Protected: Pentest – Exercise 5 – Metasploitable, LaCasaDePapel, Conference report

This content is password protected. To view it please enter your password below:

Advertisements

Pentest – Exercise 3 – More WebGoat

I’m currently attending an intensive penetration testing course in Haaga-Helia summer semester. The course is held by Tero Karvinen (http://terokarvinen.com/) and it takes 1.5 weeks. Every day there’s 8 hours of lectures and these assignments. Every exercise should be available from our lecturer’s site, from this link: http://terokarvinen.com/2019/penetration-testing-tunkeutumistestaus-ict4tn027-3004-intensive-summer-course-2019-w21w22-5-credits.

Today’s assignment was plain an simple: Complete WebGoat exercises. A specific count wasn’t given, so I’ll just do as many as I feel like and that should be that. I had my Docker running WebGoat so I don’t need to start it this time.

Silent Transactions Attack

This WebGoat lesson was in fact quite hard. I struggled to figure out, what was the objective. I tried using HTTP proxy to intercept the request and modify it but I was not use. As the purpose of this lesson was hard for me to get, I had to take the hint. The hint said: “Check the javascript in the HTML source.” That is exactly what I did.

First, I highlighted everything on the site with Ctrl + A and then clicked “View selection source”. It looked like this:

There were so many useless things, so I doubted that this would help me. I then proceeded to Firefox’s inspector tool. I managed to find this processData() function:

I figured, that maybe it is the function we want to bypass. So, what now? What is needed to be put there instead to bypass this function?

I had no idea, what could that be replaced with. So I opened Firefox’s console to see what other functions are run on that specific site. I started to go through every letter to see, what does the console auto fill suggest, if there’s anything usable or interesting. Bingo! I found quite shortly after a function submitData().

Then I just replaced the current processData() function with submitData() and then this happened:

In my understanding, the objective has been reached. Now to the next lesson.

Dangerous Use of Eval

As this lesson’s name suggests, this has something to do with Eval. I didn’t exactly know, what was Eval. This post (https://medium.com/@eric_lum/the-dangerous-world-of-javascripts-eval-and-encoded-strings-96fd902af2bd) had nice and short way of saying “Eval() takes a string and attempts to run it as Javascript code.” That is interesting – it’s a Javascript function to create a JSON object.

We need to find a way to abuse Eval() in this form:

My first thought was that, if Eval() takes a string as an argument, maybe we can just put alert(document.cookie) there. I tried all fields, pushed all buttons and nothing happened. I suppose there’s more to this than I thought. I tried to use script symbols like < and > but the form filtered them. Need to search deeper.

I tried to intercept the request in Burp to see, if my modifications there could help. I once again, tried to set all arguments to alert(document.cookie), but still, nothing. I’m sure this shouldn’t be hard, so I need to just try harder.

Next I tried to update cart with only one of the field including my that code with all the other values being default. Nothing.

I used quite some time to this and all I could find were direct WebGoat answers, which I really didn’t want to look at. Finally, after quite some time, I found this post: https://www.netsparker.com/blog/web-security/remote-code-evaluation-execution/. There you can see that this kind of Eval attack is not only specific for JS but also for PHP as well. There he showed example input: de';phpinfo()//

It awfully seems similar to SQL injection. The user input is with a quote. So probably we need to use some form of quote as well.

I tried to visualize it inside my head for it to look correct in JS. If there’s Eval(‘something’), then we can just input what ever the form wants and then put quotes to insert our arbitrary code. In this case I first tried it on the quantity fields, in which I was unsuccessful. Then I proceeded to access code field. I tried submitting the field with this: 123′); alert(‘EVAL’); //. What happens here is that I first submit the 123 part, which the application wants. Then I unquote it and end that line of code by closing the parentheses and ending that bit with a semicolon. Then we can insert our own code, which could be in this case would be to alert document.cookie, but for clarity, I use alert string EVAL. After the arbitrary code has been set, the rest can be commented with //.

There, it works! I don’t really have time to any more of these today, if I want to relax before next lecture. More pentesting tomorrow.

Pentest – Exercise 2 – WebGoat

I’m currently attending an intensive penetration testing course in Haaga-Helia summer semester. The course is held by Tero Karvinen (http://terokarvinen.com/) and it takes 1.5 weeks. Every day there’s 8 hours of lectures and these assignments. Every exercise can be found from our lecturer’s site, from this link: http://terokarvinen.com/2019/penetration-testing-tunkeutumistestaus-ict4tn027-3004-intensive-summer-course-2019-w21w22-5-credits.

This day’s assignments were 1. Solve some WebGoat exercise and then reporting, if you used any of the OWASP 10 vulnerabilities (https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf.pdf). 2. Mention an example from MITRE’s ATT&CK technique (https://attack.mitre.org/), that could be used for web.

WebGoat and OWASP 10

I started this assignment by starting my WebGoat server in docker. Then I headed over to http://localhost:8080/WebGoat/ and started looking for an interesting exploitable section. My eye was caught on XXE, as I’ve seen it been done but have never actually performed it myself.

This was the page that popped up:

I tested by entering some test data, but as could be expected, nothing happened. Then I started Burp Suite to see the request better – what is really happening.

It’s XML as could’ve been guessed. I tried the correct parameter “BOS”, which was mentioned in the assignment.

