So we can see that we have a password field and not much else. We also can see that the description mentions a password file. Without much knowledge of the site (spoiler alert), we may be inclined to view the source and find some interesting tidbits of information, but in this case, previous experience with hackthissite.org would point us to start sniffing out php pages. And that’s exactly what we’re going to do.
If we send the request to Intruder…
we can see hackthissite.org over 443 on the Target tab. If we take a look at the Positions tab, we see some interesting portions of the request highlighted in orange. These are assumptions BurpSuite makes for possible entry points. These are merely suggestions, but we just want to do some discovery, so let’s take a look at manipulating some of the information in the request.
First, clear the current field sections using the button to the right.
Then put your cursor after “GET /missions/basic/3/” and click “Add §” twice.
You’ll see two section signs (§) highlighted in orange, and you’ll want to append “.php”. Since we’re doing discovery and we have an idea that this is a php based site, we’re appending a file extension since it’s the most likely to occur.
It should look like this:
Now, a little explanation of what’s going on here. We’ve cleared all automatically created sections and added our own. This section sign pair (§§) indicates that we’re going to insert our payload between these two points. So if our payload was the word “admin”, it would send the request with:
GET /missions/basic/3/admin.php
Burp will send every word in our payload list through that entry point. This means that Burp will send a large number of pre-determined requests to the server without our having to enter each one manually into Repeater or through the proxy. We can then view the results in a consolidated view.
Next, let’s take a look at the Payloads tab.
Defining our Payload
First, we want to define our payload set. For this demonstration, we’re going to choose Simple list and load the list from SVN Digger.
Then we’re going to load the list under Payload Options. Click the “Load…” button and pick the all-extensionless.txt file. We are choosing this file because we defined our extension in the Positions tab as “.php”.
If done correctly, you should see a list like this pop up in the Payload Options section.
There are some other options, but nothing we have to worry about at this point.
Launching the Attack (or the Discovery in this case)
Let’s go ahead and run the attack. Starting an Intruder attack can be a bit unintuitive at first. Select “Intruder” from the menu at the top of the window, and click “Start attack”.
This will begin the attack, and you’ll be greeted with a results window. Click the Status column to sort by the response code.
It shouldn’t take too long to see that “password” returns a 200 response. If you take a look at the response in the web browser, you’ll see the password in the password file. Entering that into the password field will pass the challenge.
About that Throttle
I mentioned at the beginning of the post that this was going to be noisy, and I meant it. If you launched this sort of discovery on a pen-test, you would probably raise some alarms. Since we’re hitting a site that is meant to be attacked, we don’t have to worry about it so much. If you’re authorized to go full throttle on a site, this would also be fine, but if you’re trying to remain stealthy, it may be a good idea to take a look at the throttling options offered in the Options tab.
The Request Engine section gives you control over throttling, threads, and retry options, and even allows you to delay the start of the attack. This is useful if you want to send requests with a delay in order to limit the chances of defenders discovering your attack.
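To make the “noisy” point concrete, here is an added example (not code from the original post or from Burp Suite) that simulates the traffic this Intruder run produces from the same §§ template described earlier, writes it out as access-log lines, and runs the kind of check a defender would use to spot it. The wordlist, the client IP, the log format and the detection threshold and window are all constructed assumptions.

```python
"""Simulate Intruder-style discovery traffic and detect it in access logs.
Added example; not part of the original post or of Burp Suite."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for SVN Digger's all-extensionless.txt.
WORDLIST = ["admin", "backup", "config", "index", "login", "password", "test", "upload"]
# Same shape as the post's Positions template; only password.php exists on the site.
TEMPLATE = "GET /missions/basic/3/§§.php"
EXISTING = {"/missions/basic/3/password.php"}

def build_requests(template, payloads):
    """Insert each payload between the § markers, as Intruder's Simple list does."""
    head, _, tail = template.partition("§§")
    return [head + p + tail for p in payloads]

def simulate_log(src_ip, delay_seconds, start=datetime(2024, 1, 1, 12, 0, 0)):
    """Constructed Apache-style log lines, one per payload, spaced by delay_seconds
    (delay_seconds=0 is a full-throttle run, >0 models the Request Engine throttle)."""
    lines = []
    for i, req in enumerate(build_requests(TEMPLATE, WORDLIST)):
        path = req.split()[1]
        status = 200 if path in EXISTING else 404
        ts = (start + timedelta(seconds=i * delay_seconds)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'{src_ip} - - [{ts} +0000] "{req} HTTP/1.1" {status} 512')
    return lines

def detect_scans(lines, max_404=5, window_seconds=10):
    """Flag any client with more than max_404 404s to distinct paths inside window_seconds.
    Threshold and window are assumptions; tune them to the site's normal traffic."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        ip, rest = line.split(" - - [", 1)
        ts_text, rest = rest.split("] ", 1)
        ts = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z")
        request_line = rest.split('"')[1]
        status = int(rest.split('"')[2].split()[0])
        if status != 404:
            continue
        q = recent[ip]
        q.append((ts, request_line.split()[1]))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop 404s that fell out of the sliding window
        if len({p for _, p in q}) > max_404:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    print("full throttle:", detect_scans(simulate_log("192.0.2.10", 0)))  # flagged
    print("3s throttle:  ", detect_scans(simulate_log("192.0.2.10", 3)))  # not flagged
```

The full-throttle run trips the rule on its seventh 404, while the same wordlist spaced three seconds apart never exceeds the window threshold, which is exactly the trade-off the Request Engine settings control.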
Now, I want to end this post with the idea that this is simply a demonstration of BurpSuite’s Intruder to introduce newcomers to the interface. If you ran the page through the proxy, you may have noticed that the password.php file was referenced in the parameters and we could have achieved the same results without Intruder, but the beauty of offensive techniques is that you can arrive at a positive result in a variety of ways, some more complicated than others.
Intruder also has many other payload options, including Brute forcer, which allows you to specify a character set and length for your payloads. This is especially useful when attacking passwords where you know the complexity requirements, and it’s especially effective against sites with weak complexity requirements.
There are a few other, more advanced techniques that allow you to use Intruder with a great deal of imagination and creativity to get some interesting results. The tool is built to be versatile and it certainly succeeds in that respect. I don’t want to go down the rabbit hole, but I will be posting more information on some of the more advanced Intruder functions later in the series as we wrap up the modules. For now, we’re just getting warmed up, and I encourage you to stay tuned for more.