Difference between revisions of "CTF-practice-evening:2014-01-13"
| (17 intermediate revisions by 2 users not shown) | |||
| Line 3: | Line 3: | ||
|Location=Tech Inc | |Location=Tech Inc | ||
|EventType=Workshop | |EventType=Workshop | ||
| − | |Contact=Melanie, | + | |Contact=Melanie, |
}} | }} | ||
= Capture The Flag evening - Part 4 = | = Capture The Flag evening - Part 4 = | ||
| Line 20: | Line 20: | ||
** 48 hours: Jan. 25, 2014, 8 a.m. — Jan. 27, 2014, 8 a.m. | ** 48 hours: Jan. 25, 2014, 8 a.m. — Jan. 27, 2014, 8 a.m. | ||
** http://quals.phdays.ru/ | ** http://quals.phdays.ru/ | ||
| − | |||
* Let's meet at Tech Inc on Saturday | * Let's meet at Tech Inc on Saturday | ||
** Jan 25 - 10 AM | ** Jan 25 - 10 AM | ||
| + | ** TODO: Add to Tech Inc event list | ||
| + | ** Sunday is the Tech Inc ALV, so things won't be as organised that day.. | ||
* We are now registered for the Positive Hack Days, as team Knuffelhackers | * We are now registered for the Positive Hack Days, as team Knuffelhackers | ||
| Line 30: | Line 31: | ||
* Stuff to prepare | * Stuff to prepare | ||
** Stepping stone box (for storing tools, and allowing lots of people access) | ** Stepping stone box (for storing tools, and allowing lots of people access) | ||
| − | ** Edit pad - | + | ** Edit pad - etherpad or https://quadpad.lqdn.fr |
*** We will want to archive this afterwards, for write-ups and stuff | *** We will want to archive this afterwards, for write-ups and stuff | ||
** IRC channel - create a password-protected #techinc-ctf channel | ** IRC channel - create a password-protected #techinc-ctf channel | ||
| Line 37: | Line 38: | ||
= Web hacking!!!! = | = Web hacking!!!! = | ||
| + | * Julius is talking about OWASP and Web Hacking this evening | ||
| + | ** Topics: brute force, SQL injections, Network eavesdropping, XSS, Session hijacking | ||
| + | |||
| + | * Afterwards, Stef did some web hacking demonstrations, using Certified Secure | ||
| + | ** Challenge: Herman Vluchtbeveiliging | ||
| + | *** Add a single quote at the end of a URL to see if it breaks | ||
| + | *** Can we request a specific page? Example: pagina=/etc/passwd | ||
| + | *** This doesn't work, but we get enough information to be able to see where it's located in the filesystem | ||
| + | *** With some directory traversal, we can dump the password file | ||
| + | ** Challenge: Security Shop | ||
| + | *** We can exploit the Search Product field | ||
| + | *** Once again, we want to cause an error that gets information from the backend.. we can use a single quote again | ||
| + | *** This indeed gives us the SQL query, including part of the database schema | ||
| + | *** You can use UNION to concatenate two adjacent tables | ||
| + | *** We can try using UNION SELECT 1 -- | ||
| + | *** We can see from the error message that the UNION isn't matching up with a table w/ 5 columns | ||
| + | *** We can now try using UNION SELECT 1,2,3,4 -- | ||
| + | *** Another query that works often is VERSION() | ||
| + | *** If we replace 3 with VERSION(), we can now see the Ubuntu version running | ||
| + | *** USER() also leaks information | ||
| + | *** Trial and error works pretty well here… we need to select things from other tables.. we can guess what these tables might be called | ||
| + | *** You can query the password this way | ||
| + | |||
| + | == Informational Links == | ||
* https://www.owasp.org/index.php/Category:Attack | * https://www.owasp.org/index.php/Category:Attack | ||
** https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents | ** https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents | ||
** http://w3schools.com | ** http://w3schools.com | ||
** http://yehg.net/lab/#toolbox | ** http://yehg.net/lab/#toolbox | ||
| + | * https://hackvertor.co.uk/public | ||
