TryHackMe — Jr Penetration Tester — Burp Suite — Part 2— Room 4 & 5

Room 4— Burp Suite: Other Modules

Task 1 Introduction Outline

Read Only Module !!

Task 2 Decoder Overview

Read Only Module !!

Task 3 Decoder Encoding/Decoding

Answer the questions below

Statement: — Base64 encode the phrase: Let's Start Simple.

Q 1. What is the base64 encoded version of this text?

Ans. TGV0J3MgU3RhcnQgU2ltcGxl

Statement: — URL Decode this data: %4e%65%78%74%3a%20%44%65%63%6f%64%69%6e%67.

Q 2. What is the plaintext returned?

Ans. Next: Decoding

Statement: — Use Smart Decode to decode this data: %34%37.

Q 3.What is the decoded text?

Ans. 47

Statement: — Encode this phrase: Encoding Challenge.

Start with base64 encoding. Take the output of this and convert it into ASCII Hex. Finally, encode the hex string into octal.

Q 4. What is the final string?

Ans. 24034214a720270024142d541357471232250253552c1162d1206c

Task 4 — Decoder Hashing

Answer the questions below

Q 1. Using Decoder, what is the SHA-256 hashsum of the phrase: Let's get Hashing!?

Convert this into an ASCII Hex string for the answer to this question.

Ans.6b72350e719a8ef5af560830164b13596cb582757437e21d1879502072238abe

Q 2. Generate an MD4 hashsum of the phrase: Insecure Algorithms.

Encode this as base64 (not ASCII Hex) before submitting.

Ans. TcV4QGZZN7y7lwYFRMMoeA==

Statement: — Let’s look at an in-context example:

First, download the file attached to this task.

Note: This file can also be downloaded from the deployed VM with wget http://MACHINE_IP:9999/AlteredKeys.zip -- you may find this useful if you are using the AttackBox.

Now read the problem specification below:

“Some joker has messed with my SSH key! There are four keys in the directory, and I have no idea which is the real one. The MD5 hashsum for my key is 3166226048d6ad776370dc105d40d9f8 -- could you find it for me?"

Q 3. Submit the correct key name as your answer.

Ans. key3

Task 5 — Comparer Overview

Read Only module !!

Task 6 — Comparer Example

Answer the questions below

Navigate to http://10.10.136.72/support/login

Try to login with an invalid username and password — capture the request in the Burp Proxy.

Send the request to Repeater with Ctrl + R (or Mac equivalent), or by right-clicking on the request in Proxy and choosing to “Send to Repeater”.

Send the request, then right-click on the response and choose “Send to Comparer”.

In the Repeater tab, change the credentials to:

• Username: support_admin
• Password: w58ySK4W

Send the request again, then pass the new response into Comparer.

Q 1. Compare the two responses by word. How many differences does Comparer detect in total?

Ans. 9

Task 7 — Sequencer Overview

Read Only Module !!

Task 8 — Sequencer Live Capture

Read Only Module !!

Task 9 — Sequencer Analysis

Read Only Module !!

Task 10 — Conclusion Room Conclusion

Read Only Module !!

Room 5— Burp Suite: Extender

Task 1 Introduction Outline

Read Only !!

Task 2 Extender The Extender Interface

Answer the questions below

Q 1. Are extensions invoked in ascending (A) or descending (D) order?

Ans. D

Task 3 Extender The BApp Store

Read Only !!

Task 4 Extender Jython

Read Only !!

Task 5 Extender The Burp Suite API

Read Only !!

Task 6 Conclusion Room Conclusion

This room is basically depends on understanding BurpSuite in detail. Please go through all the Tasks, read carefully anf learn.

Happy Hacking !!