On Friday February 5, 2021, I provided a training on teaching Application Security concepts using the OWASP Top 10.
The Open Web Application Security Project or OWASP is a non-profit organization whose mission is to make application security better. Members of OWASP meet every few years to create a top 10 list of the prevalent vulnerabilities in the industry. The last list was from 2017.
The structure of my training is the first part is to present the theoretical part – concepts and definitions. The last part of the training is a practical or application of the first part of the training (theoretical).
For the practical piece I used the website – BodgeIt Store. The BodgeIt Store is an insecure app, that should NOT be deployed in commercial servers. Many will say that the BodgeIt Store is a SUPER old insecure app (it’s close to 10 years old).
The app is close to 10 years old, but I find this app is good to teach application security as there’s a scoreboard and 12 challenges to complete.
Anyway, without further ado below are my slides from my training
I also provided documents that provide a walkthrough of the BodgeIt store as well as installing and using an interception proxy such as Burp Suite.
Finally, I included instructions on how to import the OWASP Broken Authentication VM which have a series of insecure apps.
Today’s blog post I will be solving the Pickle Rick CTF on TryHackMe.com. Click HERE to be redirected to the challenge.
After hitting the deploy button we now have our IP address.
We see that this challenge is focused on finding vulnerabilities in a web server.
Let’s run nmap, nikto, and dirbuster to see what we find…
Executing nmap, we see that there are two port open – 22 (ssh), and 80 (http).
Moving on to nikto…
Running nikto we see that there is an login php file which is interested.
Finally, let’s look at dirbuster.
With dirbuster we have an access directory, as well as an index.html, and robots.txt file (both returning a 200 which is good). We also have a server-status which is returning a forbidden http code of 403.
We’ve done basic enumeration let’s move to the web app and see if we can find more clues.
Let’s answer the first question.
Navigating to the IP address in a browser we see the following.
Nothing really stands out, except for the burping :-). Let’s view the source code and see what we find.
Viewing the source code (Right click on page, select view source code) we see at the bottom there’s a username. Let’s see if we can find a password. Maybe our dirbuster results will come in handy…
Going back to our results in dirb we notice there’s a robots.txt file. Going to this file, we see the above. Hmm, this is a strange robots.txt file. Maybe this could be the password, let’s see if it works.
In our nikto results, we had a login page. Navigating to that page and entering our username from the index.html page, and a password from the robots.txt page we get the following.
Success! We’re in the application.
Let’s run the ls (listing) command with the options of all and long listing and see what we have.
Opening the Sup3rS3cretPickl3Ingred.txt file we have the first ingredient below.
Also notice that the directory shows the asset directory that we found in dirbuster. Navigating to that webpage we see the following
The directory have gifs and jpgs, nothing of importance to solve the challenge.
Let’s move on to question 2.
We know this application is vulnerable to command injection, let’s see if we can perform a directory traversal to view other parts of the application. Going back to the directory listing we notice there’s a clue.txt file. Opening the file we see the following
Our hunch was correct, we need to look around the file system to find the next ingredient.
In the above command we’re doing a directory traversal to move up to the root directory, list all of the files in long form (ls -al), and print the working directory to make sure we’re in the correct folder (pwd). Doing this we get the below screenshot.
We’re viewing the root level directory, so our command(s) were a success! We notice a lot of folders, but at this time two are useful for us. The first is home, which in every Linux system ever user has a home directory. The second is root (admin/super user) which can only be accessed through the admin. We’ll come back to root later. Let’s see if we can navigate to the home directory.
Executing the command above, we’re now in the /home directory! We notice there are two folders, rick and Ubuntu. The Ubuntu folder is from the operating system. Let’s explore the rick folder and see what we can find.
Changing to the rick directory we see the second ingredient!
Using the less command we open the second ingredient. Note: The filename is in quotations due to spacing. Without the quotations Linux would interpret the second in second ingredients.
We now have our second ingredient, let’s answer the final question.
Remember in the beginning of this walkthrough, I mentioned that another folder – root is of particular interest to us and only the admin or superuser is the only user to access this folder. Let’s see if we can elevate our privileges to the admin and view this folder.
Before we can access this folder, let’s run the sudo -l command to see what privileges we have on this box.
Executing this command we see that we can execute ANY command on this box WITHOUT a password (ALL NOPASSWD: ALL). This surely is NOT good security! Let’s use the sudo command with the listing (ls) with the root folder and see what we can find.
Executing the command, we see that there are two files in the /root folder. One of them is named 3rd.txt. Could this be our third ingredient? Let’s see.
