Posts

Showing posts from 2021

OverTheWire: Bandit Lab

Bismillahirrahmanirrahim (In the name of Allah the most gracious, the most merciful) So recently @electro and I decided to solve wargames and CTFs in the spirit of honing our skills and because we are preparing for something really important (another post for another day). We decided to start with the labs at overthewire and the first on the list was Bandit Lab. Bandit Lab was a fun experience, mostly easy, except for one or two tricky levels, level 26 and level 33 in particular. These labs weren't so difficult but required a bit of thinking outside the box, hence why I am documenting them. NB: this writeup doesn't include our thought process while solving the levels. Level 26 Level Description When we attempt to log in to this level using the private key obtained from the previous level we get automatically logged out, and since the level goal already informed us that we are dealing with a different shell, we need to figure out what it is and how to break out of it. Above is the ...

SSRF Notes: PortSwigger Labs Continued

Lab 3: SSRF with blacklist-based input filter Task: This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defenses that you will need to bypass. This lab is just like the previous ones except that we need to bypass blacklist filters. This is what a normal request to the stock check feature looks like: Passing http://localhost/admin to the stockApi parameter does not work this time. We get this response: That's the filter blocking us. It turned out that 127.0.0.1, localhost and admin are all blacklisted, so they cannot be used. So after trying a couple of things, the following was able to bypass the filter: We get the following response: So to complete the lab we just proceed to delete carlos. And that's it, lab solved.

SSRF Notes: PortSwigger Labs

Lab 2: Basic SSRF against another back-end system Task: This lab has a stock check feature that fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user Carlos. This lab is just slightly different from the previous lab: we need to use the SSRF vulnerability to scan the internal network, find the right host serving a web app on port 8080 and then delete the user Carlos. The stock check functionality remains the same as in the previous lab: The stock check URL is now different, pointing to an internal non-routable IP address. Using Burp Intruder we brute-forced the range and found the host at 192.168.0.170. We then send a request to delete the user Carlos. And that's it, we solved the lab. All of these labs feel too easy so I'm gonna skip the write-up on the easy ones from this point forward, otherwise, I feel I won't make significant progre...

SSRF Notes: An unexpected journey

This will InshaAllah be the beginning of a series of posts on my Server Side Request Forgery (SSRF) research journey. Why SSRF? Well, I recently came across the 3-month Microsoft Azure SSRF research challenge and because I strongly believe there are a lot of uncharted areas in SSRF research, I decided to partake, and who knows, maybe I might earn myself a little bounty along the way :). Game Plan Currently, the plan is simple: get myself up to speed with the current state of the art in SSRF research by solving CTFs and freely available lab challenges to gather some intuition, and then move on to asking questions with regards to the current limitations of known exploit techniques; hopefully, I will stumble on something new. I will start with solving PortSwigger Web Security Academy labs in this post and then other CTF challenges in the subsequent posts. PS: most of the posts on SSRF will be fast-paced; they're just meant to serve as self notes for reference and to organize my thoughts L...

Euclid's Algorithm

Introduction I was recently going through the cryptohack challenges when I came across the Greatest Common Divisor (GCD) challenge. This is a novice-level challenge where you are expected to code up a function to compute the GCD of two numbers; a link to Euclid's Algorithm was provided as a hint to solve the problem. As expected, I followed the link just to brush up on my understanding, considering that it's something I already knew. Soon after I proceeded to code up the function and then realized I was missing a great deal of what was supposed to be intuitive, that is, I did not understand the algorithm as properly as I thought, hence this post. So what is Euclid's Algorithm? It's an algorithm attributed to the Greek mathematician Euclid (c. 300 B.C.) for efficiently computing the greatest common divisor of two numbers; this algorithm has a wide array of uses, especially in the field of cryptography. The GCD of any two numbers, for example, 5 and 12, is the l...