
245 CTF: Requests:

Useragents

Download and run the Alpine245 vm.

alt text "Alpine245 vm running"

Connect to the address and go to the requests: user agents challenge.

alt text "Main Page: Useragents"

Challenge Notes:

  • This challenge says that we have full control of the headers sent to the server.
  • Therefore we are able to modify them to change the behaviour of the site.
  • We must meet the criteria of making a POST request that uses the l33t Hax0r user agent.

I am using Firefox for this challenge; other browsers should have similar tools available.

Challenge start:

  • Open the web developer panel in the options menu in the browser. Then open Inspector.
  • This can be done using <Ctrl+Shift+C>.

alt text "Open inspector"

Once you are in the Inspector, open the Network tab and send a request using the input field.

alt text "Network tab"

From the four listed network interactions, we want the one that contains the GET request with our parameters. This can be seen using the "Domain" and "File" columns.

Right click on the domain column/selected row and press "edit and resend".

alt text "edit and resend, initial window"

This window shows us the header information as well as the query strings we sent off with it.

Examination of HTTP Header.

  • Host = IP Address and TCP Port of server being accessed.
  • User-agent = Allows the network protocol peers to identify the application type, OS, and software vendor/version of the requesting software user agent.
  • Accept = Informs the server about the types of data that can be sent back.
  • Accept-language = Informs the server about the human language the server is expected to send back.
  • Accept-encoding = Indicates which encoding algorithms (usually compression ones) can be used on the resources sent back.
  • Connection = Controls whether the network connection stays open after the current transaction finishes.
  • Referer = The address of the previous webpage, where you accessed the currently requested page link.
  • Cookie = Contains stored HTTP cookies previously sent by the server with the Set-Cookie header.
  • Upgrade-insecure-requests = Sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests directive.

LINK TO INFORMATION REFERENCE: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

We need to modify the Method to POST, and the user agent to l33t Hax0r.

alt text "modified request"

Once we have sent this off, we can double click the new request to see the information. Move to the Response tab, then scroll down to see the flag.

alt text "flag"


245 CTF - Sessions state 1

Example 1

Download and run the Alpine245 vm.

alt text "Alpine245 vm running"

Connect to the address and go to the sessions tab: state1 challenge.

alt text "Main Page: State1"

Challenge notes:

  • HTTP is stateless, we need a way of storing state.
  • In this example the devs are storing data in a particularly bad way.
  • Pay attention to the form, and request data being sent to server
  • Become admin

To begin with:

  • open up your dev console as shown in the User agent walkthrough.
  • Go to network tab and send a request.

alt text "Sessions, request sent"

Once you've done this, double click our main GET request (NOT the css, js or .ico requests). When you are viewing the headers there are a few things to note:

  • The Referer header contains the data: it holds the address of the page we came from, so the values are carried along in the request we send.
  • You can see user=user and admin=0; we can deduce from the response that admin=0 means not admin.
  • In this example, data is stored in the query string

Right click on the request and go to 'edit and resend'

alt text "edit and resend, sessions"

Here we can alter the admin field to be '1' and view the response.

alt text "Flag"

We have a flag (bottom right).

Example 2

Begin by going to the 'state 2' tab on the practice column. Send off some data like you did before, and make sure you have your dev console open.

You should notice that it is a POST request this time, meaning that we can POST form data to the site.

alt text "State 2 request data"

You will notice that the query string is no longer holding the data. This time it is done through form data, which is shown under the referer section.

Right click on the POST request and edit and resend like before. Next you need to change the request body, which contains the data. Set admin to 1 and send it off.

alt text "Sessions 2 flag"

We have a flag.

Cookies

Go to the 'cookies' tab on the practice column. Insert some data and view it in the network tab of the developer console.

This time round you will notice that the cookies are being set in the response headers. Admin is set to false.

alt text "Cookies reponse headers"

Let's edit and resend and see what data we are able to manipulate.

alt text "Changing the cookies"

I have changed the admin=False to admin=True. Send that off and view the response.

alt text "Flag cookies"

We have a flag

What to take away:

  • We are able to manipulate the pages we see by modifying the headers and methods we send off
  • Cookies are used to store the state of a page.
  • Make sure you store authentication data in safe ways.
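
One way to act on the last takeaway, as an added example that is not the challenge's own code: the first check trusts the client-supplied `admin` cookie exactly as the cookies challenge does, and the second binds the cookie values to a server-held key with an HMAC so an edited value is rejected. The function names, the `sig` cookie and `SERVER_KEY` are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key for this example; a real service loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)


def naive_is_admin(cookies):
    """The challenge's pattern: believe whatever the client sent."""
    return cookies.get("admin") == "True"


def _tag(user, admin):
    # JSON-encode the fields so their boundaries cannot be shifted.
    payload = json.dumps([user, admin]).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_state(user, admin):
    """Return cookies whose values are bound together by an HMAC tag."""
    value = "True" if admin else "False"
    return {"user": user, "admin": value, "sig": _tag(user, value)}


def verified_is_admin(cookies):
    """Recompute the tag over the received values; any mismatch means no."""
    user = cookies.get("user", "")
    admin = cookies.get("admin", "")
    sig = cookies.get("sig", "")
    if not hmac.compare_digest(_tag(user, admin).encode(), sig.encode()):
        return False
    return admin == "True"


def demo():
    """Replay the walkthrough's edit (admin=False -> admin=True) on both checks."""
    issued = issue_state("user", False)
    edited = dict(issued, admin="True")  # what "edit and resend" changes
    return naive_is_admin(edited), verified_is_admin(edited)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Keeping the admin flag in server-side session storage, with only a random session identifier in the cookie, achieves the same goal without sending the value to the client at all.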