LFGA Web
Introduction
Before we start I'm going to present more details about the guide. The most important thing I want you to note is the way the guide works. I will also present the CTF platforms we are going to use.Definitions
Content
In this guide we are going to cover the following vulnerabilities.
- Local/Remote File Inclusion - OWASP TOP 10
- Remote Code Execution
- SQL Injection
- Cross-site scripting(XSS) - OWASP TOP 10
- Session management
- File upload
- Authentication - OWASP TOP 10
- XML External Entity (XXE) - OWASP TOP 10
- Server side template injection
- PHP vulnerabilities
These vulnerabilities are the ones that we can find the most in CTF or machines and some are defined by OWASP
Platforms
The platforms that we are going to use through the guide are the following :
Hack the Box
An online platform to test and advance your skills in penetration testing and cyber security. From this machine we are going to use some challenges. We will create our account later, don't worry about it.
URL: https://www.hackthebox.eu/Try Hack Me
Hack Instantly. Learn, practice and complete! Get hands on and practise your skills in a real-world environment by completing guided and interactive tasks.
Feel free to go and create your account if you don't have one and also explore the platform.
URL: https://tryhackme.com/Root me
Root Me is a platform for everyone to test and improve knowledge in computer security and hacking.
Feel free to go and create your account if you don't have one and also explore the platform.
URL: https://www.root-me.org/Pico CTF
picoCTF is a free computer security game targeted at middle and high school students, created by security experts at Carnegie Mellon University. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge.
URL: https://picoctf.com/RingZer0 Team Online CTF
RingZer0 Team's online CTF offers you tons of challenges designed to test and improve your hacking skills through hacking challenges. Register and get a flag for every challenge.
Ctflearn
CTFlearn is an ethical hacking platform that enables tens of thousands to learn, practice, and compete.
We host an ever-changing array of user-submitted and community-verified challenges in a wide range of topics.
URL: https://ctflearn.com/Portswigger
This platform offers lots of things, but we only need the web academy, but you should see all the cool stuff in here.
URL: https://portswigger.net/CtfChallenge
CTFchallenge is a series of web application hacking challenges created by @adamtlangley. Each challenge is built on its own domain and acts like a real functioning website or application.
URL: https://ctfchallenge.co.uk/Pentesterlab
This is an academy with labs that have vulnerabilities, we are going to use this as practice.
URL: https://pentesterlab.com/Note: some descriptions we have not written, they are typical of the sites.
Requirements
Software
Feel free to jump this section if you have installed all the programs in this list or if you have a machine running Kali Linux.
I highly recommend to install Kali linux the only reason is because it comes with all the tools that we are going to need. I recommend these videos.
Video in English:
INSTALL KALI LINUX ON VIRTUAL BOXVideo in Spanish
Instalar KaliLinux 2020 en VirtualBoxSoftware that we are going to need:
We just need some installed software components, which I am going to ask you to do the research on how to install and make sure it works properly.
- SQLMap
- Burpsuite
- Python
Additional
- No prior knowledge needed.
- Patience
How it works?
The way I see it, it's not just playing CTF or try to solve CTF challenges, sometimes we can do it by doing some research and we'll learn something, but it's not the easiest way to do it. I highly recommend spending some time learning new concepts an the theoretical stuff that it's behind the CTF challenges, try to understand every behind a vulnerability. I consider that the theoretical information is really important, it's just as important the practical.
Knowing some theoretical information will mean that sometimes we can identify a vulnerability and know a better way to exploit it, which saves us time and frustrations.
This is just my opinion and experience. The guide then will have 2 sections the learning section and the challenge section for each vulnerability.
The learning section
This section will focus only on learning things, learn theory, learn how to use tools and everything that has to do with learning. This section will include CTF challenges, sites, blogs, videos and everything we may need.
In this section feel free to try everything, to explore, to read everything you need, to review and to break everything you find in your way. Remember something from Bob Ross!
Don't rush, it's worth it. In this section we are only here to learn, here it does not matter the places, skills or points on the CTF platforms. Take your time!
Feel free to DM me if you think that something could be added or changed in this section of any vulnerability.The challenge section
You'll get to this point once you have understood the vulnerability and the theory and you have a very good understanding. In this section You'll face CTF challenges, according to the vulnerability studied. You'll keep learning, but here you'll be able to identify the vulnerability and know how to exploit it. You'll never stop learning, and CTF challenges will help us here, to take your level of under to the next level.
I'll put little hints, but the challenge will be accorded the knowledge and level that you should already have. If you think that you're failing or if you are having a bad time, feel free to go back, do some research or try harder.
Feel free to DM me if you think that something could be added or changed in this section of any vulnerability.Tips
I'll share some tips, again based on my own experience.Take Ordered Notes
It's not only taking notes of everything, but instead try to do ordered notes. It is useless to have many notes if when you need something you can not find it or it takes a long time.
Your notes are for consultation things that you have not yet memorized
I also recommend taking notes with images, but if you add an image also add an explanation of what happens in the image, sometimes the text is useless without image and vice versa.
This is just a recommendation, you'll find a way that just fits you.
These are some applications that can help you with your notes, feel free to use any of them:
Cherry tree
A hierarchical note taking application, featuring rich text and syntax highlighting, storing data in a single xml or sqlite file.
A little blog about cherry tree
One note
Joplin
We use Joplin for our notes, just for the Markdown language.
Take your time
Just take your time, try harder and be patient.
Sorry for the long page but it was necessary.