Difference between revisions of "CTF-practice-evening:2014-01-13"

From Technologia Incognita
(15 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 |Location=Tech Inc
 |EventType=Workshop
-|Contact=Melanie,  
+|Contact=Melanie,
 }}
 = Capture The Flag evening - Part 4 =

Line 20: Line 20:
 ** 48 hours: Jan. 25, 2014, 8 a.m. — Jan. 27, 2014, 8 a.m.
 ** http://quals.phdays.ru/
-** TODO: Add to Tech Inc event list
 * Let's meet at Tech Inc on Saturday
 ** Jan 25 - 10 AM
+** TODO: Add to Tech Inc event list
+** Sunday is the Tech Inc ALV, so things won't be as organised that day..
 * We are now registered for the Positive Hack Days, as team Knuffelhackers

Line 30: Line 31:
 * Stuff to prepare
 ** Stepping stone box (for storing tools, and allowing lots of people access)
-** Edit pad - le quadriture du net has one, etherpad
+** Edit pad - etherpad or https://quadpad.lqdn.fr
 *** We will want to archive this afterwards, for write-ups and stuff
 ** IRC channel - create a password-protected #techinc-ctf channel

Line 39: Line 40:
 * Julius is talking about OWASP and Web Hacking this evening
 ** Topics: brute force, SQL injections, Network eavesdropping, XSS, Session hijacking
+
+* Afterwards, Stef did some web hacking demonstrations, using Certified Secure
+** Challenge: Herman Vluchtbeveiliging
+*** Add a single quote at the end of a URL to see if it breaks
+*** Can we request a specific page?  Example: pagina=/etc/passwd
+*** This doesn't work, but we get enough information to be able to see where it's located in the filesystem
+*** With some directory traversal, we can dump the password file
+** Challenge: Security Shop
+*** We can exploit the Search Product field
+*** Once again, we want to cause an error that gets information from the backend..  we can use a single quote again
+*** This indeed gives us the SQL query, including part of the database schema
+*** You can use UNION to concatenate two adjacent tables
+*** We can try using UNION SELECT 1 --
+*** We can see from the error message that the UNION isn't matching up with a table w/ 5 columns
+*** We can now try using UNION SELECT 1,2,3,4 --
+*** Another query that works often is VERSION()
+*** If we replace 3 with VERSION(), we can now see the Ubuntu version running
+*** USER() also leaks information
+*** Trial and error works pretty well here…  we need to select things from other tables..  we can guess what these tables might be called
+*** You can query the password this way
 == Informational Links ==

Line 45: Line 66:
 ** http://w3schools.com
 ** http://yehg.net/lab/#toolbox
+* https://hackvertor.co.uk/public
 == Web-Hacking Wargames ==
-* https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - Web hacking stand-alone SW
-* http://webappsecmovies.sourceforge.net/webgoat/ - solutions
+* https://www.certifiedsecure.com - Start with this one!
+* OWASP Web Goat (requires setting up a VM)
+** https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - Web hacking stand-alone SW
+** http://tostercrums.blogspot.nl/2011/11/running-webgoat-owasp-in-ubuntu-vm.html - Installation advice
+** http://webappsecmovies.sourceforge.net/webgoat/ - solutions
 * http://www.hackthissite.org
-* Certified Secure

Latest revision as of 22:35, 13 January 2014

CTF-practice-evening:2014-01-13
Date 2014/01/13
Time
Location Tech Inc
Type Workshop
Contact Melanie

Capture The Flag evening - Part 4

  • 13 January, 2014 - 8 PM
  • Please bring along a laptop with you!!!

General CTF Info

Our 1st CTF

  • Positive Hack Days (PhD) qualifier
  • Let's meet at Tech Inc on Saturday
    • Jan 25 - 10 AM
    • TODO: Add to Tech Inc event list
    • Sunday is the Tech Inc ALV, so things won't be as organised that day..

Web hacking!!!!

  • Julius is talking about OWASP and Web Hacking this evening
    • Topics: brute force, SQL injections, Network eavesdropping, XSS, Session hijacking
  • Afterwards, Stef did some web hacking demonstrations, using Certified Secure
    • Challenge: Herman Vluchtbeveiliging
      • Add a single quote at the end of a URL to see if it breaks
      • Can we request a specific page? Example: pagina=/etc/passwd
      • This doesn't work, but we get enough information to be able to see where it's located in the filesystem
      • With some directory traversal, we can dump the password file
    • Challenge: Security Shop
      • We can exploit the Search Product field
      • Once again, we want to cause an error that gets information from the backend.. we can use a single quote again
      • This indeed gives us the SQL query, including part of the database schema
      • You can use UNION to concatenate two adjacent tables
      • We can try using UNION SELECT 1 --
      • We can see from the error message that the UNION isn't matching up with a table w/ 5 columns
      • We can now try using UNION SELECT 1,2,3,4 --
      • Another query that works often is VERSION()
      • If we replace 3 with VERSION(), we can now see the Ubuntu version running
      • USER() also leaks information
      • Trial and error works pretty well here… we need to select things from other tables.. we can guess what these tables might be called
      • You can query the password this way
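
The pagina= probe from the Herman Vluchtbeveiliging challenge, as an added example that is not part of these notes or of the Certified Secure challenge: a constructed site in a temporary directory, a page loader that behaves the way the challenge did (the error for a miss echoes the on-disk path, and the parameter can leave the pages directory), and a hardened loader beside it. The file names, contents and the pages/ layout are assumptions.

```python
import os
import tempfile

# Constructed stand-in for the challenge's site: a pages/ directory with two
# pages and one file outside it. All names and contents are assumptions.
def make_site():
    root = tempfile.mkdtemp(prefix="site-")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    for name in ("home", "contact"):
        with open(os.path.join(pages, name + ".html"), "w") as f:
            f.write(f"<h1>{name}</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=constructed-example")
    return pages

def load_page_vulnerable(pages_dir, pagina):
    """Uses ?pagina= as a path directly. An absolute value replaces pages_dir
    entirely (os.path.join semantics) and '../' climbs out of it; the error
    text for a miss echoes the full on-disk path, which is what the first
    probe on the challenge revealed."""
    path = os.path.join(pages_dir, pagina)
    try:
        with open(path) as f:
            return f.read()
    except OSError as e:
        return f"ERROR: {e}"

def load_page_safe(pages_dir, pagina):
    """Resolves the request to a real path and serves it only if it sits
    directly inside pages_dir; any miss returns None and leaks nothing."""
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, pagina + ".html"))
    if os.path.dirname(target) != base:
        return None
    try:
        with open(target) as f:
            return f.read()
    except (OSError, ValueError):   # ValueError covers embedded NUL bytes
        return None

if __name__ == "__main__":
    pages = make_site()
    for probe in ("home", "does-not-exist", "../secret.txt", "../secret"):
        print(repr(probe), "->", load_page_vulnerable(pages, probe),
              "|", load_page_safe(pages, probe))
```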

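The Security Shop probes above, replayed in an added example that is neither the notes' own code nor the challenge's: a constructed four-column products table in sqlite, the string-built search that leaks the engine's error text and accepts the UNION rows, and the parameterised search beside it. The schema, the row, and sqlite_version() standing in for VERSION() are assumptions.

```python
import sqlite3

# Constructed stand-in for the "Security Shop" backend: a four-column product
# table. Schema and rows are assumptions for this example, not the challenge's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, stock INTEGER)")
    db.execute("INSERT INTO products VALUES (1, 'Lockpick set', 19.95, 3)")
    return db

def search_vulnerable(db, term):
    """Builds the query by string concatenation, so the search term becomes SQL.
    Returns the rows, or the database's error text (what the challenge leaked)."""
    sql = "SELECT id, name, price, stock FROM products WHERE name LIKE '%" + term + "%'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as e:
        return "ERROR: " + str(e)

def search_safe(db, term):
    """Parameterised version: the term is bound as a value and cannot alter the query."""
    sql = "SELECT id, name, price, stock FROM products WHERE name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

# The probes from the evening, in the order the notes walk through them.
# sqlite has no VERSION(); sqlite_version() plays the same role in the last one.
PROBES = {
    "quote": "'",
    "union1": "' UNION SELECT 1 -- ",
    "union4": "' UNION SELECT 1,2,3,4 -- ",
    "version": "' UNION SELECT 1,2,sqlite_version(),4 -- ",
}

def run_probes(search):
    """Apply every probe to one search implementation; returns {name: result}."""
    db = make_db()
    return {name: search(db, payload) for name, payload in PROBES.items()}

if __name__ == "__main__":
    for label, fn in (("vulnerable", search_vulnerable), ("safe", search_safe)):
        for name, result in run_probes(fn).items():
            print(f"{label:10} {name:8} -> {result}")
```
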
Informational Links

Web-Hacking Wargames