We are back with Day 5 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Previous Day challenge click here.

This challenge is again based on Web Exploitation and the task is named Pesky Elf Forum. TryHackMe Web Exploitation Pesky Elf Forum XSS

Learning Objectives:

• What is an XSS vulnerability?
• What Types of XSS vulnerabilities are there?
• Challenge Walkthrough.

What is an XSS vulnerability?


Cross-Site Scripting, better known as XSS in the cybersecurity community, is classified as an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users.


If you can get JavaScript to run on a victim’s computer, there are numerous things you can achieve. This can range from stealing the victim’s cookies to take over their session, running a keylogger that will log every key the user presses on their keyboard while visiting the website, redirecting the user to a totally different website altogether or performing some kind of action on the website such as placing an order, or resetting their password etc.

What types of XSS vulnerabilities are there?

1. DOM
2. Reflected
3. Stored
4. Blind

Let’s Get Started..

1. What flag did you get when you disabled the plugin?

Login using Username: McSkidy Password: password

Leave a comment on any post as Follow <a href="https://www.kumaratuljaiswal.in">kumaratuljaiswal.in</a>


 

Once your comment is posted, you’ll see that the word ‘kumaratuljaiswal.in’ has been underlined.

This means the comment is reflected as you wrote it without the underline HTML tags being stripped out. As this isn’t being stripped out, you can try the HTML script tags instead to see if the website will run any JavaScript that is entered.



Using the URL, you found earlier for changing the user’s password, you can try the following payload:


<script>fetch('/settings?new_password=pass123');</script>

 

The <script> tag tells the browser we want to run some JavaScript, and the fetch command makes a network request to the specified URL.

After posting the above as a comment, you could view the webpage source to see whether it has been shown correctly. The screenshot below shows us that the script tags aren’t being stripped out or disabled and, in fact, are working:


 

Now that we have this XSS running on the forum, it means that any logged in users viewing the thread will automatically have their password changed to pass123. So let’s log out and see if the Grinch has visited the thread by trying to log in as them (It may take up to a minute before the Grinch visits the page and their password changes).

Username: grinch

Password: pass123

Once logged in, go to the settings page again, and this time, you’ll discover another feature with the option to disable the Christmas to Buttmas plugin.


 

Disable the plugin, and you’ll be awarded a flag.

Done :-)

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Story

McSysAdmin managed to reset everyone’s access except Santa’s! Santa’s expected some urgent travel itinerary for his route over Christmas. Rumour has it that Santa never followed the password security recommendations. Can you use bruteforcing to help him access his accounts?
Learning Objectives of the day

1. Understanding authentication and where it is used
2. Understanding what fuzzing is
3. Understanding what Burp Suite is and how we can use it for fuzzing a login form to gain access
4. Apply this knowledge to retrieve Santa’s travel itinerary

Let us understand the concepts targeted for today first!


What is authentication, and where is it Used?

Authentication is the process of verifying a user’s identity, establishing that they are who they say they are. Authentication can be proven using a variety of authentication means, including:

• A known set of credentials to the server and user such as a username and password
• Token authentication (these are unique pieces of encrypted text)
• Biometric authentication (fingerprints, retina data, etc.)

Authentication is often used interchangeably with authorisation, but it is very different. Authorisation is a term for the rules defining what an authenticated user can and cannot access.

What is Fuzzing?

Put simply, fuzzing is an automated means of testing an element of a web application until the application gives a vulnerability or valuable information. When we are fuzzing, we provide information as we would typically when interacting with it, just at a much faster rate. This means that we can use extensive lists known as wordlists to test a web application’s response to various information.
 

