Cyber Security: An Offensive Mindset [Week 3 - Sprint]
Monday
Summary [Mon 3rd Feb]
- Stand Up in front of class.
- Max (facilitator) helped me set up FoxyProxy, which makes using Burp Suite much easier by letting me toggle the proxy on and off in Firefox.
- Solved 5 of the OWASP Juice Shop tasks, with a lot of research on how to spoof a .pdf or .zip file extension, without much luck executing it.
- Completed 9 minutes of a YouTube video resource to learn more about the Vim (advanced text editor) command language.
Stand Up
- Strengths
- Thoroughly impressed with the quality of work I produced for sprint and reflection.
- Strong team and collaborative skills in group setting, getting work done in a short timeframe.
- Weaknesses
- Worked well for the first 4 days of the week but struggled to do any work at all on Friday and over the weekend.
- Commitments and burn out got the better of me even though the motivation was there.
- Lack of rehearsal and cohesion between team when presenting.
- Goals and expectations
- A big focus on sustained time management throughout this week (marathon not a sprint).
- Planning out a balance in my daily tasks so that I don't get burnt out as I did last week.
Resources to use this week
- https://overthewire.org/wargames/natas/
- https://hack-yourself-first.com
- https://www.root-me.org
- https://tryhackme.com/
How to use Burp Suite
- Burp Suite comes pre-packaged with Kali Linux, but to put it to use we need to point Firefox at Burp's listening proxy (127.0.0.1:8080 by default).
- To do this I have installed a Firefox add-on called FoxyProxy, which lets you toggle the Burp proxy on and off without editing the browser's network settings each time.
- Before Burp can intercept HTTPS traffic we also need Burp's CA certificate: with Burp running and the proxy switched on, browse to http://burp and download it from the "CA Certificate" link.
- Now that the CA certificate has been downloaded we need to add it to Firefox's trusted certificates.
Go to Preferences -> Privacy & Security -> View Certificates
- In the Certificate Manager, open the Authorities tab, import the CA cert we downloaded and tick "Trust this CA to identify websites". Burp generates a unique CA per installation, so this only lets your own Burp instance impersonate sites to this browser; even so, do it in a dedicated testing profile rather than the browser you use for everything else.
OWASP Juice Shop
Error Handling
- A basic SQL injection payload beat the Error Handling challenge on OWASP Juice Shop (the malformed query makes the database throw an error that the application leaks back to the client):
'1' OR 1 = 1
Score Board
- Open the page in the inspector (developer tools) and use the find tool to search for "score"; the route name is referenced in the site's JavaScript.
- If you then add "/score-board" to the end of the URL, the Score Board will now be unlocked.
Login Admin
- Use the SQL injection shown below to log in as admin.
' or 1=1--
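To see why both payloads above work, here is an added example (not Juice Shop's own code) with a constructed in-memory SQLite "Users" table: a login query built by string formatting next to its parameterised form. The table contents and hash strings are placeholders. Juice Shop hashes the password before it reaches the query, so in the real app the email field is the one that matters.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Users table (sample data, not the app's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
        [
            ("admin@juice-sh.op", "admin-hash", "admin"),
            ("jim@juice-sh.op", "jim-hash", "customer"),
        ],
    )
    return conn


def login_vulnerable(conn, email, password_hash):
    """Query assembled by string formatting: user input becomes part of the SQL."""
    sql = (
        "SELECT id, email, role FROM Users "
        f"WHERE email = '{email}' AND password = '{password_hash}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password_hash):
    """Parameterised query: the payload is bound as data and never parsed as SQL."""
    sql = "SELECT id, email, role FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password_hash)).fetchone()


def probe_error(conn, payload):
    """Return the database error text a malformed payload produces, or None.

    A syntax-breaking payload such as a lone quote (or the page's '1' OR 1 = 1)
    makes SQLite reject the statement; an application that echoes that message
    to the client is what the Error Handling challenge is about."""
    try:
        login_vulnerable(conn, payload, "irrelevant")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None
```

The `' or 1=1--` payload closes the email literal, makes the WHERE clause always true and comments out the password check, so the first row (admin) comes back; the same string bound as a parameter simply matches no e-mail address.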
Missing Encoding
- On the Photo Wall part of the site one of the images isn't loading properly. Inspect the broken image and look for "images" in its src attribute.
- The image URL contains a # character. Because # starts the URL fragment, the browser cuts the path off there and never requests the full filename, so the # needs to be percent-encoded as %23.
Zero Stars
- To submit a zero-star rating, find the submit button in the inspector and remove its disabled="true" attribute. The restriction is only enforced client-side, so once the button is enabled the form submits with zero stars.
Upload Type
- Researching how to spoof a file extension to pass the .pdf or .zip verification on OWASP Juice Shop.
- The link below shows a unique way to spoof the file extension, but I didn't have any luck with this method. I tried with many different file types, not just .exe as was suggested.
http://www.sheepshellcode.com/blog/2015/01/15/spoofing-file-extensions/
- The next attempt involved using file.php%00.pdf to bypass the sanitisation that OWASP Juice Shop has in place, but it also failed.
https://pentestlab.blog/2012/11/29/bypassing-file-upload-restrictions/
- In a final attempt I looked up OWASP itself to see if they noted any useful information. I found that uncommon extensions which can still be executed server-side are dangerous.
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
- I was able to post a .php file with an extra ;pdf extension, but this didn't actually beat the Upload Type challenge.
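Each of the tricks tried above targets a specific weak check, which is why they fail against a server that does something else. The added example below (not Juice Shop's code, and not a solution to its challenge) models the common weak checks, the null-byte behaviour, and a strict check that defeats all of the payloads; the file names and contents are constructed.

```python
import re

# Allowed extension -> leading bytes that type really starts with.
ALLOWED = {"pdf": b"%PDF-", "zip": b"PK\x03\x04"}

# Exactly one extension, no path separators, no NUL, no ';' or other oddities.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)")


def check_by_substring(filename):
    """Weak check 1: looks for an allowed extension anywhere in the name.
    shell.pdf.php passes because '.pdf' appears in the middle."""
    lower = filename.lower()
    return any(f".{ext}" in lower for ext in ALLOWED)


def check_by_endswith(filename):
    """Weak check 2: inspects only the trailing extension.
    shell.php.pdf passes; on servers that map every extension in the name to a
    handler (classic Apache mod_php AddHandler setups) it may still run as PHP."""
    return filename.lower().endswith(tuple(f".{ext}" for ext in ALLOWED))


def stored_name_on_nul_truncating_runtime(filename):
    """Models the %00 trick: a C-string based runtime (PHP before 5.3.4) stops
    at the NUL when writing the file, so the check sees '.pdf' but the disk sees
    '.php'. Current PHP and Node keep the whole string, which is why the trick
    fails on modern stacks."""
    return filename.split("\x00", 1)[0]


def check_strict(filename, content):
    """Hardened check: a clean name with one extension from the allowlist, and
    the content's magic bytes must match the claimed type. A real upload handler
    should additionally store the file under a server-generated name outside
    the document root so that nothing a user chose is ever executed."""
    match = SAFE_NAME.fullmatch(filename)
    if match is None:
        return False
    magic = ALLOWED.get(match.group(1).lower())
    return magic is not None and content.startswith(magic)
```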
Vim Learning
- Verbs in Vim
d = delete
c = change
> = indent
< = outdent
v = visually select
y = yank (copy)
- Nouns in Vim (motions)
w = word (move forward by a word)
b = back (move back by a word)
2j = down 2 lines
- A verb followed by a noun makes a command: the command below deletes from the cursor to the start of the next word.
d + w
- The benefit of Vim is that commands are repeatable and undoable.
- Pressing
.
after a command repeats that command.
- Undo is
u
(in a terminal, [ctrl] + z suspends Vim rather than undoing). Deleting whole words instead of character by character also makes undo more effective, since a single u reverts the whole word.
- Resource used: https://www.youtube.com/watch?v=wlR5gYd6um0
- CURRENTLY: 9 minutes into video.
Tuesday
Summary [Tuesday 4th Feb]
- To use my time more productively during the rest of the week I am trialling, from today onwards, writing down how long I spent on the work I completed.
- I worked all day today and had errands to take care of so I tried to fit in some Natas practice where I could.
- Natas levels 0 → level 4. [10:15pm to 11:10pm]
OverTheWire: Natas
Level 0 → 1
- My first instinct when reading the webpage, as seen above, was to use the Firefox browser (better for web application testing) and inspect the page.
- Simply right click and click Inspect Element to see the contents of the webpage.
- Now look through each line to see if we can find the password or anything suspicious.
Level 1 → 2
- For this level I once again inspected the page and poked around to see if I could find anything.
- After investigating within one of the <script> tags I found the password for the previous level; it tricked me very well. Reminder to self: don't overlook finer details when you think you have found the issue.
- After further testing I actually found the password in a <div> tag, as shown:
Level 2 → 3
- After much trial and error I found an image, but it was just a pixel with no EXIF or other metadata attached to it. I also gave hexeditor a go with the image to see if I was missing something, but also no luck.
- Then I decided to check what would show if I just used the /files/ path at the end of the URL, and to my surprise there was also a users.txt file listed.
Level 3 → 4
- This level was really confusing: it was almost identical to the previous level apart from the hint, which was about Google not being able to find their webpage.
- My only thought was that it had something to do with the web crawlers Google uses to index the internet, specifically the robots.txt file (that Google requires).
- So I tried adding /robots.txt to the end of the URL and, sure enough, it gave me another directory with a users.txt file in it.
- The contents of the users.txt file contained the password for the next level.
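robots.txt is worth reading on every target for exactly the reason this level shows: it lists the paths the owner least wants indexed. The added example below (my own code, not part of the Natas level) parses a constructed robots.txt, including comments and groups with several User-agent lines, and turns the Disallow entries into URLs to visit by hand. The directory names in the sample are made up.

```python
from urllib.parse import urljoin

# Constructed robots.txt used as sample input (not the real Natas file).
SAMPLE_ROBOTS = """\
# crawlers please behave
User-agent: *
Disallow: /private/
Disallow: /backup/   # old dumps
Allow: /

User-agent: ExampleBot
User-agent: OtherBot
Disallow: /
"""


def disallowed_paths(robots_txt, agent="*"):
    """Collect every Disallow path from the groups that apply to `agent`.

    For reconnaissance we take the union of the wildcard group and any group
    naming the agent (a polite crawler would obey only the most specific group).
    Comments and blank lines are ignored; consecutive User-agent lines form one
    group, which stays in effect until the next User-agent line."""
    paths, applies, prev_was_agent = [], False, False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            prev_was_agent = False
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            match = value == "*" or value.lower() == agent.lower()
            applies = (applies or match) if prev_was_agent else match
            prev_was_agent = True
            continue
        prev_was_agent = False
        if field == "disallow" and applies and value:
            paths.append(value)
    return paths


def candidate_urls(base_url, robots_txt, agent="*"):
    """Turn the Disallow entries into absolute URLs worth opening in a browser."""
    return [urljoin(base_url, path) for path in disallowed_paths(robots_txt, agent)]
```

Run `candidate_urls("http://target.example/", SAMPLE_ROBOTS)` and open each result; a directory listing, like the one found via /files/ in the previous level, is a bonus when the server allows it.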
Wednesday
Summary [Wed 5th Feb]
- Practical Ethical Hacking - TheCyberMentor (Udemy) [10:25am - 11:00am]
- Presentation work with group [11:30am - 1:00pm]
- Presentation slides (this took a while as I wasn't used to using Canva, which is my group's preferred presentation software) [2:00pm - 3:30pm]
- Complete the demonstration video for group presentation [9:00pm to 9:35pm]
Presentation work with Group
How does it work?
- Broken access control is exploitable through many different attack vectors and can be sophisticated or very simple.
- Summary of common access control vulnerabilities:
- Bypassing checks by modifying the URL, internal application state or the HTML page.
- Force browsing (viewing privileged pages as a standard user).
- Allowing the primary key in a request to be changed to another user's record (viewing or editing someone else's account).
- Elevation of privilege (acting as a user without being logged in, or as an admin when logged in as a user).
- Misconfiguration (for example CORS) that allows unauthorised API access.
- Metadata manipulation, such as replaying or tampering with an access token or cookie.
- Examples:
- Predicting the naming structure of URLs that have not been published or indexed yet.
- Curious users who notice the URL structure and access other users' account pages by changing a number or character in the URL.
- Hacksplaining research:
- Access control decisions need to be evaluated every time a resource is accessed, not just when the link is shown.
- With a predictable naming structure, potential URLs can be checked before the official publication date (before indexing).
- In Hacksplaining's scenario an investor circumvents the access control rules this way and writes a script to periodically check for the quarterly reports of all the companies in his portfolio.
- Getting early access to the reports gives him an edge over other investors, and soon he is consistently beating the market.
- Research
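Both examples above (walking other users' records by ID, and fetching reports before their publication date) come from the same missing check: the server authenticates the caller but never authorises the specific object. The added example below (my own, not the presentation's or Hacksplaining's code, with constructed report data) shows the vulnerable handler, an enumeration loop that models the curious user, and a handler that evaluates ownership and the embargo date on every request.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Report:
    id: int
    owner: str        # account the report belongs to
    publish_on: date  # embargo date for a quarterly report


# Constructed sample data (not from any real application).
REPORTS = {
    1: Report(1, "alice", date(2020, 1, 10)),
    2: Report(2, "bob", date(2020, 1, 10)),
    3: Report(3, "alice", date(2020, 3, 31)),  # written but not yet published
}
ADMINS = frozenset({"admin"})


class Forbidden(Exception):
    pass


def get_report_vulnerable(requester, report_id):
    """Authenticates (someone must be logged in) but never authorises: any user
    can walk /report/1, /report/2, ... and read everyone's data, including
    reports whose publish date has not arrived."""
    if not requester:
        raise Forbidden("login required")
    return REPORTS[report_id]


def get_report(requester, report_id, today):
    """Access control evaluated on every request: the requester must own the
    object (or be an admin) and embargoed reports stay hidden until their date.
    Every refusal uses the same message so an attacker cannot tell 'not yours'
    from 'does not exist'."""
    if not requester:
        raise Forbidden("login required")
    report = REPORTS.get(report_id)
    is_admin = requester in ADMINS
    if report is None:
        raise Forbidden("no such report")
    if not is_admin and report.owner != requester:
        raise Forbidden("no such report")
    if not is_admin and report.publish_on > today:
        raise Forbidden("no such report")
    return report


def enumerate_ids(fetch, requester, id_range):
    """What the curious user does: walk the ID space with an ordinary account
    and record which IDs hand back a report."""
    found = []
    for rid in id_range:
        try:
            fetch(requester, rid)
        except (Forbidden, KeyError):
            continue
        found.append(rid)
    return found
```

Note that the hardened version also refuses to distinguish a missing report from someone else's, so the enumeration loop learns nothing about which IDs exist.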
Presentation slides
Demonstration Video
Press the link to watch the demonstration video that I made for my group's Broken Access Control web application presentation.
Thursday
Summary [Thur 6th Feb]
- Natas levels 4 → level 6 [1:00pm to 2:45pm]
- Natas level 6 → level 7 [6:30pm - 7:30pm]
OverTheWire: Natas
Level 4 → 5
- As seen in the objective above, we need to make the request look as if it came from "http://natas5.natas.labs.overthewire.org/". To do this we will need to use Burp Suite.
- Turn the proxy and Intercept [on] in Burp Suite, then go to the Firefox browser and click the refresh page link.
- The request will then show in Burp Suite. If we change the Referer line in the above image to http://natas5.natas.labs.overthewire.org/ and forward the request, we should see a change in the web browser.
Level 5 → 6
- Again Burp Suite will be used for this exercise. When checking the request I noticed a header, Cookie: loggedin=0, so instinctively I changed the 0 to a 1 to signal that loggedin is '1', or true.
Level 6 → 7
REMEMBER
Turn off FoxyProxy when you first authenticate to natas6, then re-enable the Burp Suite proxy; otherwise the packets won't forward and the authentication will time out.
- When inspecting the webpage in Firefox I noticed that there is some logic behind the secret that has to be entered, OR you can press "View sourcecode" as seen above.
- After many attempts looking through the source code and inspecting the webpage's HTML, I found that the answer was right in front of me the entire time.
- Add includes/secret.inc to the end of the URL, as seen in the image above, and when the page loads inspect the element to find the commented-out secret (the web server hands the .inc file out as plain text instead of executing it, which is why the secret is visible).
- If we then go back to the initial webpage and submit that secret we are given the password for the next level of Natas.
Friday
Summary [Fri 7th Feb]
- Natas levels 7 → level 8 [10:30pm to 11:00pm]
OverTheWire: Natas
Level 7 → 8
- This time the webpage is very basic, but there are different pages we can access; my first instinct is to inspect the webpage.
- After seeing this hint I was expecting that remote code execution was what this challenge wanted, so I turned on Burp Suite, added a "." to the end of the URL, and this was the result:
- Because there was no actual error and the webpage still loaded, we may be able to get remote code execution.
- After no luck with this avenue I did notice the file path /var/www/natas/natas7/, and from the hint shown previously we may be able to get the contents of /etc/natas_webpass/natas8 by adding ../ before the file path.
- After much trial and error the above URL worked and presented the password as shown below:
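What this level exploits is path traversal in a page include: the parameter is glued onto a directory name, so ../ sequences climb out of the web root. The added example below (my own code, not the Natas source) rebuilds that layout inside a temporary directory with a placeholder in place of the real password, shows the vulnerable include reading it, and adds the canonical-path check that stops it.

```python
import os
import tempfile


def build_fixture():
    """Constructed directory tree mimicking the Natas 7 layout (web root at
    var/www/natas/natas7, secret under etc/natas_webpass) inside a temp dir so
    nothing touches the real filesystem. The 'password' is a placeholder."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "var", "www", "natas", "natas7")
    secret_dir = os.path.join(root, "etc", "natas_webpass")
    os.makedirs(webroot)
    os.makedirs(secret_dir)
    with open(os.path.join(webroot, "home"), "w") as fh:
        fh.write("this is the front page\n")
    with open(os.path.join(secret_dir, "natas8"), "w") as fh:
        fh.write("EXAMPLE-PASSWORD-NOT-REAL\n")
    return webroot


def include_vulnerable(webroot, page):
    """Level-7 pattern: the page parameter is concatenated onto the directory
    name, so ../../../../etc/natas_webpass/natas8 walks out of the web root."""
    with open(webroot + "/" + page) as fh:
        return fh.read()


def is_within_root(webroot, page):
    """Resolve symlinks and '..' first, then require that the canonical target
    still lies under the canonical web root. Absolute paths fail too, because
    os.path.join discards the base when the page starts with '/'."""
    base = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(base, page))
    return os.path.commonpath([base, target]) == base


def include_safe(webroot, page):
    """Hardened include. When the set of pages is fixed, an allowlist such as
    {'home', 'about'} is simpler and stronger; the realpath check is the general
    defence when the name really has to be dynamic."""
    if not is_within_root(webroot, page):
        raise PermissionError("page escapes the web root")
    with open(os.path.join(os.path.realpath(webroot), page)) as fh:
        return fh.read()
```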