A detailed step-by-step guide to solving the lab and capturing the flag.
This lab introduces you to the importance of examining web page source code and understanding how developers might accidentally leave sensitive information in HTML comments.
Let's start by gathering basic information about our target.
First, we'll try to ping the target IP to check its reachability:
ping <target-ip>
However, we discover that the target does not respond to ping. This is not uncommon, as many systems and networks block ICMP packets for security reasons. The lack of ping response doesn't mean the system is offline; it just means we need to try other methods to interact with it.
Since ping doesn't work, we need to use the -Pn flag with Nmap to skip the ping check. Because this is a "Very Easy" lab, we can focus on scanning just the common ports:
nmap -Pn <target-ip>
The -Pn flag tells Nmap to assume the host is online and skip the initial ping probe. This is essential when scanning hosts that don't respond to ICMP echo requests.
This command will scan the 1000 most common TCP ports. The scan reveals that port 80 is open, which typically indicates a web server is running.
To get more information about the web server, we can use Nmap's version detection:
nmap -Pn -sV -p80 <target-ip>
This scan tells us that the web server is nginx version 1.25.4.
These initial findings give us a clear direction: we need to focus our efforts on exploring the web server running on port 80.
Now that we know there's a web server, let's examine what it's hosting.
Open your web browser and navigate to:
http://<target-ip>
Upon visiting the site, we see a single web page. At first glance, it might not seem very interesting or exploitable. However, in web application security testing, it's crucial to look beyond what's immediately visible.
Take note of any visible content, links, or functionalities on the page. Even if they seem unimportant, they might provide clues or lead to further discoveries.
Remember, not all valuable information is immediately visible in the rendered web page. Developers often leave comments, hidden fields, or other metadata in the source code that can be goldmines for security testers.
Since the visible content doesn't provide much to work with, our next step is to examine the HTML source code of the page.
To view the HTML source code, right-click anywhere on the page and choose "View Page Source".
Alternatively, you can use the keyboard shortcut Ctrl+U (Cmd+Option+U on macOS).
When examining the source code, pay attention to HTML comments, hidden form fields, and any other metadata that is not shown in the rendered page.
In this case, we find a crucial piece of information in an HTML comment:
<!-- TODO: move the flag "/anwvdzqtcucr/flag.txt" in a more secure location -->
This comment reveals the location of our flag file. It's a common mistake for developers to leave sensitive information in comments, thinking they won't be visible to users. However, as we've just seen, anyone can easily view these comments in the source code.
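The same check can be automated from the defender's side before a page ships. The following script is an added example, not part of the original lab write-up: it parses a constructed HTML page (modelled on the comment above) with Python's standard-library HTMLParser, collects every HTML comment, and flags those containing developer keywords (TODO, password, flag, ...) or path-like strings that should never reach a visitor. The keyword list and path regex are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
import re

# Constructed sample page (not the lab's actual page). It contains one harmless
# comment and one comment of the kind the write-up above found in the source.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Welcome</title></head>
<body>
<!-- layout: header begins -->
<h1>Hello</h1>
<!-- TODO: move the flag "/anwvdzqtcucr/flag.txt" in a more secure location -->
</body></html>
"""

# Words that usually mark a comment a developer meant to clean up (assumed list).
KEYWORDS = ("todo", "fixme", "password", "passwd", "secret", "key", "flag", "token")
# Absolute-looking paths such as /dir/file.txt (assumed pattern).
PATH_RE = re.compile(r"(?:/[\w.\-]+)+")


class CommentCollector(HTMLParser):
    """Collects every HTML comment in the document, in order of appearance."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return all HTML comments (whitespace-trimmed) found in the page."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def audit_comments(html):
    """Return (comment, reasons) pairs for comments that look sensitive.

    reasons lists each matched keyword, then 'path:<value>' for each path-like
    string, so a reviewer can see exactly why the comment was flagged."""
    findings = []
    for comment in extract_comments(html):
        reasons = [k for k in KEYWORDS if k in comment.lower()]
        reasons += ["path:" + m for m in PATH_RE.findall(comment)]
        if reasons:
            findings.append((comment, reasons))
    return findings


if __name__ == "__main__":
    for comment, reasons in audit_comments(SAMPLE_HTML):
        print("[!] " + comment + "\n    reasons: " + ", ".join(reasons))
```

Run it against your own rendered pages (or the output of curl) as a pre-release check; anything it flags should be removed from the HTML or moved out of the web root, not merely hidden.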
Now that we've discovered the path to the flag file, we can attempt to access it directly.
In your web browser, navigate to:
http://<target-ip>/anwvdzqtcucr/flag.txt
This should display the contents of the flag.txt file, which will be your flag for this challenge.
If you prefer using the command line, you can use curl to retrieve the flag:
curl http://<target-ip>/anwvdzqtcucr/flag.txt
This command will output the contents of the flag file to your terminal.
The flag will likely be in a specific format, such as a UUID or a string with a particular pattern. Make sure to copy it exactly as it appears, paying attention to any uppercase/lowercase letters, numbers, or special characters.
This lab demonstrates several important concepts in web application security:
-Pn flag with Nmap to continue your investigation.
Real-World Relevance: Scenarios like this are not uncommon in real-world applications. Developers might accidentally leave sensitive information in comments, configuration files, or other locations that are accessible to users. This is why security assessments often include a thorough examination of all accessible content, including source code and hidden files.