Welcome, Guest: Join Nairaland / LOGIN! / Trending / Recent / New
Stats: 2,624,846 members, 6,120,701 topics. Date: Wednesday, 27 January 2021 at 01:17 AM

Hacker Ctf Challenge INFOSEC - Programming - Nairaland

Nairaland Forum / Science/Technology / Programming / Hacker Ctf Challenge INFOSEC (346 Views)

Hacker Ctf Challenge / What's Needed To Become An Ethical Hacker / Inspire To Be An HACKER? Come In Then.. (2) (3) (4)

(1) (Reply) (Go Down)

Hacker Ctf Challenge INFOSEC by nurain150(m): 1:14pm On Jul 21, 2020
coolSo hey guys few weeks ago i stumbled upon infosec ctf challenge.Infosec helped me a lot in knowing some tools have not got to know at the beginning of my pentesting career.I will take you through
CTF #2: Practical Web Hacking (new) ALL LEVELS I CAN SOLVE

1 Like

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 1:37pm On Jul 21, 2020
So as we can see the page it says XSS script valunrability.
Check more on what XSS is on

https://owasp.org/www-community/attacks/xss/
.
Okay so the page says the challenge is to make the page gives us an alert of Ex1.something not in the page logic.So what do we do next.In every ctf always check out the hints as it is very important.
We know see we have to get an alert box on the page saying ex1.
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 1:39pm On Jul 21, 2020

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 1:46pm On Jul 21, 2020
We could all see in the following hint that says
"You should disable the front end validation"
If you click the link to the excerise and try saving a link with a number or incorrect.It automatically tells us to correct the field.
Why because there is a validation on the client side as this is just a JavaScript posting back to the client side.This does not have anything to do with backend or server side so lucky we.Let try and use our 'INSPECT ELEMENT TOOL IN OUR BROWSER'.Right click the page to inspect in this case infosec page link above me.
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 1:47pm On Jul 21, 2020
-

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 1:57pm On Jul 21, 2020
My aim is to get an alert on the page .How do I do that?............Think about it....what language is used mostly for client side script . Of course it JavaScript embarassed.So check out the oswap js payload script for


XSS.https://owasp.org/www-community/xss-filter-evasion-cheatsheet.


Here you will see ton load ranging from simple XSS to complex ones that could bypass firewall.I love images so I opted for the image payload.

What a nice payload
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 1:58pm On Jul 21, 2020
I would have pasted the payload it seems kudos to seen for protecting nairaland with
Intrusion detection system.see the error I got why trying to post the payload

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 2:02pm On Jul 21, 2020
He blocked his site from this kind of attack lol.This forum is well protected similar to the CTF I am solving .CTF is like exam.it not real.But see an example of ethical hacking now.This real practice you are most likely to face what I faced Intrusion detection system will block you if you try any mess.Anyways we could get around this
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 2:21pm On Jul 21, 2020
So this is somewhat related to the CTF am solving inorder for you to see the payload I used we need to use what is called html on entities and special characters .So < becomes &gt; and so > becomes &lt; .And other special characters so when your browsers see that it does not execute it as part of the html page rather it displays it as a symbol.
So the payload I used is

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 2:34pm On Jul 21, 2020
EXPLANATION OF THE PAYLOAD
the img tag tries to load a page from x as a source using src which will result to an error as this is deliberately intended.so onerror which will definitely happen we have our alert xss accomplished.lol shocked
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 2:35pm On Jul 21, 2020
So back to where I stopped before trying to post and explain the payload.looking at each at each html attribute we could see that the form has been contained in the div container tag looking at the form source code action does nothing other than to echo what I posted in the text fields.
Looking label tag which contains 'site name' we could clearly see the restrictions placed on the input element.The following attribute are the problem cause which do not allow us to be able to get our payload in.
maxsize 10
pattern {A-Za-z}
.The maxsize limits the characters or word count in our input field to 10 .While the pattern makes sure no <> makes it in.
Rather than using html entities the CTF used pattern attribute .While on contary nairaland decides to pay for an intrusion detection system to do the work.So by deleting the maxsize and pattern attribute in inspect element with there values.We are able to pass in < or > sign that a good news for us as we would be able to pass up our payload

Re: Hacker Ctf Challenge INFOSEC by Runningwater(m): 2:39pm On Jul 21, 2020
I don't understand any damn it but I'm following cause I might catch up later

1 Like

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 2:50pm On Jul 21, 2020
Runningwater:
I don't understand any damn it but I'm following cause I might catch up later
please kindly wait till i finnish.and you cant understand if you dont have vast knowledge in html and js.

1 Like

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 3:03pm On Jul 21, 2020
On a contary we are now able to input > and < less than sides respectively.As you can see it get echoed back to our page each time we enter "Add link" button.

