Burp Suite room on TryHackMe

Awais Afzal Kamboh
11 min read · Jan 9, 2022


As I had already installed a Kali Linux VM, I opened the Burp Suite room and joined it.

I installed the FoxyProxy extension in Firefox, then used the 'Add New' menu to add a new proxy named 'burp' with the IP '127.0.0.1' and the port '8080'.

After saving it, an entry named 'burp' is shown when I click the FoxyProxy extension icon; clicking it enabled the proxy.

Then I entered http://localhost:8080 in the browser and downloaded the certificate by clicking on CA CERTIFICATE.

After downloading the certificate, I imported it into the Authorities tab of Firefox's certificate manager, and it was installed.

There are some important components of Burp Suite that need to be understood first:

Proxy: allows us to funnel traffic through Burp Suite, intercepting and modifying it on the way.

Target: comes in handy for building the site map of the application we are testing and for defining the scope.

Intruder: incredibly powerful tool for everything from field fuzzing to credential stuffing.

Repeater: as the name indicates, repeats a request with or without modification; often used as a precursor step to fuzzing with Intruder.

Sequencer: analyzes the randomness of tokens generated by the application under test, usually session cookies.

Decoder: as the name indicates, helps in decoding and encoding pieces of data such as URL-encoded strings.

Comparer: used to compare site maps, proxy histories or responses.

Extender: allows us to add components such as tools and additional scan information.

Scanner: automated web vulnerability scanner, only available in Burp Suite Professional.

So it's time to see these components in action.

Task 6: Proxy

As I have already mentioned above, the default interface on which Burp Suite listens for all requests is

ip:port 127.0.0.1:8080

As I have already enabled the proxy, I now go to the Proxy tab in Burp Suite; after clicking on Proxy you can see the Intercept sub-tab alongside its other sub-tabs.

As my intercept is already on and Burp Suite is holding a request, if I want to forward the request to Repeater or to Intruder I have two options: either use these shortcuts

Ctrl+R for Repeater, Ctrl+I for Intruder

or click on the Action button to perform these operations.

After making several requests it is impossible to keep them all in your memory, so Burp Suite has a sub-tab named "HTTP history" that records every request along with varying information. This comes in handy when we want proof of a request, or want to modify a request we made in the past.

There is another sub-tab in Burp Suite named WebSocket history, where we can see traffic related to real-time updates. WebSocket traffic is asynchronous: unlike plain HTTP, the server can push messages without a request for each one, so this history is kept separately from the HTTP history.

Target definition:

Target tab

It helps in

defining the scope,

the site map and issue definitions.

So when we start testing any web application, we have typically been provided with these things already:

URL

List of the different user roles

Test accounts with credentials

List of forms and pages in the application which are out of our scope and should be avoided

After this we build the scope within Burp. This is important if we are going to perform any automated testing.

Typically this is done in a tiered approach, in which we work from the lowest-privileged account upwards. It starts with:

unauthenticated access, browsing the site as a normal user would

browsing like this aids in discovering the full extent of the site and is commonly referred to as the HAPPY PATH

We do this to create the site map. After this we follow the client-defined scope and remove various items from Burp's scope. Those items include:

 pages, forms and other items designated out of scope in the client-provided documentation.

 anything automated exploitation could abuse (e.g., sending hundreds of password reset emails).

 anything automated exploitation could damage or potentially crash in the web app.

Once we have removed any potentially dangerous items from our scope, we can move on to other areas of testing in Burp Suite.

So I have already started the OWASP Juice Shop machine on TryHackMe,

and as my intercept in the Proxy section was ON, I forwarded the requests as normal; once there was no further request to forward I simply turned intercept off.

When I move to the Target section it can clearly be seen that OWASP Juice Shop, with IP 10.10.117.192, is in the site map.

To add it to the scope, simply

right-click it and click on the "Add to scope" menu item.

After clicking on it a pop-up window appears asking whether you want to stop sending out-of-scope items to Burp's history and its other tools.

Select Yes to close the pop-up; the site is now added to the scope.

On the second day, as I had shut down the TryHackMe machine, re-instantiating it assigned a new IP address: 10.10.24.89.

Repeater

Repeater allows you to repeat requests we have already made; we can either reissue them as they are or modify them first.

Repeater is used for experimentation or more fine-tuned exploitation, where automation is not desired.

We are going to use Repeater to find proof that Juice Shop is vulnerable to SQL injection.

Now here we go:

I click on Login, then

enter whatever username and password you want,

then log in.

After entering a username and password which we don't know, this error is shown.

As we have already added 10.10.24.89 to the scope there is no need to enable intercept: whatever we are doing is already in scope and passes through the HTTP history.

After finding the login request in the HTTP history sub-tab,

just right-click on it and send it to Repeater, so we can make further modifications to it, which we can't do at this point.

After sending it to Repeater, just move to the Repeater tab.

To edit it, select the username and password fields and enter the values:

I added a single quote (') in both fields to check whether the login is vulnerable to SQL injection; now I'm going to send the request.

After sending the request, the error we got can clearly be seen:

so the login is vulnerable to SQL injection, and we have our proof.
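To see why a lone single quote produces a database error while a' or 1=1-- logs you in, here is an added Python example (not code from the original post or from Juice Shop) that rebuilds the login query the way an injectable application would and runs both probes against an in-memory SQLite database. The schema, the sample accounts, the function names and the assumption that the application hashes the password with MD5 before building the query (which is why the email field is the injection point) are all constructed for this example; the parameterized login_safe shows the fix.

```python
import hashlib
import sqlite3

# Constructed sample users (not real Juice Shop data).
SAMPLE_USERS = [
    ("admin@juice-sh.op", "admin123"),
    ("jim@juice-sh.op", "ncc-1701"),
]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory Users table seeded with the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (email, password) VALUES (?, ?)",
        [(email, md5_hex(pw)) for email, pw in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn, email: str, password: str):
    """String-concatenated query, as in a classic injectable login.
    The password is hashed before it reaches the query (assumed here, as
    Juice Shop does), so only the email value can break out of its quotes.
    Returns the matched (id, email) row or None."""
    query = (
        f"SELECT id, email FROM Users WHERE email = '{email}' "
        f"AND password = '{md5_hex(password)}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, email: str, password: str):
    """Same query with bound parameters: user input is never parsed as SQL."""
    return conn.execute(
        "SELECT id, email FROM Users WHERE email = ? AND password = ?",
        (email, md5_hex(password)),
    ).fetchone()


def probe(login, conn, email: str, password: str):
    """Send one test input the way Repeater would and classify the outcome:
    ('error', message) when the database rejects the query (the Repeater
    proof from the walkthrough: a stray quote leaves a string unterminated),
    ('ok', row) otherwise, where row is None for a failed login."""
    try:
        return ("ok", login(conn, email, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for email in ["'", "a' or 1=1--", "jim@juice-sh.op"]:
        print(f"{email!r:16} vulnerable -> {probe(login_vulnerable, db, email, 'PASSWORD')}")
        print(f"{email!r:16} safe       -> {probe(login_safe, db, email, 'PASSWORD')}")
```

With the concatenated query, the single quote closes the email string early and the rest of the statement is garbage, which is the error Repeater showed; a' or 1=1-- closes the string, adds an always-true condition and comments out the password check, so the first row in the table (the admin) comes back. The parameterized version returns None for both inputs because the quote and the comment are just characters inside a bound value.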

Thus the next step is to go to Customer Feedback, which is in the Contact Us menu.

Click on it,

and after clicking on it you will see this form.

Just fill in the form and search for the POST request in the HTTP history,

then send it to Repeater by right-clicking on it and clicking "Send to Repeater". Then,

once it is in Repeater, it is clearly shown that one can easily modify the rating (stars) field.

So what I'm going to do now is just change the rating field to zero and send the request again to see whether that is possible.

After sending the request, the response is:

so it is possible to submit a zero-star review.

 Intruder

The most important tool in Burp Suite is INTRUDER; it can be used for many things, ranging from fuzzing to brute-forcing,

and it serves only one master, AUTOMATION: it repeats itself no matter what happens, in order to establish a proof of concept.

So if you want to learn more about it, see the Intruder documentation, and may the force be with you.

So here are its basic common uses:

 Enumerating (usernames, password guessing, password recovery tokens)

 Harvesting useful data from user profiles

 Fuzzing for vulnerabilities (SQL injection, XSS and file path traversal)

To accomplish these, Intruder has the following attack types:

 Sniper: the most popular one; uses a single payload set and cycles through it, putting the next available payload in each position in turn while the other positions keep their original value.

 Battering ram: uses a single payload set and places the same payload in every selected position simultaneously.

 Pitchfork: allows us to select multiple payload sets (one per position) and iterate through them simultaneously, in lockstep.

 Cluster bomb: allows us to select multiple payload sets (one per position) and iterate through all possible combinations.
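To make the difference between the four attack types concrete, here is an added Python example (not code from the original post or from Burp) that generates the requests each mode would send for a two-position login body, using the same § markers Burp shows around positions. The template, the payload sets and the function names are constructed for this example.

```python
import itertools
import re

# Burp marks each payload position as §base value§ in the request template.
POSITION = re.compile(r"§(.*?)§")


def parse_template(template: str):
    """Split a request template into literal chunks and the base value of each
    position. re.split with a capture group alternates literal, base, literal,
    base, ..., literal, so the even entries are literals and the odd ones bases."""
    parts = POSITION.split(template)
    return parts[0::2], parts[1::2]


def render(literals, values):
    """Reassemble a request from the literal chunks and one value per position."""
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out.append(value)
        out.append(literal)
    return "".join(out)


def sniper(literals, bases, payload_sets):
    """One payload set; each position takes each payload in turn while the
    other positions keep their base value. Requests = positions x payloads."""
    for i in range(len(bases)):
        for payload in payload_sets[0]:
            values = list(bases)
            values[i] = payload
            yield render(literals, values)


def battering_ram(literals, bases, payload_sets):
    """One payload set; the same payload is placed in every position at once."""
    for payload in payload_sets[0]:
        yield render(literals, [payload] * len(bases))


def pitchfork(literals, bases, payload_sets):
    """One payload set per position, iterated in lockstep; stops at the
    shortest set, like zip."""
    for combo in zip(*payload_sets[: len(bases)]):
        yield render(literals, list(combo))


def cluster_bomb(literals, bases, payload_sets):
    """One payload set per position, every combination (Cartesian product)."""
    for combo in itertools.product(*payload_sets[: len(bases)]):
        yield render(literals, list(combo))


ATTACKS = {
    "sniper": sniper,
    "battering_ram": battering_ram,
    "pitchfork": pitchfork,
    "cluster_bomb": cluster_bomb,
}


def intruder(template: str, attack: str, payload_sets):
    """Return the full list of requests the chosen attack type would send."""
    literals, bases = parse_template(template)
    if attack in ("pitchfork", "cluster_bomb") and len(payload_sets) < len(bases):
        raise ValueError("pitchfork and cluster bomb need one payload set per position")
    return list(ATTACKS[attack](literals, bases, payload_sets))


# Constructed example: the JSON login body with two positions marked.
LOGIN_TEMPLATE = '{"email":"§user@example.com§","password":"§secret§"}'
EMAIL_PAYLOADS = ["' or 1=1--", "admin'--"]
PASSWORD_PAYLOADS = ["a", "b", "c"]

if __name__ == "__main__":
    for name in ATTACKS:
        requests = intruder(LOGIN_TEMPLATE, name, [EMAIL_PAYLOADS, PASSWORD_PAYLOADS])
        print(f"{name}: {len(requests)} requests")
        for body in requests:
            print("  ", body)
```

Running it shows the request counts that matter when you pick a mode: sniper sends positions times payloads (4 here) and only ever uses the first set, battering ram sends one request per payload (2), pitchfork stops at the shorter set (2), and cluster bomb sends the product (6), which is why cluster bomb against a username list and a password list explodes so quickly in the rate-limited Community edition.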

There is a payload list attached to the room; just download it.

After downloading it, go to Intruder, where we have already added the login-form request.

I simply pressed the Clear button to clear the highlighted fields, then highlighted the email value between the double quotes again, as shown in the screenshot above.

After highlighting it, just click on the 'Add' button.

Now switch to the Payloads sub-tab.

Here click on the Load button and add the previously downloaded file.

After this scroll down a little and uncheck "URL-encode these characters": we don't want the characters in our payload to be encoded, as the characters in the payload are already encoded.

What next? Go back to the Positions sub-tab and click on 'Start attack'.

After clicking, just wait; it's going to take some time, and by the way, as we are using the Community edition, we have some restrictions.

Just press OK.

After getting the result, enter

a' or 1=1-- in the email field and PASSWORD in the password field, and here we are:

logged in.

Task 10 machines are better than us

Task 11 decode and comparer:

decoder allow us to perform various transforms on pieces of data.

B urp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.

where comparer is used to compare different responses or pieces of data such as site maps or proxy histories

so here is b urp documentation on comparer

we use it during enumerating when we wanna compare failed logins using valid and invalid usernames or looking for subtle differences. also useful when enumerating password recovery forms

when after intruder we got different lengths we can compare them to see the difference

while comparing the sites maps or proxy generated by different user to check access control issue either the users can access certain pages

during SQL injection during boolean condition and other simillar ones to compare the responses whether injecting different conditions has resulted in a relevant different in response.
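The first use above, comparing failed logins for a valid and an invalid username, is what a username-enumeration check comes down to. Here is an added Python example (not code from the original post or from Burp) that diffs two constructed login responses at word level, the way Comparer's Words view does, and at byte level; the responses, the function names and the enumeration rule are assumptions made for the example, not real Juice Shop output.

```python
import difflib

# Two constructed login failures as they would sit in HTTP history: one for an
# email that exists (wrong password), one for an email that does not exist.
RESP_KNOWN_USER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"status":"error","message":"Invalid password"}'
)
RESP_UNKNOWN_USER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"status":"error","message":"Invalid email"}'
)


def word_diff(a: str, b: str):
    """Comparer's 'Words' mode: split both responses on whitespace, diff the
    token sequences and return each differing region as
    (tag, words_from_a, words_from_b). An empty list means no difference."""
    wa, wb = a.split(), b.split()
    matcher = difflib.SequenceMatcher(a=wa, b=wb, autojunk=False)
    return [
        (tag, wa[i1:i2], wb[j1:j2])
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


def byte_diff(a: str, b: str):
    """Comparer's 'Bytes' mode: the same diff at byte granularity. Noisier on
    real responses, but it catches changes that whitespace splitting hides,
    such as a single extra space or a changed line ending."""
    ba, bb = a.encode(), b.encode()
    matcher = difflib.SequenceMatcher(a=ba, b=bb, autojunk=False)
    return [
        (tag, ba[i1:i2], bb[j1:j2])
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


def leaks_user_existence(resp_known: str, resp_unknown: str) -> bool:
    """Enumeration rule assumed for this example: if a valid and an invalid
    username produce different failure responses, the login form can be used
    to confirm which accounts exist."""
    return bool(word_diff(resp_known, resp_unknown))


if __name__ == "__main__":
    for tag, left, right in word_diff(RESP_KNOWN_USER, RESP_UNKNOWN_USER):
        print(f"{tag}: {left} -> {right}")
    print("username enumeration possible:",
          leaks_user_existence(RESP_KNOWN_USER, RESP_UNKNOWN_USER))
```

On these two responses the word diff reports a single replaced token, the tail of the JSON message, which is exactly the kind of subtle difference the documentation is talking about; the same responses compared only by Content-Length would look identical apart from a few bytes. Use the byte view when the word view says "equal" but the lengths still differ.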

So here we go. To use Decoder, go to Target, then to the URL you added to the scope, then to /api/Challenges/?name=Score%20Board and

click on it; copy its first line and paste it into Decoder.

After pasting it, click on "Decode as" and select the type; we are going to decode it as URL.

After clicking it we have it decoded,

and it can easily be seen that it was decoded into a plain URL. Before:

GET /api/Challenges/?name=Score%20Board HTTP/1.1

and after:

GET /api/Challenges/?name=Score Board HTTP/1.1

If you don't know which type to choose, just click on Smart decode, and it will automatically attempt to decode the input.

OK, what about Comparer then?

As I mentioned above, one can load words or site maps into Comparer to check for user privilege or access-control issues.

We can also compare two items by words rather than breaking them into bytes, which shows differences at the level of whole tokens instead of single characters.

Task 12: Extender

What about Extender, a.k.a. mods? Here:

Similar to various games like GTA 5, you can add components to Burp Suite too. To add some extensions just follow me, guys:

Go to the Extender tab, Options sub-tab.

Scroll to the "Python Environment" section, as it needs some files.

Just open the Jython standalone download page and download the standalone JAR.

After downloading it, browse to the directory where you saved the file and add it in the standalone JAR section.

Now what?

Just switch to the BApp Store sub-tab and add the extension which you want.

Task 13: What? Why not? Where is New Scan?

Search is only available in Pro, but you can use the "Logger++" extension; search for it in the BApp Store. OK,

alright, my son, that's enough for today.
