Tooling via Browser Automation

Premium room

Creating custom tooling for application testing using Selenium and Playwright.

easy

60 min

3,238

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting both your AttackBox (if you're not using your VPN) and Target Machines, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.

The ability to create your own custom tooling is critically important for web application red teaming. Rarely will you be able to find a tool or plugin that will do exactly what you need. This then calls for you to develop custom tooling! This custom tooling module will showcase different ways you can approach this problem. Each option is unique and has its benefits and drawbacks.

In this room, we will focus on using browser automation to create tools and exploits. Browser automation tools allow you to write software that interacts with your browser the way a human user does. This provides some distinct advantages: the browser already takes care of a significant amount of the processing for you, such as running JavaScript and updating the Document Object Model (DOM) as requests are made, leaving you to focus on the exact actions that you want to automate. Although browser automation is more popular with developers for unit and quality test cases, threat actors can leverage this same tooling to create exploits. In this room, we will showcase Selenium. However, there are several different types of browser automation tools that you could use! Let's dive in and use Selenium to create our very own custom tools and exploits!

Prerequisites

Learning Objectives

  • Understand how Selenium works and how it can be used to create custom tools and exploits.
  • Learn about the considerations when using browser automation.
  • Learn how to create a custom Selenium script to brute force CAPTCHAs.

Starting the Machine

Deploy the target attached to this task by pressing the green Start Lab Machine button. After obtaining the machine's generated IP address, you can either use the AttackBox or your own connected to TryHackMe's  .

Note: This room requires you to start two VMs simultaneously. If you're not using your own machine, be sure to extend the time of the current in this room.

You can find and start the second from this room.

Answer the questions below
I am ready to learn how to leverage browser automation!