CodeNinja.

Aakash Choudhary

Vulnos2 CTF Solution 

Here is my solution of the Vulnos2 CTF. Please watch and give your review.

Thanks


Here is the video solution of the Spydersec CTF.

Please watch this and tell me what I should change in my next video, because I am not good at making video solutions.

Thanks





Hello friends. I am CodeNinja a.k.a. Aakash Choudhary.

I am learning CTFs these days and solving them. I am not an expert, but I am trying to learn. I also read other people's writeups to gain knowledge.

I know there are a bunch of writeups of the same CTFs, but I also want to contribute myself.

NOTE :-> My next writeup will be video based, i.e. a video solution.



Hello friends. I am CodeNinja a.k.a. Aakash Choudhary.

Now we will learn all about nmap, which is the pentester's friend. In my upcoming posts I will post solutions of CTFs, and there we will learn the practical usage of nmap.

So lets start :->

<====================NMAP Tutorial =======================>



Nmap is a network scanning and host detection tool that is very useful during several steps of penetration testing. Nmap is not limited to merely gathering information and enumeration; it is also a powerful utility that can be used as a vulnerability detector or a security scanner.


NMAP can be used for :->

1. host discovery
2. port discovery
3. service discovery
4. OS and software version discovery
5. detecting vulnerabilities and security holes, etc.


Techniques used by nmap :->
1. TCP Connect Scanning
2. TCP Reverse ident Scanning
3. FTP Bounce Scanning, etc.


Sometimes while testing a website we don't find any vulnerability in the web application itself, but the host may still be vulnerable: an important port may be open and running a vulnerable service, which can lead to serious problems.

So nmap is the best tool and friend of the PENTESTER; it helps to find open ports and has many other uses.



<========= Practical USAGE of NMAP ========>

NOTE :-> To start, use a virtual machine's IP. In my case I use the OWASP Broken Web Apps VM.

1. Simple scan :->  nmap 192.168.56.101

2. If you want to scan an entire subnet or range [0-255] :->

nmap 192.168.1.*  

or

nmap 192.168.1.0-255

NOTE :-> We can also use netdiscover :->
netdiscover -i vboxnet0 -P -r 192.168.56.0/24

Where
-i interface, like eth0, wlan0, vboxnet0
-P print results in a format suitable for parsing and stop after the active scan (lowercase -p is passive mode: send no packets out on the network, only sniff)
-r range to scan

Why use it?
When I was solving the vulnos2 CTF VM I saw that I couldn't find its IP address, so I used netdiscover to find the IP address of the vulnerable machine vulnos2.

3. nmap 192.168.56.0/cidr ===> nmap 192.168.56.0/24
24 is the CIDR prefix length: the first 24 bits are the network part, so all 256 addresses 192.168.56.0-255 are scanned.

CIDR ? => Classless Inter-Domain Routing => https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

4. Multiple Target Scan =>
nmap 192.168.56.100 192.168.56.101  etc

or

nmap 192.168.56.100-101


5. Suppose you have a list of IPs for testing. Save them in a text file (one per line) and then use this command :->

nmap -iL targetip.txt

or

nmap -iL /home/ninja/AAKASH/nmap/targetip.txt

This will scan the entire list of IPs you saved in that text file.


SCENARIO :->

Suppose I have a site for testing. I use the knockknock python file to scan for subdomains of this site. I got some subdomains and their IP addresses. I saved those IPs in a file and then scanned them using the above command " -iL ".

6. List Scan => -sL : lists every target in the range (with reverse-DNS names) without sending probes to the hosts, useful to check what a range expands to before scanning it.

nmap -sL 192.168.56.101/24


7. Suppose that while scanning an entire subnet I don't want to scan a specific IP address. Then use this command :->

nmap 192.168.56.101/24  --exclude 192.168.56.102


To exclude a whole file of hosts which you don't want to scan :-> --excludefile target.txt


8. Scanning some well-known PORTS like HTTP, FTP, TELNET :->

nmap -p80,21,23 192.168.56.101
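The target syntaxes used above (wildcard, octet range, CIDR, several targets, --exclude/--excludefile, -iL) all boil down to a list of addresses. The following is an added example, not code from the original post or from the Nmap project: it expands those specs in Python with the standard library and writes the kind of one-address-per-line file that `nmap -iL targets.txt` reads. Function names are my own; hostnames are not resolved.

```python
"""Expand Nmap-style target specifications into a plain target list."""
import ipaddress
import itertools


def _octet_values(part: str):
    """Return the integers one octet spec covers: '5', '0-255' or '*'."""
    if part == "*":
        return range(256)
    if "-" in part:
        lo, hi = part.split("-", 1)
        lo_i, hi_i = int(lo), int(hi)
        if not (0 <= lo_i <= hi_i <= 255):
            raise ValueError(f"bad octet range: {part}")
        return range(lo_i, hi_i + 1)
    value = int(part)
    if not 0 <= value <= 255:
        raise ValueError(f"bad octet: {part}")
    return [value]


def expand_target(spec: str):
    """Expand one target spec into a list of IPv4 address strings.

    Supports CIDR ('192.168.56.0/24' -> all 256 addresses, as Nmap does),
    Nmap octet ranges ('192.168.1.0-255', '192.168.56.100-101') and
    wildcards ('192.168.1.*').
    """
    if "/" in spec:
        # strict=False allows host bits to be set, e.g. 192.168.56.101/24
        net = ipaddress.ip_network(spec, strict=False)
        return [str(ip) for ip in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec: {spec}")
    ranges = [_octet_values(o) for o in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*ranges)]


def build_target_list(specs, exclude=()):
    """Expand all specs, drop excluded addresses, keep order, remove duplicates."""
    excluded = set()
    for ex in exclude:                      # behaves like --exclude / --excludefile
        excluded.update(expand_target(ex))
    seen = set()
    result = []
    for spec in specs:
        for ip in expand_target(spec):
            if ip in excluded or ip in seen:
                continue
            seen.add(ip)
            result.append(ip)
    return result


def write_target_file(path, specs, exclude=()):
    """Write one address per line, the format `nmap -iL <file>` expects."""
    targets = build_target_list(specs, exclude)
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")
    return len(targets)


if __name__ == "__main__":
    # constructed example: the tutorial's /24 minus one host, as in item 7
    ips = build_target_list(["192.168.56.101/24"], exclude=["192.168.56.102"])
    print(len(ips), "targets; first:", ips[0], "last:", ips[-1])
```

Writing the expanded list to a file and scanning with `-iL` also gives you a record of exactly which hosts were in scope for that run.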






NMAP SCANNING TECHNIQUES
======================================

1. -sS [SYN Scan] => also called half-open scanning

It gets information from the remote host without completing the TCP handshake: Nmap sends a SYN packet to each port and, if a SYN/ACK comes back, answers with RST instead of finishing the connection, so no session is ever created.

nmap -sS 192.168.56.101


2. -sT [Connect Scan]

It completes the normal TCP three-way handshake.
It finds TCP ports only, not UDP ports.

nmap -sT 192.168.56.101


3. -sU [ UDP Scan ]

It is used to find the open UDP ports of the target machine.

A UDP scan sends a UDP packet to each target port and waits for a response. If an ICMP port unreachable error comes back, the port is closed; if a UDP response arrives, the port is open; if nothing comes back, Nmap reports the port as open|filtered.



nmap -sU -sS 192.168.56.101

I use -sS along with -sU to make it more effective.


4. -sF [ FIN Scan ]

Sometimes a normal TCP SYN scan is not the best option because of a firewall. An IDS or IPS may be deployed in front of the target machine, and a firewall will usually block the SYN packets. A FIN scan sends a packet with only the FIN flag set, so it does not need to go through the TCP handshake.

nmap -sF 192.168.56.101



We can also perform xmas scan (-sX) and Null scan (-sN)


Differences between FIN Scan & XMAS Scan & Null Scan

the FIN scan sends packets containing only the FIN flag

the Xmas scan sends packets with the FIN, PSH and URG flags set

the Null scan sends packets with no flag bits set at all
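Those three scans differ only in the TCP flag byte they send, which is also what makes them easy to spot on the defending side. The following is an added example, not code from the original post or from Nmap: it encodes the flag bits, builds the flag byte each scan named above uses, and runs a small classifier over constructed flow records of the kind a firewall or sensor log would hold. The record layout and function names are my own.

```python
"""Classify TCP probe segments by flag combination (defender's view)."""

# TCP flag bits in the header flag byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# flag byte sent by each Nmap scan type named in the tutorial
SCAN_FLAGS = {
    "-sS SYN scan": SYN,
    "-sT connect scan": SYN,          # a real connect() also starts with SYN
    "-sF FIN scan": FIN,
    "-sX Xmas scan": FIN | PSH | URG,
    "-sN Null scan": 0,
}


def flags_to_str(flags: int) -> str:
    """Render a flag byte as e.g. 'FIN|PSH|URG' or 'NONE'."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST),
             ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    parts = [n for n, bit in names if flags & bit]
    return "|".join(parts) if parts else "NONE"


def classify_probe(flags: int) -> str:
    """Label a single TCP segment's flag byte.

    In a legitimate session every segment after the initial SYN carries ACK
    (a bare RST is the other valid exception). A segment with neither SYN,
    ACK nor RST (FIN alone, FIN|PSH|URG, or no flags at all) has no normal
    meaning and is the signature of the stealth scans above.
    """
    if flags == 0:
        return "null-scan probe"
    if flags == FIN | PSH | URG:
        return "xmas-scan probe"
    if flags == FIN:
        return "fin-scan probe"
    if flags == SYN:
        return "syn (connection attempt or SYN scan)"
    if flags & RST:
        return "reset"
    if flags & ACK:
        return "normal"
    return "unusual"


def summarize(records):
    """Count probe labels per source over (src, dst_port, flags) rows."""
    counts = {}
    for src, _port, flags in records:
        label = classify_probe(flags)
        if label.endswith("probe"):
            counts.setdefault(src, {}).setdefault(label, 0)
            counts[src][label] += 1
    return counts


# constructed sample: one scanning host and one ordinary client
SAMPLE_RECORDS = [
    ("192.168.56.1", 22, FIN | PSH | URG),
    ("192.168.56.1", 80, FIN | PSH | URG),
    ("192.168.56.1", 443, 0),
    ("192.168.56.1", 21, FIN),
    ("192.168.56.50", 80, SYN),
    ("192.168.56.50", 80, ACK),
    ("192.168.56.50", 80, PSH | ACK),
]

if __name__ == "__main__":
    for name, f in SCAN_FLAGS.items():
        print(f"{name:18s} sends {flags_to_str(f)}")
    print(summarize(SAMPLE_RECORDS))
```

A single FIN-only segment can occur when a stale connection is torn down, so real detection rules count probes per source over a time window rather than alerting on one packet; the `summarize` function shows that aggregation in its simplest form.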


What is FIN Flag , PSH Flag , URG Flag ?

Better to learn some networking concepts to know better about them.

http://stackoverflow.com/questions/9153566/difference-between-push-and-urgent-flags-in-tcp


I can't give as detailed an answer as the link above does :P



5. -sP [Ping Scan] (current Nmap versions call this option -sn)

Just like we ping google.com, we can do a Ping Scan using nmap.

It is only used to find out whether the host is alive or not; no ports are scanned.

nmap -sP 192.168.56.101



6. -sV [ Version Detection]

It is used to find out which software and version is running on each of the target's open ports.

nmap -sV 192.168.56.101


7. -sI [Idle Scan]

An advanced scan that hides the real source of the probes.

In an idle scan, Nmap doesn't send the packets from your real IP address. Instead of generating the packets from the attacker machine, Nmap uses another (idle) host on the target network, the "zombie", to bounce the probes, so the target only sees traffic from the zombie.



nmap -sI zombieHost targetHost

nmap -sI 192.168.56.1 192.168.56.101

zombie host :-> 192.168.56.1
target host :-> 192.168.56.101



8. -O [OS Detection]

Used to find out the operating system of the target.

nmap -O 192.168.56.101


Nmap OS fingerprinting discovers the:

1. Device type (router, workstation, and so on)
2. Running (the running operating system family)
3. OS details (the name and version of the OS)
4. Network distance (the distance in hops between the target and the attacker)



If the target system blocks ping (for example behind a firewall/IDS/IPS) use -Pn (older versions spell it -PN) to skip host discovery and scan it anyway :->

nmap -O -PN 192.168.56.101/24


We can also make nmap guess the operating system more aggressively when there is no exact match :-> --osscan-guess
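The results of -sV and -O are most useful when kept as an inventory and compared between runs. Nmap can write its results as XML with `-oX scan.xml`; the following is an added example, not code from the original post or from Nmap, that parses that format with the Python standard library, collects open ports with detected product/version plus the best OS match and hop distance, and diffs two inventories to flag newly opened ports. The XML is a constructed sample shaped like Nmap's output, not a capture of the VM, and the function names are my own.

```python
"""Turn Nmap -oX output from a -sV/-O scan into an inventory and diff it."""
import xml.etree.ElementTree as ET

# constructed sample in the shape of Nmap XML output (values are invented)
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.56.101">
  <host>
    <status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ProFTPD" version="1.3.3"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3p1"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.14"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/><osmatch name="Linux 3.X" accuracy="90"/></os>
    <distance value="1"/>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"open_ports": [...], "os": (name, accuracy), "distance": hops}}."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                       # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entry = {"open_ports": [], "os": None, "distance": None}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            entry["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),     # only present after -sV
                "version": get("version"),
            })
        # keep the osmatch with the highest accuracy (-O output)
        best = None
        for match in host.findall("os/osmatch"):
            acc = int(match.get("accuracy", "0"))
            if best is None or acc > best[1]:
                best = (match.get("name"), acc)
        entry["os"] = best
        dist = host.find("distance")
        if dist is not None:
            entry["distance"] = int(dist.get("value"))
        inventory[addr_el.get("addr")] = entry
    return inventory


def newly_open_ports(baseline, current):
    """Per host, the (proto, port) pairs open now that were not open before."""
    changes = {}
    for ip, entry in current.items():
        before = {(p["proto"], p["port"])
                  for p in baseline.get(ip, {}).get("open_ports", [])}
        now = {(p["proto"], p["port"]) for p in entry["open_ports"]}
        added = sorted(now - before)
        if added:
            changes[ip] = added
    return changes


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for ip, entry in inv.items():
        print(ip, "os:", entry["os"], "hops:", entry["distance"])
        for p in entry["open_ports"]:
            print("  ", p["proto"], p["port"], p["service"], p["product"], p["version"])
```

Run the same scan on a schedule, keep each XML file, and feed yesterday's and today's inventories to `newly_open_ports`: a service that appears without a change ticket is worth a look.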



9. To scan faster use the -T timing option, like :->

nmap -T5 192.168.56.101/24

(-T5 is the fastest and noisiest template; it can miss ports on slow links.)

and for more detailed (verbose) output :-> -v

nmap -v 192.168.56.101



=======================================================================


            <=== NSE [ Nmap Script Engine ] ===>
================================================


NSE is the most powerful feature of the Nmap scanner.

The Nmap Scripting Engine allows us to write scripts (in Lua) that run with Nmap to automate almost any task.

The Nmap man page contains the following about the scripting engine options:

           SCRIPT SCAN:
             -sC: equivalent to --script=default
             --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
             --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
             --script-trace: Show all data sent and received
             --script-updatedb: Update the script database.

The --script-trace option is used for debugging, to show all data sent and received by the scripts.



SCRIPT CATEGORIES :->

1. auth : scripts that work with authentication credentials

2. broadcast : scripts that discover active hosts by broadcasting on the local network and adding them to the target list

3. brute : scripts that brute-force the credentials of remote hosts

4. default : scripts that run automatically with the -sC or -A options

5. discovery : scripts that try to get more information about the target network

6. dos : scripts that may crash the target application and therefore cause a denial of service on the target

7. exploit : scripts that may be able to exploit the target application

8. external : scripts that send data to a third-party server over the network (e.g. whois)

9. fuzzer : scripts that send invalid random data to the target to find undiscovered bugs

10. intrusive : scripts that can cause the target to fail

11. malware : scripts that test whether the target is infected by malware or backdoors

12. safe : scripts that can be run safely, so they will not crash a server

13. version : scripts that determine the version of the application running on a target (they run only when the -sV option is specified)

14. vuln : scripts that check whether the target is vulnerable to specific known flaws


======================================================================





Hello Friends. I am CodeNinja a.k.a. Aakash Choudhary

If you want to increase your knowledge of web pentesting and bug finding, I am sharing some important blogs and slides to read.

I will update this list from time to time.

Thanks
[BLOGS]
  1. Shawar Khan
  2. Ajay Singh Negi
  3. Ali Hasan
  4. INFOSEC Resources [Always Follow]


[SLIDES]

  1. Secret Life of a Bug Hunter
  2. IDOR [Insecure Direct Object Reference]
  3. Logical Attacks

[Youtube]





Hi friends, I am CodeNinja a.k.a. Aakash Choudhary.

Today I am sharing tips related to bug hunting which I learned from my brother "Shawar Khan", so full credit goes to him.


Browse the site you want to test and try to find all APPLICATION ENTRY POINTS.

Example :
  1. GET
  2. POST
  3. COOKIE
  4. SEARCH BOX
  5. Comment Section
  6. Contact Us Section
  7. Hidden POST in FORMS
  8. LOGIN

After finding the user input fields (the application entry points), test those fields.

Try to understand the mechanism behind each field: what action it performs on the server.



Check the JAVASCRIPT validation and try to understand it; it runs in the browser, so it only guards the client side.



The next thing to remember during TESTING is to always test both the CLIENT SIDE and the SERVER SIDE handling of a request.

Intercept the request/response with Burp Suite to understand them.

Example :->

A PASSWORD Change Field i am going to test.

Three Fields i see :->
  1. Current Password
  2. New Password
  3. Confirm New Password

So in this MECHANISM the current password is required.
To test it, intercept the request and, using Burp Suite, remove the parameter :-> Current Password, then forward the request. If we see a
200 OK response, it means we bypassed the server-side validation.
Note: first enter any text as the current password and your new password in the next two fields, then intercept the request.
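What the test above probes is whether the server re-checks the current password itself or relies on the form's JavaScript having done it. The following is an added example, not code from the original post or from any site Shawar Khan or the author tested: two plain-Python handlers with hypothetical names model a weak and a hardened server-side password change for the same three fields, against a constructed in-memory user store hashed with the standard library's PBKDF2.

```python
"""Server-side handling of a password-change form: weak vs hardened."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# constructed in-memory user store: username -> (salt, digest)
USERS = {}


def add_user(username, password):
    USERS[username] = hash_password(password)


def change_password_weak(session_user, form):
    """Trusts that the browser already checked the current password.

    The JavaScript validation can be skipped by editing the request, so a
    form with 'current_password' removed still gets 200 OK here. This is
    the behaviour the Burp test above detects.
    """
    new = form.get("new_password")
    if not new or new != form.get("confirm_password"):
        return 400, "passwords do not match"
    USERS[session_user] = hash_password(new)
    return 200, "password changed"


def change_password_hardened(session_user, form):
    """Re-validates everything on the server, whatever the client sent."""
    current = form.get("current_password")
    new = form.get("new_password")
    confirm = form.get("confirm_password")
    if not current or not new or not confirm:
        return 400, "missing field"          # a removed parameter is rejected, not ignored
    if new != confirm:
        return 400, "passwords do not match"
    salt, digest = USERS[session_user]
    if not verify_password(current, salt, digest):
        return 403, "current password incorrect"
    USERS[session_user] = hash_password(new)
    return 200, "password changed"


if __name__ == "__main__":
    add_user("ninja", "OldPass123")
    tampered = {"new_password": "NewPass456", "confirm_password": "NewPass456"}
    print("weak    :", change_password_weak("ninja", tampered))
    add_user("ninja", "OldPass123")
    print("hardened:", change_password_hardened("ninja", tampered))
```

The fix is not a better error message but the ordering in the hardened handler: every field is required, the current password is verified against the stored hash, and only then is the store updated. The same pattern applies to any "mechanism" field the tutorial tells you to hunt for.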


To understand what a MECHANISM is, see another MECHANISM example :-

A Session Hijacking attack consists of exploiting the web session control mechanism, which is normally managed by a session token.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server.
Once the attacker has successfully stolen the user's session token, the attacker is able to log into the victim's session by using the cookies he has stolen.

Conclusion :->

Check both client-side and server-side request handling. Find the application entry points and then test them.


I will give more tips on this in the future.

CREDIT :-> My brother [Shawar Khan]

Thanks

