๐๐๐ Whats Your Name? TryHackMe CTF walk through ๐๐
Table of Contents
Introduction
This tutorial will guide you through the TryHackMe Capture The Flag (CTF) challenge titled "Whats Your Name?". The focus will be on utilizing client-side exploitation skills, including JavaScript inspection, cookie manipulation, and launching Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. By following these steps, you will enhance your understanding of web application security and client-side vulnerabilities.
Step 1: Setting Up Your Environment
- Ensure you have a web browser with developer tools enabled.
- Familiarize yourself with the following tools
- Burp Suite for intercepting web traffic.
- Browser Developer Tools (usually found under F12) for inspecting elements and JavaScript.
Step 2: Inspecting JavaScript
- Open the target web application in your browser.
- Use the developer tools to examine the JavaScript code
- Navigate to the "Sources" tab to locate JavaScript files.
- Look for functions that handle user input or cookies.
- Identify potential vulnerabilities, such as functions that could be exploited for XSS attacks.
Step 3: Manipulating Cookies
- Locate the "Application" tab in the developer tools.
- Find the "Cookies" section and examine the stored cookies for the web application.
- Note any cookies that may be easily manipulated, such as session IDs or user roles.
- Consider using cookie manipulation techniques to gain unauthorized access.
Step 4: Launching an XSS Attack
- Identify a vulnerable input field on the web app (for example, a search bar).
- Craft a malicious script, such as:
<script>alert('XSS Attack');</script>
- Input the script into the vulnerable field and submit it to test if the application reflects it back.
- If successful, you may want to use more sophisticated payloads to extract session cookies or perform actions on behalf of the user.
Step 5: Executing a CSRF Attack
- Understand how CSRF works, which exploits the trust a web application has in the user's browser.
- Identify a form or action that can be triggered without authentication.
- Create a malicious HTML page with a form that submits to the target web application using:
<form action="http://targetwebsite.com/perform_action" method="POST"> <input type="hidden" name="param" value="malicious_value"> <input type="submit" value="Submit"> </form>
- Host this form and trick the user into submitting it.
Step 6: Using Provided Scripts
- Access the scripts mentioned in the video description for XSS and CSRF
- Review the code to understand how they operate and adapt them for your testing purposes.
Conclusion
In this tutorial, you learned how to exploit client-side vulnerabilities in a web application by inspecting JavaScript, manipulating cookies, and launching XSS/CSRF attacks. These skills are crucial for understanding web security. As next steps, consider practicing in other CTF challenges or exploring more advanced exploitation techniques. Keep honing your skills, and always stay updated on the latest security practices.