π–ˆπ–žπ–‡π–Šπ–—π–Œπ–šπ–—π–šπŸ’€~$

Hamza's Blog

API 01

This exercise is the API version of an exercise you already solved in the Essential Badge. You should use it to get more confident with discovering vulnerabilities without any hint on what to look for.

1695208793429.png

This set of labs is about API vulnerabilities; the first lab is about retrieving the secrets stored in the admin account.

We navigated to the provided lab link and created an account as a normal user. We then logged in and created a new secret. After creating it, we viewed the secret's content and intercepted the request with Burp; the index of our secret was 3, as shown in the screenshot:

1695210972885.png

Response:

1695211006275.png

We could see that the response contains the content of our secret and a timestamp.

We then tried changing the secret index in the API endpoint from 3 to 1 using Repeater:

1695211042161.png

and got the following response containing our key:

1695211073360.png
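The bug behind API 01 is an insecure direct object reference: the endpoint looks the secret up by the index in the URL and never asks who is calling. The following is an added example, not code from the writeup or from PentesterLab, using constructed data; it models the vulnerable lookup next to an ownership-checked one that also records denied lookups, which is the signal a defender would alert on.

```python
from typing import Optional

# Constructed data: secrets 1 and 2 belong to admin, secret 3 to the normal user.
SECRETS = {
    1: {"owner": "admin", "content": "EXAMPLE-ADMIN-KEY", "timestamp": 1695211006},
    2: {"owner": "admin", "content": "another admin note", "timestamp": 1695211010},
    3: {"owner": "alice", "content": "alice's own note", "timestamp": 1695211042},
}
DENIED = []  # audit log of rejected lookups, the signal to alert on


def get_secret_vulnerable(secret_id: int, current_user: str) -> Optional[dict]:
    """API 01 behaviour: the id from the URL is the only thing consulted."""
    return SECRETS.get(secret_id)


def get_secret_hardened(secret_id: int, current_user: str) -> Optional[dict]:
    """Same lookup, but the record must belong to the caller."""
    record = SECRETS.get(secret_id)
    if record is None or record["owner"] != current_user:
        # One answer for "missing" and "not yours", so ids cannot be
        # enumerated by comparing error messages; log it for detection.
        DENIED.append({"user": current_user, "secret_id": secret_id})
        return None
    return record


def denied_lookups_for(user: str) -> int:
    """Count denied requests per user; a burst from one account looks like an IDOR probe."""
    return sum(1 for d in DENIED if d["user"] == user)
```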

API 02

This exercise is the API version of an exercise you already solved in another badge. You should use it to get more confident with discovering vulnerabilities without any hint on what to look for.

1695212064048.png

This lab is similar to API 01, but in this case user verification is performed, so we can't read the admin's secret from a random account: repeating the procedure from the previous lab gives an authorization error. We decided to fuzz and ended up inspecting the cookie. From the screenshot below we can see that the cookie contains our user id, which is 2 in the inspector field; we need to change the id to 1 in order to read the admin's secrets:

1695212100434.png

We copied this value and headed over to jwt, pasted the whole cookie value and edited the id to 1:

1695212130442.png

We copied the edited cookie and plugged it into our request as the token:

1695212157430.png

and we got our key!!

1695212175100.png

This challenge highlights weak verification of the cookie's hash signature against repudiation or modification.

API 03

This exercise is the API version of an exercise you already solved in another badge. You should use it to get more confident with discovering vulnerabilities without any hint on what to look for.

1695212278949.png

This challenge is similar to the previous lab (API 02), but in this case a verification mechanism was implemented to check whether the cookie value was modified. To bypass it we need to crack the key used to sign the cookie. We made a request, intercepted it with Burp and copied the cookie token; we then used hashcat with the rockyou.txt wordlist to crack the signature.

Steps in the screenshots below:

1695213099994.png

1695213127820.png

Doing so revealed the key used to sign the cookie.

We used this key to re-sign the cookie after modifying it:

1695213364971.png

We plugged the modified cookie token into the request:

1695213389978.png

and we got our key:

1695213420881.png

This lab highlights weak keys used for signing cookie tokens; a strong key should be used to prevent this type of attack.

API 04

This exercise covers how one can inspect JavaScript code to identify unused endpoints.

1695213491225.png

This lab is about discovering endpoints hardcoded in the page's source code. We navigated to the challenge link, inspected the JS code and searched for an endpoint related to our desired key:

1695215085379.png

We made a POST request to this endpoint and got our key:

1695215101504.png

Response:

1695215148415.png

This challenge highlights the risk of hardcoding endpoints in the page's source code.

API 05

This exercise covers how one can inspect JavaScript code to identify unused endpoints.

1695215214248.png

This challenge is similar to the previous lab, with the same endpoint identification, but in this case the source code is obfuscated in some way.

Sample:

1695215360251.png

We used js-beautify to restructure the whole source code and then performed our search properly:

1695215334739.png

The screenshot above revealed the endpoint; we then made a POST request to it and got our key:

1695215425641.png

Response:

1695215461465.png

API 06

This exercise covers how one can inspect JavaScript code to identify unused endpoints.

1695215698675.png

This challenge is similar to the previous lab, only with more obfuscation. We used the same method and found our endpoint:

1695215670831.png

We made a POST request to this same endpoint and got our key!!

API 07

This exercise covers how one can inspect JavaScript code to identify information leak.

1695273688387.png

This lab is about examining the page source code for a hardcoded key. We skimmed through it, did just that, and got our key:

1695273636424.png
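API 04 to API 07 are all found the same way: by reading the shipped JavaScript for paths the UI never calls and for literal keys. The following added example, not code from the writeup or from PentesterLab, is the pre-release check a defender can run over a bundle: it decodes the hex and unicode string escapes that the simple obfuscation in API 05/06 relies on, then extracts quoted path-like strings and key/secret/token/password assignments. The JavaScript sample is constructed for the example.

```python
import re

# Constructed stand-in for a front-end bundle: a "dead" endpoint the UI never
# calls, another one hidden behind hex escapes (the API 05/06 obfuscation
# pattern), and a hardcoded key (API 07).
SAMPLE_JS = r"""
var base = "/api/v1";
function loadSecrets() { return fetch(base + "/secrets"); }
function unused() { return fetch("/api/v1/hidden/key", {method: "POST"}); }
function alsoUnused() { return fetch("\x2fapi\x2fv1\x2flegacy\x2fexport"); }
var cfg = { apiKey: "EXAMPLE-HARDCODED-KEY-0123456789", debug: false };
"""

ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
ENDPOINT_RE = re.compile(r"""["'](/[A-Za-z0-9_./-]+)["']""")
SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{8,})["']"""
)


def unescape_js(js: str) -> str:
    """Decode \\xNN and \\uNNNN escapes so obfuscated strings become searchable."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), js)


def find_endpoints(js: str) -> list:
    """All quoted path-like strings, after un-escaping; sorted and de-duplicated."""
    return sorted({m.group(1) for m in ENDPOINT_RE.finditer(unescape_js(js))})


def find_hardcoded_secrets(js: str) -> list:
    """(name, value) pairs for key/secret/token/password assignments."""
    return [(m.group(1), m.group(2)) for m in SECRET_RE.finditer(unescape_js(js))]
```

Anything this reports that the front end does not actually call is a candidate for the server-side removal or authentication check that the labs show is missing.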

API 08

This exercise covers how one can inspect HTTP responses to identify information leaks.

1695273767044.png

This lab is similar to an info-leak challenge. We navigated to the challenge site and saw a login screen. The challenge told us to try logging in as admin and provided the admin email; using this information we tried to reset the admin's password and intercepted the response with Burp:

1695274545738.png

The link for resetting the password was included in the response; we opened it in a browser and set our desired password:

1695274591805.png

We then used this information to log in as admin and got our key:

1695274645093.png
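The flaw in API 08 is that the reset link is returned to whoever submitted the form, so knowing the admin's email is enough to take over the account. The following added example, not code from the writeup or from PentesterLab, puts the leaking handler next to one where the token travels only through the mail channel, is stored hashed, expires, is single-use, and where the response does not reveal whether the address exists. The user store, mail outbox and the `app.example.test` host are constructed placeholders.

```python
import hashlib
import secrets
import time
from typing import Optional

USERS = {"admin@example.test": {"role": "admin"}}  # constructed account store
RESET_TOKENS = {}  # sha256(token) -> (email, expires_at); only hashes at rest
OUTBOX = []        # stands in for the mail system: (recipient, link)
RESET_URL = "https://app.example.test/reset?token="  # placeholder host


def request_reset_vulnerable(email: str) -> dict:
    """API 08 behaviour: the reset link comes back in the HTTP response, so
    anyone who knows the admin's e-mail address gets the link."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, time.time() + 900)
    return {"status": "ok", "reset_link": RESET_URL + token}


def request_reset_hardened(email: str, now: Optional[float] = None) -> dict:
    """Token goes only to the mailbox; the response is identical for any e-mail."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + 900)
        OUTBOX.append((email, RESET_URL + token))
    return {"status": "ok", "message": "If that address exists, a reset link has been sent."}


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Single use and time-limited: returns the e-mail the token was issued for."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```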

This marks the end of the API labs in PentesterLab.

Thanks for following!!!