Steps to Fuzz with Burp Suite

Let’s launch FireFox by navigating to “Applications -> Internet-> Firefox”

avigate to the login form in the web browser using the vulnerable IP address (http://MACHINE_IP) (note that the IP address in the screenshots is only an example, you will need to replace this with the MACHINE_IP)

And press “Intercept On” in “Proxy -> Intercept”

Now we will need to return to our Firefox Browser and enable the FoxyProxy extension in Firefox. You can do this by pressing the “FoxyProxy” extension and pressing “Burp”

Submit some dummy data on the login form

Let’s launch Burp Suite by navigating to “Applications -> Other -> Burp Suite”

Navigate to the “Proxy” tab

We will need to return to Burp Suite, where we will see some data has now been returned to us. Right-click the window containing the data and press “Send to Intruder”
    
    

 
Navigate to the “Intruder” tab

10.1. Click the “Positions” tab and clear the pre-selected positions by pressing “Clear $”

10.2. Add the value of the “username” parameter as the first position, sometimes we will already know the username, other times we will not. We can tell Burp to use a wordlist of usernames for this position as well. However, as the username is already known (i.e. cmnatic), we are just brute-forcing the password. (this can be done by highlighting the password parameter and clicking “Add $”)

10.3. Add the “password” value as the position (i.e. password123) (this can be done by highlighting the value in the password parameter and clicking “Add $”)

 
10.4. Select “Cluster Bomb” in the Attack type in the dropdown menu.

10.5. We will now need to provide some values for Burp Suite to fuzz the login form with passwords. We can provide a list manually, or we can provide a wordlist. I will be providing a wordlist.

11. Now after selecting our wordlist, we can see that some passwords have filled the “Payload Options” window

12. Now let’s press the “Start Attack” button, this will begin fuzzing the login form. Look at the results and sort by “Length”. Unsuccessful passwords will return a certain length, and successful passwords will return another length.

Now that we understand how to use Burp Suite, we can create our own attacks and complete the challenge!

Q1. What valid password can you use to access the “santa” account?

Follow the steps mentioned above and create your own attack.

If you read the challenge properly, the link for the wordlist is given there already.

Use this wordlist for your attack and select the Cluster attack for this challenge.

Navigate to the vulnerable login form at http://10.10.205.31/ and apply the material for

today's task to login to Santa's itinerary, using the username as "santa" and the password

list located at /root/Rooms/AoC3/Day4/passwords.txt on the TryHackMe AttackBox (or download

it from here for your payload.

Q2. What is the flag in Santa’s itinerary?

Once you have logged in from the login panel, you get the flag!!

Answer - THM{SANTA_DELIVERS}


 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Story

McSkidy needs to check if any other employee elves have left/been affected by Grinch Industries attack, but the systems that hold the employee information have been hacked. Can you hack them back to determine if the other teams in the Best Festival Company have been affected?



Learning Objectives of Day 2:
 

• Understanding the underlying technology of web servers and how the web communicates.
• Understand what cookies are and their purpose.
• Learn how to manipulate and manage cookies for malicious use.

Let us understand the concepts targeted for today first!

HTTP(S)

he HTTP protocol is a client-server protocol to provide communication between a client and a webserver. HTTP requests are similar to a standard TCP network request; however, HTTP adds specific headers to the request to identify the protocol and other information.

When an HTTP request is crafted, the method and target header will always be included. The target header will specify what to retrieve from the server, and the method header will specify how.

When retrieving information from a web server, it is common to use the GET method, such as loading a picture.

When sending data to a web server, it is common to use the POST method, such as sending login information.

Example Request

GET / HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0
Referer: https://tryhackme.com/

Example Response

HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Wednesday, 24 Nov 2021 13:34:03 GMT
Content-Type: text/html
Content-Length: 98

Cookies

Cookies are tiny pieces of data (metadata) or information locally stored on your computer that are sent to the server when you make a request.

Cookies can be assigned any name and any value allowing the webserver to store any information it wants. Today we will be focusing on authentication cookies, also known as session cookies. Authentication or session cookies are used to identify you and what access level is attached to your session.

Cookie Manipulation

Cookie manipulation is taking a cookie and modifying it to obtain unintended behavior determined by the web developer. Cookie manipulation is possible because cookies are stored locally on your host system, meaning you have complete control over them and modify them as you please.

