Road to Pentester – INE Lab – BurpSuite

Lab Intro

A local police department has hired you to pentest their website. They had a new website created by a web development company and they want to make sure that everything is secure and in order.

In this lab you will practice with Burp Suite, configuring the scope of the engagement, intercepting the communications with a webserver and spidering a target web application. You can access the target web application at the following address 10.100.13.5.

Goal

The goal of this lab is to test the given web application in order to find a hidden path that contains a restricted area. Once the hidden path is discovered, your goal will be to bypass the authentication exploiting a "feature" left over by the developers while "debugging" the area.

Solution

Burp

Examine the webapp. The home page is like this.
Click around to build the site map, and add the host to scope as the task requests.

Right click on the domain and select add to scope.
Click on the filter and choose "Show only in-scope items".
Let's check whether there is a robots.txt file.
Yes, there is.
Let's visit the path listed in the file. It's a login page, and the backend is PHP.

Trying to log in as admin:admin shows an error.
There's nothing useful in the home page's source.

Let's use Repeater to check the login page again. Try to log in and intercept the request.
Press Ctrl + R to send the request to Repeater.
After sending the request to the server, I got a message at the bottom of the response.

Resending the request with that parameter shows the restricted area on the server.
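To make the class of bug concrete, here is an added PHP illustration (not the lab's application or INE's code) of a login handler with a leftover debugging shortcut next to its hardened form; the parameter name `debug`, the user table and the password are hypothetical.

```php
<?php
// Added illustration, not the lab's code: a leftover debugging shortcut in a
// login handler, followed by the hardened version. The "debug" parameter,
// the user table and the password below are hypothetical.
declare(strict_types=1);
session_start();

// --- Vulnerable pattern: a debug switch that skips the credential check ---
function authenticate_vulnerable(array $query, array $post, array $users): ?string
{
    // Left over from development: any request carrying the hypothetical
    // ?debug=1 is treated as authenticated, so the password check never runs.
    // A hint about it printed in the page footer is exactly what a proxy
    // like Burp or ZAP lets a tester notice in the raw response.
    if (isset($query['debug']) && $query['debug'] === '1') {
        return 'admin';
    }
    return authenticate_hardened($post, $users);
}

// --- Hardened pattern: no environment-dependent shortcuts at all ---
function authenticate_hardened(array $post, array $users): ?string
{
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    // password_verify() compares against a stored hash in constant time.
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        return $user;
    }
    return null;
}

// Constructed user table: the hash is generated at runtime for this example only.
$users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

$who = authenticate_hardened($_POST, $users);
if ($who === null) {
    http_response_code(401);
    // Keep failure responses generic: no hints about hidden parameters or paths.
    exit('Login failed');
}
// Rotate the session id on privilege change to prevent session fixation.
session_regenerate_id(true);
$_SESSION['user'] = $who;
echo 'Welcome, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Reviewing a code base for query parameters that short-circuit authentication, and grepping templates for developer comments that mention them, catches this before a spider does.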

ZAP

Set ZAP to intercept requests by clicking the dot (the break button).
Make a request.
Now the target appears in the Sites panel.
Let's right-click the site and select Attack -> Spider, then click Start Scan.
After a while, the path has been discovered.

In the Messages tab, find the URL and open it in the browser.
The login page shows up.
The ZAP HUD provides a live view of the requests and responses, but it's not very user-friendly because there's no syntax highlighting.
Back in ZAP, I got the same message.

Task completed.

Time elapsed: one and a half hours.
