Tryhackme-Web Hacking Fundamentals

Web Hacking Fundamentals

Web Fundamentals

task1 Introduction and objectives

1.Read and understand the information

task2 How do we load websites?

1.What request verb is used to retrieve page content?

get

2.What port do web servers normally listen on?

80

3.What’s responsible for making websites look fancy?

CSS

The actual content of a web page is usually a combination of HTML, CSS and JavaScript. HTML defines the structure and content of the page. CSS lets you change how the page looks, making it look fancy. JavaScript is a programming language that runs in the browser and lets you make the page interactive or load extra content.

task3 More HTTP - Verbs and request formats

1.What verb would be used for a login?

post

2.What verb would be used to see your bank balance once you’re logged in?

get

3.Does the body of a GET request matter? Yea/Nay

Nay

4.What’s the status code for “I’m a teapot”?

418

This is a joke RFC published by the IETF on April Fools' Day 1998; see RFC 2324 - Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0).
In HTCPCP/1.0, status 418 means: when a client asks a teapot to brew coffee, the teapot returns a 418 error status code, meaning "I'm a teapot".

5.What status code will you get if you need to authenticate to access some content, and you’re unauthenticated?

401

task4 Cookies, tasty!

1.Read and try and understand this information. Check out the link for extra information

task5 Mini CTF

1.What’s the GET flag?

thm{162520bec925bd7979e9ae65a725f99f}

curl http://10.10.103.59:8081/ctf/get

2.What’s the POST flag?

thm{3517c902e22def9c6e09b99a9040ba09}

curl -d flag_please http://10.10.103.59:8081/ctf/post

3.What’s the “Get a cookie” flag?

thm{91b1ac2606f36b935f465558213d7ebd}

Visit http://10.10.103.59:8081/ctf/getcookie in Firefox and inspect the browser's cookies.

4.What’s the “Set a cookie” flag?

thm{c10b5cb7546f359d19c747db2d0f47b3}

Edit the cookie for domain 10.10.103.59 so that both its name and value are flagpls, then visit http://10.10.103.59:8081/ctf/sendcookie;

Alternatively, in the previous question use curl -c cookie.txt http://10.10.103.59:8081/ctf/getcookie to save the cookie, edit the cookie name/value in the file to flagpls, then use curl -b cookie.txt http://10.10.103.59:8081/ctf/sendcookie to get the flag.

OWASP Top 10

task1 Introduction

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entity
  • Broken Access Control
  • Security Misconfiguration
  • Cross-site Scripting
  • Insecure Deserialization
  • Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

task2 Accessing machines

Connect to our network or deploy the AttackBox.

task3 [Severity 1] Injection

I’ve understood Injection attacks.

task4 [Severity 1] OS Command Injection

I’ve understood command injection.

task5 [Severity 1] Command Injection Practical

1.What strange text file is in the website root directory?

drpepper.txt

2.How many non-root/non-service/non-daemon users are there?

0

3.What user is this app running as?

www-data

4.What is the user’s shell set as?

usr/sbin/nologin

5.What version of Ubuntu is running?

18.04.4

6.Print out the MOTD. What favorite beverage is shown?

DR PEPPER

00-header – /etc/update-motd.d/00-header is the file that customises the SSH login welcome message on Ubuntu.

task6 [Severity 2] Broken Authentication

1.I’ve understood broken authentication mechanisms.

task7 [Severity 2] Broken Authentication Practical

1.What is the flag that you found in darren’s account?

fe86079416a21a3c99937fea8874b667

When registering, "darren" and " darren" (with a leading space) are treated as different accounts, but at login they are treated as the same account, which creates the logic flaw.

2.Now try to do the same trick and see if you can login as arthur.

3.What is the flag that you found in arthur’s account?

d9acof7db4fda460ac3edeb75d75e16e

task8 [Severity 3] Sensitive Data Exposure (Introduction)

Read the introduction to Sensitive Data Exposure and deploy the machine.

task9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)

Read and understand the supporting material on SQLite Databases.

task10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)

Read the supporting material about cracking hashes.

task11 [Severity 3] Sensitive Data Exposure (Challenge)

1.What is the name of the mentioned directory?

/assets

2.Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

webapp.db

3.Use the supporting material to access the sensitive data. What is the password hash of the admin user?

6eea9b7ef19179a06954edd0f6c05ceb

4.What is the admin’s plaintext password?

qwertyuiop

Online MD5 cracking service (md5 decrypt/encrypt site)

5.Login as the admin. What is the flag?

THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

task12 [Severity 4] XML External Entity

Deploy the machine attached to the task.

task13 [Severity 4] XML External Entity - eXtensible Markup Language

1.Full form of XML

eXtensible Markup Language

XML (eXtensible Markup Language)

2.Is it compulsory to have XML prolog in XML documents?

no

3.Can we validate XML documents against a schema?

yes

4.How can we specify XML version and encoding in XML document?

XML Prolog

task14 [Severity 4] XML External Entity - DTD

1.How do you define a new ELEMENT?

!ELEMENT

2.How do you define a ROOT element?

!DOCTYPE

3.How do you define a new ENTITY?

!ENTITY

!ELEMENT defines a new element; !DOCTYPE defines the root element; !ENTITY defines a new entity.

task15 [Severity 4] XML External Entity - XXE Payload

1.Try the payload mentioned in description on the website.

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
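Added example, not from the room or TryHackMe: a defensive wrapper that refuses the DOCTYPE the payload above depends on before Python's xml.etree ever sees the document. The payload and the clean document embedded below are constructed test inputs; the function and class names are my own.

```python
# Added example: reject any DTD up front, independent of which XML parser is used later.
import re
import xml.etree.ElementTree as ET

# XML requires the literal token <!DOCTYPE, so a byte search is enough once the
# input has been normalised to UTF-8 (decode UTF-16 or other encodings first).
DOCTYPE_RE = re.compile(rb"<!DOCTYPE")


class DtdNotAllowed(ValueError):
    """Raised for any document carrying a DTD, and therefore able to declare entities."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    # Without a DOCTYPE there is nowhere to write
    # <!ENTITY read SYSTEM 'file:///etc/passwd'>, so the payload cannot be expressed.
    # Python's own xml.etree does not fetch SYSTEM entities, but parsers such as
    # lxml with resolve_entities=True do; this check works regardless of parser.
    # A "<!DOCTYPE" string inside CDATA is rejected too: deny by default.
    if DOCTYPE_RE.search(data):
        raise DtdNotAllowed("DOCTYPE/DTD declarations are not accepted")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if parse_untrusted_xml refuses the document because it carries a DTD."""
    try:
        parse_untrusted_xml(data)
    except DtdNotAllowed:
        return True
    return False


# Constructed test inputs: the room's payload from the task above, and a
# harmless document of the same shape.
XXE_PAYLOAD = (b"<?xml version=\"1.0\"?>\n"
               b"<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>\n"
               b"<root>&read;</root>")
CLEAN_DOC = b"<?xml version=\"1.0\"?><root><name>falcon</name></root>"

if __name__ == "__main__":
    print("payload rejected:", is_rejected(XXE_PAYLOAD))
    print("clean doc rejected:", is_rejected(CLEAN_DOC))
```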

task16 [Severity 4] XML External Entity - Exploiting

1.Try to display your own name using any payload.

2.See if you can read the /etc/passwd

3.What is the name of the user in /etc/passwd

falcon

4.Where is falcon’s SSH key located?

/home/falcon/.ssh/id_rsa

5.What are the first 18 characters for falcon’s private key

MIIEogIBAAKCAQEA7b

task17 [Severity 5] Broken Access Control

Read and understand how broken access control works.

task18 [Severity 5] Broken Access Control (IDOR Challenge)

1.Read and understand how IDOR works.

2.Deploy the machine and go to http://MACHINE_IP - Login with the username being noot and the password test1234.

3.Look at other users notes. What is the flag?

flag{fivefourthree}

task19 [Severity 6] Security Misconfiguration

1.Deploy the VM

2.Hack into the webapp, and find the flag!

thm{4b9513968fd564a87b28aa1f9d672e17}

(https://github.com/NinjaJc01/PensiveNotes)

task20 [Severity 7] Cross-site Scripting

1.Deploy the VM

2.Navigate to http://10.10.131.49/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.

ThereIsMoreToXSSThanYouThink

3.On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

ReflectiveXss4TheWin

<script>alert(window.location.hostname)</script>

4.Now navigate to http://10.10.131.49/ in your browser and click on the “Stored XSS” tab on the navbar; make an account.

Then add a comment and see if you can insert some of your own HTML.

HTML_T4gs

5.On the same page, create an alert popup box appear on the page with your document cookies.

W3LL_D0N3_LVL2

<script>alert(document.cookie)</script>

6.Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.

websites_can_be_easily_defaced_with_xss

<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>

task21 [Severity 8] Insecure Deserialization

1.Who developed the Tomcat application?

Apache Software Foundation

2.What type of attack that crashes services can be performed with insecure deserialization?

Denial of Service

Deserialization vulnerabilities can lead to DoS (Denial of Service) and RCE (Remote Code Execution).

task22 [Severity 8] Insecure Deserialization - Objects

if a dog was sleeping, would this be:

A) A State
B) A Behaviour

A Behaviour

task23 [Severity 8] Insecure Deserialization - Deserialization

What is the name of the base-2 formatting that data is sent across a network as?

binary

task24 [Severity 8] Insecure Deserialization - Cookies

1.If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

webapp.com/login

2.What is the acronym for the web technology that Secure cookies work over?

https

The Secure attribute means the cookie is only sent over HTTPS connections; HttpOnly prevents JavaScript from reading the cookie.
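Added example, not from the room: a Python check that parses a Set-Cookie header and reports which of the attributes just described are missing (plus SameSite and the __Host- prefix rules). The two header values are constructed, and the function names are my own.

```python
# Added example: audit one Set-Cookie header value for the protections described above.
# Secure -> only sent over HTTPS; HttpOnly -> not readable from document.cookie
# (which is exactly what the stored-XSS payload on this page reads);
# SameSite -> not attached to cross-site requests.

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


HOST_PREFIX_MSG = "__Host- prefix requires Secure, Path=/ and no Domain"


def audit_set_cookie(header: str) -> list:
    """Return a list of findings for the cookie; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: JavaScript can read it via document.cookie")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    if cookie["name"].startswith("__Host-") and (
            "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs):
        findings.append(HOST_PREFIX_MSG)
    return findings


# Constructed sample headers (not captured from the room's machine)
WEAK_COOKIE = "session=dXNlcj1ub290; Path=/"
HARDENED_COOKIE = "session=dXNlcj1ub290; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        print(header)
        for finding in audit_set_cookie(header) or ["ok"]:
            print("  -", finding)
```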

task25 [Severity 8] Insecure Deserialization - Cookies Practical

1.1st flag (cookie value)

THM{good_old_base64_huh}

2.2nd flag (admin dashboard)

THM{heres_the_admin_flag}

task26 [Severity 8] Insecure Deserialization - Code Execution

flag.txt

Run the modified Python script obtained from GitHub to get the base64-encoded reverse shell payload, write it into the encodepayload cookie and send the request.

4a69a7ff9fd68

task27 [Severity 9] Components With Known Vulnerabilities - Intro

Read above.

task28 [Severity 9] Components With Known Vulnerabilities - Exploit

Read the above!

task29 [Severity 9] Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

Click Admin Login at the bottom right of the home page to reach the login page; the universal password %' or '1'='1 gets into the admin panel. The add-book feature in the admin panel has an arbitrary file upload vulnerability: upload a small web shell, go back to the site, open the newly added book, and the reverse shell connects.

1611

task30 [Severity 10] Insufficient Logging and Monitoring

1.What IP address is the attacker using?

49.99.13.16

2.What kind of attack is being carried out?

Brute Force

task31 What Next?

Read the above!

OWASP Juice Shop

task1 Open for business!

1.Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.

2.Once the machine has loaded, access it by copying and pasting its IP into your browser; if you’re using the browser-based machine, paste the machines IP into a browser on that machine.

task2 Let’s go on an adventure!

1.Question #1: What’s the Administrator’s email address?

The reviews show each user’s email address. Which, by clicking on the Apple Juice product, shows us the Admin email!

admin@juice-sh.op

2.We can now see the search parameter after /#/search?: the letter q

q

3.If we google “replicator” we will get the results indicating that it is from a TV show called Star Trek

Star Trek

task 3 Inject the juice

1.Question #1: Log into the administrator account!

32a5e0f21372bcc1000a6088b93b458e41f0e02a

Log in with a universal password; payload: 1' or '1'='1'--

2.Question #2: Log into the Bender account!

fb364762a3c102b2db932069c0e6b78e738d4066

Again using a universal password; payload: bender@juice-sh.op'--
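Added example, not Juice Shop's own code: a Python script with an in-memory SQLite table showing why the two login payloads above succeed against string-built SQL and why a parameterised query stops them. The table rows and the password hashes are constructed placeholders; the function names are my own.

```python
# Added example: the login query built by string concatenation beside the fixed version.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed Users table; the hash values are placeholders, not real ones."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER, email TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", [
        (1, "admin@juice-sh.op", "HASH_ADMIN_PLACEHOLDER", "admin"),
        (2, "bender@juice-sh.op", "HASH_BENDER_PLACEHOLDER", "customer"),
    ])
    return con


def login_vulnerable(con, email: str, password: str):
    # The email is pasted into the SQL text. A quote in it closes the literal,
    # and -- comments out the password comparison, so the hash check (md5 in
    # the real app, plain here) never runs. Returns the matched email or None.
    sql = (f"SELECT email FROM Users WHERE email = '{email}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, email: str, password: str):
    # Bound parameters: the same payload is compared as data, never parsed as SQL.
    sql = "SELECT email FROM Users WHERE email = ? AND password = ?"
    row = con.execute(sql, (email, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("1' or '1'='1'--", "bender@juice-sh.op'--"):
        print(repr(payload),
              "vulnerable ->", login_vulnerable(db, payload, "anything"),
              "| fixed ->", login_fixed(db, payload, "anything"))
```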

task 4 Who broke my lock?!

1.Question #1: Bruteforce the Administrator account’s password!

c2110d06dc6f81c67cd8099ff0ba601241f1ac0e

Brute-forcing the password of the admin@juice-sh.op account gives admin123.

2.Question #2: Reset Jim’s password!

094fbc9b48e525150ba97d05b942bbf114987257

The security question is the brother's middle name. From the previous question, Jim is related to Star Trek, and his brother is George Samuel Kirk.

task 5 AH! Don’t look!

1.Question #1: Access the Confidential Document!

edf9281222395a1c5fee9b89e32175f1ccf50c5b

Click the About Us link http://10.10.164.205/ftp/legal.md; this leads to the ftp directory, where many files are visible.

2.Question #2: Log into MC SafeSearch’s account!

Searching for MC SafeSearch turns up a video on YouTube revealing that his password is "Mr. Noodles", but with "vowels into zeros" (the vowels replaced by 0), so the password is Mr.N00dles.

3.Question #3: Download the Backup file!

Downloading package.json.bak from the ftp directory gives an error saying only md and pdf files may be downloaded; use %00 truncation to download the file.

task6 Who’s flying this thing?

1.Question #1: Access the administration page!

946a799363226a24822008503f5d1324536629a0

Visiting the admin panel directly returns a 403 error; you need to be logged in as the administrator to access it.

2.Question #2: View another user’s shopping basket!

41b997a36cc33fbe4f0ba018474e19ae5ce52121

Use Burp to intercept the request to the basket URL http://10.10.164.205/rest/basket/1; the 1 is the user ID, and changing it to another user's ID gives horizontal privilege escalation access to their basket.

3.Question #3: Remove all 5-star reviews!

50c97bcce0b895e446d61c83a21df371ac2266ef

Log in to the admin page and delete the 5-star reviews on the right.

task 7 Where did that come from?

1.Question #1: Perform a DOM XSS!

9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf

Enter the payload <iframe src="javascript:alert(xss)"> in the search box.

2.Question #2: Perform a persistent XSS!

149aa8ce13d7a4a8a931472308e269c94dc5f156

The True-Client-IP value in the request is not filtered.

3.Question #3: Perform a reflected XSS!

23cefee1527bde039295b2616eeb29e1edc660a0

The id parameter of the URL http://10.10.164.205/#/track-result?id=5267-d156f507ae884e75 is shown on the page without filtering; replace the id parameter with the payload and request it to get the popup (Firefox recommended).

task 8 Exploration!

Access the /#/score-board/ page

7efd3174f9dd5baa03a7882027f2824d2f72d86e

/score-board is the score board page.

Reference: Juice-Shop lab walkthrough

Pickle Rick

Task1 Pickle Rick

1.What is the first ingredient Rick needs?

Looking at the page source, a comment reveals the username R1ckRul3s.

Directory enumeration of the site finds login.php and robots.txt; the content of robots.txt is Wubbalubbadubdub, presumably the password.

After logging in there is a command execution page: whoami shows the account is www-data, ls -a lists the files in the directory, and Sup3rS3cretPickl3Ingred.txt gives the first ingredient, mr. meeseek hair.

2.Whats the second ingredient Rick needs?

Use the ; character on the Commands page to run several commands at once; since cat cannot be used, use less instead. The second ingredients file is found in the /home/rick directory.

jerry tear

3.Whats the final ingredient Rick needs?

Running sudo -l shows that the command box can run sudo without a password; sudo ls /root lists the root directory and reveals 3rd.txt, and reading that file gives the third ingredient.

fleeb juice
