lab1

To download

• SwitchyOmega or SwitchyProxy or similar
• burp and/or zap (links up)
• curl
• dirbuster and/or gobuster (links up)
• wappalyzer
• docker

To read

• Bash Scripting: https://linuxconfig.org/bash-scripting-tutorial-for-beginners
• Python basics: https://python101.readthedocs.io/pl/latest/podstawy/index.html
• Model-View-Controller (MVC): https://realpython.com/the-model-view-controller-mvc-paradigm-summarized-with-legos/
• HTTP basics: https://sekurak.pl/protokol-http-podstawy/
• Dockera basics: https://infra.knbit.edu.pl/03-docker/

lab setup

• local: here
• remote at: aghws.jctf.pl

lab solutions

• find them here

The content

HTTP crash course (presentation here)

• TODO: read about stuff in presentation
• how it looks like
• urls and resources
• methods and response codes
• headers, cookies, params
• content types and encodings
• dev console

Local proxy

• TODO: setup the burp
• how do we catch requests
• burp
• zap

Encoding

• TODO: go to https://aghws.jctf.pl/lab1/strange-... somehow

  @app.route('/strange-!?"#$%&\'()*+,-./:;/<string:t1>')
  def strange(t1):
      is_ok = True
  
      t1 = unquote(t1)
      if t1 != '!?"#$%&\'()*+,-./:;':
          is_ok = False
  
      if 't2=' not in request.args or request.args['t2='] != ';:/.-,+*)(\'&%$#"?!<>':
          is_ok = False
  
      if is_ok:
          return 'Ok, you made it'
      else:
          return 'Nope'

Tips

• run the code locally
• complete the challenge step by step - first get to the valid route, then one param, then another
• make debug prints in the code to uderstand what is wrong

bruting & recon - wappalyzer, curl

• TODO: find what language/server the app uses
• TODO: didn't have time at the lab, but checkout curl tool and use it for bruteforcing
• curl
• seclists
  • wordpress
  • py
  • pycache

bruting & IDOR - busters

• TODO: use gobuster for the lab task
• dirbuster
• gobuster

python & IDOR - busting with automation

• TODO: use python for next lab task