| − | == Wargames == | + | == Web-Hacking Wargames == |
| − | * https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - Web hacking stand-alone SW | + | * https://www.certifiedsecure.com - Start with this one! |
| − | * http://webappsecmovies.sourceforge.net/webgoat/ - solutions | + | * OWASP Web Goat (requires setting up a VM) |
| + | ** https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - Web hacking stand-alone SW | ||
| + | ** http://tostercrums.blogspot.nl/2011/11/running-webgoat-owasp-in-ubuntu-vm.html - Installation advice | ||
| + | ** http://webappsecmovies.sourceforge.net/webgoat/ - solutions | ||
* http://www.hackthissite.org | * http://www.hackthissite.org | ||
Latest revision as of 22:35, 13 January 2014
| CTF-practice-evening:2014-01-13 | |
|---|---|
| Date | 2014/01/13 |
| Time | |
| Location | Tech Inc |
| Type | Workshop |
| Contact | Melanie |
Contents
Capture The Flag evening - Part 4
- 13 January, 2014 - 8 PM
- Please bring along a laptop with you!!!
General CTF Info
- See the page for the Ctf-evenings
- Link to the Tech Inc Challenge Website Scoreboard
Our 1st CTF
- Positive Hack Days (PhD) qualifier
- 48 hours: Jan. 25, 2014, 8 a.m. — Jan. 27, 2014, 8 a.m.
- http://quals.phdays.ru/
- Let's meet at Tech Inc on Saturday
- Jan 25 - 10 AM
- TODO: Add to Tech Inc event list
- Sunday is the Tech Inc ALV, so things won't be as organised that day..
- We are now registered for the Positive Hack Days, as team Knuffelhackers
- See: http://knuffelhackers.nl
- Stuff to prepare
- Stepping stone box (for storing tools, and allowing lots of people access)
- Edit pad - etherpad or https://quadpad.lqdn.fr
- We will want to archive this afterwards, for write-ups and stuff
- IRC channel - create a password-protected #techinc-ctf channel
- We have a mailing list already - http://technologia-incognita.nl/cgi-bin/mailman/listinfo/ctf
Web hacking!!!!
- Julius is talking about OWASP and Web Hacking this evening
- Topics: brute force, SQL injections, Network eavesdropping, XSS, Session hijacking
- Afterwards, Stef did some web hacking demonstrations, using Certified Secure
- Challenge: Herman Vluchtbeveiliging
- Add a single quote at the end of a URL to see if it breaks
- Can we request a specific page? Example: pagina=/etc/passwd
- This doesn't work, but we get enough information to be able to see where it's located in the filesystem
- With some directory traversal, we can dump the password file
- Challenge: Security Shop
- We can exploit the Search Product field
- Once again, we want to cause an error that gets information from the backend.. we can use a single quote again
- This indeed gives us the SQL query, including part of the database schema
- You can use UNION to concatenate two adjacent tables
- We can try using UNION SELECT 1 --
- We can see from the error message that the UNION isn't matching up with a table w/ 5 columns
- We can now try using UNION SELECT 1,2,3,4 --
- Another query that works often is VERSION()
- If we replace 3 with VERSION(), we can now see the Ubuntu version running
- USER() also leaks information
- Trial and error works pretty well here… we need to select things from other tables.. we can guess what these tables might be called
- You can query the password this way
- Challenge: Herman Vluchtbeveiliging
Informational Links
Web-Hacking Wargames
- https://www.certifiedsecure.com - Start with this one!
- OWASP Web Goat (requires setting up a VM)
- https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - Web hacking stand-alone SW
- http://tostercrums.blogspot.nl/2011/11/running-webgoat-owasp-in-ubuntu-vm.html - Installation advice
- http://webappsecmovies.sourceforge.net/webgoat/ - solutions
- http://www.hackthissite.org
