LAB: Role Based Access Control
In this post I completed Stage 1 and Stage 3. To complete the stages I exploited an OWASP Top 10 2017 A5: Broken Access Control vulnerability: the application had flaws that let me perform admin-level actions as a normal user.
My solution to Stage 1:
I logged in as Tom Cat. I browsed to the “Staff List” page and looked at the source code in the inspector for the “ViewProfile” and “Logout” buttons. My first guess for the name of a button that deletes a user was “DeleteUser”. I modified the “ViewProfile” HTML code in the inspector and changed the value to “DeleteProfile”:
<input name="action" value="DeleteProfile" type="submit">
And then I clicked the ViewProfile button and completed Stage 1.
My solution to Stage 3:
The solution for Stage 3 was similar to the solution for Stage 1. I looked at the source code for the same view, this time for the selected employee (Tom Cat). It had the value 105 for the parameter, which was most likely Tom Cat’s employee id. I tried changing that to 104:
<option selected="" value="104">Tom Cat (employee)</option>
And then I clicked ViewProfile and got Eric Walker’s profile page instead of Tom’s – Stage 2 succeeded.
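As an added example (not WebGoat’s code and not part of the original post), here is a small Python model of the profile form handler in both shapes: the vulnerable one, which trusts the form’s action and employee id exactly as the two stages above exploit, and a hardened one that puts a business-layer check (which roles may run which action, Stage 1) and a data-layer check (a non-admin may only act on their own id, Stage 3) in front of the same work. The role names, the policy table and the employee directory are assumptions; the ids 104 and 105 follow the post.

```python
"""Business-layer and data-layer authorization for the profile form.
Added example, not WebGoat's own code; roles, policy and directory are assumed."""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    name: str
    role: str  # "employee" or "admin" (assumed role names)


# Constructed directory: Tom Cat is 105 and Eric Walker is 104, as in the post.
DIRECTORY = {104: "Eric Walker", 105: "Tom Cat"}


def handle_vulnerable(user, form, directory):
    """Trusts everything in the form: both the action and the employee id are
    client-controlled, so editing the hidden values in the inspector is enough.
    The logged-in user is never consulted."""
    action = form["action"]
    emp_id = int(form["employee_id"])
    if action == "ViewProfile":
        return ("profile", directory[emp_id])
    if action == "DeleteProfile":
        directory.pop(emp_id)
        return ("deleted", emp_id)
    return ("unknown", action)


# Business layer: which roles may perform which action (assumed policy).
ALLOWED_ROLES = {"ViewProfile": {"employee", "admin"}, "DeleteProfile": {"admin"}}


def authorize(user, action, emp_id):
    """Return None if permitted, else the reason for denial. This runs on the
    server for every request, regardless of which buttons the page rendered."""
    if user.role not in ALLOWED_ROLES.get(action, set()):
        # Business-layer check: blocks the Stage 1 tampered action.
        return f"role {user.role} may not {action}"
    if user.role != "admin" and emp_id != user.id:
        # Data-layer check: blocks the Stage 3 tampered employee id.
        return f"user {user.id} may not touch employee {emp_id}"
    return None


def handle_hardened(user, form, directory):
    """Same work as the vulnerable handler, but only after authorize() passes."""
    action = form["action"]
    emp_id = int(form["employee_id"])
    denied = authorize(user, action, emp_id)
    if denied:
        return ("403", denied)
    return handle_vulnerable(user, form, directory)


def replay_lab():
    """Replay the two tampered requests from the post against both handlers,
    each on its own copy of the directory. Returns {label: (stage1, stage3)}."""
    tom = User(105, "Tom Cat", "employee")
    stage1 = {"action": "DeleteProfile", "employee_id": "105"}  # edited hidden value
    stage3 = {"action": "ViewProfile", "employee_id": "104"}    # edited option value
    out = {}
    for label, handler in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        directory = copy.deepcopy(DIRECTORY)
        out[label] = (handler(tom, stage1, directory), handler(tom, stage3, directory))
    return out


if __name__ == "__main__":
    for label, results in replay_lab().items():
        print(label, results)
```

The point of the split is that the hardened handler never asks whether the UI offered the button; it asks whether this session’s user is allowed to do this action to this record, which is the check that hiding buttons in HTML cannot replace.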
MITRE ATT&CK: Exploit Public-Facing Application
“The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior.” https://attack.mitre.org/techniques/T1190/
The vulnerabilities above (WebGoat LAB) fall under the MITRE ATT&CK technique “Exploit Public-Facing Application”. The application in WebGoat had a design vulnerability that allowed access to sensitive, admin-level data as a normal user. I used the inspector to modify the HTML code and send requests, but a tool such as mitmproxy could also be used to exploit this kind of vulnerability.
This post is homework 2 for Tero Karvinen’s course Penetration Testing.
// Irene Kunnari
Kali bootable USB-stick
I downloaded Kali Linux 64-bit from here: https://www.kali.org/downloads/
And then I looked at the instructions for making the USB stick here: https://docs.kali.org/downloading/kali-linux-live-usb-install
I used my Ubuntu desktop to make a bootable USB stick. I had to be extra careful to choose the correct location to write:
dd if=kali-linux-2019.2-amd64.iso of=/dev/sdb bs=512k
And when it was ready, I tried booting, and I was able to boot into Kali Linux:
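Added example, not part of the original post: a Python pre-flight script for the two things that go wrong at this step, an unverified image and dd pointed at the wrong disk. It checks the ISO against a sha256sum-style SHA256SUMS file, then confirms the target device is flagged removable in sysfs and that neither it nor any of its partitions is mounted, before building the dd command line used above. The fixture it runs against (a fake ISO, checksum file, sysfs tree and mounts table) is constructed in a temporary directory; on a real machine you would pass the real ISO, the downloaded SHA256SUMS, and the default /sys and /proc/mounts.

```python
"""Pre-flight checks before writing an ISO to a USB stick with dd.
Added example; the fixture data below is constructed, not from a real system."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large ISOs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_matches_sums(iso_path, sums_path):
    """True if the ISO's SHA-256 matches the entry for its basename in a
    sha256sum-style file ("<hash>  <name>", or "*<name>" for binary mode)."""
    want = sha256_of(iso_path)
    name = os.path.basename(iso_path)
    with open(sums_path) as f:
        for line in f:
            parts = line.split()
            if len(parts) == 2 and parts[1].lstrip("*") == name:
                return parts[0].lower() == want
    return False  # no entry for this file counts as a failure, not a pass


def device_is_safe_target(dev, sysroot="/sys", mounts="/proc/mounts"):
    """True only if /dev/<dev> is marked removable in sysfs and neither the
    device nor any partition of it appears in the mounts table."""
    flag = os.path.join(sysroot, "block", dev, "removable")
    try:
        with open(flag) as f:
            removable = f.read().strip() == "1"
    except OSError:
        return False  # unknown device: refuse rather than guess
    if not removable:
        return False
    with open(mounts) as f:
        for line in f:
            fields = line.split()
            if fields and fields[0].startswith("/dev/" + dev):
                return False
    return True


def dd_command(iso_path, dev):
    """The write command from the post, as an argv list (no shell quoting issues)."""
    return ["dd", f"if={iso_path}", f"of=/dev/{dev}", "bs=512k"]


def build_fixture():
    """Construct a fake ISO, SHA256SUMS, sysfs tree and mounts table in a temp
    dir. sda is an internal disk, sdb an unmounted USB stick, sdc a mounted one."""
    root = tempfile.mkdtemp()
    iso = os.path.join(root, "kali-linux-2019.2-amd64.iso")
    with open(iso, "wb") as f:
        f.write(b"not a real iso image\n" * 1000)
    sums = os.path.join(root, "SHA256SUMS")
    with open(sums, "w") as f:
        f.write(f"{sha256_of(iso)}  kali-linux-2019.2-amd64.iso\n")
    sysroot = os.path.join(root, "sys")
    for dev, flag in (("sda", "0"), ("sdb", "1"), ("sdc", "1")):
        os.makedirs(os.path.join(sysroot, "block", dev))
        with open(os.path.join(sysroot, "block", dev, "removable"), "w") as f:
            f.write(flag + "\n")
    mounts = os.path.join(root, "mounts")
    with open(mounts, "w") as f:
        f.write("/dev/sda1 / ext4 rw 0 0\n/dev/sdc1 /media/usb vfat rw 0 0\n")
    return iso, sums, sysroot, mounts


def run_checks():
    """Run every check against the constructed fixture and return the verdicts."""
    iso, sums, sysroot, mounts = build_fixture()
    return {
        "iso_ok": iso_matches_sums(iso, sums),
        "sda": device_is_safe_target("sda", sysroot, mounts),  # internal disk
        "sdb": device_is_safe_target("sdb", sysroot, mounts),  # removable, unmounted
        "sdc": device_is_safe_target("sdc", sysroot, mounts),  # removable but mounted
        "cmd": dd_command(iso, "sdb"),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

Refusing on a mounted device catches the common mistake where a stick is auto-mounted by the desktop and the partition, not the whole device, would be overwritten; the removable flag catches the far worse one where the chosen name is the system disk.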
This is week 6’s homework from Tero Karvinen’s course about Salt. The exercise was to install a LAMP stack using Salt.
Creating a state that installs PHP in /srv/salt/apachephp:
And the state succeeded.
Then a state that installs the MariaDB server and client in /srv/salt/mariadb:
Apache (I had a problem…):
Also an apache directory with an init.sls that installs Apache:
The other installations succeeded, but with this one I had a problem. It said the following and I didn’t manage to figure out the problem. It seemed right to me…:
Installing salt-minion on Windows
From this link I installed the proper salt-minion version for Windows: https://repo.saltstack.com/windows/. The salt-minion has to be the same version as the salt-master, or otherwise it won’t work.
I executed the .exe file and installed salt-minion. During the installation you tell the minion its master and minion id. After the installation was done, I accepted the slave key on the master and the new minion was ready.
The minion can be pinged locally from the Windows cmd:
I wanted to install PuTTY and Firefox on the Windows 10 minion with Salt. I created a winpkgs directory in the master’s /srv/salt and added an init.sls there:
Then I applied the state:
The Windows 10 minion had some issues responding and returned “Not connected”. By extending the timeout and running the minion in debug mode I got an answer. The state had succeeded and had already installed the programs, and I was able to find PuTTY and Firefox on the desktop.