![]() ![]() Refresh the page to successfully logging in. We can manually create the cookie on the login page named “SessionToken” and assign it any value as there is no code to validate our cookie. There is an alternate method to login as the login.js is creating a cookie in case of successfully logging in. Wow! we got access to the page without the credentials. We get the response as expected now change it to anything else or delete “Incorrect Credentials” and again forward the request. Now, as we want to change the response, not the request so choosing Action > Do intercept > Response to the request.įorwarding the request to get the response: Here lies the vulnerability as a user can change the response of /api/login from “Incorrect Credentials” to anything else using BurpSuite and trick the server to run the else part of the code. Till here, everything seems perfect now in the Conditional statement it checks if the response from the server is “Incorrect Credentials” then it will not allow access otherwise, it will set a cookie named “SessionToken” to statusOrCookie and redirect us to the admin panel. The variable creds take the credentials, and variable response sends them to /api/login for validation, and the statusOrCookie variable takes the response. The function login() in the box is the vulnerable code that will let us bypass the login form. Just enumerating the files associated with the source code shows us an exciting file named login.js containing the function used in the login form on the /admin page. Now no clue on credentials, also brute-forcing is not the solution as mentioned in the hint. Dirsearch Scanĭirectory scanning showed many pages but /admin/ seems interesting. This shows a normal webpage with some information about overpass password manager.There are only two pages linked with homepage which seems usual,so starting a directory scan. Simultaneously starting nikto scan till then but got nothing unusual. EnumerationĪs always starting with a nmap scan.Only two 22 with SSH and 80 with Http are open.Rest are filtered.Initially no clue on SSH so moving to Enumerate Http. Also, using some automated Privilege Escalation scripts like linpeas.sh makes it more interesting. It is worth solving this room as it contains some essential Owasp Top 10 vulnerability, i.e Broken Authentication. Hello, today we are going to solve an exciting room Overpass, which is quite different for me than other challenges. You should find that you get an alert box from the site indicating a successful XSS attack !Ĭongratulations, you bypassed the filter ! Don't expect it to be quite so easy in real life, but this should hopefully give you an idea of the kind of situation in which Burp Proxy can be useful.Here is a walkthrough of the TryHackMe room “Overpass.” If you haven’t already completed the challenge, you can do so here. This process is shown in the GIF below :įinally, press the "Forward" button to send the request. It does this by providing the ability to capture and manipulate. After pasting in the payload, we need to select it, then URL encode it with the Ctrl + U shortcut to make it safe to send. Burp Suite is a framework written in Java that provides a great package of tools for penetration testing of web and mobile apps. With the request captured in the proxy, we can now change the email field to be our very simple payload from above: alert("Succ3ssful XSS"). ![]() Submit the form - the request should be intercepted by the proxy. For example: as an email address, and "Test Attack" as a query. Now, enter some legitimate data into the support form. For example: 'pentesterexample.thm' as an email address, and 'Test Attack' as a query. If you haven’t already completed the challenge, you can do so here. First, make sure that your Burp Proxy is active and that the intercept is on. First, make sure that your Burp Proxy is active and that the intercept is on. Writeup TryHackMe - Overpass Walkthrough Walkthrough of Overpass room - Tryhackme Overpass - Tryhackme Walkthrough Here is a walkthrough of the TryHackMe room Overpass. Now switch over to the Payloads sub-tab and load in the same. The other two positions will be handled by our macro. 2- Clear all of the predefined positions and select only the username and password form fields. Let's focus on simply bypassing the filter for now. Configure the positions the same way as we did for bruteforcing the support login: 1- Set the attack type to be 'Pitchfork'. There are a variety of ways we could disable the script or just prevent it from loading in the first place. You should find that there is a client-side filter in place which prevents you from adding any special characters that aren't allowed in email addresses :įortunately for us, client-side filters are absurdly easy to bypass. Try typing: alert("Succ3ssful XSS"), into the "Contact Email" field. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |