CTFs

BurpSuite Lab – DOM XSS in jQuery selector sink using a hashchange event

This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery's $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property. To solve the lab, deliver an exploit to the victim that calls the print() function in their browser. The affected code is: Go to the exploit server: Add the malicious iframe into the body: <iframe src="https://0a2e00cb036dbde4c0785e5d005a000a.web-security-academy.net/#" onload="this.src+='<img src=1 onerror=print()>'"></iframe> Based on the documentation found in the

BurpSuite Lab – DOM XSS in jQuery anchor `href` attribute sink using `location.search` source

This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library's $ selector function to find an anchor element, and changes its href attribute using data from location.search. To solve this lab, make the "back" link alert document.cookie. This is the Submit feedback functionality: If we check the URL, we can see a returnPath parameter: https://0a1a00e703f5826ec0b1405b007b002d.web-security-academy.net/feedback?returnPath=/ This parameter is used here: To modify the back link with the value of the

BurpAcademy Lab – DOM XSS in innerHTML sink using source location.search

This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search. To solve this lab, perform a cross-site scripting attack that calls the alert function. As we can see here, the innerHTML sink is used. Checking the BurpAcademy DOM-based cross-site scripting documentation: The innerHTML sink doesn't accept script elements on any modern browser, nor will svg onload events fire. This means you will need to use alternative elements

Burp Suite Academy lab – DOM XSS in document.write sink using source location.search

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL. To solve this lab, perform a cross-site scripting attack that calls the alert function. If we check the source code, we can see: as document.write() is what writes the query as part of an img tag, we

HTB Synced

Today we return with another of the very easy HTB boxes, trying to finish them all. $ nmap -v -p- 10.129.228.37 --min-rate 5000 The rsync port is 873/tcp. Let's see which version of rsync is being used: $ nmap -v -p873 -sV 10.129.228.37 --min-rate 5000 Another option: $ nc -vn 10.129.228.37 873 The rsync protocol is version 31. From Linux, we can interact with rsync using the rsync tool. $ rsync --help $

Burp Suite Academy lab – Stored XSS into HTML context with nothing encoded

This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the blog post is viewed. Access the lab: https://0a7900e404a806d2c000170700c90074.web-security-academy.net Solution: Click on the View post button: https://0a7900e404a806d2c000170700c90074.web-security-academy.net/post?postId=6 At the bottom of the page, there is a comments section where you can add a message. We can try to use the comment system to place our payload. Now access again

Burp Suite Academy lab – Reflected XSS into HTML context with nothing encoded

Today we start a new series of CTF lab solutions. In this case, we start by solving labs from the Burp Suite Academy at portswigger.net. Objective: This lab contains a simple reflected cross-site scripting vulnerability in the search functionality. To solve the lab, perform a cross-site scripting attack that calls the alert function. Solution: The lab's URL is always a random series of characters followed by the domain web-security-academy.net. In this case,

HTB Mongod

This is another of the Very Easy HTB Starting Point boxes. $ nmap -sV -p- 10.129.143.75 --min-rate 5000 As we can see in the Nmap results, we have MongoDB version 3.6.8. MongoDB is a NoSQL database. You can find more information in their documentation here: https://www.mongodb.com/docs To be able to interact with the database, we need to install the MongoDB package on our Kali Linux. It is included in the

HTB Tactics

$ nmap -v -Pn 10.129.251.21 We can see that the box has SMB enabled on port 445. SMB stands for Server Message Block. $ smbclient -L 10.129.251.21 If we don't add a -U parameter, the smbclient request will be performed using the current user. The only user we currently know the box will contain is Administrator, so we can use it. $ smbclient -L 10.129.251.21 -U Administrator $ smbclient

HTB Pennyworth

We continue with another very easy HTB box. $ nmap -p- 10.129.243.77 -sV --min-rate 5000 Here we have Jetty 9.4.39.v20210325. Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. https://www.eclipse.org/jetty/ If we go to http://10.129.243.77:8080, we'll be redirected to http://10.129.243.77:8080/login?from=%2F This is a Jenkins server. The leading open source automation server, Jenkins provides hundreds of plugins