Corb3nik / Web-Exploitation-Workflow

Licence: other
Web Exploitation Workflow for CTF Challenges

CTF Tactics

This guide describes a basic workflow for approaching various web CTF challenges. Throughout the CTFs that I have participated in this year, there have been a lot of moments where I would spend too many hours on an easy challenge, mainly because of oversight or insufficient recon.

This guide tries to cover these oversights, in order to gain as much relevant info as possible before charging into exploitation.

I suggest writing notes throughout each step of this guide. By the end of the recon phase, you should have a good overview of what the app does and which vulnerabilities to test next.

Recon

What web server/programming language/backend is used?

This part will help determine what vulnerabilities you're most likely to see... For example, template injections are more likely to occur in python web apps than in PHP apps.

We can test what programming language is used by changing the extension on the main page of the app. Try various extensions like:

  • index.php
  • index.cgi
  • index.html
  • ...

If none of these work, we're most likely dealing with a framework that routes requests through a dispatcher rather than mapping URLs to files, like RoR or Django. To validate this, we can take a look at what 404 page is generated. This will also be useful to determine what server is being used.

Try to browse to a non-existent URL like /THIS_PAGE_DOESNT_EXIST to see what comes up. On Apache/NGINX servers, default 404 pages can leak which OS is used, as well as the server's version.

At this point, if we still don't know what backend is running, we can check the headers of the HTTP responses for the Server header.

Understand how the application works

At this stage, we need to understand how the webapp works. What features are available? How do we use them?

While browsing through the webapp, imagine what the underlying code looks like and what vulnerabilities come to mind for each feature.

Note: Do not forget that this is a CTF, and that the author probably designed each page with a goal in mind... If you see an interesting comment in the footer or a note of some sort in the webpage, there is probably a reason for its existence. It could be a hint!

Testing for common files/folders

Usually in CTFs, you aren't allowed to use automated tools like dirbuster or nikto. So if there are any hidden files that the author wants us to find in their challenge, they'll probably be obvious. With that in mind, these are the files that I test first in a web challenge:

  • /robots.txt
  • /.git/ (Git repository)
  • /.svn/ (Subversion repository)
  • /.hg/ (Mercurial repository)
  • /admin
  • /login

If you don't find anything interesting in these files, we can safely assume that the challenge lies elsewhere.

Checking the source code and headers

Source files

The last thing we'll want to do in our recon phase is to analyze each file (HTML, JavaScript, CSS) for interesting comments, hidden features, weird scripts, etc. I usually use Burp Suite to analyze both the source code and the request/response headers.

Note: It's important to check the CSS files too, as they can contain links to other files via background: url() declarations. Sometimes, the classes or IDs themselves can be revealing: a CSS file containing the classes .login, .register and .adm1n might suggest that an adm1n page exists.

Headers

While going through each file, check the request and response headers for anything out of the ordinary. The more CTFs you do, the better you'll get at pinpointing what's important and what's not.

Directory listing

Once we've gone over all of the files, we can also test for directory listing to uncover hidden/unused files.

Template notes

Here is what my notes would look like after a quick recon of a web challenge:

Backend : 
- Server : Apache 2.4.6 (CentOS)
- Language : PHP

Webapp description :
- The app is a messaging system, you can send messages to specific users and read messages.

Site map :
- /register.php (GET/POST)
- /login.php (GET/POST)
- /read_message.php (GET)
  - /read_message.php?messages=2 (GET)
- /send_message.php (GET/POST)
- /users.php (GET)
- /admin (Unauthorized)

- /js/ (Directory listing enabled)
- /css/ (Directory listing enabled)
- /images/ (Directory listing enabled)

Interesting Headers :
- Access-Control-Allow-Origin: http://127.0.0.1:9876
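The recon steps above (extension probing, the 404 page and Server header, common files, directory listing, odd response headers) collected into one script that produces the same kind of notes, as an added example that is not part of the original guide. recon() drives any fetch(path) callable returning (status, headers, body), so the same checks run against the constructed in-memory fixture below or, with a urllib-based fetch, against a staging copy of your own app to confirm it leaks none of this; EXTENSIONS, the fixture contents and every value in it are assumptions for the demo.

```python
import re

EXTENSIONS = ["php", "cgi", "html", "asp", "aspx", "jsp"]  # index.* probes
COMMON_PATHS = ["/robots.txt", "/.git/", "/.svn/", "/.hg/", "/admin", "/login"]
LISTING_DIRS = ["/js/", "/css/", "/images/"]
BORING = {"content-type", "content-length", "date", "server", "connection"}

def recon(fetch):
    """fetch(path) -> (status, headers, body). Returns the template notes as a dict."""
    notes = {"language": None, "server": None, "found": [], "listings": [], "headers": {}}
    # Step 1: the index.<ext> that answers 200 hints at the backend language.
    for ext in EXTENSIONS:
        if fetch(f"/index.{ext}")[0] == 200:
            notes["language"] = ext
            break
    # Step 2: the 404 page; Server header first, then the Apache <address> footer.
    _, headers, body = fetch("/THIS_PAGE_DOESNT_EXIST")
    m = re.search(r"<address>(.*?)</address>", body, re.S)
    notes["server"] = headers.get("Server") or (m.group(1).strip() if m else None)
    # Step 3: common files/folders; anything that is not a 404 goes in the notes.
    for path in COMMON_PATHS:
        status = fetch(path)[0]
        if status != 404:
            notes["found"].append((path, status))
    # Step 4: directory listing; Apache/nginx autoindex pages carry "Index of".
    for d in LISTING_DIRS:
        status, _, body = fetch(d)
        if status == 200 and "Index of" in body:
            notes["listings"].append(d)
    # Step 5: response headers outside the usual set are often the hint.
    _, headers, _ = fetch("/")
    notes["headers"] = {k: v for k, v in headers.items() if k.lower() not in BORING}
    return notes

# Constructed in-memory stand-in for a challenge app (not a real target).
SERVER = "Apache/2.4.6 (CentOS)"
FIXTURE = {
    "/": (200, {"Server": SERVER, "Content-Type": "text/html",
                "Access-Control-Allow-Origin": "http://127.0.0.1:9876"}, "<html>"),
    "/index.php": (200, {"Server": SERVER}, "<html>"),
    "/robots.txt": (200, {"Server": SERVER}, "Disallow: /admin\n"),
    "/admin": (401, {"Server": SERVER}, "Unauthorized"),
    "/js/": (200, {"Server": SERVER}, "<title>Index of /js</title>"),
}

def fixture_fetch(path):
    # Unknown paths get a default Apache-style 404 with no Server header,
    # so recon() has to recover the version from the page body instead.
    return FIXTURE.get(path, (404, {}, f"<h1>Not Found</h1><address>{SERVER} Server</address>"))
```

Calling recon(fixture_fetch) yields language "php", the Apache version recovered from the 404 body, /robots.txt and /admin (401) as found paths, /js/ as a listing, and the Access-Control-Allow-Origin header as the only non-boring header, which is exactly the content of the template notes above.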