week-7

This week I spent a pretty large amount of time on both the lab and getting a first crack at the final! Near the end of the week, I was finally available to sit down with the web goat and inflict some damage in what turned out to be a really fun experience.

I had heard of OWASP before from my first company’s head of security. When I started there, we had a brief hour-long seminar on what to do and what not to do. That was quite a while ago, but the basic gist of it was: please don’t use raw queries when using Django. Stick with the ORM because the SQL statements are prepared in a way where they are much less vulnerable. Additionally, don’t blindly render user input. Make sure that the attributes for the display models are properly escaped to prevent cross-site scripting. He also recommended we parse through OWASP and see if anything is interesting. Now to be fair, this was years ago and I really don’t remember much else of what he said or how in depth the conversation really went, but it’s been really fun to get back into that mindset and work on some web-based security issues.

Final: Hackthebox - Lernaean Challenge

Before I get into the webgoat, I wanted to spend some time going over what I learned while doing my first hackthebox challenge. I chose the lernaean web attack where hackthebox spins up a docker container which exposes a single website page. The background is pink and there is a password input box with some text along the lines of “Please don’t try and guess the password”.

For about 2 days I made very little progress. I scoured the HTML, I read every key on the window object in the console, I tested a few endpoints that I thought might contain some interesting files (/static /index.html /routes come to mind) but to no avail. There wasn’t any JavaScript loaded on the page and the only thing to communicate back to the server with is the form post against the route '/'.

My first attempt to try guessing the password didn’t go very well. I started out building a simple script that iterates over a list of passwords and curls against the form submission endpoint, writing their results to a directory.

curl -XPOST -d "password=$testpw" $host >> passwords/$testpw

When the curls were all done, I tried to use grep to find a result that did not contain the bad string “Invalid password!”

This didn’t turn out to be very reliable, as my computer kept going to sleep or the connection would get dropped and then the password files would be empty. I tried extending the script to handle empty pw files and retry them but this didn’t actually end up getting me any closer. I was feeling a bit defeated.

I took a step back and googled Lernaean and found out it was from a Greek story about Hercules and a hydra. I googled hercules hack and hydra hack and bingo, found out about the hydra hacking tool. As it turns out, this tool does pretty much exactly what I tried to do by hand! Fantastic. With this tool in hand, I set out to do pretty much the same thing I had attempted to do before. My tests on a simple small list showed that hydra was much much faster than my original attempt. I then downloaded a much muuuuch larger password list and set hydra to work.

After only a couple minutes, I had a hit! I couldn’t believe it! I’ll add it to my final project so I won’t spoil it here, but I went ahead and added it into the form submission and was once again thrown into despair. A page rendered saying oops too slow. Sigh. I went back to hackthebox and restarted the vm, reset hydra only to come back with the same password as before with the same results.

I opened the network panel to see if there were any redirects but no luck. I decided to try my old friend curl in a last ditch effort and bingo! As it turned out there was some JavaScript embedded in the page that set a window.location when the page loads. With curl, I was able to capture the original HTML page and find the flag. I’m not sure why I couldn’t see the redirects in the browser, maybe I didn’t have my preserve network history option box checked, or maybe I just didn’t notice it because the pages look mostly the same. Anyway, it was a very pleasing experience on the whole.
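The lesson in the paragraph above is that a client-side redirect only hides content from a browser user; the server still sends it. Here is an added example (my own, not part of the challenge) of the check a reviewer can run over a raw response body to flag that pattern. The HTML sample is constructed, not the challenge’s page.

```javascript
// Added example: detect client-side redirects in a raw HTTP response body and
// ask whether the body carries visible content that the redirect would hide.
// SAMPLE_HTML is a constructed stand-in for a page like the one described above.
const SAMPLE_HTML = [
  '<html><body>',
  '<p>Content served to every client, seen only by non-browser clients</p>',
  '<script>window.location = "/toolate.html";</script>',
  '<meta http-equiv="refresh" content="0;url=/another.html">',
  '</body></html>',
].join('\n');

// Return every client-side redirect target found in the markup.
// Covers window.location / location.href assignments and <meta refresh>;
// location.replace(...) and server-side 3xx redirects are out of scope here.
function findClientRedirects(html) {
  const targets = [];
  const jsAssign = /(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/g;
  const metaRefresh =
    /<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["'][^"']*url=([^"'\s]+)["']/gi;
  for (const re of [jsAssign, metaRefresh]) {
    let m;
    while ((m = re.exec(html)) !== null) targets.push(m[1]);
  }
  return targets;
}

// True when the body both redirects on load and contains non-script text that a
// browser user would never get to read. That is the finding to raise: sensitive
// output must be withheld server-side, not redirected away after delivery.
function hidesContentBehindRedirect(html) {
  if (findClientRedirects(html).length === 0) return false;
  const visibleText = html
    .replace(/<script[\s\S]*?<\/script>/gi, '')
    .replace(/<[^>]+>/g, '')
    .trim();
  return visibleText.length > 0;
}
```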

Webgoat

I decided to try some XSS attacks against the webgoat to see how far I get.

Stage 1: Stored XSS

The goal here is to try and edit Tom’s profile and have it update the database record for Jerry! I decided to try the first basic attack that I’ve learned which revolves around finishing an entry with a statement like 1==1; and then adding a SQL update statement. The first attempt didn’t go so well.

Tom’s name is now
Tom OR 1=1; UPDATE users SET stree="moose street" where first_name="Jerry"

After poking around, the server shows some interesting info, specifically that the field first_name is not correct, I should be targeting firstName.

I think instead of trying to update jerry straight away, I’ll try a more straight forward query, like DROP TABLE users;

TOM; DROP TABLE users;
and
TOM] DROP TABLE users;
both did not work.
I tried a lot more stuff but to no avail and at this point I decided to reread the instructions. Sometimes as it turns out, I need to read the directions more carefully. What the ask is, is for me (Tom) to add a JavaScript vulnerability to my information, so when Jerry goes to my page (or any time my info is loaded) my injected JavaScript will load. This turned out to be way easier than what I was trying before.

Yay!

The rest of the stages require a server-side developer version of the web goat so I decided to move on to a separate portion of the webgoat.

Stored XSS Attacks

This one is not staged so here is a reference to the one I’m attempting.

This one turned out to be pretty much the same as the last one.

By entering

1
moose;"<script>alert('hello')</script>

I was able to trigger the XSS attack when a user goes to click on the message board to view the message. Hurrah!

Just to make sure it didn’t just blindly add all scripts, I tried just so the ;" seems to be important.
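Both the Stage 1 profile injection and this message-board payload work for the same reason: the stored value is dropped into the page without output encoding, and the ;" part closes whatever quoted attribute it lands in. As an added example (mine, not WebGoat’s code), here is a toy template rendered two ways, unencoded and encoded, using the same payload as above, so the fix from the seminar notes at the top of this post is visible side by side with the bug.

```javascript
// Added example: why the `;"` in the stored payload matters, and how output
// encoding neutralises it. The template below is a constructed stand-in for a
// message-board view, not WebGoat's real rendering code.

// Constructed sample: the stored message as a defender would find it in the DB.
const STORED_MESSAGE = 'moose;"<script>alert(\'hello\')</script>';

// Minimal HTML entity encoding that is safe for element text and for
// double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: raw concatenation. The `"` in the payload closes the
// title attribute and the rest of the string becomes live markup.
function renderUnsafe(msg) {
  return `<div class="post" title="${msg}">${msg}</div>`;
}

// Hardened rendering: every untrusted value is encoded before it hits the
// template, so the browser shows the payload as literal text.
function renderSafe(msg) {
  const e = escapeHtml(msg);
  return `<div class="post" title="${e}">${e}</div>`;
}

// Crude check a reviewer can run over rendered output in a test: did a
// <script> element survive rendering?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```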

I’m going to get back into working the final, as I’m finding the hackthebox challenges particularly interesting and hard. Until next week!