Demonstration of Cryptographic Failures

Jun 27, 2024

Demonstration of Cryptographic Failures / Sensitive Data Exposure

Introduction

  • Previous Video: Covered the theory of cryptographic failures aka sensitive data exposure.
  • Position: Second place in top vulnerabilities.
  • Focus: Demonstration of how the vulnerability works.

Connecting to TryHackMe

  1. Setting Up:

    • Search for OWASP Top 10 in TryHackMe.
    • Start machine by clicking the start button.
    • Connect to the server using the downloaded .ovpn file.
    • If unsure, refer to previous videos on VPN connections.
  2. Running Commands:

    • Run OpenVPN with the .ovpn file from the download directory to connect to the lab network.
    • Wait for the IP address to be assigned, then connect to the vulnerable machine.

Sensitive Data Exposure (Cryptographic Failures)

  • Introduction: Commonly illustrated with man-in-the-middle attacks.
  • Technique: The attacker intercepts communication between your machine and the website.
    • Example: The attacker compromises a router and captures the traffic passing through it (web pages, images, etc.).

Database Access

  • Command: Query table information to obtain details like customer ID, name, credit card, and password.
  • Hash Format: Customer data including hashed passwords.
  • Cracking Hashes: Use tools like CrackStation, which looks hashes up in precomputed tables, to recover the plaintext passwords.
  • Example Output: Username and hashed password retrieved from database.

Page Navigation & Hidden Directories

  1. Accessing Web Pages:

    • Identify hidden directories (e.g., /assets, /CSS, /images).
    • Use Kali Linux tools to find and access these directories.
  2. Database Files:

    • Download relevant database files (e.g., webapp.db).
    • Use SQL commands to extract table information (e.g., open the file with sqlite3 and run SELECT * FROM users).
  3. Extracting Information:

    • Crack the hashed passwords by looking them up on CrackStation.
    • Example: Recover the admin password for login.
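As an added example (not the video's or TryHackMe's own code), the Python below reproduces why a users table dumped from a file like webapp.db falls to a lookup service such as CrackStation, and shows the salted, slow hashing that defends against it. The table rows, the hash algorithm (unsalted MD5) and the wordlist are constructed stand-ins, not data from the lab machine.

```python
"""Why a leaked users table falls to a lookup service, and what fixed storage looks
like. Added example; the rows, hash algorithm (unsalted MD5) and wordlist are
constructed stand-ins, not data from the TryHackMe machine."""
import hashlib
import hmac
import os
import sqlite3

def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for webapp.db with unsalted MD5 password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    rows = [(1, "admin", hashlib.md5(b"password123").hexdigest()),
            (2, "bob", hashlib.md5(b"Tr0ub4dor&3").hexdigest())]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn

def md5_lookup_table(wordlist):
    """Tiny version of what CrackStation holds: precomputed hash -> plaintext.
    With no salt, one table answers for every user in every leaked database."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}

def audit_users(conn, lookup):
    """Defender check on the dumped table: which rows fall to a plain lookup?
    Returns {username: plaintext or None}; None means the hash was not in the table."""
    return {user: lookup.get(pw_hash)
            for _id, user, pw_hash in conn.execute("SELECT * FROM users")}

def hash_password(password: str, salt: bytes = b"") -> str:
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    The salt defeats precomputed tables; the iteration count slows guessing."""
    salt = salt or os.urandom(16)
    iters = 600_000
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return f"pbkdf2_sha256${iters}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    table = md5_lookup_table(["password123", "letmein", "123456"])
    print(audit_users(build_sample_db(), table))   # admin found, bob not in table
    stored = hash_password("password123")
    print(stored, verify_password("password123", stored))
```

The audit function is the check to run on your own user table: any row that a small wordlist resolves is a row an attacker with the leaked file resolves too.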

Logging In and Retrieving Flags

  • Login: Use retrieved admin credentials to log in to the admin panel.
  • Flag: Access the flag as part of the demonstration.

Conclusion

  • Disclaimer: Educational purpose only. Do not perform on unauthorized systems.
  • Call to Action: Like, subscribe, and share for more educational content.