Over the past several years, I have spent countless hours analyzing youth social media trends to try and discover what’s “in” with the kids these days. Using data painstakingly collected in double-blind market research studies, I have created the next great cultural phenomenon that will take the Internet by storm:
the app that tells you the current time and lets you share your favorite clocks with your friends!
Unfortunately, my co-founders and I blew our funding on a collection of a few dozen gold-plated wristwatches to display around the office, so we ran out of money before we could hire a security team. Luckily, I have access to the next best thing: you!
This lab is part one of a two-part series. In the first part, your goal will be to discover as much information as possible about TickTock’s attack surface and complete a basic attack.
For this assignment, you will want to use the Lab 2 environment in Virginia
Cyber Range. Once there, you can access the TickTock server at
terminal.example.com in VCR. For example, visiting
http://terminal.example.com in your browser should show you a webpage that
looks something like the following:
In this lab, you will need to use (at a minimum) the following tools:
- A browser (e.g. Chrome or Firefox). You will probably want to get familiar with your browser’s developer tools for Problems 4 and 5.
These should all be pre-installed in your VM. In addition, you will want to have
access to some wordlists. The VM should come with the wordlists from the
SecLists repository, which you can
find in the
Grading and submission
Each problem asks you to complete different tasks and write a description of your findings. At the end of this assignment, you should submit a document with your answers to each of the problems through Collab.
Each problem is worth a different number of points, roughly based on difficulty and the amount of work you should put into them. You will be graded based on your ability to complete the assigned tasks and demonstration of understanding of basic network scanning and web exploitation techniques.
Problem 1 (3 points)
nmap, generate a list of all of the exposed services on the target
server (you should see 6 open ports in total). Provide the command that you used
as well as a description of all of the services you were able to identify,
- The service name,
- what port(s) it’s using,
- its version number (if available), and
- a description of what that service does and what it’s typically used for (you may have to do some Googling).
Each of these services is used in some form by TickTock. You should think about what role they might play in running the server.Hints:
- In some cases, you may find it useful to explore the services that you
identify with your initial
nmapscap using other tools, e.g.
ffuf, and your web browser. Note that not all of the services use HTTP and may not respond to HTTP requests.
- There are five services in total; one of those services uses two ports. You should be able to determine which of those services is running on two ports from your scans.
- Nmap will do its best to guess the service running on a port, but it isn’t always correct. You should look at the full output of your Nmap scan – not just the value in the “Service” column – to check what program is running on that port. If possible, you should try to verify that you have the service correct by connecting to it with other tools.
Problem 2 (1 point)
Enumerate all of the pages that you can find under
/ on the webserver using
ffuf. One of the pages should contain a flag (formatted as
Submit the flag, along with the command you used and a list of the pages you
for this and the next few problems,
you will have to use
ffuf to scan the webserver. You can learn about all of
the options available for
ffuf --help, or by checking the GitHub
page for ffuf.
To practice using
ffuf, you can try using it against
http://ffuf.me (which also contains tips on how to perform a
variety of other scans using
ffuf). For instance, here is how you would
perform basic page/directory discovery against
$ ffuf -w /path/to/wordlist -u http://ffuf.me/FUZZ
This is very similar to the command you will have to use for this problem.
The desktop should have some pre-installed wordlists that you can find in the
/usr/share/wordlists/ directory; these wordlists come from Daniel Miessler’s
SecLists repository. I would
suggest trying out some of the wordlists in
Discovery/Web-Content/, e.g. the
Here are some other flags you might find useful while using
-ic: some wordlists contain comments, which are typically prefixed by
#. You can use
-icto ignore lines that are commented out.
-c: colorized output.
Problem 3 (1 point)
Each post on the webserver has a unique integer ID. The flag for this problem is contained in the post with the highest ID.
Submit the flag, along with the command(s) you used to find the post.Hints:
- Start by figuring out how to see a post with a specific ID.
- Once you’ve figured out how to check whether a post with an ID exists, look up
how to use pipes to give custom wordlists to ffuf on
ffuf.me. You’ll probably want to use the
seqcommand. Another option is to use
seq ... > wordlist.txtto write the output of
seqto a file, and then pass that into
ffufthe normal way.
- The highest post ID is below 10,000.
Problem 4 (2 points)
Enumerate the users on the webserver (by default there should be six, in addition to any users that you create). One of the users should have a flag for their username.
Submit the flag, as well as a summary of how you discovered it. Your summary should include the commands that you used, as well as a description of how you figured out how to identify what users exist on the server.
Hints: For this problem, you’ll want to start by using the browser’s developer tools and look in the “Network” tab. This tab shows you what resources your browser loads whenever you visit a webpage.
Try visiting some pages on TickTock and see the various requests that your browser makes. Eventually, you should find something that will allow you to enumerate the users on the webserver very easily.
Problem 5 (2 points)
For the last problem, you will be demonstrating a cross-site scripting (XSS) attack against the website. To do this, you will need to go through the following steps:
Identification: identify a potential XSS vector in the site. You should look
for areas where you are able to upload arbitrary HTML, e.g.
<b>hello, world</b> (which should render “hello, world” in bold font).
Proof-of-concept: perform a simple proof-of-concept to demonstrate that you
can perform XSS using the attack vector that you previously identified. You
should try to run something simple, e.g.
alert("xss") (which should create a
Create a PoC that doesn’t require interaction: if you haven’t already, modify your proof-of-concept to work without requiring any user interaction. You may need to try some of the other methods described on the OWASP page linked in the hints.
Submit a summary of the attack vectors that you tried (even the incorrect ones!) and a description of your final proof-of-concept, as well as the process you used to arrive at it. Submit screenshots that demonstrate the proof of the validity of your proof-of-concept attack.Hints:
- You won’t be able to inject
<script>...</script>tags directly. You should try some of the alternative XSS mechanisms on OWASP’s XSS filter evasion page instead.