Day 3 (Task 8) Christmas Chaos – Advent of Cyber 2 TryHackMe

Today we will be looking at web exploitation.  Burp Suite is the go-to tool when performing web application testing.  It allows you to intercept requests and modify them before they are sent to the website.  There are a lot of other useful features too, such as brute forcing web forms or automating the search for directories.

Let’s open up Burp Suite and take a look.  The Proxy tab allows us to view the requests that are being intercepted.  The newer versions of Burp let you open a built-in browser that is already configured to work with Burp.  This saves us from having to set up a proxy in the web browser.  Click on Open Browser to open Burp’s built-in browser.

Under the Proxy tab click on the Intercept is on button to turn it off.  For now we simply want to visit the website without looking at the request; we will look at the request later.

Let’s try to log in with admin:admin.

Interesting, it tells us our password is incorrect.  Let’s log in with the username HackerMan and a password of Hacked.

Now it tells us that our username is incorrect.  So one thing we know for certain is that this web application is vulnerable to username enumeration.  This is where you can keep trying various usernames and the error message tells you whether or not each one exists.  This helps attackers build lists of valid usernames and then attempt to log in with various passwords.

A secure web application should respond with an error message that says “Your username or password is incorrect.”  This lets the application inform the user that something was wrong with the username / password combination without revealing which of the two was incorrect.
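To make the difference concrete, here is an added example (not code from the room or from Burp) of a login handler written the leaky way the target behaves, beside a hardened version that returns the same message for both failure cases and does the same amount of work whether or not the username exists.  The user store, salt and hashing scheme are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: a static salt and a single account (not the room's real backend).
_SALT = b"constructed-static-salt"
_ITERATIONS = 10_000

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)

USERS = {"admin": _hash("12345")}
# Dummy hash compared against when the username is unknown, so the hardened path
# costs the same time either way and does not leak account existence through timing.
_DUMMY = _hash("placeholder-not-a-real-password")

def login_vulnerable(username: str, password: str) -> str:
    """Leaks which field was wrong; the differing messages (and lengths) are what
    Intruder's Cluster Bomb results expose."""
    if username not in USERS:
        return "Username is incorrect"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "Password is incorrect"
    return "302 Location: /tracker"

def login_hardened(username: str, password: str) -> str:
    """One generic message for every failure, identical length, constant work."""
    stored = USERS.get(username)
    expected = stored if stored is not None else _DUMMY
    match = hmac.compare_digest(expected, _hash(password))
    if stored is None or not match:
        return "Your username or password is incorrect"
    return "302 Location: /tracker"

def leaks_field(handler, valid_user: str, bogus_user: str, bad_password: str) -> bool:
    """Defender's check: does a wrong password for a real user produce a different
    response than a bogus user?  True means the handler enables username enumeration."""
    return handler(valid_user, bad_password) != handler(bogus_user, bad_password)

if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "enumerable:", leaks_field(handler, "admin", "HackerMan", "Hacked"))
```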

While we now know that admin is a valid username, maybe we can still find other usernames.  Let’s turn intercept on in Burp Suite, and then attempt to log in with test:test.

We can see that the username and password are both test.  Here we could modify them, but there’s no reason to, because we entered the login combination ourselves.

Looking at the request we notice it’s a POST request.  This is expected, because we are sending our information to the server.  If you just visit a page you are making a GET request to fetch the data.  For this challenge the only parts we care about are the username and password.  If you right click on the white area you can send this request to several different tools within Burp Suite.  For this we will send it to Intruder.  Intruder allows us to supply a list of payloads to try at specific positions in the request.  We want to modify the username and password fields to see if we can find a valid login.

We want to change the Attack Type to Cluster Bomb.  This will try every combination of the words we supply as username / password pairs.  Hit the Clear button, then highlight test in the username field and click Add.  Now do the same for test in the password field.  You’ll notice that test gets some additional symbols around the word.  This shows that those fields are now set as the payload positions for our attack.

For Payload set 1, under Payload Options, create a small wordlist of possible usernames such as admin, administrator, root.

Now change the Payload set to 2.  This will be the password list.  Make a small list of passwords such as password, admin, 12345, 123456.

Now we can click Start attack in the top right corner.

We can see the responses tell us whether our username or password was incorrect.

Looks like our username is admin.  When the password 12345 is tried, the response has a different length than all the other responses.

Finally, you can look at the Response and notice that the Location header has changed to /tracker, which means we have successfully authenticated!

Now we can log in with the username admin and the password 12345 in a web browser.

Finally we have our flag!  Thanks for joining me on this walkthrough.  I hope you are starting to see how powerful Burp Suite can be!