WebGoat exercises (h2)

WebGoat

LAB: Role Based Access Control

In this post I completed Stage 1 and Stage 3. To complete the stages I attacked the OWASP Top 10 2017 A5: Broken Access Control vulnerability – the application had flaws so that I could do admin-stage actions as a normal user.

Screenshot from 2019-05-21 15-25-08

My solution to Stage 1:

Screenshot from 2019-05-21 15-32-10.png

I logged in as Tom Cat. I browsed to the “Staff List page” and looked at the source code in the inspector for the “ViewProfile” and “Logout” buttons. The first name guess for a button to delete a user would be “DeleteUser”. I modified the “ViewProfile” HTML code in the inspector and changed the value to “DeleteProfile”:

<input name="action" value="DeleteProfile" type="submit">

Then I clicked the ViewProfile button and completed Stage 1.

 

My solution to Stage 3:

Screenshot from 2019-05-21 15-31-48.png

The solution for Stage 3 was similar to the solution for Stage 1. I looked at the source code for the same view, this time for the selected employee (Tom Cat). It had the value 105 for the parameter, which was most likely Tom Cat’s employee id. I tried changing that to 104:

<option selected="" value="104">Tom Cat (employee)</option>

And then I clicked ViewProfile and got Eric Walker’s profile page instead of Tom’s – Stage 2 succeeded.

 

 

 

MITRE ATT&CK: Exploit Public-Facing Application

“The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior.” https://attack.mitre.org/techniques/T1190/

The vulnerabilities above (WebGoat LAB) correspond to the MITRE ATT&CK technique “Exploit Public-Facing Application”. The application in WebGoat had a design vulnerability that made it possible to access sensitive, admin-stage data as a normal user. I used the inspector to modify the HTML code and send requests, but mitmproxy, for example, could also be used to exploit this kind of vulnerability.
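
Both tampered requests above work only because the server trusts the action name and employee id that the form sends. As an added example (not part of the original post and not WebGoat's own code), the Python below shows a server-side check that decides from the logged-in session instead; the role table, the `User` class and `authorize` are hypothetical names, and only the action names and Tom Cat's id 105 come from the post.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical role table: actions each role may request (default deny).
ROLE_ACTIONS = {
    "employee": {"ViewProfile", "Logout"},
    "manager": {"ViewProfile", "Logout"},
    "admin": {"ViewProfile", "DeleteProfile", "Logout"},
}
# Actions that touch one employee record and need an object-level check.
OBJECT_ACTIONS = {"ViewProfile", "DeleteProfile"}


@dataclass(frozen=True)
class User:
    """Identity taken from the server-side session, never from the form."""
    employee_id: int
    role: str
    manages: frozenset = frozenset()  # ids of direct reports (constructed)


def authorize(user: User, action: str, target_id: int | None = None) -> tuple[bool, str]:
    # 1. Function-level check: is the action allowed for this role at all?
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False, f"role {user.role!r} may not perform {action!r}"
    # 2. Object-level check: may this user touch this particular record?
    if action in OBJECT_ACTIONS:
        if target_id is None:
            return False, "missing target id"
        own = target_id == user.employee_id
        report = target_id in user.manages
        if not (own or report or user.role == "admin"):
            return False, f"employee {user.employee_id} may not access record {target_id}"
    return True, "ok"


# Constructed session: Tom Cat is employee 105, as in the post.
TOM = User(employee_id=105, role="employee")


def replay_post_requests():
    """Replay the untouched request and the two modified ones from the post."""
    return [
        authorize(TOM, "ViewProfile", 105),    # form as served
        authorize(TOM, "DeleteProfile", 105),  # Stage 1: action value changed
        authorize(TOM, "ViewProfile", 104),    # Stage 3: employee id changed
    ]


if __name__ == "__main__":
    for allowed, reason in replay_post_requests():
        print(allowed, reason)
```

Hiding the delete button or the other employees in the HTML changes nothing here, because the decision never reads anything the browser controls except the requested action and target.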

 

 

This post is homework 2 for Tero Karvinen’s course Penetration Testing.

// Irene Kunnari


LAMP with Salt

This is week 6’s homework from Tero Karvinen’s course about Salt. The exercise was to install a LAMP stack using Salt.

 

PHP

Creating a state that installs PHP in /srv/salt/apachephp:

Screenshot 2019-05-15 at 21.04.22.png

And state succeeded.

Screenshot 2019-05-15 at 20.58.45.png

 

MariaDB

Then a state that installs the MariaDB server and client in /srv/salt/mariadb:

Screenshot 2019-05-15 at 21.05.06.png

And succeeded:

Screenshot 2019-05-15 at 20.57.10.png

 

Apache (I had a problem...):

Also an apache directory that has an init.sls that installs Apache:

Screenshot 2019-05-15 at 21.07.08.png

 

The other installations succeeded, but with this one I had a problem. It said the following and I didn’t manage to figure out the problem. It seemed right to me…:

Screenshot 2019-05-15 at 21.06.51.png

Windows as Salt-minion (h5)

Installing salt-minion on Windows

 

From this link I installed the proper salt-minion version for Windows: https://repo.saltstack.com/windows/. Salt-minion has to be the same version as salt-master, otherwise it won’t work.

I executed the .exe file and installed salt-minion. During the installation you tell the minion its master and minion id. After the installation was done, I accepted the slave key on the master and the new minion was ready.

 

The minion can be pinged locally from Windows cmd:

salt-call test.ping

 

I wanted to install PuTTY and Firefox with Salt on the Windows 10 minion. I created a winpkgs directory in the master’s /srv/salt and added an init.sls there:

Screenshot 2019-05-08 at 19.22.05

 

Then I applied the state:

Screenshot 2019-05-08 at 19.44.02

 

The Windows 10 minion had some issues responding and it returned “Not connected”. By expanding the timeout and running the minion in debug mode I got an answer. The state succeeded and it had already installed the programs, and I was able to find PuTTY and Firefox on the desktop.

 

 

 

Salt-minion script and Vagrant (H4)

This post includes:

– Creating a script that makes my computer a salt-slave

– Vagrant installation and setting up Vagrant VirtualBox box

This is part of Tero Karvinen’s course about server administration and homework 4: http://www.terokarvinen.com.

 

In these exercises I used my desktop computer running Linux Ubuntu:

master

 

Creating a script that makes my computer a salt slave

 

Before this I had installed salt-master on my computer, which is necessary for this to work.

I created a directory “scripts” under my /home where I created a file named salt-minion.sh. Inside the file I wrote the following lines:

 

script_saltminion.png

 

When executed, the script installs salt-minion and writes the master IP and slave id to the minion’s primary configuration file. Then it also restarts salt-minion so the changes take effect.

 

sudo sh salt-minion.sh

 

After executing the file, I can check if it succeeded:

 

sudo salt-key -A

 

salt-key-a.png

 

As the image shows, Salt reports a new unaccepted key. After accepting it, my computer becomes a slave of itself.

 

Vagrant installation and setting up Vagrant VirtualBox box

 

“Vagrant is a tool for building and managing virtual machine environments in a single workflow.” https://www.vagrantup.com/intro/index.html

 

Vagrant installation:

 

sudo apt-get update

sudo apt-get install virtualbox vagrant

 

vagrant_version.png
Vagrant version 2.0.2 has been installed

 

Then I created a directory “testikone” where I could put my Vagrantfile. Inside the directory, I made a Vagrantfile. I chose the bento/centos-6.7 Vagrant box from https://app.vagrantup.com/bento/boxes/centos-6.7. I added the following inside the Vagrantfile:

 

vagrantfile.png

 

Then I ran:

 

vagrant up

 

It decided to download the bento/centos-6.7 box because I hadn’t installed it before:

 

vagrantup.png

 

After the installation completed, I opened an SSH connection to the box:

 

vagrant ssh

 

I was now connected to the Vagrant box via SSH, and the next image shows the output of the ls -la command run inside the Vagrant box:

 

centos_box.png

 

 

 

 

 

 

Name-based virtualhost on Apache using Salt (h3)

In this post I created a Salt state that creates a name-based virtualhost on Apache. This is part of my homework for Tero Karvinen’s course about server administration.

 

Instructions “Setting up name-based virtualhost Apache”

The instructions above tell how to set up a name-based virtualhost on Apache, and I needed to figure out how to do it in a Salt state.

Prerequisite: Apache installed

 

In this exercise as a master I used my desktop computer running Linux:

master.png
master

As a slave I used VirtualBox and virtual machine running on the same computer as master:

minion.png

 

 

Creating virtualhost state

 

First, I created a virtualhost directory in the master’s /srv/salt where I could put all the files needed to configure the virtualhost.

I started building the init.sls file by creating a www.virtualhost1.com directory inside the slave’s /var/www/html/.

 

init_virtualhost

Next, the virtualhost needs an index.html file. I created one in /srv/salt/virtualhost. The following lines add index.html from /srv/salt/virtualhost to the slave’s directory /var/www/html/www.virtualhost1.com:

 

init_virtualhost-2.png

 

 

Then I disabled the slave’s 000-default.conf file by writing the command in the file and running it with cmd.run. (After applying the state I tried enabling 000-default.conf again and it didn’t make changes to my virtualhost):

 

init_virtualhost-4.png

 

I created a www.virtualhost1.com.conf file in the slave’s /etc/apache2/sites-available/ directory:

 

init_virtualhost-5.png

 

The source is from master’s /srv/salt/virtualhost and in the content is the conf information for the virtualhost:

 

h3_4.png

 

Next I added the command to enable the virtualhost on the slave:

 

init_virtualhost-6.png

 

Then I added the following line to slave’s /etc/hosts. The IP address in text is the localhost IP address and after that there is the name of virtualhost:

 

init_virtualhost-7.png

 

Lastly, I wanted to restart the Apache service on the slave so the changes take effect:

 

init_virtualhost-8.png

 

 

First test…

salt '*' state.apply virtualhost

It didn’t succeed properly! When I typed http://www.virtualhost1.com into the browser and searched, it said “Not Found: The requested URL was not found on this Apache server”.

I started to search for what could be the matter and found this post: https://1netwiki.com/wiki/28. The first instruction was to try enabling the rewrite module in /apache2/mods-available.

I added the following lines to init.sls to enable the rewrite module on the slave:

init_virtualhost-9.png

Second test…

salt '*' state.apply virtualhost

 

success.png

 

Succeeded completely! I was now able to view the virtualhost’s index page from browser:

h3_2

 

And this was the localhost default page:

h3_3.png

 

 

 

Final state file and content of /srv/salt/virtualhost

 

Here is the final init.sls file that worked:

 

init_virtualhost

 

And the content of /srv/salt/virtualhost:

 

content.png

Installing Chromium-browser with Salt

This is part of Tero Karvinen’s course about server administration: http://terokarvinen.com/2018/aikataulu-palvelinten-hallinta-ict4tn022-3003-ti-ja-3001-to-loppukevat-2019.

 

I used Linux Ubuntu 18.04.2 LTS as the master, running on my desktop computer. As a slave I used Linux Ubuntu 18.04.2 LTS running on VirtualBox.

 

I created a very simple state to install the Chromium browser on the minion. For this I created a chromium directory in /srv/salt and added an init.sls file there. There I wrote the following lines:

chromium-browser:
  pkg.installed

Next, I applied the state:

chromium.png

It succeeded and now I had the Chromium browser ready to use on the VM.