Executing the sudo command in conjunction with the less command on the 3rd.txt file, we see that we do indeed have the third and final ingredient.
Starting the VM, we’re presented with the following login screen.
Going back to the login screen the disclaimer states that we need to modify the /etc/hosts to include our IP address that our kioptrix3 vm is running.
Let’s see which services are running on the virtual machine
Hmm… we have two services open – ssh and http. Let’s go to the web application and do a manual crawl of the site.
Navigating to kioptrix3.com we see the following:
Clicking the Login button we’re presented with a login screen. At the bottom we notice the page is using LotusCMS. Let’s keep this in mind, just in case we it to exploit the application.
Let’s run nikto to see if we can find more vulnerabilities in the web application.
We see that the application found a phpmyadmin folder. Let’s go to the folder and see what we can find.
Going to the php page, we realize we don’t have login credentials, so at this point we can’t log into the phpmyadmin page. We know the application is using LotusCMS let’s see if there’s a LotusCMS module that we can use in Metasploit.
After opening and searching Metasploit for LotusCMS we see there’s a perfect remote code execution we can use.
After selecting the exploit let’s review the options to see what we need to add to the module to make the exploit work. We need a remote host (RHOST), remote port (RPORT) and the URI. Let’s add the information below.
After entering the information, and typing run, we notice that we’re presented with a meterpreter shell! Let’s go to the home directory and see how many users are on the box.
We have three users, dreg, loneferret, and www (web). Let’s see what’s in the dreg folder.
Searching the dreg folder we don’t see much. We see a bash_logout, bashrc, and profile scripts. Let’s move on to loneferret.
Hmm… Loneferret has a lot of information. We see there’s a file titled, “.sudo_as_admin_successful”, a company police readme, and a checksec script. Let’s review the company policy readme.
Well… it seem if we want to edit, create, or view files we need to use the command sudo ht. Let’s keep this in our toolbox because I am sure we will use it later. Remember we found a phpmyadmin page, let’s see if we can find a config file with login credentials.
Doing a search on the kioptrix3 folder, we see there are three config files. Let’s review the last file, gconfig.php.
Opening the gconfig.php file we notice there are login credentials for the phpmyadmin page! Let’s keep this in our toolbox because we might have to use it later.
At this point, we have php login credentials, but that’s not enough to gain root privileges. Let’s see if we can review the web application again for more clues.
We notice there’s a gallery section of the application. Maybe we can be lucky and the application is susceptible to sql injection.
Adding an apostrophe to the end of the number there’s no change in the application. We notice at the bottom of the page there’s a sorting option. Let’s see if changing the sorting option will invoke a SQL injection.
Changing the sorting option to Photo Id, and adding the apostrophe to the end of the number, we get the following…
Success! The application is susceptible to SQL injection. Let’s fire up sqlmap and see what goodies we can find.
Executing a preliminary SQLMap run we see that SQLMap verified our manual testing results that the application is susceptible to SQL injection. SQLMap also found the technologies the application is using. Let’s do a more extensive probe. Firing SQLMap again we use the dump all to see what data we can find.
We found the dev accounts database, and notice that we have two users dreg, and loneferret, along with their passwords. Remember these are the same users we found when we used Metasploit with the LotusCMS remote code execution.
Now that we have login credentials, and we know that loneferret has more promising information than dreg, let’s connect to loneferret’s account through ssh.
Connecting to loneferret’s account, we try to access the root folder, but receive a permission denied (we’re not root… yet). We also try to execute the sudo ht command that was listed in the company readme file, and we get the error, “error opening terminal: xterm-256color”.
Doing a quick google search we find that we need to use the following command “export TERM=xterm”. Doing this and running the sudo ht command again we’re presented with the following screenshot. Let’s see if we can view and modify the /etc/sudoers file and see if we can escalate our privileges from loneferret to root.
Opening the /etc/sudoers file we notice that the loneferret has a user privilege escalation where a password is not required. Right now it’s for the commands: su, and sh. Let’s add our ht command to the list. After adding the command, saving, and exiting we’re presented back to the command prompt.
Executing the command sudo /bin/sh, and running a whoami we see that we’ve been escalated to root! Running the ls command we see that we’re presented with the same information we had in our meterpreter shell. Changing our directory to /root we notice there’s a Congrats.txt file.
Opening the Congrats.txt file we have found the flag and completed the challenge!
After entering the username/password we see the following screen:
On the right side there’s a link that says, “view sourcecode”.
