THM Burp Suite: Other Modules - grunt92/IT-Sec-WriteUps GitHub Wiki

Introduction Outline

Deploy the machine attached to this task!
You should also deploy the AttackBox (using the "Start AttackBox" button at the top of the page) if you are not using your own local attack VM.

No answer needed

Decoder Overview

Familiarise yourself with the Decoder interface.

No answer needed

Decoder Encoding/Decoding

Base64 encode the phrase: Let's Start Simple.
What is the base64 encoded version of this text?

TGV0J3MgU3RhcnQgU2ltcGxl

Use Smart Decode to decode this data: %34%37.
What is the decoded text?

47

Encode this phrase: Encoding Challenge.
Start with base64 encoding. Take the output of this and convert it into ASCII Hex. Finally, encode the hex string into octal.
What is the final string?

24034214a720270024142d541357471232250253552c1162d1206c

Decoder Hashing

Using Decoder, what is the SHA-256 hashsum of the phrase: Let's get Hashing!?
Convert this into an ASCII Hex string for the answer to this question.

6b72350e719a8ef5af560830164b13596cb582757437e21d1879502072238abe

Generate an MD4 hashsum of the phrase: Insecure Algorithms.
Encode this as base64 (not ASCII Hex) before submitting.

TcV4QGZZN7y7lwYFRMMoeA==

Submit the correct key name as your answer.

key3

Comparer Overview

Familiarise yourself with the Comparer interface.

No answer needed

Comparer Example

Navigate to http://10.10.35.43/support/login
Try to login with an invalid username and password -- capture the request in the Burp Proxy

No answer needed

Send the request to Repeater with Ctrl + R (or Mac equivalent), or by right-clicking on the request in Proxy and choosing "Send to Repeater".

No answer needed

Send the request, then right-click on the response and choose "Send to Comparer".

No answer needed

Send the request again, then pass the new response into Comparer.

No answer needed

Compare the two responses by word. Can you identify the main differences?

No answer needed

Sequencer Overview

Familiarise yourself with the Live capture and Manual load interfaces. We will be looking more in-depth at the Live capture interface in the next task.

No answer needed

Sequencer Live Capture

Follow the steps above to perform entropy analysis on the loginToken set by the /admin/login route of our target web app.

No answer needed

[Bonus Question -- Optional] Try performing the capture again, but this time monitor your requests in Wireshark. Can you see why live capturing the requests for this analysis can be described as "loud"?

No answer needed

Sequencer Analysis

Take some time to look through the tests that Burp used to generate its summary. You don't need to understand all of these, but it is important to know that they exist.

No answer needed

Conclusion Room Conclusion

I understand how to use Decoder, Sequencer, and Comparer!

No answer needed
