Pen-testing challenge help
In this article I will try to explain how to complete the pen-testing challenge, hopefully with no or only very minor spoilers.
Before even thinking about this challenge, you should have finished the majority of the basic challenges, or have knowledge and understanding of basic web exploits, including:
- SQL injection
- JavaScript injection
- Include exploits
- Full path disclosure (http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm)
- XSS (besides a lot of HBH articles etc., http://www.steve.org.uk/Hacks/XSS/ helped a lot)
- Session poisoning (http://www.talkphp.com/general/1077-understanding-life-session.html)
- DoS (if you've got no idea what the hell this is, you can start here: http://en.wikipedia.org/wiki/Denial-of-service_attack)
Tools required: you shouldn't need any special tools. The only thing I used was Tamper Data, an add-on for Mozilla Firefox. It's also good to use Live HTTP Headers.
Objectives: this challenge should work as a confirmation of the skills you acquired either from the basic and realistic challenges or from other resources, and should test your ability not only to apply that knowledge, but also to find and identify where you can apply it (the ability to look for the exploits). The objectives are to find and exploit any possible vulnerabilities, compromise the security of the web site, and, among other things, get access to member/admin accounts.
For all the exploits, use as basic a syntax as possible!
Now to the actual challenge. You go to the pen-testing challenge, and there is the link to the web site, and also, wow, a username and password to log in. That's easy, but as you will find out later, it doesn't work, so don't really bother trying…
OK, so now we can start with the pen-testing itself. First off, you should start with observation: go through all the pages, check the source code, and look for any clues; maybe notes within the source, any input areas, variables passed in the URL, etc.
By now you should have identified at least the two most obvious possible exploits. For the first one, since you can't log in as a member, maybe you can do something else (if you don't know what, read the objectives, dumbass…). But what to input?! Maybe it uses some kind of common database, so what is the most common exploit for that?
The second exploit should be even more obvious; when you're browsing through the web site, it may be worth looking at how some of the files are accessed. Yeah, second exploit found (after exploiting those two, you should have 40 points). But it doesn't really work, since we don't get the page requested. Then I suppose it's a different type of exploit, so what did we actually get from exploiting it?
General advice: ALWAYS read the error messages, because they may include vital information. The content of the error message will help you finish one of the exploits (just by looking at it, even without knowledge of the code, you should get the idea of what it is about), which is covered later.
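As an added illustration of why that advice matters (this is example code, not the challenge site's own): a PHP page that includes a file named by a request parameter leaks its absolute filesystem path in the default warning whenever the file is missing, which is the full path disclosure this kind of error message hands you. The hardened version keeps that detail in the server log and sends the browser a generic message; the page whitelist and function names are my own assumptions.

```php
<?php
// Added example, not the challenge site's code: verbose PHP errors versus a
// hardened handler. The page whitelist and function names are assumptions.

// --- Leaky pattern: include driven by a request parameter ---
function render_page_leaky(string $page): void
{
    // If the file does not exist, PHP's default warning is rendered into the
    // response and contains the absolute path of this script, e.g.
    //   Warning: include(pages/xyz.php): Failed to open stream ... in /var/www/html/index.php on line 12
    include 'pages/' . $page . '.php';
}

// --- Hardened pattern ---
// 1. Never render raw error output to the browser; log it server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Turn warnings and notices into exceptions so they can be caught and
//    replaced with a neutral message rather than slipping into the HTML.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// 3. Resolve the requested page against a fixed whitelist instead of
//    trusting the parameter to name a file.
function render_page_safe(string $page): string
{
    $allowed = ['home', 'about', 'contact'];          // constructed whitelist
    if (!in_array($page, $allowed, true)) {
        return 'Page not found.';                     // no path, no filename
    }
    try {
        ob_start();
        include __DIR__ . '/pages/' . $page . '.php';
        return (string) ob_get_clean();
    } catch (ErrorException $e) {
        ob_end_clean();
        // Operators still get the full detail, in the log only.
        error_log($e->getMessage() . ' at ' . $e->getFile() . ':' . $e->getLine());
        return 'Page temporarily unavailable.';
    }
}

echo render_page_safe($_GET['p'] ?? 'home');
```

The whitelist is the real fix; the error handler and `display_errors` setting are defence in depth, so that an unrelated failure elsewhere on the site cannot reintroduce the same disclosure.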
Now that you've logged in as admin, something has changed: you have one more page available. And there you can find a lot of input fields, which can be submitted to the server. That's just perfect for what kind of exploit?! Let's try all the fields… Hmm, nothing happens, but wait, have you really tried ALL the input fields??
At this point you've finished the basic web exploiting, so now we can move to the more difficult part. For the DoS attack, it may seem there is nothing to exploit, but look again: maybe it could be an LFI exploit kind of like Realistic challenge 12 had, or it could be in some unexpected place, where you'd expect e.g. blind SQL injection to be more likely. Got it?! Good, now just look at what you input into it and think of the easiest way you could overflow it (how can you get an error on a calculator?).
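The calculator hint is really about unvalidated numeric input: an operand that is too long, malformed, or that pushes the result past what the server can represent turns into an error page or wasted CPU. As an added example (my own code, not the challenge site's), here is a small calculator handler that bounds operand length before parsing, whitelists operators, caps exponents, and refuses non-finite results, so the same inputs produce a clean rejection instead. Function names and limits are assumptions.

```php
<?php
// Added example, not the challenge site's code: a calculator endpoint that
// validates operands and bounds its work. Names and limits are assumptions.

final class CalcError extends RuntimeException {}

/**
 * Parse one operand: a plain decimal of limited length and magnitude.
 * The length cap runs before any numeric conversion, so a very long digit
 * string is refused without ever being parsed.
 */
function parse_operand(string $raw): float
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 32) {
        throw new CalcError('operand too long or empty');
    }
    if (!preg_match('/^-?\d{1,15}(\.\d{1,6})?$/', $raw)) {
        throw new CalcError('operand is not a plain decimal number');
    }
    return (float) $raw;
}

/** Evaluate one binary operation with a whitelisted operator. */
function calculate(string $a, string $op, string $b): float
{
    $x = parse_operand($a);
    $y = parse_operand($b);
    switch ($op) {
        case '+': $r = $x + $y; break;
        case '-': $r = $x - $y; break;
        case '*': $r = $x * $y; break;
        case '/':
            if ($y == 0.0) {
                throw new CalcError('division by zero');
            }
            $r = $x / $y;
            break;
        case '^':
            // Exponent bounded separately: 1e15 ** 1e15 would overflow to INF.
            if (abs($y) > 64) {
                throw new CalcError('exponent out of range');
            }
            $r = $x ** $y;
            break;
        default:
            throw new CalcError('unsupported operator');
    }
    // Any remaining overflow is refused instead of being rendered as INF/NAN.
    if (!is_finite($r)) {
        throw new CalcError('result out of range');
    }
    return $r;
}

// Handler: constructed request values; a real endpoint would read $_POST.
$request = ['a' => '12', 'op' => '*', 'b' => '3.5'];
try {
    printf("%s %s %s = %s\n", $request['a'], $request['op'], $request['b'],
        calculate($request['a'], $request['op'], $request['b']));
} catch (CalcError $e) {
    http_response_code(400);
    echo 'Invalid input: ', $e->getMessage(), "\n";   // no stack trace, no path
}
```

The order of the checks is the point: length, then format, then arithmetic range. Checking the result alone would still let an oversized request cost the server the parsing work before it is rejected.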
For the last exploit, get the error message and just 'follow' it. Here you are presented with the code which is used on the site to gain admin access (what the hell is the last bit of the URL of all the pages?!). If you have a little knowledge of PHP (how could you 'end' the session? Hint: with what you finish every line), session poisoning (http://google.com) and common sense, this exploit should be a piece of cake. To be more specific, you don't poison the session, you have to end it and set a new one, based on the code from the file from the error message. Again, use as simple a syntax for that as possible; some people overthink this, but as a matter of fact, the code you have to set your session to is given to you…
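The weakness behind this last step is that admin access is granted because the session carries a known code, so whoever can end the session and start a new one with that code is admin. As an added example (my own code, not the challenge site's), here is the contrast a defender would want: the unsafe check beside a version where the role is stored server-side only after a password login, the session ID is regenerated on that privilege change, and strict mode refuses IDs the server never issued. The user table, passwords and function names are constructed assumptions, and the `secure` cookie flag assumes an HTTPS deployment.

```php
<?php
// Added example, not the challenge site's code: binding the admin check to a
// server-side login instead of a client-settable session value. The user
// store, credentials and function names are constructed for the example.

// Strict session settings (assumption: served over HTTPS).
ini_set('session.use_strict_mode', '1');   // refuse session IDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed user store: the role lives on the server, never in a value
// the client can set.
$users = [
    'admin' => ['hash' => password_hash('correct horse battery', PASSWORD_DEFAULT), 'role' => 'admin'],
    'alice' => ['hash' => password_hash('alice-pass', PASSWORD_DEFAULT),            'role' => 'member'],
];

function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return false;
    }
    // Fresh ID on privilege change: a session fixed or observed before login is worthless.
    session_regenerate_id(true);
    $_SESSION = ['user' => $name, 'role' => $users[$name]['role'], 'login_at' => time()];
    return true;
}

function is_admin(): bool
{
    // Derived only from what login() stored; nothing from $_GET or $_COOKIE decides this.
    return ($_SESSION['role'] ?? '') === 'admin';
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Contrast: the anti-pattern the hint describes. Admin is granted because the
// session holds a known code, so the check is only as secret as the code.
function is_admin_by_code_unsafe(string $secret_code): bool
{
    return ($_SESSION['code'] ?? '') === $secret_code;
}

// Usage with the constructed credentials: a member logs in and is not admin.
var_dump(login($users, 'alice', 'alice-pass'), is_admin());
logout();
```

The two things that make `is_admin()` trustworthy are that the role is written only by `login()` after `password_verify()`, and that `session.use_strict_mode` plus `session_regenerate_id(true)` mean a visitor cannot choose or pre-seed the session the server will honour.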
If you can't find anything after this article, just do more research, learn more, and leave pen-testing for some time, until you have the necessary knowledge and abilities.
Sorry for not being clear and specific (some might say confusing :)) most of the time, but if I included any more spoilers (I still think there are too many, but I'll leave it like that) it would ruin the whole point of this challenge (for the same reason I don't go too much in depth and leave most of the thinking to the reader)… I also assume at least basic knowledge on the part of all readers, because I think this challenge is not for newbies. As this is my first article, I'd appreciate any comments/suggestions for improvement.
Lastly, sorry for any inconvenience due to repetition, bad grammar and also 'over-punctuation', which I tend to do a lot, although I tried to prevent as many errors as possible…
Thanks for reading, clone4
ghost 16 years ago
Feels a bit vague at some points, but since it's not supposed to reveal too much, there isn't much to do about it. That's why articles about challenges can only be so good. Generally, well done.
crashbird 16 years ago
Good job! Only wish I had got this earlier, before doing the missions. The problem with giving hints is that until you get it right it seems too little, and when you've got it, it seems to reveal a lot.
clone4 16 years ago
@COM: true, but I always prefer vague to spoiling… :)
@crashbird: yeah it was the biggest struggle to find the right amount of hints etc…
Anyway, I'm still thinking about editing the session part; I didn't put enough info there, but the problem is that once I give one more clue, it's obvious to everyone. I gotta think it through and maybe I'll edit it later today/tomorrow (otherwise I will just leave it like this ;))
SySTeM 16 years ago
There is no file inclusion exploit, it's a full path disclosure exploit… And the "session poisoning" exploit, isn't session poisoning at all, it's an exploit which manages to SET a session, not POISON an existing one.
clone4 16 years ago
@system: Wow, about the include exploit it's true, I always thought that the points are for 'including' something else, and the error message was a separate part of another exploit. You're right with the second point, I'll correct that as well.
Question: if I edit the article and submit it again, does it have to be reviewed again by the admins?
clone4 16 years ago
Article updated!! The 'include' mistake and session poisoning are corrected.
Thanks, system, for that comment; I hope you won't find more misleading info…
Uber0n 16 years ago
Well done clone4, it makes me happy to see a user who actually improves an article after it has been submitted :)
SySTeM 16 years ago
Nice work updating :) As Uber0n said, glad to see people who amend their work :) Very good article, nicely written, good job.