TryHackMe — Jr Penetration Tester — Burp Suite — Part 2— Room 4 & 5
Room 4— Burp Suite: Other Modules
Task 1 Introduction Outline
Read Only Module !!
Task 2 Decoder Overview
Read Only Module !!
Task 3 Decoder Encoding/Decoding
Answer the questions below
Statement: — Base64 encode the phrase: Let's Start Simple
.
Q 1. What is the base64 encoded version of this text?
Ans. TGV0J3MgU3RhcnQgU2ltcGxl
Statement: — URL Decode this data: %4e%65%78%74%3a%20%44%65%63%6f%64%69%6e%67
.
Q 2. What is the plaintext returned?
Ans. Next: Decoding
Statement: — Use Smart Decode to decode this data: %34%37
.
Q 3.What is the decoded text?
Ans. 47
Statement: — Encode this phrase: Encoding Challenge
.
Start with base64 encoding. Take the output of this and convert it into ASCII Hex. Finally, encode the hex string into octal.
Q 4. What is the final string?
Ans. 24034214a720270024142d541357471232250253552c1162d1206c
Task 4 — Decoder Hashing
Answer the questions below
Q 1. Using Decoder, what is the SHA-256 hashsum of the phrase: Let's get Hashing!
?
Convert this into an ASCII Hex
string for the answer to this question.
Ans.6b72350e719a8ef5af560830164b13596cb582757437e21d1879502072238abe
Q 2. Generate an MD4 hashsum of the phrase: Insecure Algorithms
.
Encode this as base64 (not ASCII Hex) before submitting.
Ans. TcV4QGZZN7y7lwYFRMMoeA==
Statement: — Let’s look at an in-context example:
First, download the file attached to this task.
Note: This file can also be downloaded from the deployed VM with wget http://MACHINE_IP:9999/AlteredKeys.zip
-- you may find this useful if you are using the AttackBox.
Now read the problem specification below:
“Some joker has messed with my SSH key! There are four keys in the directory, and I have no idea which is the real one. The MD5 hashsum for my key is 3166226048d6ad776370dc105d40d9f8
-- could you find it for me?"
Q 3. Submit the correct key name as your answer.
Ans. key3
Task 5 — Comparer Overview
Read Only module !!
Task 6 — Comparer Example
Answer the questions below
Navigate to http://10.10.136.72/support/login
Try to login with an invalid username and password — capture the request in the Burp Proxy.
Send the request to Repeater with Ctrl + R (or Mac equivalent), or by right-clicking on the request in Proxy and choosing to “Send to Repeater”.
Send the request, then right-click on the response and choose “Send to Comparer”.
In the Repeater tab, change the credentials to:
- Username:
support_admin
- Password:
w58ySK4W
Send the request again, then pass the new response into Comparer.
Q 1. Compare the two responses by word. How many differences does Comparer detect in total?
Ans. 9
Task 7 — Sequencer Overview
Read Only Module !!
Task 8 — Sequencer Live Capture
Read Only Module !!
Task 9 — Sequencer Analysis
Read Only Module !!
Task 10 — Conclusion Room Conclusion
Read Only Module !!
Room 5— Burp Suite: Extender
Task 1 Introduction Outline
Read Only !!
Task 2 Extender The Extender Interface
Answer the questions below
Q 1. Are extensions invoked in ascending (A) or descending (D) order?
Ans. D
Task 3 Extender The BApp Store
Read Only !!
Task 4 Extender Jython
Read Only !!
Task 5 Extender The Burp Suite API
Read Only !!
Task 6 Conclusion Room Conclusion
This room is basically depends on understanding BurpSuite in detail. Please go through all the Tasks, read carefully anf learn.
Happy Hacking !!