To begin modifying and manipulating cookies, we need to open our developer tools. In Google Chrome, developer tools are known as the “Chrome Developer Tools,” and in Mozilla Firefox, they are known as the “Firefox Developer Tools.”

Developer tools can be accessed by pressing F12 or Ctrl+Shift+I. Once developer tools are open, to access your cookies, navigate to the Storage tab in Firefox or Application tab in Chrome/Edge; select the Cookies dropdown on the left-hand side of the console.

Now that we understand these basic terms and concepts! Lets Enumerate!!

Q1. What is the name of the new cookie that was created for your account?

Once you open the website from the given link, you have to register an account.

    


    Welcome To Advent of Cyber!

 

Then open the developer options and check for the cookie and find out the cookie name

Answer: user-auth

Q2. What encoding type was used for the cookie value?

If you notice the value of the cookie that was generated,it is alphanumeric with more of numbers and less of alphabets.

Mostly all these alphabets are between “a” and “f” and we know only kind of encoding that is this way which is


Answer: Hexadeciaml

Q3. What object format is the data of the cookie stored in?

We can see that the value of the cookie is encoded so we need to go and get the value decoded.

We can do this by going onto CyberChef and inputting our cookie value. We convert it from hex so we get our output

From the image we can clearly see that the data is stored in key-value pairs and that is why it is called

Answer: JSON

Now we need to manipulate the cookie to get Admin access!!

Now copy the json output and set it as the input for this conversion in CyberChef tool. Select the option of “ To Hex” and set the delimiter as none so as to avoid all the spaces that come with it.

Once we do that, we have the value of the same json with user as “admin”

Q4. What is the value of the administrator cookie? (username = admin)


Ans :-

 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d

You can also decode this hex value via terminal through this command 

echo " 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d" | xxd -r -p

We have the value of the admin login cookie, so we go back to our page and edit the value of the cookie into this new value for admin login.

and Voila!!

We are now Admin!!

Q5. What team environment is not responding?


Ans :- HR



Q6. What team environment has a network warning?


Ans :- Application

All answer done :-)

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Windows Security

Per Microsoft, "Windows Security is your home to manage the tools that protect your device and your data".

In case you missed it, Windows Security is also available in Settings.

 

 In the above image, focus your attention on Protection areas.

• Virus & threat protection
• Firewall & network protection
• App & browser control
• Device security

Each following task will briefly touch on these areas.


Before proceeding, let's provide a quick comment on the status icons.

• Green means your device is sufficiently protected, and there aren't any recommended actions.
• Yellow means there is a safety recommendation for you to review.
• Red is a warning that something needs your immediate attention.

    

Click on Open Windows Security.

Note: Since the attached VM is a Windows Server 2019 edition, it looks different from a Windows 10 Home or Professional edition.

The below image is from a Windows 10 device.

1) In the above image, which area needs immediate attention?

Ans - Virus and Threat Protection


 

Virus & threat protection

Virus & threat protection is divided into two parts:

• Current threats
• Virus & threat protection settings

The image below only focuses on Current threats. 

Current threats

• Quick scan - Checks folders in your system where threats are commonly found.
• Full scan - Checks all files and running programs on your hard disk. This scan could take longer than one hour.
• Custom scan - Choose which files and locations you want to check.

Threat history

• Last scan - Windows Defender Antivirus automatically scans your device for viruses and other threats to help keep it safe.
• Quarantined threats - Quarantined threats have been isolated and prevented from running on your device. They will be periodically removed.
• Allowed threats - Allowed threats are items identified as threats, which you allowed to run on your device.

Virus & threat protection settings

Manage settings

• Real-time protection - Locates and stops malware from installing or running on your device.
• Cloud-delivered protection - Provides increased and faster protection with access to the latest protection data in the cloud.
• Automatic sample submission - Send sample files to Microsoft to help protect you and others from potential threats.
• Controlled folder access - Protect files, folders, and memory areas on your device from unauthorized changes by unfriendly applications.
• Notifications - Windows Defender Antivirus will send notifications with critical information about the health and security of your device.

