
/d/hacking

8,772 subscribers

Everything related to hacking, opsec, and programming. Malware, phishing, DDoS, coding, research and news.

Ways to learn

by /u/Gostu · 6 votes · 2 weeks ago

The question "how to hack" is brought up a lot, usually by the lazy population. One great way to get started is by reading CTF write-ups, bug bounty reports and the writings of other hackers. I'll use Phineas Fisher in this example.

For finsupport.finfisher.com the process was:

* Start nikto running in the background.

* Visit the website. See nothing but a login page. Quickly check for sqli in the login form.

* See if WhatWeb knows anything about what software the site is running.

* WhatWeb doesn't recognize it, so the next question I want answered is if this is a custom website by Gamma, or if there are other websites using the same software.

* I view the page source to find a URL I can search on (index.php isn't exactly unique to this software). I pick Scripts/scripts.js.php, and google: allinurl:"Scripts/scripts.js.php"

* I find there's a handful of other sites using the same software, all coded by the same small webdesign firm. It looks like each site is custom coded but they share a lot of code. So I hack a couple of them to get a collection of code written by the webdesign firm.

At this point I can see the news stories that journalists will write to drum up views: "In a sophisticated, multi-step attack, hackers first compromised a web design firm in order to acquire confidential data that would aid them in attacking Gamma Group..."

But it's really quite easy, done almost on autopilot once you get the hang of it. It took all of a couple minutes to:

* google allinurl:"Scripts/scripts.js.php" and find the other sites

* Notice they're all sql injectable in the first url parameter I try.

* Realize they're running Apache ModSecurity so I need to use sqlmap [0] with the option --tamper='tamper/modsecurityversioned.py'

* Acquire the admin login information, login and upload a php shell (the check for allowable file extensions was done client side in javascript), and download the website's source code.

Looking through the source code they might as well have named it Damn Vulnerable Web App v2. It's got sqli, LFI, file upload checks done client side in javascript, and if you're unauthenticated the admin page just sends you back to the login page with a Location header, but you can have your intercepting proxy filter the Location header out and access it just fine.

Source: The Anarchist Library | Author:Phineas Fisher | Hackback - A DIY GUIDE II

Take the time to read it; it's a great way to develop tips and tricks and further your skills. Practice using CTFs such as those of THM, HTB and VulnHub.

Work on a strong methodology and read up on the cyber kill chain. Get started here by looking at Jason Haddix.
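Two of the defects the quoted write-up describes, the redirect-only admin check and the client-side upload filter, come down to a few lines of server code. The PHP below is an added example, not code from the post or from the Hackback guide; the file names, the allowlist and the storage directory are assumptions, and each weak version sits beside the fixed one.

```php
<?php
// Added example (not from the Hackback guide or the post). File names,
// the allowlist and the upload directory are assumptions.

// 1. Redirect-only "protection": the Location header is sent, but because
//    the script keeps running, the admin page body is still emitted.
//    Anything that ignores the header gets the full page.
function admin_page_weak(bool $loggedIn): string {
    if (!$loggedIn) {
        header('Location: /login.php');   // no exit: execution continues
    }
    return render_admin();                // body still goes to the client
}

// Fix: make the decision on the server and stop executing. Nothing is
// rendered for an unauthenticated request, whatever the client does
// with the redirect.
function admin_page_fixed(bool $loggedIn): string {
    if (!$loggedIn) {
        header('Location: /login.php', true, 302);
        exit;
    }
    return render_admin();
}

function render_admin(): string { return '<h1>Admin panel</h1>'; }

// 2. Upload check done only in JavaScript: the server must validate on its
//    own. Allowlist the extension, confirm it agrees with the detected MIME
//    type, never reuse the client-supplied name, and store outside the web
//    root so an uploaded file is never executable. Returns the stored path
//    or null when the file is rejected.
function store_upload(array $file, string $dir): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
        return null;                      // "shell.php", "x.jpg.php" etc. all fail here
    }
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```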

Comments (3)
/u/specialname · 1 votes · 2 weeks ago · Link

I appreciate this

/u/Dejavoo · 1 votes · 2 weeks ago · Link

Good sharing +1

/u/BadEnglish · 1 votes · 2 weeks ago · Link

Nice mate