TryHackMe — Jr Penetration Tester — Burp Suite — Part 1 — Room 1 to 3

Deepak Kushwah
9 min read · Oct 24, 2021

Room 1 — Burp Suite: The Basics

Task 1 — Introduction Outline

This is a read-only part which provides a brief overview of Burp Suite.

Task 2 Getting Started What is Burp Suite?

This article gives us a detailed introduction to Burp Suite and its Community, Pro and Enterprise editions.

Answer the questions below

Q 1. Which edition of Burp Suite will we be using in this module?

Ans. Burp Suite Community

Q 2. Which edition of Burp Suite runs on a server and provides constant scanning for target web apps?

Ans. Burp Suite Enterprise

Q 3. Burp Suite is frequently used when attacking web applications and ______ applications.

Ans. mobile

Task 3 Getting Started Features of Burp Community

This article gives us a basic introduction to all Burp Suite features.

Answer the questions below

Q 1. Which Burp Suite feature allows us to intercept requests between ourselves and the target?

Ans. Proxy

Q 2. Which Burp tool would we use if we wanted to bruteforce a login form?

Ans. intruder

Task 4 Getting Started Installation

It is a read-only article which provides a detailed introduction to installing Burp Suite on Mac, Linux and Windows.

Task 5 Getting Started The Dashboard

It is a read-only article which gives a brief overview of the Burp Suite dashboard.

Task 6 Getting Started Navigation

It is a read-only article which gives a brief overview of the GUI and its shortcuts.

Task 7 Getting Started Options

This task gives us a brief about options available for configuring Burp Suite.

Answer the questions below

Q 1. Change the Burp Suite theme to dark mode

Ans. Do practice in Burp

Q 2. In which Project options sub-tab can you find reference to a “Cookie jar”?

Ans. Sessions

Q 3. In which User options sub-tab can you change the Burp Suite update behaviour?

Ans. misc

Q 4. What is the name of the section within the User options “Misc” sub-tab which allows you to change the Burp Suite keybindings?

Ans. hotkeys

Q 5. If we have uploaded Client-Side TLS certificates in the User options tab, can we override these on a per-project basis (Aye/Nay)?

Ans. Aye

Q 6. There are many more configuration options available. Take the time to read through them.

Ans. No answer needed

Task 8 Proxy — Introduction to the Burp Proxy

This task gives us a basic but detailed introduction to the Burp Proxy feature, including the few configurations we need to make before we can use the proxy.

Answer the questions below

Q 1. Which button would we choose to send an intercepted request to the target in Burp Proxy?

Ans. forward

Q 2. [Research] What is the default keybind for this?

Note: Assume you are using Windows or Linux (i.e. swap Cmd for Ctrl).

Ans. Ctrl+F

Task 9 — Proxy Connecting through the Proxy (FoxyProxy)

This article gives us the installation and configuration steps for FoxyProxy (a browser extension).

Answer the questions below

Q 1. Read through the options in the right-click menu.

There is one particularly useful option that allows you to intercept and modify the response to your request.

What is this option?

Ans. Response to this request

Note: The option is in a dropdown sub-menu.

[Bonus Question — Optional] Try installing FoxyProxy standard and have a look at the pattern matching features.

Task 10 — Proxy Proxying HTTPS

It is a read-only module.

Task 11 — Proxy The Burp Suite Browser

Read only module

Task 12 — Proxy Scoping and Targeting

Read only module

Task 13 — Proxy Site Map and Issue Definitions

Control of the scope may be the most useful aspect of the Target tab, but it’s by no means the only use for this section of Burp.

There are three sub-tabs under Target:

  • Site map allows us to map out the apps we are targeting in a tree structure. Every page that we visit will show up here, allowing us to automatically generate a site map for the target simply by browsing around the web app. Burp Pro would also allow us to spider the targets automatically (i.e. look through every page for links and use them to map out as much of the site as-is publicly accessible using the links between pages); however, with Burp Community, we can still use this to accumulate data whilst we perform our initial enumeration steps.
    The Site map can be especially useful if we want to map out an API, as whenever we visit a page, any API endpoints that the page retrieves data from whilst loading will show up here.
  • Scope: We have already seen the Scope sub-tab — it allows us to control Burp’s target scope for the project.
  • Issue Definitions: Whilst we don’t have access to the Burp Suite vulnerability scanner in Burp Community, we do still have access to a list of all the vulnerabilities it looks for. The Issue Definitions section gives us a huge list of web vulnerabilities (complete with descriptions and references) which we can draw from should we need citations for a report or help describing a vulnerability.

Answer the questions below

Take a look around the site on http://10.10.170.40/ -- we will be using this a lot throughout the module. Visit every page linked to from the homepage, then check your sitemap -- one endpoint should stand out as being very unusual!

Visit this in your browser (or use the “Response” section of the site map entry for that endpoint)

Q 1. What is the flag you receive?

Ans. THM{NmNlZTliNGE1MWU1ZTQzMzgzNmFiNWVk}

Solution: Just browse the URL http://machine_ip, intercept the traffic with Burp, and look at the response of the unusual page.

Look through the Issue Definitions list.

Q 2. What is the typical severity of a Vulnerable JavaScript dependency?

Ans. low

Task 14 — Practical Example Attack

Read only

Task 15 — Conclusion Room Conclusion

Read only

Room 2 — Burp Suite: Repeater

Task 1 — Introduction Outline

We will be covering how to use Repeater to manipulate and arbitrarily resend captured requests, as well as looking at some of the niftier options available in this awesome tool. Finally, we will encounter a series of examples, including a real-world, extra-mile exercise which we will use to consolidate the more theoretical aspects of the room.

Read only module!!

Task 2 — Repeater What is Repeater?

In short: Burp Suite Repeater allows us to craft and/or relay intercepted requests to a target at will. In layman’s terms, it means we can take a request captured in the Proxy, edit it, and send the same request repeatedly as many times as we wish. Alternatively, we could craft requests by hand, much as we would from the CLI (Command Line Interface), using a tool such as cURL to build and send requests.

Read only module!!

Task 3 — Repeater Basic Usage

Read only module!!

Task 4 — Repeater Views

Answer the questions below

Q 1. Which view option displays the response in the same format as your browser would?

Ans. Render

Task 5 — Repeater Inspector

Read only module!!

Task 6 — Practical Example

Answer the questions below

Capture a request to http://10.10.230.66/ in the Proxy and send it to Repeater.

Send the request once from Repeater — you should see the HTML source code for the page you requested in the response tab.

Try viewing this in one of the other view options (e.g. Rendered).

Using Inspector (or manually, if you prefer), add a header called FlagAuthorised and set it to have a value of True. e.g.:

Headers with FlagAuthorised Added

GET / HTTP/1.1
Host: 10.10.230.66
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
FlagAuthorised: True

Send the request.

Q 1. What is the flag you receive?

Ans. THM{Yzg2MWI2ZDhlYzdlNGFiZTUzZTIzMzVi}

Solution: -

Task 7 — Practical Challenge

Answer the questions below

Capture a request to one of the numeric products endpoints in the Proxy, then forward it to Repeater.

See if you can get the server to error out with a “500 Internal Server Error” code by changing the number at the end of the request to extreme inputs.

Q 1. What is the flag you receive when you cause a 500 error in the endpoint?

Ans. THM{N2MzMzFhMTA1MmZiYjA2YWQ4M2ZmMzhl}

Solution: -

Task 8 — Extra Mile SQLi with Repeater

Exploit the union SQL injection vulnerability in the site.

Q 1. What is the flag?

THM{ZGE3OTUyZGMyMzkwNjJmZjg3Mzk1NjJh}

Room 3 — Burp Suite: Intruder

Task 1 Introduction Room Outline

Read only module !!

Task 2 Intruder What is Intruder?

Answer the questions below

Q 1. Which section of the Options sub-tab allows you to define what information will be captured in the Intruder results?

Ans. Attack Results

Q 2. In which Intruder sub-tab can we define the “Attack type” for our planned attack?

Ans. Positions

Task 3 — Intruder Positions

Read only module !!

Task 4 — Attack Types Introduction

Let’s switch to the “Positions” sub-tab and look in the “Attack types” drop-down menu.

There are four attack types available:

  • Sniper
  • Battering ram
  • Pitchfork
  • Cluster bomb

We will look at each of these in turn. Read only module !!

Task 5 — Attack Types Sniper

Answer the questions below

Q 1. If you were using Sniper to fuzz three parameters in a request, with a wordlist containing 100 words, how many requests would Burp Suite need to send to complete the attack?

Ans. 300

Q 2. How many sets of payloads will Sniper accept for conducting an attack?

Ans. 1

Q 3. Sniper is good for attacks where we are only attacking a single parameter, aye or nay?

Ans. aye

Task 6 — Attack Types Battering Ram

Answer the questions below

As a hypothetical question: you need to perform a Battering Ram Intruder attack on the example request above.

If you have a wordlist with two words in it (admin and Guest) and the positions in the request template look like this:
username=§pentester§&password=§Expl01ted§

Q 1. What would the body parameters of the first request that Burp Suite sends be?

Ans. username=admin&password=admin

Task 7 — Attack Types Pitchfork

Answer the questions below

Q 1. What is the maximum number of payload sets we can load into Intruder in Pitchfork mode?

Ans. 20

Task 8 — Attack Types Cluster Bomb

Answer the questions below

We have three payload sets. The first set contains 100 lines; the second contains 2 lines; and the third contains 30 lines.

Q 1. How many requests will Intruder make using these payload sets in a Cluster Bomb attack?

Ans. 6000
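To see where the figures in the Sniper, Battering Ram, Pitchfork and Cluster Bomb questions come from, here is a small model of how each attack type expands the § positions in a request template. This is an added example written for this writeup; it is not TryHackMe's or PortSwigger's code. It only reproduces the documented expansion rules (it sends nothing over the network), and it uses the room's own template `username=§pentester§&password=§Expl01ted§` as constructed input. Knowing the request volume each mode produces is also useful on the defending side when setting rate-limit and alert thresholds for a login endpoint.

```python
"""Model of how Burp Intruder's four attack types expand payload positions.

Added example for this writeup; not TryHackMe's or PortSwigger's code. It
reproduces the documented behaviour of the attack types so the request counts
in the room's questions can be checked offline.
"""
import re
from itertools import product

# Burp marks a payload position by wrapping the original value in section signs.
POSITION_RE = re.compile(r"§([^§]*)§")

# Request template from the Battering Ram task (constructed sample input).
TEMPLATE = "username=§pentester§&password=§Expl01ted§"


def parse_template(template):
    """Split a template into its literal chunks and the original value at each position."""
    pieces = POSITION_RE.split(template)  # literal, original, literal, ..., literal
    return pieces[0::2], pieces[1::2]


def render(chunks, values):
    """Re-assemble a request body from literal chunks and one value per position."""
    body = []
    for i, chunk in enumerate(chunks):
        body.append(chunk)
        if i < len(values):
            body.append(values[i])
    return "".join(body)


def generate(template, payload_sets, attack_type):
    """Yield every request body Intruder would send for the given attack type."""
    chunks, originals = parse_template(template)
    positions = len(originals)
    if attack_type in ("sniper", "battering ram") and len(payload_sets) != 1:
        raise ValueError(f"{attack_type} accepts exactly one payload set")
    if attack_type in ("pitchfork", "cluster bomb") and len(payload_sets) != positions:
        raise ValueError(f"{attack_type} needs one payload set per position")

    if attack_type == "sniper":
        # One position at a time; the other positions keep their original value.
        for pos in range(positions):
            for payload in payload_sets[0]:
                values = list(originals)
                values[pos] = payload
                yield render(chunks, values)
    elif attack_type == "battering ram":
        # The same payload is placed in every position at once.
        for payload in payload_sets[0]:
            yield render(chunks, [payload] * positions)
    elif attack_type == "pitchfork":
        # Sets are walked in parallel; the attack stops when the shortest set runs out.
        for combo in zip(*payload_sets):
            yield render(chunks, list(combo))
    elif attack_type == "cluster bomb":
        # Every combination of payloads across all sets (Cartesian product).
        for combo in product(*payload_sets):
            yield render(chunks, list(combo))
    else:
        raise ValueError(f"unknown attack type: {attack_type}")


def count_requests(positions, set_sizes, attack_type):
    """Number of requests an attack would send, computed without generating them."""
    if attack_type == "sniper":
        return positions * set_sizes[0]
    if attack_type == "battering ram":
        return set_sizes[0]
    if attack_type == "pitchfork":
        return min(set_sizes)
    if attack_type == "cluster bomb":
        total = 1
        for size in set_sizes:
            total *= size
        return total
    raise ValueError(f"unknown attack type: {attack_type}")


if __name__ == "__main__":
    # Figures from the room's questions: Sniper with 3 positions and 100 words,
    # Cluster Bomb with sets of 100, 2 and 30 lines.
    print("sniper:", count_requests(3, [100], "sniper"))                    # 300
    print("cluster bomb:", count_requests(3, [100, 2, 30], "cluster bomb"))  # 6000
    # Battering Ram task: first request with the two-word list admin, Guest.
    print(next(generate(TEMPLATE, [["admin", "Guest"]], "battering ram")))  # username=admin&password=admin
    for body in generate(TEMPLATE, [["admin", "Guest"]], "sniper"):
        print("sniper:", body)
```

Running the script prints the 300 and 6000 figures and the `username=admin&password=admin` first request from the Battering Ram question; the Sniper loop at the end shows why that mode needs positions × words requests, since each position is fuzzed separately while the others keep their original value.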

Task 9 — Intruder Payloads

Answer the questions below

Q1. Which payload type lets us load a list of words into a payload set?

Ans. Simple List

Q 2. Which Payload Processing rule could we use to add characters at the end of each payload in the set?

Ans. Add suffix

Task 10 — Practical Example

Read only module !!

Now log in using the above credentials:

Open any ticket: -

Answer the questions below

Which attack type is best suited for this task?

Configure an appropriate position and payload (the tickets are stored at values between 1 and 100), then start the attack.

You should find that at least five tickets will be returned with a status code of 200, indicating that they exist.

Either using the Response tab in the Attack Results window or by looking at each successful (i.e. 200 code) request manually in your browser, find the ticket that contains the flag.

Q 1. What is the flag?

Ans. THM{MTMxNTg5NTUzMWM0OWRlYzUzMDVjMzJl}

Solution: -

Task 12 — Extra Mile CSRF Token Bypass

Read and try !!

Task 13 — Conclusion Conclusion

Read and complete it !!