Clicking this link we see the following:
First, you should notice that there is weird syntax (language) of “<? and ?>” What is this? Well, this is PHP (Personal Home Page). Which is a server-side programming language.
What exactly is passthru? Passthru is a function that executes a command. To learn more about the passthru function click HERE. In this case we’re using the word in the first screenshot to look through a file named dictionary.txt.
Let’s try to enter the word “test” to see what we get…
The code returns all of the words that have test in it. OK. Let’s see if we can get ALL of the words in the dictionary.txt file.
Let’s try the word of “” instead of test. Doing that we get the following:
We have all the words in the dictionary.txt file. Why did I pick “” ? Well if you look in the passthru function the command was enclosed in quotes. I figured that if I entered quotes we would break out of the command which would produce all of the words in the file.
So now we have all of the words, what do we do now?
The challenge seems to be vulnerable to command injection. To learn more about command injection, go to the link HERE.
Let’s try to add another command to list all of the directories in the folder. The command to enter is: ls%20-la; (%20 is the URL encoding of space). This command is listing all of the files in the directory include hidden ones (in Linux hidden files start with the “.”).
We have listed all of the directories, and have a potential gem. There’s a file named .htpasswd. Let’s add on to the command sequence to open this file. To do that we add the following: cat%20.htpasswd;.
We have received the password! Which is: $1$p1kwO0uc$UgW30vjmwt4x31BP1pWsV.
In today’s challenge we’re going to solve level 8 from the Natas wargame.
Let’s begin.
Going to the following link, and entering the username “natas8” and password “DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe” we get the following:
OK, we see a page that is asking for an input secret. Clicking the view sourcecode link we see:
Looking at the screen, there’s PHP code with an encoded secret variable that seems to be in hexadecimal. There’s also a function titled “encodeSecret” that does the following steps:
Change the binary to hex (bin2hex)
Reversing the string (strrev)
Base64 encoding (base64_encode)
From there the code is checking to see if our input secret equals the encoded secret. If it does then we get the code for level 9, otherwise we need to try again.
So, how are we going to solve this?
Going to Google and looking for a PHP interpreter, we’re presented with the following link.
From there, We’re going to do the reverse the steps of above. Our new steps are:
Convert the hex to binary (hex2bin)
Reverse the string (strrev)
Base64 decode (imap_base64)
Below is the screenshot that depicts the above steps.
Doing the steps, we are presented with the decoded secret which is “oubWYf2kBq”
Going back to the level 8 page, and entering our decoded secret we get the following:
In today’s blog post we will solve level 7 from the Natas wargame challenge.
Let’s begin.
Going to the following link, and entering username “natas7” and password “7z3hEENjQtflzgnT29q7wAvMNfZdh0i9” we see the following:
Hmm… we see a Home and About links. Let’s click the links and see what happens.
After clicking the links we see there’s not much that’s showing on the screen.
Let’s view the source and see if there are any hints there.
Doing a right click, view page source we see:
Hmm… we see a comment that says, “password for webuser natas8 is in /etc/natas_webpass/natas8”
How can we use this information?
Looking at the above screenshots of Home and About – we notice that at the end of the URL it’s referencing a page. For instance for the home page it’s “page=Home” and for About it’s “page=About”. Let’s try to change the page name to the hint that was provided to us.
In today’s blog post we’re going t solve level 6 in the Natas wargame.
Let’s begin.
Going to the following link and entering the username of “natas6” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:
Doing a right click, view source we see:
Hmm… there’s not much in here, except there’s a view sourcecode. Let’s see what this source code will yield us…
Looking at the middle of the page, we see that there’s php code (code between <?…?>), we notice that there’s an include/secret.inc. Let’s see if we can access this file and see what’s inside the file.
Changing the URL to “natas6.natas.labs.overthewire.org/includes/secret.inc” we see:
… a blank page. Let’s do a right click, view page source to see if there are nuggets hidden beneath the surface.
Doing a right click, view page source we see the following:
Hmm… looks like we find the secret.
Let’s enter this into the input box and see if this unlocks the level.
Entering the secret above into the input box we get:
After entering the username of “natas4” and password of “Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ” we get the following:
Hmm… we’re not allowed access because we’re coming from an invalid URL. Let’s see if we can change that.
In a previous blog, I explained how to user Tamper Data. Tamper Data allows you to modify HTTP requests and responses to see if the web page will behave differently.
We’re going to use Tamper Data for this challenge.
Starting Tamper Data, and going to the level 4 we see:
We see that the referrer shows natas4, what happens when we change it to natas5?
Changing the referrer to natas5, and clicking OK we see:
You must be logged in to post a comment.