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 3:15pm On Jul 21, 2020
-As you can see the highlighted blue element in our page on inspect element.The CTF had encoded our payload with the html entities so it won't work.I have no control over that that as the script is not inducluded directly rather the JavaScript behind the 'Add Link' button was linked to the source.So sad our payload won't work let give up hope

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 3:20pm On Jul 21, 2020
Don't be too sad there is still hope to get our self xss payload to work.If you remember what I told you about html entities you would remember that &lt; also means < ,so by changing the entities &lt and &gt in the previous post to their corresponding html <> in the img tag as it is highlighted below.And saving it let see if that would work

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 3:40pm On Jul 21, 2020
#END OF LEVEL 1.
WE GOT THE XSS WORKING .....HURRAY HAPPY HACKING.

Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 3:48pm On Jul 21, 2020
#Post tutorial talk .
1.We could clearly see why the adage never trust a user input comes to play.Assuming those links where to be saved in a data base it would not work the way we have the CTF but it would be similar we would just have to bypass html special entities by changing the characters encoding from utf8 to utf7.That would have caused even the biggest tech companies tears.
2.We could see that this is a teaching apporach to solving CTF as I aim to help my begginers freinds LOL
NOTE:THIS IS A WALK THROUGH AND BOTH A TUTORIAL.SO THE USE OF FANCYING SECOND PERSON PRONOUN COMES TO PLAY.YOU CAN ASK QUESTIONS BELLOW BUT MAKE IT CONSTRUCTIVE.
I hear by invites ryan.fahey to go through this thread .THANKS TO YOU ALL
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 3:57pm On Jul 21, 2020
Collinz2
IceLip
ev4real
Re: Hacker Ctf Challenge INFOSEC by Collinz2(m): 6:07pm On Jul 21, 2020
I'd love to test it on my own but my fucking elder brother travelled with the only lappy i am using and now i am force to learn marine engineering. But that wont stop me from learning ethical hacking. Kodus to u bro keep it up.

Following.........
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 6:33pm On Jul 21, 2020
Collinz2:
I'd love to test it on my own but my fucking elder brother travelled with the only lappy i am using and now i am force to learn marine engineering. But that wont stop me from learning ethical hacking. Kodus to u bro keep it up.

Following.........
Lol bro
Re: Hacker Ctf Challenge INFOSEC by darkdenizen: 3:29am On Jul 22, 2020
nurain150:
Look at the hint.
http://ctf.infosecinstitute.com/ctf2/exercises/ex1.php.

The link you gave is giving a 404 error.

You can always test your hacking skills on bwapp
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 11:24am On Jul 22, 2020
darkdenizen:


The link you gave is giving a 404 error.

You can always test your hacking skills on bwapp
This is a CTF bro...not bwapp or mutilidae they are two different things
Re: Hacker Ctf Challenge INFOSEC by darkdenizen: 11:37pm On Jul 22, 2020
nurain150:

This is a CTF bro...not bwapp or mutilidae they are two different things

What's the difference cos I can't even view the site you posted
Re: Hacker Ctf Challenge INFOSEC by Runningwater(m): 7:17am On Jul 23, 2020
nurain150:

please kindly wait till i finnish.and you cant understand if you dont have vast knowledge in html and js.
I have knowledge in HTML and J's. Not just in depth
Re: Hacker Ctf Challenge INFOSEC by Runningwater(m): 10:48am On Jul 23, 2020
nurain150:

please kindly wait till i finnish.and you cant understand if you dont have vast knowledge in html and js.
Okay
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 1:06pm On Jul 23, 2020
darkdenizen:


What's the difference cos I can't even view the site you posted
Google could be of help sir.CTF is a challenge to run on live server ranging from sever to all client side vulnerability.Mutilidae are not CTF they don't award bounty.They don't take any other form of hacking other than web pentesting.Infact you shouldn't be asking me this.This is the least question I would have expected from you.As a vulnerability researcher
Re: Hacker Ctf Challenge INFOSEC by nurain150(m): 1:07pm On Jul 23, 2020
Runningwater:

I have knowledge in HTML and J's. Not just in depth
I fear then broad your knowledge until that this is a simple thing anway Self XS$.Just put more effort bro

(1) (Reply)

Python Automation Programmers Please Help! / A Remastered History Of Tony Hawk’s Pro Skater 1 & 2 Arrives This September / How Hiring An Offshore Development Team Works?

(Go Up)

Sections: politics (1) business autos (1) jobs (1) career education (1) romance computers phones travel sports fashion health
religion celebs tv-movies music-radio literature webmasters programming techmarket

Links: (1) (2) (3) (4) (5) (6) (7) (8) (9) (10)

Nairaland - Copyright © 2005 - 2021 Oluwaseun Osewa. All rights reserved. See How To Advertise. 88
Disclaimer: Every Nairaland member is solely responsible for anything that he/she posts or uploads on Nairaland.