Index

1. Problem information

2. Problem solving

3. Review


 

 

 

[Problem information]


 

 

 

[Problem solving]

1. I accessed the server with rcity7 user.

 

 

2. There was no "flag" file. So I had to find a running network port as shown in the problem information.

 

 

3. I used the "netstat -a" command to check the network connection status, but the "netstat" command didn't work. Therefore, I scanned localhost using "nmap", a tool for scanning the network. Of the open ports, port 9999 looked suspicious.

 

 

4. I used "netcat" to access that port and entered the password.


 

 

 

[Review]

You can find more details and options for nmap and netcat using the "man" command.

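Intranet PCs connected to the defense network are restricted in which programs can be installed. Even the PCs in the Cyber Knowledge Information Room have slow internet and blocked ports, so some sites are inaccessible. So how should one study security?

1. Since the defense network itself runs in a browser, web development with Notepad is possible.

2. Build a server with goorm IDE and study web hacking while making a bulletin board.

3. Solve algorithm problems on online algorithm sites, or study JS algorithms in the Chrome DevTools console -> prepare for coding tests.

4. Use a tablet + mouse + keyboard combination with Chrome Remote Desktop or TeamViewer to study on the computer at home.

5. Pwnable problems are possible using goorm IDE.

6. GitHub Codespaces is a web container, so it can communicate with the outside from within the military; development in a CLI environment, nc and ssh connections, nmap or Metasploit, and environment setup are possible. However, when the challenge or machine is a web service (Dreamhack web VM, etc.), it cannot be reached from Codespaces, so it has to be accessed from the military network, but almost all ports are blocked on military computers, so the site cannot be reached.

7. TryHackMe labs can be done in a web container, but access to the web pages served when a lab machine is created is heavily restricted.

8. Wouldn't it be possible to use a TryHackMe cloud instance via "Use AttackBox"?

9. Red team infrastructure building or OSINT practice might be possible?
Red team building room: https://tryhackme.com/room/grootredteamlab
OSINT room: https://tryhackme.com/room/grootosint

10. Among foreign resources, https://pentesterlab.com/ offers specialized web hacking courses, but it also runs in the cloud, so if unverified external web services are blocked, it may be difficult..

11. Study CS from books.

12. In security, English study and health are quite important. Study English and exercise for health.

I haven't actually enlisted yet, so this isn't accurate; I'm preparing in advance.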

SQL injection (SQLi) is an injection-based web vulnerability that allows an attacker to perform malicious actions against a backend database by manipulating the SQL queries a web application uses to query it. Successful exploitation of SQL injection could allow an attacker to obtain sensitive or private data held by the organization and, in severe cases, take full control of or completely compromise the organization's data.

 

 

 

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

 

 

[Information]

 

 

 

[Problem solving]

1. I accessed the Lab server.

I selected the "Accessories" category. There were three products in it.

 

 

2. I sent the request with the category parameter set to "Accessories' or 1=1--". The ' closes the category string, or 1=1 makes the condition always true, and -- comments out the rest of the query. All accessories, including hidden ones, appeared on the screen because the condition limiting results to released accessories was commented out.

These are the SQL comment styles by database type.

| Type | MySQL | Oracle | MSSQL | MariaDB | Sybase IQ | Sybase ASE | DB2 |
|---|---|---|---|---|---|---|---|
| Single-line comment | # | -- | -- | --, # | --, //, % | -- | -- |
| Multi-line comment | /* content */ | /* content */ | /* content */ | /* content */ | /* content */ | /* content */ | /* content */ |

 

 

 

Lab: SQL injection vulnerability allowing login bypass

 

 

[Information]

 

 

 

[Problem solving]

1. I accessed the Lab server.

 

Then I clicked on the "My account" hyperlink. There was a login form.

 

 

2. I entered the string "administrator'--" in the Username input and "any text" in the Password input. This logged me in as the administrator user: "administrator" is the user name, the ' closes the string, and -- comments out the password part of the query.


 

 

 

 

 

Reference:

https://www.bugbountyclub.com/pentestgym/view/52 

 

1. find / -name "password": Search for the file name "password" in the entire file system.

2. grep -r "password" /: Search for the string "password" in the entire file system.

3. ls -IR | grep "password": Displays a list of files in the current directory and subdirectories, filtering and outputting the string "password" from that list.

4. chmod -R 777 / | grep "password": Trying to change permissions for all files and directories while also finding lines containing the string "password".

 


Index

1. Problem information

2. Problem solving

3. Review


 

 

 

[Problem information]


 

 

 

[Problem solving]

1. I accessed the server with rcity6 user.

 

 

2. I listed the files, and there was a "flag" file. The problem information said that I should find out what type of file this is. So I used the file command to find out what it is. The "flag" file was an ELF file. ELF files are executable files that run on Linux, like EXE files.

 

 

3. I tried to check the content of the "flag" file using the cat command, but the text came out broken.

4. Then I used the strings command to print out all strings to the terminal. As a result, I could find strings similar to the flag pattern/length.


 

 

 

[Review]

It's quite easy.


Index

1. Problem information

2. Problem solving

3. Review


 

 

 

[Problem information]


 

 

 

[Problem solving]

1. I accessed the server with the rcity5 user.

2. I listed the files, and there was a "flag.txt" file. So I printed the contents of that file to the terminal. There was a string encoded in base64. The base64-encoded string ends with '='. It looked like it would have to be decoded.

 

 

3. I used the base64 command to decode that string. 

 

 

4. There was another way to decode that text: using a Base64 decoding web service.

(https://www.base64decode.org/)


 

 

 

[Review]

You can see options for the base64 command in the picture below.

 

 

The base64 encoding and decoding methods in the terminal are summarized as follows. 

 

- Base64 encoding: base64 'file name'

- Base64 decoding: base64 -d 'file name'

 


Index

1. Problem information

2. Problem solving

3. Review


 

 

 

[Problem information]


 

 

 

[Problem solving]

1. I accessed the server with the rcity4 user.

 

 

2. I listed the files, and there was a "flag.txt" file, so I checked the contents of that file. There were too many strings in it.

 

 

3. In the problem information, the flag was said to be near the string "flag is here". First, I tried to find the "flag is here" string in the "flag.txt" file using the grep command, but there were no results. After that, I added the -i option, which ignores case distinctions in patterns and data, to find the "flag is here" string. This turned up the string "fLag Is HerE", and a string presumed to be the flag could be identified next to it.


 

 

 

[Review]

You can see many options for the grep command in the picture below.


Index

1. Problem information

2. Problem solving

3. Review


 

 

 

[Problem information]


 

 

 

[Problem solving]

1. I accessed the server with the rcity3 user.

 

 

2. As shown in the problem information, you need to find the "<flag-file>.txt" file among the numerous directories. In fact, there were many directories in the server. 

 

 

3. I used the find command to retrieve all files with the ".txt" extension under the current directory. There was only one file with the ".txt" extension. So I checked the content of the "f14g.txt" file.


 

 

 

[Review]

You can see many options for the find command in the picture below.


Index

1. Problem information

2. Problem solving

3. Review


 

 

 

[Problem information]


 

 

 

[Problem solving]

1. I accessed the server by entering the contents of the flag file from the Operation RCity1 problem as the password.

 

 

2. I used the ls command to see which files or directories exist in the current path. There was nothing in it. So I used the -a option to list all files and directories, including hidden files. There were four hidden files.

 

 

3. Among the hidden files, the ...catthisfile.txt file was very suspicious. That's like saying "Hey, check the content of this file using the cat command". Therefore I checked the content of this file.


 

 

 

[Review]

The ls command has a number of options. You can see a description of the -a option as well. It says, "do not ignore entries starting with .". Most hidden files are files that begin with '.'. That means this option will also include the hidden files.


Index

1. Problem information

2. Problem solving

3. Review


 

 

 

[Problem information]


 

 

 

[Problem solving]

1. I accessed the server using SSH, but the server required a password. There was a hint about the password in the problem information. It said "flag.txt file will contain the password". So I entered the contents of the flag file obtained from the Operation RCity0 problem as the password.

2. I determined which files or directories exist in the current path. There were three directories. In particular, there was a directory named flag. I entered it, but there were no files in it.

 

 

3. Then I checked the directory named 'maybe here'. There was a 'fl ag.txt' file in it. So I checked what was in there. 


 

 

 

[Review]

It's easy.