Warning: Excluded items could contain threats that make your device vulnerable. Only use this option if you are 100% sure of what you are doing.

Virus & threat protection updates

Check for updates - Manually check for updates to update Windows Defender Antivirus definitions.  

Ransomware protection

Controlled folder access - Ransomware protection requires this feature to be enabled, which in turn requires Real-time protection to be enabled.



Note: Real-time protection is turned off in the attached VM to decrease the chances of performance issues. Since the VM can't reach the Internet and there aren't any threats in the VM, this is safe to do. Real-time protection should definitely be enabled in your personal Windows devices unless you have a 3rd party product that provides the same protection. Ensure it's always up-to-date and enabled.  

Tip: You can perform on-demand scans on any file/folder by right-clicking the item and selecting 'Scan with Microsoft Defender'.


The below image was taken from another Windows device to show this feature.



1) Specifically, what is turned off that Windows is notifying you to turn on?

Ans - Real-time protection

Firewall & network protection

What is a firewall?

Per Microsoft, "Traffic flows into and out of devices via what we call ports. A firewall is what controls what is - and more importantly isn't - allowed to pass through those ports. You can think of it like a security guard standing at the door, checking the ID of everything that tries to enter or exit".

The below image will reflect what you will see when you navigate to Firewall & network protection.

Note: Each network may have different status icons for you.

What is the difference between the 3 (Domain, Private, and Public)?

Per Microsoft, "Windows Firewall offers three firewall profiles: domain, private and public".

• Domain - The domain profile applies to networks where the host system can authenticate to a domain controller.
• Private - The private profile is a user-assigned profile and is used to designate private or home networks.
• Public - The default profile is the public profile, used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.

If you click on any firewall profile, another screen will appear with two options: turn the firewall on/off and block all incoming connections.

Warning: Unless you are 100% confident in what you are doing, it is recommended that you leave your Windows Defender Firewall enabled.

Allow an app through firewall

You can view what the current settings for any firewall profile are. In the above image, several apps have access in the Private and/or Public firewall profile. Some of the apps will provide additional information if it's available via the Details  button. 

Advance Setting

Configuring the Windows Defender Firewall is for advanced Windows users. Refer to the following Microsoft documentation on best practices here.

Tip: Command to open the Windows Defender Firewall is WF.msc.


1) If you were connected to airport Wi-Fi, what most likely will be the active firewall profile?

Ans - public network

App & browser control

In this section, you can change the settings for the Microsoft Defender SmartScreen.

Per Microsoft, "Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files".

Refer to the official Microsoft document for more information on Microsoft Defender SmartScreen here.

Check apps and file

Windows Defender SmartScreen helps protect your device by checking for unrecognized apps and files from the web.

Exploit protection

Exploit protection is built into Windows 10 (and, in our case, Windows Server 2019) to help protect your device against attacks.

Warning: Unless you are 100% confident in what you are doing, it is recommended that you leave the default settings.

Device security

Even though you'll probably never change any of these settings, for completion's sake, it will be covered briefly.

Core isolation
 

Memory Integrity - Prevents attacks from inserting malicious code into high-security processes.

Warning: Unless you are 100% confident in what you are doing, it is recommended that you leave the default settings.

The below images are from another machine to show another security feature that should be available in a personal Windows 10 device.

Security processor

Below are the Security processor details.

What is the Trusted Platform Module (TPM)?

Per Microsoft, "Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM".

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

We're continuing with Tools that are available through the System Configuration panel.

The Windows Registry (per Microsoft) is a central hierarchical database used to store information necessary to configure the system for one or more users, applications, and hardware devices.

The registry contains information that Windows continually references during operation, such as:

•     Profiles for each user
•     Applications installed on the computer and the types of documents that each can create
•     Property sheet settings for folders and application icons
•     What hardware exists on the system
•     The ports that are being used.

