Burp Suite: Repeater - TryHackMe Junior Penetration Tester 4.2

Captions
Okay, now let's go in the background here a little bit. I want to take some blue, this is Prussian blue. I'm going to mix in some brown, this is Van Dyke brown, and some green, it's a sap green, about equal parts. It should look dark, it should look black on your palette. You know, with the fan brush here we'll make some, let's make some evergreens. There's many ways to make them, so we'll show you a bunch of ways to make them on the series. All right, we load the brush pan full of paint and decide where you want your tree to be, touch the canvas, turn the brush sideways and just begin building your tree. Look at that, back and forth. Isn't that easy? As it goes into the bottom of the canvas it'll fade into that grass. And trees get lonely too, they need a little friend, so we'll give them a little friend right here. And you know, sometimes you don't want to have a bunch of distinct tree... oh, it's that time. One moment.

Hi there. In our last lesson we had an introduction to Burp Suite for web application pen testing. In today's lesson we're going to learn how to use Repeater to duplicate requests in Burp Suite. I'm Brock from Brock Card Security, and let's get hacking.

You know what to do: log into your Junior Pen Tester dashboard and get started in the Burp Suite module. Click on the room Burp Suite: Repeater. Welcome to the Burp Repeater room. Having covered the basics of using Burp Suite, this room will dive into one of the more powerful aspects of the framework, namely the Burp Suite Repeater module. We will be covering how to use Repeater to manipulate and arbitrarily resend captured requests, as well as looking at some of the other niftier options available in this cool tool. Finally, we will encounter a series of examples, including a real-world extra-mile exercise, which we will use to consolidate the more theoretical aspects of the room. If you have not used Burp Suite before and have not completed the Burp Basics room, you may wish to do so now before continuing; you can click on that here, because this room builds upon the foundations covered there. Deploy the machine and the AttackBox if you're not using your own attack VM, and let's get started. Click the green Start Machine button. Hooray. All right, now we can go ahead and click the blue Start AttackBox; we're waiting for that to initialize. Note: if you're not using the AttackBox and want to connect to this machine without the VPN, you can do so using this link once the machine has fully loaded and an IP address is displayed. So go ahead and use that link if you're not using the AttackBox and you don't want to use the VPN. Once your machine is up and running, go ahead and smash that Completed button.

All right, Task 2: What is Repeater? We're having a whole lesson on it; what is it? Before we start using Repeater it will help to have a good idea of what it does. In short, Burp Suite Repeater allows us to craft and/or relay intercepted requests to a target at will. In layman's terms, it means we can take a captured request in Proxy and send the same request repeatedly, as many times as we wish. Alternatively, we could craft requests by hand, much as we would from the CLI (command line interface) using a tool such as cURL to build and send requests. This ability to edit and resend the same request multiple times makes Repeater ideal for any kind of poking around at an endpoint, providing us with a nice graphical user interface for writing the request payload and numerous views, including a rendering engine for a graphical view of the response, so that we can see the results of our handiwork in action. The Repeater interface can be split into six main sections. Let's go ahead and go to Applications, Web, and Burp Suite Community Edition. Click Temporary Project, Start Burp, leave it default, and click on Repeater. Go ahead to Proxy and open up... Now, if you'll remember from the last lesson, to use Proxy we're going to have to turn off the sandbox. If we go to Project Options and Misc, go ahead and scroll down. Remember, in the last lesson we have to allow the embedded browser to run without a sandbox if we want to use the embedded Chromium web browser. This will just make things a lot easier, so that we can just use the AttackBox to forward any traffic to our web proxy. We'll just go to tryhackme.com, and while that's still in, we can see in Burp Suite that it's already picking up traffic. Right-click anywhere in that traffic and just do Send to Repeater. Now click the Repeater tab and you can see that we have something to work with.

At the very top left of the tab we have a list of Repeater requests; right now we just have one. We can have many different requests going through Repeater; each time we send a new request to Repeater it will appear here. Directly underneath the request list we have the controls for the current request. These allow us to send a request, cancel a hanging request, and go forwards/backwards in the request history. Still on the left-hand side of the tab, but taking up most of the window, we have the Request and Response views. We edit the request in the Request view, then press Send; the response will show up in the Response view. So, for example, we could change something in the request like this, then hit Send, and the response will show up in the Response view. Above the Request/Response section, on the right-hand side, is a set of options allowing us to change the layout for the Request and Response views. By default this is usually side by side (the horizontal layout is in the screenshot); however, we can also choose to put them above/below each other in a vertical layout, or in separate tabs with the Combined view. At the right-hand side of the window we have the Inspector, which allows us to break requests apart to analyze and edit them in a slightly more intuitive way than with the raw editor. We will cover this in a later task. Quite simply, this is the IP address or domain to which we are sending requests; when we send requests to Repeater from other parts of Burp Suite this will be filled in automatically. Don't worry if this isn't making too much sense just now; you'll get plenty of chances to learn what it does in the upcoming tasks. After you familiarize yourself with the Repeater interface, go ahead and click Completed.

We know what the interface looks like now, but how do we put it to use? Whilst we can craft requests by hand, it would be much more common to simply capture requests in the Proxy, then send them through to Repeater for editing and resending. With a request captured in the Proxy, we can send it to Repeater either by right-clicking on the request and choosing Send to Repeater, or by pressing Ctrl+R. Go ahead and open up the Chromium web browser and let's type in a different web address; go ahead and type in tryhackme.com/activities and press Enter. Now switch back to Repeater and we can see that our request is now available. Now, on the most recent capture, we can go ahead and right-click and Send to Repeater, or do Ctrl+R. Once we press Ctrl+R you'll see that Repeater is now highlighted in orange, and now we can see we have a couple of requests that are available. The Target and Inspector elements are now also showing information; however, for this request we do not yet have a response, since the Proxy halted its traffic. Go ahead and click horizontal view and now click Send, and you'll see the Response section line up. If we want to change anything about the request we can simply type in the Request window and press Send again, like changing the Mozilla Firefox browser from version 5.0 to version 3.0. Go ahead and click Send and you'll see that the response changes. If you want to go back to the original request you can just simply click the Go Back button. If you scroll down there should be an IP address that they give you; go ahead and type in that address and hit Enter, and now go back to your Burp Proxy and go to HTTP history, and where it shows the IP address, go ahead and right-click that, then Send to Repeater, or press Ctrl+R. Now you'll see that we have a third request, and now you can practice modifying and resending the request. So it says close down here at the bottom, but we can actually change the Connection header; we're going to put open. This will force the Connection header to have a value of keep-alive, and if we hit Send, sure enough, we see the connection type is keep-alive. What if I don't know what HTTP keep-alive is? So by default, when you're using HTTP to browse the internet, it's not a consistent connection; by default HTTP connections close after every request. By turning the HTTP header to open instead of close, it's making the HTTP connection persistent, allowing a single TCP connection, like the one we have from Burp Suite, to remain open for multiple HTTP requests and responses, meaning that as pen testers we get to play around and have fun testing different web pages instead of the connection just closing right away. In HTTPS this is a little different; it's more secure. A little fun fact is that keep-alive connections were enabled by default in HTTP version 1.1; however, HTTP 1.0 was designed to close the connection after every request between the client and server. Feel free to try whatever you want. You can change from HTTP to HTTPS; as we can see here, HTTP version 1.1. Theoretically, if we just delete the connection type altogether and hit Send, we still get that Connection header of keep-alive, and then we can still send multiple HTTP requests and responses. Change the Accept header to include binary/ and then we hit Send. Just play around with it, have fun. You can use the history buttons on the right side of the Send button to go forwards and backwards in your modification history. After you've experimented, go ahead and click the Completed button.

Repeater views. Repeater offers us various ways to present the responses to our requests; these range from hex output all the way up to a fully rendered version of the page. We can see the available options by looking above the Response box; we have four display options here. Pretty is the default option; it takes the raw response and attempts to beautify it slightly, making it easier to read. Raw: the pure, unbeautified response from the server. Hex takes the raw response and gives us a byte view of it, especially useful if the response is a binary file. Render renders the page as it would appear in your browser; while it's not hugely useful, given that we would usually be interested in the source code when using Repeater, this is still a neat trick. In most instances the Pretty option is perfectly adequate; however, it is still well worth knowing how to use the other three options. Just to the right of the view buttons is the Show non-printable characters button (\n). This button allows us to display characters that usually wouldn't show up in the Pretty or Raw views. For example, every line in the response will end with the characters \r\n; these signify a carriage return followed by a new line and are part of how HTTP headers are interpreted. While it's not required for most tasks, this option can still come in handy. Don't forget, in Pretty or Raw we can actually show the non-printable characters by clicking this little button here, and as you can see, we can see all those carriage returns followed by a new line; it's part of how HTTP headers are interpreted. Just like if you open a Word document, there's a similar button right here in the Home tab; it says Show/Hide. It shows paragraph marks and other hidden formatting symbols, which you may be familiar with if you've used Word, and as we can see there's a backwards P indicating that there's a new paragraph and that there's a carriage return. However, that formatting is not normally seen; it's just there to interpret for Word. Go ahead and click Completed. Which view option displays the response in the same format as your browser would? That would be Render.

In many ways Inspector is entirely supplementary to the Request and Response fields of the Repeater window. If you understand how to read and edit HTTP requests, then you may find that you rarely use Inspector at all. That said, it is a superb way to get a prettified breakdown of the requests and responses, as well as for experimenting to see how changes made using the higher-level Inspector affect the equivalent raw versions. Inspector can be used in the Proxy as well as Repeater; in both cases it appears over at the very right-hand side of the window and gives us a list of the components in the requests and responses. As you can see, to pop it out you just click this expand button. Of these, the request sections can nearly always be altered, allowing us to add and delete items. For example, in the Request Attributes section we can edit the parts of the request that deal with location, method and protocol: for example, changing the resource we're looking to retrieve, altering the request from GET to another HTTP method, or switching protocol from HTTP version 1 to HTTP version 2. The other sections for viewing and editing are: Query Parameters, which refer to data being sent to the server in the URL; for example, in a GET request to https://admin.tryhackme.com/?redirect=false there is a query parameter called redirect, right after the question mark, with a value of false. Using the query parameter we can change that to redirect=true. Body Parameters would do the same thing as Query Parameters, but for POST requests; anything that we send as data in a POST request will show up in this section, once again allowing us to modify the parameters before resending. Request Cookies contains, as you may expect, a modifiable list of the cookies which are being sent with each request. Request Headers allow us to view, access and modify (including outright adding or removing) any of the headers being sent with our request; editing these can be very useful when attempting to see how a web server will respond to unexpected headers. Some of the request headers include Host, Upgrade-Insecure-Requests, User-Agent, Accept, Accept-Encoding, Accept-Language, Content-Length and Content-Type. Response Headers show us the headers that the server sent back in response to our request; these cannot be edited, as we can't control what headers the server returns to us. Note that this section will only show up after we have sent the request and received a response. These components can all be found as text within the Request and Response sections; however, it can be nice to see them in the tabular format offered by Inspector. It's well worth adding, removing and editing headers in Inspector to get a feel for how the raw version changes as you do so. Be comfortable with Inspector and practice adding or removing items from the various request sections. Once you've done that, go ahead and click Completed.

Repeater is best suited for the kind of task where we need to send the same request numerous times, usually with small changes in between requests. For example, we may wish to manually test for a SQL injection vulnerability (which we will do in the upcoming task), attempt to bypass a web application firewall filter, or simply add or change parameters in a form submission. For now, let's start with an extremely simple task: using Repeater to alter the headers of a request we send to a target. Go ahead and open your Chromium browser; if it's not open you can go to Proxy, then Intercept, Open Browser. Type in the IP address they give you. Once you press Enter you should get a stalled web page that's loading. Back in Proxy, Intercept, right-click and you can press Ctrl+R or Send to Repeater. Once you see that request pop up in Repeater, you can go ahead and click Completed. Now send the request once from Repeater; you should see the HTML source code for the page you requested in the Response tab. Try viewing this in one of the other view options, for example Render. Click Completed. Using Inspector (or manually if you prefer), add a header called FlagAuthorised and set it to have a value of true. It should look something like this. So we can open up Inspector and click Request Headers and click the plus sign to add a new request header. For the name you can go ahead and put FlagAuthorised (leave that colon out), and for the value we're going to do true. Click Add, and now if you click Send... it didn't work. I tried going into Inspector and adding a request header using the plus button, adding a name and value and then sending it, but for some reason it didn't work. This just goes to show that if you're having problems with Inspector, it's better to just do it manually and you'll probably have better luck. So we're going to manually enter that request header. All we have to do is, under Upgrade-Insecure-Requests: 1, go ahead and hit Enter and then do FlagAuthorised: true. If we were to look at the hint, it says make sure you leave the two blank lines at the bottom of the request. To make sure that there's two blank lines you can go to the bottom and press Enter twice, just to make sure that we have those two blank lines. Also add that header right below Upgrade-Insecure-Requests, like they show in their examples. So we'll add the FlagAuthorised header and make it true, so the flag should return to us when we click Send and view it in the Raw response. Go ahead and copy that flag and paste it in, and then submit. Nice job, guys. Moving on to the next task.

Task 7: Practical Challenge. In the previous task we used Repeater to add a header and send a request; this should serve as an example for using Repeater. Now it's time for a very simple challenge. With your proxy deactivated, head over to the URL that they give, /products, and try clicking on some of the See More links. Did you notice that it redirects you to a numeric endpoint, for example /products/3? This endpoint needs to be validated to ensure that the number you tried to navigate to exists and is a valid integer; however, what happens if it's not adequately validated? Go ahead and capture a request to one of the numeric product endpoints in the Proxy, then forward it to Repeater. We'll go back into Burp Suite and turn on the Intercept. Once the Intercept's on, go back to the Chromium web browser and click one of the See More links; for me, I'm going to do the cloud storage /products/5 page. Once I've sent the request, looks like we got some action going on in Burp Suite; sure enough, we can take this traffic and Send to Repeater, and click Completed on that step. See if you can get the server to error out with a 500 Internal Server Error by changing the number at the end of the request to extreme input. Pop over to Repeater. The idea here is to enter unexpected inputs to see how the server would react. For example, instead of a number you could enter a piece of text or a symbol; alternatively, you could try entering a number greater than the number of products available, for example 1000, or a number less than or equal to zero. For this specific web page, the integer to be validated is the ID on the products branch. So if we go to Burp and change the 5 to a question mark and then go ahead and Send that, I still seem to get somewhat normal feedback. Let's try another symbol, how about the plus symbol; go ahead and Send. We are changing the responses we're getting; in this case we're getting a 404 error, but still not getting the flag. Let's try a random series of text and press Send, and it's Not Found. There's only six product pages, so what if we tried seven? Press Send. The hint suggested we enter a number that's greater than the number of products available; what if we tried 3000? Press Send. Nothing. I don't know if I'm putting it in the right area; well, we're getting an error, but no flag. What if we try doing a negative number, negative one percent? This time, instead of a 404 error, we're getting an Internal Server Error, so it's changing the error type at least. Aha, and there we have our flag. By entering a number less than or equal to zero, it didn't make sense to the server, because there can't really be a negative number of products, and it threw out this error code, and in our case the flag. In a real-world situation this could give us feedback that could help us test the weak points of this web page and possibly find a vulnerability. Go ahead and copy that flag and paste it in. Good work, team. Let's go on to the next one.

Task 8: SQLi with Repeater. This task contains an extra-mile challenge, which means that it is a slightly harder, real-world application for Burp Repeater. If you feel comfortable performing a manual SQL injection by yourself, you may skip to the last question and try this as a blind challenge; otherwise, I'll be going through the guide. Before we start on this challenge, if you don't already know the principles of SQLi, then it'll be well worth your time to check out the room on the topic. SQL injection is a very important attack method; I'll put a link to it here and I recommend you check out that room. However, full steps will be provided, so you do not need in-depth knowledge of the principles of SQL injection to complete this task. There is a union SQL injection vulnerability in the ID parameter of the /about/ID endpoint. Find this vulnerability and execute an attack to retrieve the notes about the CEO stored in the database. We know that there is a vulnerability and we know where it is; now we just need to exploit it. Let's start by capturing a request to /about/2 in the Proxy. Once you've captured the request, send it to Repeater with Ctrl+R or by right-clicking and choosing Send to Repeater. Guys, my machine is just going wacko right now; hold on, we'll get that back up and running. Open up a Chromium web browser and type in the IP address that they provide, /about/2. Click Enter; now we're getting some action in Burp Suite. After you see it in Repeater, go ahead and click Completed. Now that we have a request primed, let's confirm that a vulnerability exists. Adding a single apostrophe is usually enough to cause the server to error when a simple SQLi is present, so either using Inspector or by editing the request path manually, add an apostrophe after the 2 at the end of the path and send the request: /about/2 and then put in the apostrophe. I'm going to go ahead and click horizontal layout so I can see my response immediately. Once you press Send you should see that the server responds with a 500 Internal Server Error, indicating that we successfully broke the query. Click Completed. If we look through the body of the server's response, we see something very interesting at around line 40. The server is telling us the query we tried to execute: invalid statement, SELECT first name, last name, ... FROM, it looks like the table, people WHERE id = 2. They're definitely using some kind of SQL here, and it looks like a table with people's credentials. This is an extremely useful error message which the server should absolutely not be sending us, but the fact that we have it makes our job significantly more straightforward. The message tells us a couple of things that will be invaluable when exploiting this vulnerability. First off, the database table we're selecting from is called people. The query is selecting five columns from the table: first name, last name, pfp link, role, bio; those are the five columns. We can guess where these fit into the page, which will be helpful for when we choose where to place our responses. With this information we can skip over the query column number and table name enumeration steps. Oh, thanks, TryHackMe. Although we have managed to cut out a lot of the enumeration required here, we still need to find the name of our targeted column. As we know the table name (people) and the number of rows, we can use a UNION query to select the column names for the people table from the columns table in the information_schema default database. Two tables, one information_schema database. A simple query for this is as follows: /about/0 UNION ALL SELECT column_name,null,null,null,null FROM information_schema.columns WHERE table_name="people". In other words, this creates a UNION query and selects our target, which is the people table, then four null columns to avoid the query erroring out; so those are not rows, those are columns. Notice that we also changed the ID that we are selecting from 2 to 0; by setting the ID to an invalid number, we ensure that we don't retrieve anything with the original, legitimate query. This means that the first row returned from the database will be our desired response from the injected query. Once you've transcribed that query, go ahead and press Send, and we'll see that we have a new response. Looking through the returned response, we can see that the first column name, id, has been inserted into the page title; you can take a look at that in the Render view, and sure enough, there's the id popping out right there. Click Completed. We've successfully pulled the first column name out of the database, but now we have a problem: the page is only displaying the first matching item. We need to see all of the matching items. Fortunately, we can use our SQLi to group the results. We can still only retrieve one result at a time, but by using the group_concat function we can amalgamate all the column names into a single output. Let's go ahead and change our query slightly: right after the UNION ALL SELECT we're going to do a space, group_concat, and then put column_name in parentheses. Go ahead and click Send and we have a new response; looks like we have a lot more than id now. We have the first name, last name, pfp link, role, short role, bio and notes. Click Completed. We have successfully identified eight columns in this table; considering our task, it seems a safe bet that our target column is probably notes. Finally, we are ready to take the flag from this database. We have all the information that we need: the name of the table (people), the name of the target column (notes), and the ID of the CEO is 1 (this can be found simply by clicking on Jameson Wolf's profile on the About page and checking the ID in the URL). Let's craft a query to extract this flag. We can get rid of the group_concat function now that we know the eight column names, and type in notes for the column name, followed by four null columns (with commas) to avoid the query erroring out, and we're going to be retrieving this from the people table WHERE id, which is our special identifier, equals 1 with no space in there, and you can get rid of that "people" on the end, and then HTTP/1.1. That should match up with CEO Jameson Wolf (what kind of a name is Jameson Wolf anyway?). Send that query off, and if we look at the response, presto, we have the flag. Go ahead and copy the flag. Add Jameson Wolf to the list of CEOs that have been pwned by SQLi, but nice job to you guys for completing this mission and getting the flag. We have now completed the Burp Suite Repeater room. You should hopefully now understand how to use Repeater to edit, manipulate and resend requests, as well as having an idea of the many practical applications for it. The next room in the module will look over the Burp Suite Intruder tool. I can use Burp Suite Repeater! Guys, if you want more practice with SQL injection, go ahead and check out my lesson here. SQL injection is a cornerstone of web app pen testing; if you're curious about how to detect and exploit SQL injection vulnerabilities, go ahead and watch that video. We're all adults here: like the video if you like it, subscribe if you want to see more. Up until now we've been doing a lot of manual tasks in Burp Suite, but if you'll stick with me for the next lesson we're going to go over Burp Suite Intruder, where we get to play with things like the Sniper, the Battering Ram, the Pitchfork and the Cluster Bomb. No, I'm not talking about Call of Duty, I'm talking about Burp Suite. It's going to be a lot of fun, so we'll see you in the next one. I'm Brock from Brock Card Security. Keep hustling and take care.
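Several points in the walkthrough come down to what Repeater actually does with the raw request text: it lets you edit a captured request, insert a header below Upgrade-Insecure-Requests, flip Connection to keep-alive, and it only works if every line ends in \r\n and an empty line closes the header block (the hint about the blank lines at the bottom). The following is an added example, not Burp's code or the room's: a small Python request editor that parses a captured request, edits headers the way the video does, serialises it with CRLF line endings, and replays it over a raw socket against a local stand-in server. The sample request, the FlagAuthorised-reporting server and the 10.10.10.10 Host value are all constructed for the demo.

```python
"""Repeater-style raw HTTP request editing and replay (added example)."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample request, written the way Burp shows it in the Request view.
# The trailing blank line is mandatory: it tells the server the headers have ended.
RAW_REQUEST = (
    "GET /products/5 HTTP/1.1\n"
    "Host: 10.10.10.10\n"
    "User-Agent: Mozilla/5.0\n"
    "Accept: text/html\n"
    "Upgrade-Insecure-Requests: 1\n"
    "Connection: close\n"
    "\n"
)


def parse_request(raw):
    """Split a raw request into (request line, ordered header list, body).
    Accepts LF or CRLF line endings, as text pasted out of Burp may have either."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def set_header(headers, name, value, after=None):
    """Replace header `name` if present; otherwise insert it after header
    `after` (the room's hint puts it below Upgrade-Insecure-Requests) or append."""
    out = [(n, v) for n, v in headers if n.lower() != name.lower()]
    if after is not None:
        for i, (n, _) in enumerate(out):
            if n.lower() == after.lower():
                out.insert(i + 1, (name, value))
                return out
    out.append((name, value))
    return out


def serialize(request_line, headers, body=""):
    """Produce the bytes that go on the wire: every line ends with \\r\\n (what
    Burp's 'show non-printable characters' button reveals) and an empty line
    terminates the header block, so the body (if any) follows \\r\\n\\r\\n."""
    lines = [request_line] + [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()


def send_raw(host, port, payload, timeout=5.0):
    """Send raw bytes over TCP and read until the server closes or goes quiet."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except (socket.timeout, TimeoutError):
            pass  # keep-alive peer that never closes: return what we have
    return b"".join(chunks).decode(errors="replace")


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed local stand-in for the room's target; it reports whether the
    FlagAuthorised header arrived instead of returning a real flag."""

    def do_GET(self):
        authorised = self.headers.get("FlagAuthorised", "").lower() == "true"
        body = (f"path={self.path} authorised={authorised} "
                f"connection={self.headers.get('Connection')}").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def replay_with_header(raw=RAW_REQUEST):
    """Replay the captured request with FlagAuthorised added and Connection set
    to keep-alive against the stand-in server; return the response body."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        request_line, headers, body = parse_request(raw)
        headers = set_header(headers, "FlagAuthorised", "true",
                             after="Upgrade-Insecure-Requests")
        headers = set_header(headers, "Connection", "keep-alive")
        wire = serialize(request_line, headers, body)
        response = send_raw("127.0.0.1", server.server_address[1], wire)
        return response.split("\r\n\r\n", 1)[1]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(replay_with_header())
```

The `serialize` step is where the "two blank lines" hint comes from: a request whose header block is not closed by an empty CRLF line is never complete, so the server waits rather than answering. Running this against a server in the lab instead of the stand-in only needs the real host and port passed to `send_raw`.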
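Tasks 7 and 8 are two faces of the same defect: a path segment that is trusted as-is, first in /products/ID (where a negative number turns a 404 into a 500) and then in /about/ID (where the segment is spliced straight into a SELECT, so an apostrophe breaks the query and the UNION from the walkthrough reads the notes column). The following is an added example, not the room's code: a vulnerable lookup in the style the error message reveals, beside a hardened version that validates the ID as a positive integer and uses a parameterised query. It runs against an in-memory SQLite table; the column names, rows and the placeholder in the notes column are assumptions, and SQLite stands in for whatever database the lab uses.

```python
"""Vulnerable vs. hardened /about/<id> lookup (added example, not the room's code)."""
import re
import sqlite3

# Constructed stand-in for the room's `people` table. The five selected columns
# follow the error message shown in the walkthrough; everything else is assumed.
SCHEMA = """
CREATE TABLE people (
    id INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT, pfpLink TEXT,
    role TEXT, shortRole TEXT, bio TEXT, notes TEXT
);
INSERT INTO people VALUES
 (1, 'Jameson', 'Wolf', '/img/1.png', 'CEO', 'CEO', 'Runs the company',
  'FLAG{placeholder-not-the-real-flag}'),
 (2, 'Ada', 'Example', '/img/2.png', 'Engineer', 'Eng', 'Builds things',
  'nothing to see');
"""

# The exact payload the walkthrough ends with: the 0 makes the legitimate
# SELECT return nothing, so the first row comes from the injected SELECT.
PAYLOAD = "0 UNION ALL SELECT notes,null,null,null,null FROM people WHERE id=1"


class ServerError(Exception):
    """Stands in for the 500 Internal Server Error the room returns."""


class NotFound(Exception):
    """Stands in for a 404 response."""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def about_vulnerable(conn, raw_id):
    """The pattern behind the room's bug: the path segment is pasted into SQL
    and the failing statement is echoed back to the client."""
    query = ("SELECT firstName, lastName, pfpLink, role, bio "
             f"FROM people WHERE id = {raw_id}")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        raise ServerError(f"invalid statement: {query} ({exc})") from exc
    if row is None:
        raise NotFound(raw_id)
    return row


def parse_id(raw_id):
    """Task 7's missing check: the segment must be a positive integer of sane
    length. '', '?', '+', '-1', 'abc' and anything containing SQL all fail here."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw_id):
        raise NotFound(raw_id)
    return int(raw_id)


def about_hardened(conn, raw_id):
    """Validate first, then bind the value; the driver never sees it as SQL."""
    person_id = parse_id(raw_id)
    row = conn.execute(
        "SELECT firstName, lastName, pfpLink, role, bio FROM people WHERE id = ?",
        (person_id,),
    ).fetchone()
    if row is None:
        raise NotFound(raw_id)
    return row


def demo():
    """Run the walkthrough's inputs through both versions and summarise."""
    conn = make_db()
    results = {"normal": about_vulnerable(conn, "2")[0]}
    try:
        about_vulnerable(conn, "2'")          # the apostrophe probe
    except ServerError:
        results["apostrophe"] = "500"
    results["injected"] = about_vulnerable(conn, PAYLOAD)[0]
    results["hardened"] = []
    for bad in ("2'", PAYLOAD, "-1", "abc", "3000"):
        try:
            about_hardened(conn, bad)
        except NotFound:
            results["hardened"].append("404")
        except ServerError:
            results["hardened"].append("500")
    results["hardened_normal"] = about_hardened(conn, "1")[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to notice in the output: the vulnerable version turns the apostrophe into a 500 that leaks the statement, exactly the signal the walkthrough uses to confirm the bug, and the hardened version answers every malformed or out-of-range ID (including the full UNION payload) with the same 404, so a tester gets no error-type change to work from. The regex also handles the task 7 case directly: a negative or zero ID is rejected before it reaches the database.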
Info
Channel: Brock Rosen
Views: 3,071
Keywords: tryhackme, jr penetration tester, penetration testing, jrpenetrationtster, pentester, howto, introduction, burp suite, burpsuite, burp, beginner, free course, foundation, ethical hacking, cybersecurity, web app pentesting, webapp, cyber security, how to hack, junior, free, training, the basics, what is repeater?, basic usage, views, inspector, practical example, challenge, sqli with repeater, tutorial, community, what is burp suite?, answers, explained, walkthrough
Id: dJy0dVlWGtI
Length: 26min 10sec (1570 seconds)
Published: Wed Mar 29 2023