Tuesday, February 13, 2018

OWASP Omaha Feb 2018 - 002 - Deserialization with the JS for the lulz

The OWASP Juice Shop project is great to learn about web app vulnerabilities and how to exploit them. I gave an introduction to web app hacking with the OWASP Juice Shop last year at BSides Iowa which you can see here. The YouTube link discussed web app hacking 101 and demonstrated how to exploit the easier challenges. The intent of these posts and the upcoming talk is to skip ahead to the end and tackle more difficult challenges like deserialization. Without further ado, let's go!

  1. Log into the JuiceShop VM

  2. Go to Applications and launch Firefox

  3. In Firefox, browse to

  4. As you can see, this application runs on demand and is not up

  5. Go to Applications and launch Terminal

  6. In Terminal, browse to the location of the Juice Shop (e.g. Downloads/js642)

  7. Now we need to start up the Juice Shop, in Terminal type in, "npm start"

  8. Go back to Firefox and refresh the page

  9. Now that the Juice Shop is up, let's create an account. Click "Login".

  10. On the login page, click "Not yet a customer?"

  11. Fill in the details for a user account and click "Register". You can have Firefox remember your login details.

  12. Log into Juice Shop with your newly created account

  13. Now that we're logged in, we have more options at the top. Let's get the score board and see our list of challenges. Normally you would find this by looking at the source code of the main page, or any number of methods to find this page.

  14. In Firefox, browse to

  15. We can see we have solved a challenge!

  16. You can see the list of challenges and there are 9 one-star challenges, only 8 to go! If you scroll down, you'll see there aren't any more challenges!

  17. At the top, click the blue buttons to make the rest of them darker. That'll reveal the rest of the challenges in this build.

  18. If we scroll to the bottom with the 5-star challenges, we can see what we came for, the RCE Tier 1 challenge. This is a deserialization attack, but without clicking "unsolved" to get hints, let's walk through the app and see how this all works.

  19. Scroll to the top and click on the OWASP Juice Shop logo

  20. Click on the cart sign for "Apple Juice" to add this to our cart

  21. Click "Your basket" at the top

  22. Click the "x" for the solved notification message and then click "Checkout"

  23. All done! No, not really

  24. Click the back button in Firefox to return to the Juice Shop

Well, now we're going to have to get to work and bust out some tools to help us. We can use the Firefox (ideally Chrome) Developer Tools to help us solve some challenges, but we're going to need a bigger boat.

  1. Open a new tab in Firefox

  2. Browse to https://www.getpostman.com

  3. Click "Linux" and choose "x64"

  4. Click "Save file" and click "Ok"

  5. Open a new tab in Firefox

  6. Browse to https://github.com/zaproxy/zaproxy

  7. Scroll down and click "Download ZAP"

  8. In the wiki Downloads page, scroll down a little and click "Download now" for the "Linux Installer" option

  9. Click "Save file" and click "Ok"

  10. Go to your Downloads folder to see the ZAP and Postman downloads

  11. Right click on "Postman..." and click "Open with Archive Manager"

  12. Click "Extract"

  13. Click "Extract"

  14. Click "Close" when the extraction finishes

  15. Close Archive Manager

  16. Move the tar.gz of Postman into the Postman folder

  17. Open a new Terminal application (since our first one is running Juice Shop)

  18. In Terminal, type in, "cd Downloads" and press Enter

  19. Let's see the directory contents. In Terminal, type in "ls -l" and press Enter

  20. We don't have execute permissions to run the ZAP installer. Let's give ourselves permissions.

  21. In Terminal, type in "chmod 577 ZAP_2_7_0_unix.sh"

  22. In Terminal, type in "ls -l"

  23. Let's run the ZAP installer. In Terminal, type in "./ZAP_2_7_0_unix.sh"

  24. We get an error when we run it as our user account saying that we need to be root. In Terminal, type in "sudo ./ZAP_2_7_0_unix.sh" and enter root's password

  25. Click "Next" in the installer

  26. Review, accept the license, and click "Next"

  27. Let's go "Custom" to see what options we have and click "Next"

  28. Leave the path as default and click "Next"

  29. Leave the symlinks path as default and click "Next"

  30. Desktop icons are fun, click "Next"

  31. I checked the option for "Automatically download new ZAP releases" and left everything else checked. Click "Next"

  32. Install!

  33. Click "Finish"

  34. Go back to the second Terminal window that is in our Downloads directory

  35. "cd" into the "Postman" directory

  36. If we do "ls -l" in the Postman directory, we can see the Postman binary. Let's launch it.

  37. In Terminal, type in, "./Postman"

  38. PC Load Letter?

  39. Let's find out what can provide this missing shared object. In Terminal, type in "yum whatprovides libXss.so.1".

  40. We can see that libXScrnSaver will provide this shared object. In Terminal, type in "yum install libXScrnSaver". NOPE. In Terminal, type in, "sudo yum install libXScrnSaver".

  41. Go through the prompts of the install

  42. Let's try this again, in Terminal, type in, "./Postman" and press Enter

  43. Yay! Postman works!

  44. To go further, you can sign in with a Postman account if you have one, sign up for one, or just skip this step for now. I'm going to skip this for now.

  45. You can choose to keep this helpful window on each launch; for now, go ahead and click the "x" in the upper right hand corner.

  46. Postman works, you can close this for now

  47. Go to Applications > Other and you should see "OWASP ZAP" in here

  48. Click on "OWASP ZAP" to launch it

  49. ZAP will load up and give you options of how you want to persist your sessions. Since this was just a test run to make sure the app runs, choose "No" and click "Start"

  50. Close ZAP

That's all I have planned for this post! The next post will actually do something! :)

Monday, February 12, 2018

OWASP Omaha Feb 2018 - 001 - Deserialization with the JS for the lulz

On Feb 16th, I'm going to present a discussion of deserialization attacks in a JavaScript based web application at the OWASP Omaha chapter meeting. My slides will cover a lot of the material below, but I won't spend too much time per slide. The purpose of these blog entries will be to show each step of the way as a reference for the upcoming talk.

We will start with preparing the environment. We're going to use CentOS 7 for the OS and the OWASP Juice Shop project for the web app to exploit. This series assumes you already have VirtualBox installed, but I would imagine that VMware would work fine as well.

  1. Go to the downloads page for CentOS here

  2. Click on "DVD ISO" and download the ISO which should automatically pick a download mirror closest to you. At the time of this writing, CentOS 7, x86_64 1708 was used.

  3. Start VirtualBox and click "New"

  4. Type in "JuiceShop" as the name, change the type to "Linux", and select "Red Hat (64-bit)" as the Version.

  5. Click "Continue"

  6. Change the RAM to 2048 (or higher if you can) and click "Continue"

  7. Leave the default option of "Create ..." and click "Continue"

  8. Leave the default option of "VDI" and click "Continue"

  9. Leave the default option of "Dynamic" and click "Continue"

  10. Change the hard drive size to 30GB and click "Create"

  11. Click "Settings" for JuiceShop

  12. On the "General" tab, click "Advanced", and change both "Shared Clipboard" and "Drag'n'Drop" to "Bidirectional"

  13. On the "System" tab, click "Processor", and increase the number of CPUs up to 2 if possible

  14. On the "Storage" tab, click "Empty" under "Controller: IDE", and click the CD icon

  15. Click "Choose Virtual Optical Disk File"

  16. Select the ISO from step 2

  17. Click Ok

  18. Click "Start" on the JuiceShop VM

  19. Press the up arrow to select "Install CentOS 7" and press Enter

  20. Once the GUI install screen appears, select the appropriate language and click "Continue"

  21. Let's start with configuring the system from the top. Click "Date & Time".

  22. Change the timezone as appropriate and click "Done"

  23. Click "Software Selection"

  24. Choose "GNOME Desktop", check "Development Tools", and click "Done"

  25. Click "Installation Destination"

  26. Review the disk options and click "Done" when complete

  27. Click "Network & Host Name"

  28. Click "Configure"

  29. Click "General"

  30. Check "Automatically connect..."

  31. Click "Save"

  32. The ethernet adapter should now have automatically flipped to "On"

  33. Click "Done"

  34. Click "Begin Installation"

  35. While the system begins installation, you get the option to set a root password and a user. Click "Root password".

  36. Set a root password and click "Done"

  37. Click "User creation"

  38. Set the full name, user name (should automatically populate), check the box for "Make this user administrator", and matching passwords. When done, click "Done".

  39. Wait for the installation process to finish

  40. Click "Reboot"

  41. Once you're back into the GUI configuration screen, click "License information"

  42. Review the EULA, check the box to accept the terms, and click "Done"

  43. Click "Finish configuration"

  44. Log into the system!

  45. In the gnome-initial-setup screen, choose your language and click "Next" in the upper right

  46. Review the keyboard selection and click "Next"

  47. Review the privacy option and click "Next"

  48. Connect any accounts that you'd like, or click "Skip" if you choose none of them

  49. Click "Start using CentOS Linux"

  50. Review the help information and close when finished

  51. Move the mouse cursor to the top left of the screen to "Applications"

  52. Click "Applications" and click on "Terminal"

  53. In Terminal, type in, "sudo yum update" and press Enter. Review the warning, enter your password, and press Enter.

  54. I had an issue with PackageKit locking yum in two different instances. Move the cursor to the top right of the screen, click the power icon, and click on the "Power button" icon.

  55. Click "Restart"

  56. Enter the password and click "Authenticate". The system will be rebooted.

  57. Log back in!

  58. Open up a Terminal client (Applications > Favorites > Terminal)

  59. Type in, "sudo yum update", press Enter, enter in your password, and press Enter

  60. A bunch of text will scroll by, eventually it'll stop asking if you want to download updates. Type in, "y" and press Enter.

  61. Next you may get a prompt to update a key. Type in "y" at the prompt and press Enter.

  62. Once that completes, move the mouse to the upper right, click on the power icon, and click the wrenches

  63. Click "Power"

  64. Click the dropdown for "Power Saving" and change it to "Never"

  65. Click the back button to go to the previous screen

  66. Click "Privacy"

  67. Click on "Screen Lock"

  68. Click on "On" to turn it off

  69. Click on the "x" to close out

  70. Click on the "x" to close out of Privacy

  71. We now want to install the VirtualBox Guest Additions. If you click out of the VM (pressing Right Control in Windows or Left Command in macOS), you get options for the VM if you click the title bar of the VM window. These instructions are based on Mac, so click on "Devices" at the top and select, "Insert Guest Additions CD image".

  72. In your VM, you should see a CD icon automatically popup and an auto-run box asking if you want to run the software. Click "Run".

  73. Enter in your password and click "Authenticate" or press Enter

  74. If all goes well, you'll be able to freely move your mouse in and out of the VM. Yay! Press the Enter key.

  75. We now need the Node.js package manager to run the Juice Shop. If we type in "npm" at the prompt, we see that it's not installed.

  76. We will refer to these official instructions from Node to install what we need

  77. In Terminal, type in, "curl --silent --location https://rpm.nodesource.com/setup_9.x | sudo bash -" and press Enter

  78. Enter in your password and it should do its magic

  79. Like the instructions on the website and in the window, we need to now install node v9. We are using v9 since that is what is officially recommended by Juice Shop as the preferred version.

  80. In Terminal, type in, "sudo yum install -y nodejs" and press Enter

  81. It should complete pretty fast! We now have nodejs v9.5 installed at the time of this writing.

  82. Now we need to get the latest version of the OWASP Juice Shop. In our VM, go to Applications and open up Firefox.

  83. In Firefox, browse to https://github.com/bkimminich/juice-shop

  84. You should see a "releases" link. At the time of this writing, there are 106 releases. Click on that.

  85. We want the latest Linux, x64, node9 package. In this case, it's juice-shop-6.4.2_node9_linux_x64.tgz. Click on that.

  86. Click on "Save File" and click "Ok"

  87. Once it's done, Firefox should show you a helpful mini-window and a folder icon so you can browse to where the file was saved. Click on the folder icon.

  88. Right click on the archived file and click "Open With Archive Manager"

  89. Click on "Extract"

  90. Click on the new folder icon

  91. Give the new folder some kind of meaningful name. I chose, "js642". After you enter in a name, click "Create"

  92. Click on "Extract"

  93. Click "Close"

  94. "X" out of the Archive Manager

  95. You can close the file browser window now too along with Firefox

  96. Go back to the Terminal window

  97. Browse to the folder we extracted the Juice Shop contents into

  98. Type in, "npm start" and press Enter. If all goes well, we should have the Juice Shop listening on port 3000!

  99. Open up Firefox, and browse to

  100. Welcome to the OWASP Juice Shop!
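Steps 75 through 98 are one procedure (install Node 9 from NodeSource, fetch the Juice Shop 6.4.2 release, unpack it and start it), so here is the same procedure as a single POSIX shell script. This is an added example, not code from the original post or from the Juice Shop project. It assumes CentOS 7 with sudo, curl and tar available, the GitHub release download URL pattern for the 6.4.2 archive, and the js642 folder name from step 91; the version-check helpers are hypothetical names. One deliberate change from the post: instead of piping the NodeSource setup script straight into "sudo bash -", the script saves it to a file first so you can read it (or compare it against a known-good copy) before anything runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of steps 75-98.
# Assumptions (hypothetical, adjust to your environment): CentOS 7 with sudo,
# curl and tar; the GitHub release download URL pattern; target folder js642.
set -eu

NODE_MAJOR_REQUIRED=9
JS_VERSION="6.4.2"
JS_DIR="${HOME}/Downloads/js642"
JS_ARCHIVE="juice-shop-${JS_VERSION}_node9_linux_x64.tgz"
JS_URL="https://github.com/bkimminich/juice-shop/releases/download/v${JS_VERSION}/${JS_ARCHIVE}"
NODESOURCE_URL="https://rpm.nodesource.com/setup_9.x"

# Extract the major version from a "node --version" string, e.g. v9.5.0 -> 9.
node_major() {
    printf '%s\n' "$1" | sed -e 's/^v//' -e 's/\..*$//'
}

# Succeed only when the installed major version is the one Juice Shop 6.4.2 recommends.
node_is_ok() {
    [ "$(node_major "$1")" = "$NODE_MAJOR_REQUIRED" ]
}

install_node() {
    # Save the NodeSource setup script to a file instead of piping it into a root shell,
    # so it can be inspected (or checksummed against a known-good copy) before it runs.
    setup="$(mktemp)"
    curl --silent --location --fail -o "$setup" "$NODESOURCE_URL"
    echo "NodeSource setup script saved to $setup; review it, then press Enter to run it as root"
    read -r _unused
    sudo bash "$setup"
    sudo yum install -y nodejs
}

fetch_juice_shop() {
    mkdir -p "$JS_DIR"
    curl --location --fail -o "${JS_DIR}/${JS_ARCHIVE}" "$JS_URL"
    tar -xzf "${JS_DIR}/${JS_ARCHIVE}" -C "$JS_DIR"
}

main() {
    # Only (re)install Node when it is missing or not the required major version.
    if ! command -v node >/dev/null 2>&1 || ! node_is_ok "$(node --version)"; then
        install_node
    fi
    fetch_juice_shop
    # The archive may unpack into a versioned subdirectory; locate package.json rather
    # than assuming the layout, then start the app as in step 98 (listens on port 3000).
    app_dir="$(find "$JS_DIR" -maxdepth 2 -name package.json -exec dirname {} \; | head -n 1)"
    cd "$app_dir"
    npm start
}

# Only run the install when explicitly asked, so the helper functions can be sourced safely.
if [ "${1:-}" = "--install" ]; then
    main
fi
```

Run it as `sh setup-juice-shop.sh --install` from a fresh Terminal; without the flag it only defines the functions. The version check matters because the post picks the node9 build of the archive, so a later major version on the box would not match the downloaded package.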