Web Exploitation

Web Exploitation challenges for Haaukins Platform.

Web Exploitation

This category includes all the challenges that provide a vulnerable website, from those that contain a bug to those that run an old version of a framework. Every challenge in this category requires the user to exploit a bug in order to gain some form of higher privilege.

Difficulty Levels

The difficulty scale is based on the number of steps required to solve the training challenge:

  • Very Easy: It requires just one step in order to get the flag
  • Easy: It requires one to two steps, depending on the challenge category
  • Medium: It requires two to three steps, depending on the challenge category
  • Hard: It requires three to four steps, depending on the challenge category
  • Very Hard: It requires several steps in order to get the flag

SQL Injections

SQL Injection

Points: 50 Difficulty: Medium

Learning Objectives:

  • Understand how an SQL attack is performed
  • SQL language and its syntax

Description: In this challenge, the HAAUKINS user is expected to use knowledge about web service communication. When accessing and logging into the website from challenge “1.3: Web server login”, the user should notice that the home screen includes a comments field. A posted comment is shown on the website page, which shows that database communication is active. After this realisation the user is expected to craft a malicious SQL query and exploit the comments field to access passwords from the users table of the database.

Prerequisite:

  • Understand the fundamentals of database communication (SQL)

SQL Users

Points: 26 Difficulty: Medium

Learning Objectives:

  • Learn a bit of the pen testing workflow (enumeration).
  • Learn the importance of sanitizing inputs during development.
  • Learn the basic idea of SQL injections

Description: Use SQL injection to bypass the password of the page's owner

Prerequisite:

  • Understand the fundamentals of database communication (SQL)

SQL Easy

Points: 18 Difficulty: Medium

Learning Objectives:

  • Understand how an SQL attack is performed
  • SQL language and its syntax

Description: In this exercise the user needs to find the place where the website is vulnerable to SQL injection and use it to change the credentials of the first user in the users table, then use those credentials to log in and find the flag.

Prerequisite:

  • Understand the fundamentals of database communication (SQL)

Micro CMS XSS, URL and robots

Points: 10-14-18 Difficulty: Very easy

Learning Objectives:

  • Learn how important it is to sanitize the data submitted through a form
  • Manage and modify the URL

Description: I have implemented a basic Content Management System (CMS) in which the user is presented with an interface where they can create and edit web pages. The main goal of this challenge is to let the user understand how XSS works and also how it is possible to retrieve data by manipulating the URL. In this challenge the user has to find three flags (the order doesn’t matter):

Prerequisite:

  • Know how Cross-Site Scripting (XSS) works

Heartbleed

Points: 16 Difficulty: Easy

Learning Objectives:

  • Gain confidence using the Metasploit framework
  • Understand that encrypted web traffic (HTTPS) can also be exploited

Description: In this challenge, the HAAUKINS user is expected to complete an attack abusing the famous Heartbleed Bug, a serious vulnerability in the popular OpenSSL cryptographic software library. This bug allows an attacker to access information otherwise protected by SSL/TLS encryption. The user is expected to gather information about conducting a Heartbleed attack from Google, and subsequently configure a Metasploit session to complete the exploit. The target host should be identified through an active network scan.

Prerequisite:

  • Fundamentals in Linux terminal
  • Knowing what Metasploit is and its capabilities

Exposed Logging Login Blogging

Points: 20 Difficulty: Easy

Learning Objectives:

  • Learning about the role of the robots.txt file on the web.
  • Learning about the danger of exposing sensitive data, such as logs, on a web site.
  • Learning how to crack MD5 hashes for other challenges.

Description: A log file containing weakly encrypted sensitive data is left exposed on a website, protected only by obscurity. Its location is revealed by the robots.txt file. Ultimately, the challenger can obtain a password by piecing together information from the log file. Logging in and posting on the blog reveals the flag.

Prerequisite:

  • Knowing that ‘/’ in URLs can be used to access different pages/resources on the same domain.
  • Ability to understand the basic relationship between a hash value and an original input.

Cross-Site Request Forgery

Points: 36 Difficulty: Medium

Learning Objectives:

  • Gain a basic understanding of web APIs

Description: In this challenge the user is expected to use knowledge about web service communication. After registering on the website, the user should figure out that the people in the chat click on every link that is sent. After realising this, the user should use knowledge about web APIs to craft a link that makes the other users send money in order to buy the flag.

Phishing

Convince visitation of URL

Points: 48 Difficulty: Medium

Learning Objectives:

  • Introduction to mail servers and protocols such as the Simple Mail Transfer Protocol (SMTP).
  • Mail clients and how to send emails through an SMTP server from a terminal.
  • Capturing POST requests

Description: Social engineering, including spear phishing emails, is very popular in the hacking community, because it’s a lot easier to hack a person than a computer. In this challenge the HAAUKINS user shall try to trick a person into visiting a website of the user's choice. In order to do that the user needs to know who to target; the first goal is to do some reconnaissance on the network and its websites. The next step is to send the target an email containing a URL. Haaukins is a closed environment, so the user will need to use a mail server running on the network. The participants can see various flags being exposed (through traffic analysis) as they conduct phishing against an email address listed on the web server.

