DEFEND-THE-WEB INTRO 1–7 CHALLENGES

Challenges

Intro 1:

By just looking over the page source we could find the credentials of the excercise.

We have got the credentials + we have got the csrf-token i.e static csrf-token we we can use it to plan an CSRF attack to this Login Page.

Intro 2

Same we need to find the credentials from the website using recon. This time found in the page source but in different way.

Logging it with the credential we could bypass the auth mechanism.

Intro 4

We don’t have Intro 3 in the platform, thus moving forward for Intro 4:

Same we need to find the credential for the login. Got something interesting in page source

Lets see what we have got in this location:

../../extras/playground/9d2K4Fw.json

Again, we have got credentials from the file of which location was available in Page Source

Intro 5

It is somewhat interesting, we have got directly a password popup for the
password nothing else.

Lets see what we have got in the page source and js

Got the password and solved the lab!!

Intro 6

Need to login as snipergod but we dont have the username in the drop down menu
Guess we need to edit the drop down menu and log in to system by the help of
Developer Tools

Edited JTAM value into snipergod and log in to system.
Completed the Intro 6

Intro 7

Question itself gives a hint of the robots.txt file which could be crawled by
search engine.
Using a password from the robots.txt (we have obtained credentials earlier) and logging into the system.

For more updates and blogs!! Stay Tuned..

Happy Hacking!!

--

--

--

Just an another security nerd… CEH MASTER | PENTESTER

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Launching FatMonks — NFT Launch Guidelines

How WhatsApp and Viber handle our private data

{UPDATE} `Spider Solitaire Hack Free Resources Generator

{UPDATE} 瘋狂猜成語2-天天答題 Hack Free Resources Generator

Probabilistic Encryption using the Goldwasser–Micali (GM) method

{UPDATE} Linotipia Lite Hack Free Resources Generator

Wayru — a review of a potentially X project

Our Critical National Infrastructure Is Possibly Not A Resilient As You Might Think

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vikas Sharma

Vikas Sharma

Just an another security nerd… CEH MASTER | PENTESTER

More from Medium

TryHackMe: [Day 6] Web Exploitation Patch Management Is Hard

Hack the Box: ScriptKiddie

Future of Pentesting: 5 Tips to Improve App Security

SmagGrotto Walkthrough