by running /challenge/app.py
  2. Open a web browser and browse to http://127.0.0.1:5000

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Forceful Browsing

Security by obscurity is sometimes used to hide resources. In this case, a few pages of this site aren't immediately visible, can you find them?

To start the challenge:

  1. Run the web application by running /challenge/app.py
  2. Open a web browser and browse to http://127.0.0.1:5000

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Challenge Description

For this one I'll just give you the flag. All you have to do is ask nicely.

How It Works:

This challenge serves as an intro to PortSwigger's Burp Suite tool. Burp is a web hacking tool with many features, such as:

  • The ability to intercept and modify HTTP requests/responses
  • Automated site mapping/crawling
  • Features for fuzzing request parameters, attack payloads, etc.
  • Compatibility with additional extensions

The machine given has already been set up with a browser configured to use Burp. Normally, you would need to go into the browser's proxy settings and set up a proxy for 127.0.0.1:8080 to direct traffic through the tool. As stated before, this has already been done for you!

First, get the challenge page running via /challenge/verify. Afterwards, open a new terminal tab/window and launch Burp with the command /challenge/burp.sh. Click the default selections (highlighted in orange) until you get to the main Burp menu. Then, click on the Proxy tab. You won't need to leave this tab to complete the challenge.

Turn on Intercept in the top left -- this catches each request and response sent from/to your browser and holds it in Burp until you forward it manually. Before forwarding, you can modify it as well: simply edit the text of the request inside Burp, then forward it. If you just want to navigate the web without forwarding every request, turn Intercept off. Note that messages can still be seen in the "HTTP History" sub-tab of Proxy.

With Burp running, you now have all the required knowledge to open and complete the challenge at 127.0.0.1:5000! Note that you will need to open the browser the normal way -- the "Open Browser" button in Burp doesn't work in this environment.

Challenge Steps

  1. Start the challenge and use the "GUI Desktop Workspace" option
  2. Navigate to the /challenge directory
  3. Run ./verify
  4. Open a new terminal tab/window and open Burp with ./burp.sh
  5. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  6. Use Burp to obtain the flag!

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Challenge Description

We know the page is insecure to XSS, but it shouldn't matter since it's so annoying to figure out which spot the vulnerability is in.

How It Works:

Now that you have a basic knowledge of Burp, let's take a look at the Intruder tool.

After getting Burp and the challenge page up and running (via /challenge/burp.sh and /challenge/verify), navigate to the page at 127.0.0.1:5000 and test out the form.

After sending a request to the tryXSS endpoint, you can view it in Burp via the Proxy->HTTP History window or in the Target window. Right click on the request and hit Send to Intruder. Afterwards, the Intruder tab should be highlighted -- after clicking on it, you'll be able to see the same request.

BurpSuite's Intruder tool is meant to automate testing of payloads within different locations of a request. While configuring Intruder, the §§ symbols that can be added via the buttons signify where payloads will be placed. There are a few different types of attacks that can be set as well -- Sniper is the default, and Burp has straightforward explanations of each one built into the dropdown menu.

Payloads can be configured in the right-hand side of the Intruder page. For this challenge, a simple payload list has been given. You can find it at /challenge/payloads.

After starting the attack, Burp will notify you that the Community edition is limited, then provide a window with information about each request and response. After the attack is complete, you can try to find requests that triggered vulnerabilities by sorting through the response lengths and looking for abnormalities. Be careful when submitting your answer for the challenge -- any incorrect answer will shuffle the vulnerability around, requiring you to run the attack again!

Challenge Steps

  1. Start the challenge and use the "GUI Desktop Workspace" option
  2. Navigate to the /challenge directory
  3. Run ./verify
  4. Open a new terminal tab/window and open Burp with ./burp.sh
  5. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  6. Use Burp to obtain the flag!

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Challenge Description

YOU'LL NEVER FIND THE FLAG IN MY WEB OF SPIDERS!!!!! AHAHAHAHAHAA

How It Works:

For this challenge you'll be using a slightly older version of Burp because it has some useful web crawling capabilities that moved to Professional edition in newer versions. The general idea of how the Burp UI works is the same -- it will just look slightly different.

After getting Burp and the challenge page up and running (via /challenge/burp.sh and /challenge/verify), navigate to the page at 127.0.0.1:5000.

This challenge will require you to use the Spider tool to automatically map out all of the links of the site. While there is a tab for Spider on Burp, the simplest way to use the tool is to open the challenge homepage, then right click on it in the Burp sitemap from the "Target" tab and click "spider this host".

Newer versions of Burp Community only support passive crawling, which is why we are using an older version.

Challenge Steps

  1. Start the challenge and use the "GUI Desktop Workspace" option
  2. Navigate to the /challenge directory
  3. Run ./verify
  4. Open a new terminal tab/window and open Burp with ./burp.sh
  5. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  6. Use Burp to obtain the flag!

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Challenge Description

Unpopular opinion: Mr. Moneybags has too much money. Can you use the feedback form to convince him to donate to charity?

How It Works:

CSRF Vulnerabilities

Cross-Site Request Forgery (CSRF) vulnerabilities involve forcing a user to make a request from their browser that results in unwanted actions and may bypass same-origin security policies. They often occur as a consequence of the sole use of session tokens to check which user is accessing an endpoint. CSRF payloads can be triggered in many ways, from phishing links to XSS payloads that redirect to the vulnerable endpoint. A simple example of a CSRF vulnerability could be an endpoint like http://example.com/deleteAccount?auto-confirm=true that only validates the user based on a session cookie. An XSS payload redirecting to that URL would cause any logged-in user to delete their account if triggered on their machine.

(Note: POST requests can also be vulnerable to CSRF, but they might require slightly more complex payloads to trigger!)
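As an added example (not code from the challenge), here is the deleteAccount endpoint from the description modelled twice: once as described, trusting the session cookie alone, and once hardened with the standard synchronizer-token check, which requires a POST carrying a per-session token that only the site's own pages could have embedded. Requests are plain dicts with the fields the check needs; the session id, `SERVER_KEY` and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server secret used to derive per-session anti-CSRF tokens.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id, key=SERVER_KEY):
    """Token the site embeds in its own forms; bound to the session so it can't be reused."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def delete_account_vulnerable(request):
    """The endpoint as described: any request carrying a session cookie is trusted."""
    if "session" not in request["cookies"]:
        return 401, "not logged in"
    if request["params"].get("auto-confirm") == "true":
        return 200, "account deleted"
    return 200, "confirmation page"


def delete_account_hardened(request, key=SERVER_KEY):
    """State changes require POST plus a token matching the one issued for this session."""
    if request["method"] != "POST":
        return 405, "state change must be a POST"
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id, key)):
        return 403, "missing or invalid CSRF token"
    return 200, "account deleted"


def own_form_submission(session_id):
    """Constructed request: the browser submits the site's own form, token included."""
    return {"method": "POST",
            "cookies": {"session": session_id},
            "params": {"auto-confirm": "true", "csrf_token": issue_csrf_token(session_id)}}


def cross_site_get(session_id):
    """Constructed request: a link or redirect from another origin. The browser attaches
    the cookie automatically, but the other origin never saw the token."""
    return {"method": "GET",
            "cookies": {"session": session_id},
            "params": {"auto-confirm": "true"}}


def cross_site_post(session_id):
    """Constructed request: a form submitted from another origin; cookie present, no token."""
    return {"method": "POST",
            "cookies": {"session": session_id},
            "params": {"auto-confirm": "true"}}


if __name__ == "__main__":
    sid = "constructed-session-id"
    print("vulnerable, cross-site GET:", delete_account_vulnerable(cross_site_get(sid)))
    print("hardened, cross-site GET:  ", delete_account_hardened(cross_site_get(sid)))
    print("hardened, cross-site POST: ", delete_account_hardened(cross_site_post(sid)))
    print("hardened, own form:        ", delete_account_hardened(own_form_submission(sid)))
```

The token check is what closes the gap the note above points at: moving the action to POST alone does not help, since a form on another origin can still POST with the user's cookie attached. Setting the session cookie with `SameSite=Lax` or `SameSite=Strict`, and checking the `Origin` header on state-changing requests, are complementary defences that do not replace the token.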

Challenge Steps

  1. Start the challenge and use the "GUI Desktop Workspace" option
  2. Navigate to the /challenge directory
  3. Run ./verify and ./run-moneybags
  4. Open the web browser and navigate to http://127.0.0.1:5000 by typing it into the URL bar. This is the page for the feedback form.
  5. Open the web browser and navigate to http://127.0.0.1:5555 by typing it into the URL bar. This is the page Moneybags uses for banking and checking feedback.
  6. The flag will be given at http://127.0.0.1:5555/ once Moneybags has donated all his money to charity.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Challenge Description

XML is hard, so we made a little site to fix your syntax errors! Luckily we don't have to worry much about security since they're just silly little XML tags :)

Notes

The code running this challenge does not have a print_flag() function, you'll have to use a vulnerability in the site to retrieve it yourself! The file is located at /flag.

Additionally, note that nano is installed for use as a text editor in the console.

Challenge Steps

  1. Navigate to the /challenge directory with the command cd /challenge
  2. Run ./verify
  3. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  4. Retrieve the flag!

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Challenge Description

YeeBay has received a much needed update! The "funny trick" to login as admin no longer works, and they found a way to speed up some search times as well. I think everything is safe now. For sure.

Challenge Steps

  1. Start the challenge and use the "GUI Desktop Workspace" option
  2. Navigate to the /challenge directory
  3. Run ./verify and ./victim
  4. Open the web browser and navigate to http://127.0.0.1:5000 by typing it into the URL bar. This is the YeeBay page.
  5. Open the web browser and navigate to http://127.0.0.1:5555 by typing it into the URL bar. This page can be used to simulate a random user performing a search.
  6. Find a way to get the flag! There is some additional info on the "victim" page.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]