Prerequisite:

  • It’s necessary to know how an SMTP server works and how to find services such as a web server and an SMTP server on a network (challenge 1.2).

Impersonate colleague

Points: 58 Difficulty: Medium

Learning Objectives:

  • Learn how to send a phishing email

Description: This is a phishing challenge in which the user shall try to trick a person into visiting a website of the user's choice. In order to do that the user has to find the destination email address by looking at the network and the website. To get the flag, the user should make the recipient believe that the email comes from the same domain.

Prerequisite:

Abuse Credentials

Points: 33 Difficulty: Easy

Learning Objectives:

  • Introduction to mail servers and protocols such as the Simple Mail Transfer Protocol
  • Set up a simple web server with a custom HTML page

Description: If you can get a person to visit your website, maybe you can get him to enter credentials and hand them over to you? In this challenge the user continues working on phishing, but will learn that it’s a lot more than just sending some emails to important people. He will need to trick them into handing over confidential information without raising suspicion. He can do this by cloning a website the victim trusts and tricking him into visiting it.

Prerequisite:

Hijack Domain

Points: 70 Difficulty: Very hard

Learning Objectives:

  • Learn how spoofing works
  • ARP Protocol

Description: This is a phishing challenge in which the user has to hijack the challenge domain. To get the flag, the user should redirect the traffic destined for the legitimate website to the Kali machine.

Prerequisite:

Cross-Site Scripting

Points: 55 Difficulty: Medium

Learning Objectives:

  • Learn how to gain unauthorized access on a website

Description: The challenge consists of two machines: a server and a client. The server hosts a website with a comment section that is vulnerable to JavaScript injection. The user has to use that section to steal the session cookie from the client, which visits the site from time to time. Once the cookie has been stolen, it can be used to gain access as that user and find the flag.

Prerequisite:

Unauthenticated Access

Points: 20 Difficulty: Hard

Learning Objectives:

  • Understand how HTTP headers work and how they can be manipulated in order to obtain remote code execution.

Description: The challenge provides the user with a website running an old version of Joomla. This CMS suffers from an unauthenticated remote code execution vulnerability that affects all versions from 1.5.0 to 3.4.5. This means any file on the server can be accessed by sending commands, so in order to get the flag from the server, users must search for it and then read it.

Prerequisite:

  • Knowledge about HTTP requests and headers
  • Familiarity with Metasploit modules

Remote Access

Points: 65 Difficulty: Very hard

Learning Objectives:

  • Know how to use cURL

Description: The challenge provides the user with a website running an old version of Webmin. Webmin is a web-based system administration interface for Unix. Using any modern web browser, it is possible to set up user accounts, Apache, DNS, file sharing and much more. This web-based interface suffers from an unauthenticated remote code execution vulnerability that affects version 1.920. The main goal of the challenge is to get the flag contained in a txt file by making requests either from the command line (i.e. curl) or with some Kali Linux tools.

Prerequisite:

  • Analyse Wireshark traffic
  • Know how to make an HTTP request from the command line

Bust-N-Crack

Points: 12-19 Difficulty: Medium

Learning Objectives:

  • Learn that it is important to configure a web server correctly and clean up old files
  • Learn how to crack a password-protected private SSH key

Description: This exercise contains a host running SSH and HTTP. The user will need to use dirbuster to find the directories exposed by the web server, and should then find a directory containing the first flag and an SSH key. The SSH key is protected by a password, which can be cracked using john the ripper. After finding the password, the key can be used to log in to the server.

Prerequisite:

  • Knowledge of john the ripper / password cracking
  • Knowledge of dirbuster

JWT

Points: 30 Difficulty: Medium

Learning Objectives:

  • Learn how to exploit JWT

Description: This challenge is based on JSON Web Tokens. The user just needs to log in to access the main page; any name can be used except admin. Once logged in, the network console of the browser shows a cookie called jwt. That cookie determines the user's session, so in order to solve the challenge a request with a different cookie value has to be sent.

Prerequisite:

  • Knowledge of JSON Web Token
  • Know how to crack a hashed password with Kali Linux
  • Knowledge of curl, Burp Suite or any other software that can forge HTTP requests.

Points: 48 Difficulty: Medium

Learning Objectives:

  • Learn how to exploit deeplinks.

Description: This challenge is based on Android intents, which allow other apps and the browser to link to specific screens in the app. The intent can be exploited to load something else in the app.

So, from a website, it is possible to call other functions inside the app.

Prerequisite:

  • Reverse an APK
  • Create a simple website