Warning: The registry is for advanced computer users. Making changes to the registry can affect normal computer operations.

There are various ways to view/edit the registry. One way is to use the Registry Editor (regedit).

Refer to the following Microsoft documentation here to learn more about the Windows Registry. 

1) What is the command to open the Registry Editor? (The answer is the name of  the .exe file, not the full path)

Ans :- regedt32.exe

 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Windows Computer Management

We're continuing with Tools that are available through the System Configuration panel.

The Computer Management (compmgmt) utility has three primary sections: System Tools, Storage, and Services and Applications.

System Tools

Let's start with Task Scheduler. Per Microsoft, with Task Scheduler, we can create and manage common tasks that our computer will carry out automatically at the times we specify.

A task can run an application, a script, etc., and tasks can be configured to run at any point. A task can run at log in or at log off. Tasks can also be configured to run on a specific schedule, for example, every five mins.

To create a basic task, click on Create Basic Task under Actions (right pane).

 

Next is Event Viewer.

Event Viewer allows us to view events that have occurred on the computer. These records of events can be seen as an audit trail that can be used to understand the activity of the computer system. This information is often used to diagnose problems and investigate actions executed on the system.

Event Viewer has three panes.

1. The pane on the left provides a hierarchical tree listing of the event log providers. (as shown in the image above)
2. The pane in the middle will display a general overview and summary of the events specific to a selected provider.
3. The pane on the right is the actions pane.

There are five types of events that can be logged. Below is a table from docs.microsoft.com providing a brief description for each.


 

The standard logs are visible under Windows Logs. Below is a table from docs.microsoft.com providing a brief description for each.

Shared Folders is where you will see a complete list of shares and folders shared that others can connect to.

 

In the above image, under Shares, are the default share of Windows, C$, and default remote administration shares created by Windows, such as ADMIN$.


As with any object in Windows, you can right-click on a folder to view its properties, such as Permissions (who can access the shared resource).

Under Sessions, you will see a list of users who are currently connected to the shares. In this VM, you won't see anybody connected to the shares.

All the folders and/or files that the connected users access will list under Open Files.

The Local Users and Groups section you should be familiar with from Windows Fundamentals 1 because it's lusrmgr.msc.

In Performance, you'll see a utility called Performance Monitor (perfmon).

Perfmon is used to view performance data either in real-time or from a log file. This utility is useful for troubleshooting performance issues on a computer system, whether local or remote. 

Device Manager allows us to view and configure the hardware, such as disabling any hardware attached to the computer.

Storage  

Under Storage is Windows Server Backup and Disk Management. We'll only look at Disk Management.

Note: Since the virtual machine is a Windows Server operating system, there are utilities available that you will typically not see in Windows 10.  

Disk Management is a system utility in Windows that enables you to perform advanced storage tasks.  Some tasks are:

•     Set up a new drive
•     Extend a partition
•     Shrink a partition
•     Assign or change a drive letter (ex. E:)

Services and Applications

Recall from the previous task; a service is a special type of application that runs in the background. Here you can do more than enable and disable a service, such as view the Properties for the service.

 

WMI Control configures and controls the Windows Management Instrumentation (WMI) service.

Per Wikipedia, "WMI allows scripting languages (such as VBScript or Windows PowerShell) to manage Microsoft Windows personal computers and servers, both locally and remotely. Microsoft also provides a command-line interface to WMI called Windows Management Instrumentation Command-line (WMIC)."

Note: The WMIC tool is deprecated in Windows 10, version 21H1. Windows PowerShell supersedes this tool for WMI.




1) What is the command to open Computer Management? (The answer is the name of the .msc file, not the full path)

Ans :- compmgmt.msc




2) At what time every day is the GoogleUpdateTaskMachineUA task configured to run?

Ans :- 6:15 am




3) What is the name of the hidden folder that is shared?

Ans :- sh4r3dF0Ld3r


 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.