Hackthebox is a platform that hosts a collection of vulnerable machines reachable through its own VPN.
This is a walkthrough of the box “Chatterbox”.
Solution
1. Initial Enumeration
TCP Port Scanning:
2. Getting User
Running searchsploit against the service found during enumeration turns up two exploits: one is a Metasploit module, the other is a stand-alone manual exploit script.
This time, the manual exploit script “36025.py” was used.
First, we need to create the reverse shell payload. The header comment of 36025.py documents the msfvenom command that produced its original payload; the replacement payload has to be generated with the same encoder and BufferRegister options, or the shellcode will be mangled before it ever executes.
Then, paste the new payload into the Python exploit code in place of the original one and point the script at the target.
To catch the reverse shell, start a netcat listener and run the customized exploit.
Now we have a reverse shell as the user “alfred”.
“user.txt” is in the directory “C:\Users\Alfred\Desktop”.
3. Getting Root
Even though we are only a standard user, we can enter the Administrator's profile directory.
Running the “icacls” command shows that Alfred has the following permissions on the directory “C:\Users\Administrator”:
(F) Full control
(OI) Object inherit: the entry is inherited by the files inside this folder and its subfolders
(CI) Container inherit: the entry is inherited by the subfolders
Together, (OI)(CI)(F) means full control over the directory and over everything created beneath it.
On the other hand, Alfred has no permission entry at all for “root.txt”.
However, the following command shows that root.txt is owned by Alfred.
I wondered how “Q” could stand for “ownership”, but that is how it is.
Because the owner of an object implicitly holds READ_CONTROL and WRITE_DAC, Alfred can rewrite the file's DACL even though it currently grants him nothing. Granting himself read access is enough to read “root.txt”.
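The check-and-fix sequence above, written out as an added example for a PowerShell reverse shell (these are not the author's commands). It assumes the shell runs as Alfred and that root.txt lies on the Administrator's Desktop; that path and the use of “dir /q” as the ownership check are assumptions.

```powershell
# Added example, not the author's commands. Assumes the reverse shell runs as Alfred and
# that root.txt is on the Administrator's Desktop (assumed path; adjust to what icacls shows).
$dir  = 'C:\Users\Administrator'
$flag = Join-Path $dir 'Desktop\root.txt'

# 1. Alfred holds (OI)(CI)(F) on the directory: F = full control, OI = inherited by files,
#    CI = inherited by subfolders. That is why a standard user can enter and list it at all.
icacls $dir

# 2. root.txt itself grants Alfred nothing, but the owner column tells a different story.
#    Both calls need only READ_CONTROL, which an owner always has.
icacls $flag
cmd /c dir /q $flag            # /q adds the owner column (assumed to be the check the page used)
(Get-Acl $flag).Owner          # the same fact through the .NET security descriptor

# 3. An owner implicitly has WRITE_DAC, so the DACL can be rewritten even though it grants
#    no access. Grant read only: enough for the flag and less noisy than taking full control.
icacls $flag /grant 'Alfred:(R)'

# 4. Verify the new ACE and read the flag.
icacls $flag
Get-Content $flag
```

If the shell is a plain cmd.exe rather than PowerShell, the icacls and dir /q lines work unchanged; replace Get-Content with type.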
OWASP Security Shepherd is a vulnerable web application for practice.
Unlike other vulnerable web apps such as DVWA, Juice Shop and WebGoat, it:
also has challenges for mobile application security;
focuses on flaws in how an application implements its own “spec” (its intended logic), not only the ordinary XSS, SQLi and so on;
is more focused on learning to work with a local proxy (such as Burp Suite) and on request validation.
There are several ways to set up this platform; this time Docker Compose was used.
This is a personal memo of the setup procedure.
Environment
OS: Kali linux 2019.4
Docker: 19.03.4
OWASP Security Shepherd: v3.2
Solution
1. Installing prerequisites
2. Initial setup
3. Login
We can log in with the following credentials.
After that, change the current password.
Now we can start the challenges.
Clicking “Get Next Challenge” proceeds to the next challenge.
The first challenge is about modifying HTTP requests with a local proxy.
4. Select Open Floor mode
To see all challenges at once, switch to “Open Floor mode”.
Click “Admin” and go to “Module Management” -> “Challenge Module Layout”.
Enable the “Open Floor mode” by clicking the button.
OWASP Juice Shop is one of the vulnerable applications from OWASP, written in Node.js, Express and Angular, for practice.
The application contains a large number of hacking challenges, rated from 1 star to 5 stars.
This is a writeup of the 2-star challenges.
Perform an XSS attack with <script>alert(`xss`)</script> on a legacy page within the application.
Log in as any user and go to http://localhost:3000/profile. Unlike the rest of the application, this profile page is rendered server-side (the “legacy page” the challenge refers to), so the username is inserted into the HTML on the server.
Set “<script>alert('xss')</script>” as the Username and submit. We get the following output.
This sanitization is not enough: an input that reassembles into a <script> tag after the filter has done its work still executes.
By setting the following payload, we can execute stored XSS.
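Why a blacklist filter that strips tags in one pass can be defeated, shown with a constructed sanitizer (this is an added illustration of the weakness class; it is not Juice Shop's filter, and the nested payload used here is not the payload the challenge expects):

```javascript
// Added example: a constructed single-pass blacklist sanitizer, illustrating the class of
// weakness behind the profile-page challenge. Not Juice Shop's code; the inputs are constructed.

// Weak: remove <script> open/close tags in a single regex pass.
function weakSanitize(input) {
  return input.replace(/<\/?script[^>]*>/gi, '');
}

// Hardened option 1: treat the username as text and HTML-encode it at output time.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened option 2 (if stripping is really wanted): repeat until nothing changes, so a tag
// that an earlier pass reassembled is removed by a later one.
function stripToFixpoint(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = weakSanitize(cur);
  } while (cur !== prev);
  return cur;
}

// Does the output still contain a live <script> tag?
function containsScriptTag(s) {
  return /<script[\s>]/i.test(s);
}

// Constructed inputs: the straightforward payload and a nested one whose inner tag is
// consumed by the filter, leaving the outer characters to form a fresh <script> tag.
const plain  = '<script>alert(`xss`)</script>';
const nested = '<scr<script>ipt>alert(`xss`)</scr</script>ipt>';

function demo() {
  return {
    weakOnPlain:    weakSanitize(plain),      // 'alert(`xss`)'  looks fine
    weakOnNested:   weakSanitize(nested),     // '<script>alert(`xss`)</script>'  tag reassembled
    fixpointNested: stripToFixpoint(nested),  // 'alert(`xss`)'
    escapedNested:  escapeHtml(nested),       // inert text, no tag survives
  };
}
```

The lesson is the same one the challenge teaches: output encoding is the reliable fix; if input stripping is used at all, it must be applied until a fixpoint, and with an allowlist rather than a blacklist.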
3. Deprecated Interface
Prerequisite
login as a user
Use a deprecated B2B interface that was not properly shut down.
4. Five-Star Feedback
Get rid of all 5-star customer feedback.
After logging in, go to http://localhost:3000/#/administration, the administration page found in an earlier challenge.
By clicking the trash bins, delete all of the 5-star feedback.
5. Login Admin
Log in with the administrator's user account.
The login form is vulnerable to SQL injection through the email field.
Go to http://localhost:3000/#/login and use the following username together with any random password.
We are logged in as the user “admin@juice-sh.op”.
6. Login MC SafeSearch
Log in with MC SafeSearch’s original user credentials without applying SQL Injection or any other bypass.
A guessing task, which I don't like.
If we google “MC SafeSearch”, we can find this video.
In the video, we learn that the name of MC SafeSearch's dog is “Mr. Noodles”.
With the following credentials, we can log in as the user “mc.safesearch”.
7. Password Strength
Prerequisite
2-star Challenge 5: “Login Admin”
Log in with the administrator's user credentials without previously changing them or applying SQL Injection.
If the prerequisite is done, we already know the username is “admin@juice-sh.op”.
Launch Burp Suite, go to http://localhost:3000/#/login and try to log in with a random password.
We can then find the following request in the proxy history.
This time, use Burp Intruder.
First, right-click the request and choose “Send to Intruder”.
In the “Positions” tab, clear the default markers and mark only the “password” value as the payload position.
Next, go to the “Payloads” tab and load “/usr/share/dirb/wordlists/others/best1050.txt”.
Then start the attack. (Intruder is rate-limited in the Community Edition, so a 1050-word list takes a while.)
Sorting or filtering the results by status code or response length singles out the one request that did not fail with 401, and with it the correct password, “admin123”.
8. Security Policy
Prerequisite
login as a user
Behave like any “white-hat” should before getting into the action.
We just have to go to “Account” -> “Privacy & Security” -> “Privacy Policy”. What a white hat is expected to look for before testing is the shop's security.txt, served at http://localhost:3000/.well-known/security.txt, which publishes the responsible-disclosure contact.
9. View Basket
Prerequisite
login as a user
View another user’s shopping basket.
Launch Burp Suite and open the page http://localhost:3000/#/basket.
We can find the following request to the basket API. Changing the basket id in the URI to “/rest/basket/2” (with Burp Repeater or any other tool) and replaying it solves the challenge: the server returns the basket for whatever id is in the URL without checking that it belongs to the logged-in user, a classic insecure direct object reference.
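The missing ownership check, shown on constructed data as an added example (not Juice Shop's code; the basket and user ids and the handler names are assumed):

```javascript
// Added example: constructed baskets and two request handlers showing the authorization check
// that the IDOR above lacks. Not Juice Shop's code; ids, field names and helper names are assumed.
const baskets = [
  { id: 1, UserId: 10, items: ['Apple Juice'] },
  { id: 2, UserId: 11, items: ['Banana Juice', 'Green Smoothie'] },
];

// Vulnerable: trusts the id taken from the URL. Any authenticated user can read any basket.
function getBasketVulnerable(basketId) {
  const basket = baskets.find((b) => b.id === Number(basketId));
  if (!basket) return { status: 404 };
  return { status: 200, body: basket };
}

// Hardened: the object must belong to the user identified by the session or JWT, never by
// anything in the request. Answer 404 for foreign baskets so valid ids are not enumerable.
function getBasketSafe(basketId, sessionUserId) {
  const basket = baskets.find((b) => b.id === Number(basketId));
  if (!basket || basket.UserId !== sessionUserId) return { status: 404 };
  return { status: 200, body: basket };
}

// Replay of the challenge: user 10 owns basket 1 but requests /rest/basket/2.
function demo() {
  const attackerUserId = 10;
  return {
    vulnerable: getBasketVulnerable('2').status,            // 200: foreign basket disclosed
    hardened:   getBasketSafe('2', attackerUserId).status,  // 404: denied
    ownBasket:  getBasketSafe('1', attackerUserId).status,  // 200: legitimate access still works
  };
}
```

Note that the id is coerced with Number() before comparison; comparing the raw string '2' to the numeric id with === would silently deny everything, which is the kind of bug that makes teams loosen the check again.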
10. Weird Crypto
Prerequisite
login as a user
Inform the shop about an algorithm or library it should definitely not use the way it does.
Sending the following message through the contact form completes the challenge.
To have Burp intercept only the traffic to an application running on localhost, the browser extension “FoxyProxy” can route just the matching URLs through the proxy.
This time, FoxyProxy was used for OWASP Juice Shop running on localhost:3000.
Environment
OS: Kali linux 2019.4
Burp Suite: Burp Suite Community Edition v2.1.04
Browser: Google Chrome 78.0.3904.108 (Official Build) (64-bit)
FoxyProxy: FoxyProxy Standard 3.0.7.1
Solution
1. Installing FoxyProxy
At first, go to the Chrome webstore and install Chrome extension FoxyProxy.
2. Launch Burp Suite
Next, launch Burp Suite.
This time, the default listener setting (IP: 127.0.0.1, port: 8080) was used.
3. Edit “/etc/hosts”
Add the following line to “/etc/hosts” to give localhost the additional name “sec-juice”.
(We can't use the name “localhost” for this purpose: Chrome never sends requests for localhost and other loopback addresses through a configured proxy, so Burp would never see them. A separate hostname that resolves to 127.0.0.1 is not on that bypass list.)
4. Setup FoxyProxy
Then, click the extension icon to the right of Chrome's address bar and select “Options”.
Click “Add New Proxy” to open the “Proxy Settings” window.
Under “Proxy Details”, enter the address and port of the running Burp Suite listener.
Next, go to “URL Patterns” and click “Add new pattern”.
Wildcards are allowed in the pattern; it should match the hostname added to /etc/hosts so that only that traffic is proxied.
Finally, go back to the FoxyProxy top page and enable the proxy configuration.
Choose “Use proxies based on their pre-defined patterns and priorities” as the proxy mode.
5. Check the configuration with Burp Suite.
Open “http://sec-juice:3000” in Google Chrome and look at the “HTTP history” tab in Burp Suite.
The requests to the local application now appear there and can be analyzed.