I’ve been playing around in HTB and root-me.org to help me learn the skills I need to do my job. And also, because figuring things out is fun! I have people that I work on these with to learn what I don’t know and get better at what I do know.
These are all great places. The issue I am coming up against is that I can’t share what I have done to work through most of these challenges. Yes, when working on a team, we can share to get the results we need, but when I am working it out, I can’t write it out for others for later. This is what we do in the real world when we get a good solution.
Root-me does give the option to share how it was done afterward, which I think is a great idea. I can even see what others had done to get the answer. I learned the other day, after using Dominic Breuker’s stego-toolkit, that just running a file through strings would have gotten me the results with far fewer resources and less time. I can’t complain, because I learned a lot and will come back to use the toolkit. Plus, it looked really cool to me when it did work with the toolkit.
Tonight I worked for a few hours on an HTB web challenge that would probably take most people a good 10-15 minutes. I used three different tools, Googling and looking back on notes about the options to use – but I got the result I was looking for. I can’t say much past that though without breaking the rules.
And that is where the problem is starting to lie. I need to find a way to share what I have done – without breaking the rules of the game. Even though the game is about breaking the rules.
I can write it up for myself. I will write it up for myself, because I will forget it if I don’t. But, I didn’t do it all on my own. No, I didn’t get the answer from a web site. I got direction from other people’s posts or man pages based on info gathering from the challenge.
Let’s see if I can break it down a bit – simply.
The name of the challenge is usually a good hint at some way to start. Googling the name led me to a tool to use — a brute-force password tool.
Before I could use that tool though I needed to know what I was looking at. That let me try Burp Suite. I can say I used Burp Suite ’cause with a web attack I think that’s the go to tool. One I don’t have a lot of experience with, but here’s a good chance to get some.
Got my parameters and got my data, now onto the tool with so many options. Struggling to get the parameters correct took the longest amount of time.
Get that! I’m golden.
Nope. I’m not. It even tells me so. I get the password for the site – but just get told I am too slow. The site password is not the flag.
A few minutes later, with a refresher on -d 'param=value' -X POST, I get the flag.
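To make the “too slow” lesson concrete without giving away the real challenge, here is an added example that is not from the original post or from HTB. It stands up a throwaway local server that behaves the way the challenge is described above (a brute-forceable password, then a second step that must happen within a short window), and a client that finds the password and chains the curl-style POST immediately instead of pasting the result by hand. The paths (/login, /flag), parameter names (password, token), the one-second window, the wordlist and the flag value are all assumptions constructed for the demo.

```python
"""Constructed demo: a 'too slow' challenge server plus a scripted client.
Nothing here is the real HTB challenge; paths, parameters, window length,
wordlist and flag are assumptions made up for illustration."""
import http.server
import threading
import time
import urllib.error
import urllib.parse
import urllib.request

PASSWORD = "letmein"             # assumed: the site password the brute force finds
FLAG = "FLAG{constructed-demo}"  # assumed: what the second step returns in time
WINDOW = 1.0                     # assumed: seconds allowed between login and /flag
WORDLIST = ["password", "123456", "admin", "letmein", "qwerty"]  # constructed

_issued = {}  # server side: token -> time it was handed out


class Challenge(http.server.BaseHTTPRequestHandler):
    """Two form-POST endpoints: /login hands out a short-lived token,
    /flag redeems it and rejects anyone who took longer than WINDOW."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path == "/login":
            if form.get("password", [""])[0] != PASSWORD:
                return self._reply(401, "wrong password")
            token = f"t{time.monotonic_ns()}"
            _issued[token] = time.monotonic()
            return self._reply(200, "token=" + token)
        if self.path == "/flag":
            issued = _issued.pop(form.get("token", [""])[0], None)
            if issued is None:
                return self._reply(403, "no such token")
            if time.monotonic() - issued > WINDOW:
                return self._reply(403, "Too slow!")
            return self._reply(200, FLAG)
        self._reply(404, "not found")


def start_server():
    """Bind to a free localhost port and serve in a daemon thread; return base URL."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Challenge)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def post(url, **fields):
    """Equivalent of `curl -X POST -d 'a=b&c=d' URL`; returns (status, body)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def brute_force(base, wordlist):
    """Try each candidate against /login; return (password, token) or (None, None)."""
    for candidate in wordlist:
        status, body = post(base + "/login", password=candidate)
        if status == 200:
            return candidate, body.split("=", 1)[1]
    return None, None


def get_flag(base, delay=0.0):
    """Brute-force the password, then redeem the token. `delay` simulates the
    time lost by copying the token into a second manual request."""
    _password, token = brute_force(base, WORDLIST)
    if token is None:
        return None
    time.sleep(delay)
    _status, body = post(base + "/flag", token=token)
    return body


if __name__ == "__main__":
    base_url = start_server()
    print("scripted:", get_flag(base_url))
    print("by hand: ", get_flag(base_url, delay=WINDOW + 0.5))
```

Run stand-alone it prints the flag for the chained request and “Too slow!” for the delayed one. The point is the shape of the client, not the server: once the brute-force tool has the password, the follow-up POST has to be fired from the same script (or a one-liner with curl -d and -X POST) rather than copied over by hand.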
It’s a small victory, but a learning experience. A learning experience I can only vaguely share about before giving away too much in an information gathering challenge.