Exploiting. Part 2: Web & OS
================================

We discuss several cybersecurity subjects in a practical manner:

- Web application endpoint discovery
- Web static analysis
- Injection Attacks
- OS exploitation

Slides for this session:

* handout_
* handout_4on1_notes_
* handout_8on1_

.. _handout: http://elf.cs.pub.ro/sis/res/04-exploit-2-handout.pdf
.. _handout_4on1_notes: http://elf.cs.pub.ro/sis/res/04-exploit-2-handout-4on1-notes.pdf
.. _handout_8on1: http://elf.cs.pub.ro/sis/res/04-exploit-2-handout-8on1.pdf

Tasks
-----

1. Install ``dirb`` and ``wordlists`` via the following command::

      sudo apt install dirb wordlists

   Use the ``/usr/share/dirb/wordlists/common.txt`` wordlist and perform
   endpoint brute-forcing. The target is ``http://141.85.224.104:40000``.

2. The more you look at it, the less you see. This target is a
   *silent-speaker*. There might be *invisible* things embedded in the web
   page. See if you can **GET** some **file**. The file that you want is
   located under the ``/flag`` path. Your target is
   ``http://141.85.224.104:40001/index.php``.

3. Give me a fixed *ping* and I will give you the whole flag.

   a. Access ``http://141.85.224.104:40002/index.php`` and read the
      ``/flag`` file.
   b. The previous one was easy. Can you still do it when some characters
      are stripped? Access ``http://141.85.224.104:40002/harder.php`` and
      read the same ``/flag`` file again.

4. Could you please *inject* some *sql* into this target? Keep it simple.
   Like... really simple. At ``http://141.85.224.104:40003/index.php``
   there is a vulnerable login page. You can log in as ``ctf`` with
   password ``ctf``. However, the ``ctf`` user does not have access to any
   interesting information. Can you find out the secret of user
   ``admin``?

5. Download the vulnerable virtual machine `Ubuntu10-exploit.zip`_. Log in
   as ``student`` with password ``student``. Try to exploit the kernel to
   obtain a root shell.

   Alternatively, you can download `Ubuntu 10.04 desktop amd64`_ and set
   it up in your own virtual machine.

   Hint: `Exploit Database`_ is an archive of public exploits
   corresponding to vulnerable software.

.. _`Ubuntu10-exploit.zip`: http://elf.cs.pub.ro/sis/res/Ubuntu10-exploit.zip
.. _`Ubuntu 10.04 desktop amd64`: http://old-releases.ubuntu.com/releases/10.04.0/ubuntu-10.04-desktop-amd64.iso
.. _`Exploit Database`: https://www.exploit-db.com/

(**Bonus**): Do as many challenges from https://alf.nu/alert1 as you can :)
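A defender's counterpart to task 1: a wordlist scan of the kind ``dirb`` performs leaves a burst of ``404`` responses from a single client in the web server's access log. The following Python is an added example, not part of the original handout and not code from any lab target. The log lines are constructed in the Apache "combined" format, and the threshold and window are illustrative choices, not tuned values.

```python
"""Flag clients that produce bursts of 404s, the usual footprint of
wordlist-driven endpoint brute-forcing against a web server.
Added example; the log lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation IP ranges). 203.0.113.5 probes many
# non-existent paths within a few seconds; 198.51.100.7 is an ordinary
# visitor with a single stray 404.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 196 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 196 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /config HTTP/1.1" 404 196 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /old HTTP/1.1" 404 196 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /test HTTP/1.1" 404 196 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "-"
"""


def parse_line(line):
    """Return (ip, timestamp, status) or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), int(m["status"])


def find_bruteforcers(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: max_404s_in_window} for clients whose 404 count inside
    some sliding window of length `window` reaches `threshold`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == 404:
            hits[parsed[0]].append(parsed[1])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        best = 0
        for end, t in enumerate(times):
            # Advance the window start until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} 404s within 60s - possible endpoint brute-force")
```

On the constructed log this flags ``203.0.113.5`` with six 404s inside one minute and ignores the visitor with a single missing favicon. In production the same logic would run over the real log, with the threshold chosen from the site's normal 404 rate.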
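The class of bug behind task 3 is a "ping a host" form that pastes user input into a shell command line. The Python below is an added example, not the lab target's PHP (whose source is not on this page); the function names are my own. It shows the vulnerable command builder beside a hardened one that validates the value as an IP address and runs ``ping`` from an argument list with no shell involved.

```python
"""Vulnerable 'ping a host' handler beside a hardened one.
Added example; not the lab target's code. Function names are illustrative."""
import ipaddress
import subprocess


def unsafe_ping_command(host):
    """The classic defect: user input is concatenated into a shell command
    string (which would then be run with shell=True). Anything the shell
    treats specially inside `host` becomes part of the command."""
    return "ping -c 1 " + host


def safe_ping_command(host):
    """Hardened version: accept only values that parse as an IP address
    (an allow-list, not a deny-list of 'bad' characters) and return an argv
    list, so no shell ever interprets the value."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {host!r}") from None
    # str(addr) is the canonical form; the raw input string is never reused.
    return ["ping", "-c", "1", str(addr)]


def run_ping(host, timeout=5):
    """Execute the validated command without a shell.
    Returns (exit code, stdout text)."""
    argv = safe_ping_command(host)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "::1", "127.0.0.1; echo injected"]:
        print(repr(unsafe_ping_command(candidate)), "<- unsafe shell string")
        try:
            print(safe_ping_command(candidate), "<- validated argv")
        except ValueError as err:
            print("rejected:", err)
```

Stripping a deny-list of characters, which is what ``harder.php`` hints at, is the fragile fix: it has to anticipate every syntax the shell understands. An allow-list check on the value plus an argv list with no shell removes the injection surface regardless of which characters are present.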
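Task 4's login page is the textbook case of SQL assembled by string concatenation. The following is an added example (mine, not the lab's code) using an in-memory SQLite table with constructed rows for ``ctf`` and ``admin``; the admin password and secret are placeholders. It puts the concatenated query beside the parameterized one: the first breaks as soon as the input contains a quote, which is precisely why such input can reshape the query, while the second treats the same input as plain data.

```python
"""Login check with string-built SQL beside the parameterized version.
Added example with an in-memory SQLite table; not the lab target's code.
Rows, passwords and the secret are constructed placeholders."""
import sqlite3


def make_db():
    """Constructed users table mirroring the lab's two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("ctf", "ctf", "nothing interesting here"),
        ("admin", "PLACEHOLDER-ADMIN-PASSWORD", "PLACEHOLDER-SECRET"),
    ])
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable: the query text is built from user input, so quotes and
    SQL keywords in the input change the structure of the statement."""
    query = (
        "SELECT username, secret FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Hardened: placeholders bind the input as values; the statement's
    structure is fixed before any user data is seen."""
    query = "SELECT username, secret FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def try_login(fn, conn, username, password):
    """Return the matching row (or None), or the error class name when the
    query itself fails to parse."""
    try:
        return fn(conn, username, password)
    except sqlite3.Error as err:
        return type(err).__name__


if __name__ == "__main__":
    db = make_db()
    for name, pw in [("ctf", "ctf"), ("O'Brien", "x")]:
        print(f"{name!r}: unsafe ->", try_login(login_unsafe, db, name, pw))
        print(f"{name!r}: safe   ->", try_login(login_safe, db, name, pw))
```

Both versions accept the legitimate ``ctf``/``ctf`` login. For a username such as ``O'Brien`` the concatenated version raises a syntax error, the visible symptom that the database is parsing user input as SQL; the parameterized version simply finds no such user. The fix for the lab's login page is the same: bind parameters, never interpolate.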