- You should have already read the previous guide, Breaking Web Applications for Beginners. Even if you’re not a beginner, you should at least skim that guide.
- You should be at the point where you’re able to get through the reconnaissance and identification phases quickly for all but the toughest challenges.
Overcoming hurdles as an experienced player
There are two main hurdles that experienced players tend to encounter:
- Easier challenges seem to get harder.
- You’ll have a pretty good idea of what you’re supposed to be attacking and a rough idea of how to do it, but you’ll have trouble nailing down the specifics.
Easier challenges are getting harder
As players get better at the National Cyber League (NCL) games, it’s not unusual for them to start to solve harder challenges with less difficultly than easier ones. This sounds backwards, but it often comes down to overthinking. As you advance and more of your time is spent on harder challenges, the thought process for tackling hard challenges becomes second nature. You’re likely to skip simpler tactics out of habit.
The solution is simple: jot down a generic plan of attack that works for challenges of all difficulty levels. When you find that you’re overthinking, go through each step of your plan without skipping anything. You’ll likely encounter something you missed. The Breaking Web Applications for Beginners blog post can serve as such a guide for web application exploitation challenges.
If that technique doesn’t work, it’s likely been a long time since you’ve approached challenges as a novice. Consider taking some time to mentor people with less experience than you; teaching them will force you to break down your thought process into the simplest possible components, which will benefit both you and your mentee.
An attack isn’t working
This happens a lot on hard challenges. You’re pretty sure you know what you need to do, and you have a basic idea of how to do it, but it’s just not working.
There are a few possible causes:
- You missed a hint in the questions. When a challenge contains multiple questions, the earlier questions are meant to guide you–they serve as hints. Focus on solving those earlier questions first. If you’ve narrowed down one such question to two possible answers, enter them to see which is correct; it’ll probably be worth the potential hit to your accuracy. Don’t save all your answers for the end, either; submitting answers for difficult challenges as you go allows you to quickly redirect yourself if you’re on the wrong track.
- You’re on the wrong track. No matter how certain you are that you’re taking the correct approach, there’s always a chance you fell for a red herring. If you’re getting the same error message or response code every time no matter what you do, chances are you need to find a different way in. That conspicuous login form might be completely ignoring your input.
- You skipped ahead. The attack you’re attempting to execute may require additional information that you don’t yet have; to obtain that information, you may need to look somewhere else. For example, you might need the username of an administrator or a special cookie. Go back to the identification phase; poke around a little more in each interactive part of the site to see if you can extract anything useful that you missed previously. In particular, keep an eye on response codes and headers.
- You thought you tested something that you didn’t actually test. Even if you record your steps, you might not have tested what you thought you tested. Start from the beginning: write down each variation of your attack you plan to perform, carefully recording any commands you need to run or data you need to enter. As you perform your attacks, copy everything directly from your plan so you can be sure your plan accurately reflects what you’ve done. You may find gaps in your plan as you go.
- You overlooked a piece of information because you thought it was irrelevant. Don’t take any information for granted; even license pages or other legal notices can contain key information about your target. Record every page you know exists in some form, and double-check the ones you dismissed previously. Pages that return errors are still important to record as long as they’re not generic 404 errors. Identify a new weak point.
- You need to vary your attack a little. Using single quote for SQL injection? Try double quotes. Expecting a source file to be in a specific directory? Maybe it’s in a slightly less standard directory.
- You need to research a very specific exploit. Sometimes challenges require knowledge of specific vulnerabilities that have received a lot of publicity. For example, in the season after the infamous
sudovulnerability (CVE-2019-14287) was announced, one challenge required knowledge of that particular vulnerability and how to exploit it.
- You may need to research new and upcoming technologies. Express.js, GraphQL, and MongoDB have all made appearances in Cyber Skyline challenges. These are popular technologies in the real world, but learning resources often target less novel technologies such as SQL and PHP. Open source intelligence is often a key component of web application exploitation.
- There’s been a correction or clarification. Copy the challenge description and questions, then refresh the page. Check to see whether anything has changed. You may even find that an attempt that was previously deemed incorrect has been retroactively marked as correct, and your score has been adjusted accordingly. Also, be sure to join the Cyber Skyline Slack; clarifications and other notifications are often posted there.
- You need a break. Play a video game, go out with friends, take a nap, or do something else entirely unrelated to the competition. Alternatively, you can work on other challenge categories and come back to web application exploitation later.
Makes notes of everything you’ve tried. Once the competition is over, a special group on the Cyber Skyline Slack will open up, allowing players to discuss how they approached challenges. The exact rules for the group vary from season to season, but typically answers can’t be discussed, only techniques. An announcement is made in the main NCL Slack group when the discussion group opens; it will contain any additional information or actions you need to take. As long as you comply with the current rules, you can compare your notes to those of other players. Add other solutions to your notes and save them as a reference for the next season.