We get some data out. Now, how can we exploit this to show contents of root directory? I searched some examples to perform XXE and I found OWASP’s page (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) covering this topic. I took the example, I thought to be the most useful and it’s this one:

<!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

I inserted that to the request with few alterations first. I made my request look like this:

This however didn’t work. It’s most likely because it is expecting a file, but is handed a directory, I’m not sure. More searching required.

I noticed that I did it the wrong way, as this blog post helped me to figure it out (https://medium.com/bugbountywriteup/devoops-an-xml-external-entity-xxe-hackthebox-walkthrough-fb5ba03aaaa2). The entity is meant to be created before assigning the call to it:

However, it still didn’t work. I feel like I’m missing a way to assign system commands like “ls” to this entity. Even more research required.

I found this post https://enciphers.com/how-to-exploit-xxe-vulnerabilities/. There was an example, which happened to be this exercise. There the XML Entity part looked like this:

<?xml version="1.0"?>
<!DOCTYPE xmlattack [
<!ENTITY sname SYSTEM "file:/">
]>
<searchForm>
  <from>&sname;</from>
</searchForm> 

There’s a few differences. Apparently, my problem was the created element. In my case, I didn’t need to create the element, the element was already there. So here’s the actual solution:

That was only thing I was missing. I was creating and element but in this case the is the element we wanted to exploit, not create a new one where we would call it. The more you know.

So in this case, yes, I did use one of OWASP’s top 10, this happened to be number 4, so it really is a high priority one and good to know more of. Great learning experience.

MITRE ATT&CK

In this assignment, the point was to find an ATT&CK technique from MITRE’s website, that could be used for web. This task was far more difficult than I was expecting. There were so many techniques and most seemed to be focused around other than web. I chose the Browser Extension one (https://attack.mitre.org/techniques/T1176/).

Browser extensions are small applications installed in the browser to add some functionalities and benefits for the user. They have all the same rights as the browser does.

Malicious browser extensions can be masked as regular extensions. User can download these from browsers app store, where all the other legitimate extensions are as well. Once user has installed the extension, it can then steal credentials, monitor network traffic, browse other websites in the background and even install a Remote Access Troijan for persistent access.

Stolen Pencil (https://attack.mitre.org/groups/G0086/) group has used this technique in form of Google Chrome extensions. The malicious extension gave attackers the ability to read data from any site accessed.

Pentesting – Exercise 1

I’m currently attending an intensive penetration testing course in Haaga-Helia summer semester. The course is held by Tero Karvinen (http://terokarvinen.com/) and it takes 1.5 weeks. Every day there’s 8 hours of lectures and these assignments.

In this first assignment, we were meant to create a Kali Linux bootable USB stick and then we needed to take some tool from a CTF walkthrough and then test it on our own system.

USB stick for Kali

I already had a USB including Kali, since I have it on my laptop. For the sake of the exercise, I thought I would still format my USB and reinstall Kali. However, even though our lecturer Tero told us to get a Xfce desktop environment, I still am going to get myself the Gnome one. I do prefer it over Xfce.

First of all, it is needed to download an image from Kali’s website and find a suitable one for yourself: https://www.kali.org/downloads/. I use the “Kali Linux 64 Bit” one, but everyone should decide what ever fits them the best. When the image has been downloaded, we can start the formatting and installation process.

On Linux, as I perform this, give fdisk command:

Fdisk shows the storage devices you have plugged to your system. For me, there was my laptop’s hard drive and then my USB stick. You can also check them with command lsblk:

These give enough indication that my USB is device sdb, so that is the one I am going to install the image to. I knew there was a possibility to perform this on the command line so I googled and found this page: https://docs.kali.org/downloading/kali-linux-live-usb-install. It shows the command I recognize to format the USB and for installing the image.

The command is dd if=kali-linux-2019.1a-amd64.iso of=/dev/sdb bs=512k. IF is for input file, OF is for output file and BS is for block size (the recommended size is 512k).

Now the USB stick should be bootable. It can now be tested.

Seems to be working!

CTF tool/program

The second and last assignment was to check some CTF walkthrough, from which we need to take some tool to install and test on our own systems. I decided to pick one of my favorite CTF youtubers’, Gynvael’s (https://youtube.com/user/GynvaelEN) walkthrough on Google CTF 2018 (https://youtube.com/watch?v=qDYwcIf0LZw). However, on CTFs people don’t always use that interesting programs, so I decided to pick the one, which is used probably the most, IDA. IDA is a reverse engineering tool, which is used to extract binaries in to Assembly code. IDA freeware version can be downloaded from here: https://www.hex-rays.com/products/ida/support/download_freeware.shtml.

There’s also an alternative, which is open source and is developed by CIA. It is called Ghidra (https://github.com/NationalSecurityAgency/ghidra). It is basically same as IDA, but there’s differences, to which I’m not going to go any further.

After IDA has been downloaded, it needs to be executable, so run chmod +x to it. After that the installer can be started:

Go through with the installer and install the binary. After the binary has been installed, it can be started:

I created just for this purpose a binary of Hello World in C. After the C-file is compiled, it has been turned in to a binary.

Here’s the code:

Now we can choose a new assembler file in IDA, input our brand new Hello World binary and choose ELF64 binary:

I will just use the default settings.

After this, IDA has decompiled our C binary in to Assembly code:

There’s some functions because of C’s int main() method and the return 0 part, but those can be ignored in this code. It assigns string to %rdi register and then calls puts, which prints the string to standard output. That’s Hello world decompiled!