Web Hacking

Today's Challenges

  • Beginner-Intermediate: Natas
    • Wargame. More structured. Better for trying out and learning.
  • Intermediate-Advanced: w3challs
    • Standalone challenges. More like CTF competitions.

If you are doing Natas, then read the respective homepage, which tells you how to get started. Each level has a password you need to enter it, so make sure to write them down as you find them!

Each challenge on w3challs has its own page that links to the challenge. If you want to submit flags and earn points then you will need to make an account. Remember, generally, less solves = harder challenge!

If you are struggling then talk to your friends and the people around you! Remember you can always look stuff up too, and if you're really struggling then feel free to ask someone in an AFNOM hoodie. We want everyone to have fun and have a good time learning something new!

Happy Web hacking!

Web proxies

Some web challenges are easier to solve if you have a proxy to capture and edit web requests. We recommend ZAP (a free and open source tool). Alternatively, you can install Burp Suite which is a proprietary tool with similar features. For this session, you probably won't need a proxy but if you want to install one, here are instructions for recent versions of Ubuntu (the process is similar for other Linux distros):

ZAP

  • On some systems, you can install ZAP with your package manager by installing the zaproxy package but if it isn't available (like on Ubuntu), follow the instructions below
  • First, you'll need to install Java, to do this on Ubuntu, run the following:
sudo apt install default-jre
  • Then, download the ZAP installer from https://www.zaproxy.org/download/, select the "Linux Installer" option
  • Once the file has downloaded, open the terminal, navigate to the directory you downloaded the file in and run
chmod +x ZAP_*_unix.sh
sudo ./ZAP_*_unix.sh
  • You can run the above commands with the exact name of the file you downloaded, the example above uses the wildcard (*) so it works regardless of the version of the installer
  • Go through the setup wizard and leave all options as their defaults
  • Launch ZAP as you would launch any other app, select 'no' when asked if you would like to persist your session
  • Click 'Manual explore' and type in the URL of the challenge's website, click 'Launch Browser'
  • If it works, you're done! On Ubuntu, however, it's likely you'll get an error saying it can't find the browser
  • To fix this, click on 'Tools' in the toolbar, find 'Options', select 'Selenium' and change the geckodriver path to /snap/bin/firefox.geckodriver, the browser should now be able to launch
  • ZAP should now be working

Burp Suite

chmod +x burpsuite*.sh
./burpsuite*.sh
  • Go through the setup wizard and leave all options as their defaults
  • Launch Burp Suite as you would launch any other app, (reluctantly) accept the terms and conditions and click next and then 'Start Burp'
  • Select the 'Proxy' tab of the top bar and click the 'Open browser' button
  • If the browser launches, you're done! However, if you're on a newer version of Ubuntu, it's likely nothing will happen when you press that button
  • To fix this, run the following commands:

Warning! These commands give the browser's sandbox root permissions which makes it less secure. After running this, don't use Burp browser for anything other than hacking challenges.

sudo chown root:root ~/BurpSuiteCommunity/burpbrowser/*/chrome-sandbox
sudo chmod 4755 ~/BurpSuiteCommunity/burpbrowser/*/chrome-sandbox

If you want a more secure (but more complicated) fix, see this page: https://anthonyhanel.me/posts/Fixing-Burp-Suite%27s-Default-Browser-Ubuntu-24.04/

  • Burp Suite should now be working