Burp Suite room on TryHackMe
As I have already installed a Kali Linux VM, I opened the Burp Suite room and joined it.
I installed the FoxyProxy extension in Firefox, then used the ‘add new’ menu to create an entry named ‘burp’ with the IP ‘127.0.0.1’ and the port ‘8080’.
After saving it, an entry named ‘burp’ is shown when I select the FoxyProxy extension; clicking on it enables the proxy.
Then I browsed to http://localhost:8080 and downloaded the certificate by clicking on CA CERTIFICATE.
After downloading the certificate, I installed it by importing it under Firefox's certificate authorities. Once it was installed,
there are some important components of Burp Suite which need to be understood first:
Proxy: allows us to funnel traffic through Burp Suite.
Target: comes in handy to create the site map of the application we are testing.
Intruder: an incredibly powerful tool for everything from field fuzzing to credential stuffing.
Repeater: as the name indicates, repeats a request with or without modification; often used alongside Intruder when fuzzing.
Sequencer: analyzes the randomness present in the application under test, usually for testing session cookies.
Decoder: as the name indicates, helps in decoding and encoding pieces of URLs and other data.
Comparer: used to compare site maps, proxy histories or responses.
Extender: allows us to add components such as tools and additional scan information.
Scanner: automated web vulnerability scanner, only available in the Pro edition.
So it's time to see these components in action.
Task 6 Proxy:
As I have already mentioned above, the default interface where Burp Suite listens for all requests is
ip:port 127.0.0.1:8080
As I have already enabled the proxy, I now go to the Burp Suite Proxy tab; after clicking on Proxy you can see the Intercept sub-tab along with the other sub-tabs.
As my Intercept is already on and Burp Suite is holding a request, if I want to send the request to Repeater or to Intruder I have two options: either use these shortcuts
CTRL+R for Repeater, CTRL+I for Intruder
or click on the Action button to perform these operations.
After performing several requests it is impossible to keep them all in your memory, so Burp Suite has a sub-tab named “HTTP history” that records each request along with related information; this comes in handy when we want proof of a request or want to modify a request we made in the past.
There is another sub-tab in Burp Suite named “WebSockets history”.
What are websockets?
This is where we can see information related to real-time updates, as WebSocket traffic is asynchronous.
Target Definition:
Target tab
It helps in:
defining the scope
site map and issue definitions
When we start testing any web application we have usually already been provided with these things:
URL
List of different user roles
Test accounts with credentials
List of forms in the application which are out of scope and should be avoided
After this we start to build the scope within Burp; this is especially important if we are performing an automated test.
Typically this is done in a tiered approach in which we work from the lowest privileged account up; this includes
unauthenticated access and browsing the site as a normal user.
Browsing like this aids in discovering the full extent of the site and is commonly referred to as the HAPPY PATH.
We do this to create the site map. After this we follow up with the client-defined scope and remove various items from the scope. Those items include:
pages, forms and other items designated out of scope in the client-provided documentation;
items where automated exploitation would be harmful (for example, sending hundreds of password reset emails), since
automated exploitation can lead to damaging and potentially crashing the web app.
Once we have removed any potentially dangerous items from our scope, we can move on to other areas of testing in Burp Suite.
I have already started the OWASP Juice Shop machine on TryHackMe,
and as my Burp Intercept in the Proxy section was ON, I forwarded the requests as normal; once there were no more requests to forward I simply turned Intercept off.
When I move to the Target section it can clearly be seen that OWASP Juice Shop with IP 10.10.117.192 is in the site map.
To add it to the scope, simply
right-click it and click on the “Add to scope” menu item.
After clicking on it there is a pop-up window asking whether you want to stop sending out-of-scope items to Burp's history or its tools.
Select Yes to close the pop-up; the site is now added to the scope.
On the 2nd day, as I had shut down the TryHackMe machine, a new IP address was assigned after restarting it: 10.10.24.89.
Put it in Repeater
Repeater allows us to repeat requests we have already made; we can either reissue them as-is or modify them.
Repeater is used for experimentation or more fine-tuned exploitation where automation is not desired.
We are going to use Repeater to find proof that Juice Shop is vulnerable to SQL injection.
Now here we go.
Here I click on Login, and after that
enter whatever username and password you want,
then log in.
After entering a username and password which we don't know, this error will be shown.
As we have already added 10.10.24.89 to the scope there is no need to enable Intercept, since whatever we do is already in scope and passes through HTTP history.
After finding the request in the HTTP history sub-tab,
just right-click on it and send it to Repeater so we can make further modifications to it, which we can't do at this point.
After sending it to Repeater, just move to the Repeater tab.
To edit the request, just select the username and password fields and enter a value.
I added a single quote (') in both fields in order to check whether the login is vulnerable to SQL injection; now I'm going to send the request.
After sending the request it can clearly be seen that the error we got is
so the login is vulnerable to SQL injection, and we got this.
The next step is to go to Customer Feedback; this is in the Contact Us menu.
Click on it.
After clicking on it you will see this form.
Just fill in the form and search for the POST request in HTTP history,
then send it to Repeater by right-clicking on it and clicking on “Send to Repeater”. Then,
after sending it to Repeater, it is clearly shown that one can easily modify the rating stars.
So what I'm going to do now is change the rating field to zero and send the request again to see whether it's possible.
After sending the request, the response is
so it's possible to submit a zero-star review.
Intruder
One of the most important tools in Burp Suite is INTRUDER; it can be used for many things, starting with fuzzing,
and it only serves one master, AUTOMATION: it repeats itself no matter what happens in order to establish a proof of concept.
So if you want to learn more about it, may the force be with you: Intruder.
So here are its basic common uses:
Enumerating identifiers (usernames, password guessing, password recovery tokens)
Harvesting useful data from user profiles
Fuzzing for vulnerabilities (SQL injection, XSS and file path traversal)
To accomplish these, Intruder has the following attack types:
Sniper: the most popular one; allows us to cycle through our payload set, putting the next available payload in each position in turn.
Battering ram: allows us to use one payload set in every single position we've selected simultaneously.
Pitchfork: allows us to select multiple payload sets (one per position) and iterate through them simultaneously.
Cluster bomb: allows us to select multiple payload sets (one per position) and iterate through all possible combinations.
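The four attack types above, as an added Python model that is not Burp's own code: each call yields the requests Intruder would send for a request template whose positions are marked with § the way Burp displays them, so you can count a run before starting it. The template and payload sets are constructed for illustration.

```python
# Added example: a generator model of Burp Intruder's attack types.
# Positions are delimited with the § character, e.g. "email=§a§&password=§b§",
# where the text between the markers is the base value of that position.
from itertools import product
from typing import Iterator, List

MARK = "\u00a7"  # § as Burp shows it in the Positions tab

def split_template(template: str) -> List[str]:
    # Even indices are literal text, odd indices are position base values.
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced position markers in template")
    return parts

def render(parts: List[str], values: List[str]) -> str:
    out, pos = [], 0
    for i, chunk in enumerate(parts):
        if i % 2 == 0:
            out.append(chunk)
        else:
            out.append(values[pos])
            pos += 1
    return "".join(out)

def attack(kind: str, template: str, payload_sets: List[List[str]]) -> Iterator[str]:
    parts = split_template(template)
    base = parts[1::2]
    n = len(base)
    if kind == "sniper":
        # One payload set; each position takes every payload in turn while the
        # other positions keep their base value (n * len(set) requests).
        for pos in range(n):
            for p in payload_sets[0]:
                yield render(parts, [p if i == pos else base[i] for i in range(n)])
    elif kind == "battering ram":
        # Same payload inserted into every position at once (len(set) requests).
        for p in payload_sets[0]:
            yield render(parts, [p] * n)
    elif kind == "pitchfork":
        # One set per position, advanced in lock-step; stops at the shortest set.
        if len(payload_sets) != n:
            raise ValueError("pitchfork needs exactly one payload set per position")
        for combo in zip(*payload_sets):
            yield render(parts, list(combo))
    elif kind == "cluster bomb":
        # One set per position, every combination (product of the set sizes).
        if len(payload_sets) != n:
            raise ValueError("cluster bomb needs exactly one payload set per position")
        for combo in product(*payload_sets):
            yield render(parts, list(combo))
    else:
        raise ValueError("unknown attack type: " + kind)
```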
There is a payload list attached to the room; just download the list.
After downloading it, go to Intruder, as we have already added a login form request there.
I simply pressed the Clear button to clear the highlighted fields and then highlighted the email field again, between the double quotes, as shown in the above screenshot.
After highlighting it, just click on the ‘Add’ button.
Now switch to the Payloads sub-tab.
Here click on the Load button and add the previously downloaded file.
After this scroll down a little and uncheck “URL-encode these characters”; we don't want the characters in our payload to be encoded, as the characters in the payload list are already encoded.
What next? Go back to the Positions sub-tab and click on ‘Start attack’.
After clicking, just wait; it's going to take some time, and by the way, as we are using the Community edition we have some restrictions.
Just press OK.
After getting the results, enter
a' or 1=1-- in the email field and PASSWORD in the password field, and here we are:
logged in.
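Why the single quote in Repeater produced an error and why the payload above logs in, as an added offline example (not code from the room or from Juice Shop): a login check assembled by string concatenation next to its parameterised fix, run against a constructed in-memory SQLite table. It assumes the handler hashes the password before querying, which is why only the email field breaks the SQL.

```python
# Added example: the probes from the write-up against a vulnerable and a fixed login query.
import hashlib
import sqlite3

def hash_pw(password: str) -> str:
    # Stand-in for whatever hashing the real login handler applies before querying.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """Constructed sample data, not Juice Shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        (1, "admin@example.test", hash_pw("admin-secret")),
        (2, "alice@example.test", hash_pw("alice-secret")),
    ])
    return conn

def login_vulnerable(conn, email: str, password: str):
    """Query built from user input: the pattern the write-up is probing."""
    sql = ("SELECT id, email FROM Users WHERE email = '" + email +
           "' AND password = '" + hash_pw(password) + "'")
    try:
        return ("ok", conn.execute(sql).fetchone())
    except sqlite3.OperationalError as err:
        # A lone quote in the email leaves the SQL unbalanced: the error seen in Repeater.
        return ("error", str(err))

def login_fixed(conn, email: str, password: str):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return ("ok", conn.execute(sql, (email, hash_pw(password))).fetchone())

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "'", "'"))           # ("error", ...): syntax error leaks DB details
    print(login_vulnerable(db, "' or 1=1--", "x"))  # first user row comes back: login bypass
    print(login_fixed(db, "' or 1=1--", "x"))       # ("ok", None): treated as a literal email
```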
Task 10 machines are better than us
Task 11 Decoder and Comparer:
Decoder allows us to perform various transforms on pieces of data.
Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.
Comparer, on the other hand, is used to compare different responses or pieces of data such as site maps or proxy histories.
Here is the Burp documentation on Comparer:
We use it during enumeration when we want to compare failed logins using valid and invalid usernames, looking for subtle differences. It is also useful when enumerating password recovery forms.
When, after an Intruder attack, we get responses of different lengths, we can compare them to see the difference.
When comparing site maps or proxy histories generated by different users, to check for access control issues, i.e. whether the users can access certain pages.
During SQL injection, when testing boolean conditions and similar ones, to compare the responses and see whether injecting different conditions has resulted in a relevant difference in the response.
Here we go. To use Decoder, go to Target, then the URL you added to the scope, then /api/Challenges/?name=Score%20Board, and
click on it, copy its first line and then paste it into Decoder.
After pasting it, click on “Decode as” and select the type; we are going to decode it as URL.
After clicking it we get the decoded output.
It can easily be seen that it got decoded into a plain URL. Before:
GET /api/Challenges/?name=Score%20Board HTTP/1.1
After:
GET /api/Challenges/?name=Score Board HTTP/1.1
If you don't know which type to choose, just click on Smart decode so it automatically attempts to decode the input.
OK, what about Comparer then?
Haven't I mentioned above that one can load responses or site maps into Comparer to check for user privilege or access control issues?
We can also diff two pieces of data by comparing them as words rather than breaking them into bytes.
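The Comparer use described above (failed logins with valid versus invalid usernames, compared by length and then word by word), as an added Python example that is not Burp's code. The two responses are constructed for illustration and show the kind of difference a defender should remove, since it tells an attacker which accounts exist.

```python
# Added example: word-level comparison of two constructed login responses.
import difflib
import re
from typing import List, Tuple

# Constructed sample responses (not captured from Juice Shop).
RESP_VALID_USER = """HTTP/1.1 401 Unauthorized
Content-Type: application/json
Content-Length: 62

{"error":"Invalid password for user alice","code":"AUTH_FAIL"}"""

RESP_INVALID_USER = """HTTP/1.1 401 Unauthorized
Content-Type: application/json
Content-Length: 50

{"error":"User does not exist","code":"AUTH_FAIL"}"""

def words(text: str) -> List[str]:
    # Split into words and single punctuation marks, the units a word-mode diff works on.
    return re.findall(r"\w+|[^\w\s]", text)

def compare_words(a: str, b: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return the non-equal runs between a and b as (op, words_in_a, words_in_b)."""
    wa, wb = words(a), words(b)
    sm = difflib.SequenceMatcher(a=wa, b=wb, autojunk=False)
    return [(op, wa[i1:i2], wb[j1:j2])
            for op, i1, i2, j1, j2 in sm.get_opcodes() if op != "equal"]

def is_enumeration_oracle(valid_user_resp: str, invalid_user_resp: str) -> bool:
    # Any length or wording difference between the two failures leaks account existence.
    return (len(valid_user_resp) != len(invalid_user_resp)
            or bool(compare_words(valid_user_resp, invalid_user_resp)))

if __name__ == "__main__":
    for op, old, new in compare_words(RESP_VALID_USER, RESP_INVALID_USER):
        print(op, " ".join(old), "->", " ".join(new))
    print("oracle:", is_enumeration_oracle(RESP_VALID_USER, RESP_INVALID_USER))
```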
Task 12
What about Extender, a.k.a. mods?
Similar to various games like GTA 5, you can add components to Burp Suite too. To add some extensions, just follow me:
Go to the Extender tab, Options sub-tab.
Scroll to the “Python Environment” section, as it needs some files.
Just open this Jython page and download the standalone version.
After downloading, browse to the directory where you downloaded the file and add it in the standalone section.
Now what?
Just switch to the BApp Store sub-tab and add the extension you want.
Task 13: what, why not, where is New Scan?
Search is only available in Pro, but you can use the extension “Logger++”; search for it in the BApp Store, okay?
Come on, my boy, call it a day.