OWASP Omaha Feb 2018 - 002 - Deserialization with the JS for the lulz
The OWASP Juice Shop project is a great way to learn about web app vulnerabilities and how to exploit them. I gave an introduction to web app hacking with the OWASP Juice Shop last year at BSides Iowa, which you can see here. That talk covered web app hacking 101 and demonstrated how to exploit the easier challenges. The intent of these posts and the upcoming talk is to skip ahead to the end and tackle the more difficult challenges, such as deserialization. Without further ado, let's go!
Log into the JuiceShop VM
Go to Applications and launch Firefox
In Firefox, browse to http://127.0.0.1:3000
As you can see, this application runs on demand and is not up
Go to Applications and launch Terminal
In Terminal, browse to the location of the Juice Shop (e.g. Downloads/js624)
Now we need to start up the Juice Shop. In Terminal, type "npm start" and press Enter. Leave this Terminal window open; the app stops when you close it.
Go back to Firefox and refresh the page
Now that the Juice Shop is up, let's create an account. Click "Login".
On the login page, click "Not yet a customer?"
Fill in the details for a user account and click "Register". You can have Firefox remember your login details.
Log into Juice Shop with your newly created account
Now that we're logged in, we have more options at the top. Let's get to the score board and see our list of challenges. Normally you would find this page by looking through the client-side JavaScript for its route (it is never linked from the UI), or by any number of other methods.
In Firefox, browse to http://127.0.0.1:3000/#/score-board
We can see we have solved a challenge!
You can see the list of challenges and there are 9 one-star challenges, only 8 to go! If you scroll down, you'll see there aren't any more challenges listed, but that is only because the score board filters by difficulty.
At the top, the blue buttons are the difficulty filters. Click each one so it turns darker; that reveals the rest of the challenges in this build.
If we scroll to the bottom with the 5-star challenges, we can see what we came for: the RCE Tier 1 challenge. This is a deserialization attack. Rather than clicking "unsolved" to get hints, let's walk through the app and see how this all works.
Scroll to the top and click on the OWASP Juice Shop logo
Click on the cart sign for "Apple Juice" to add this to our cart
Click "Your basket" at the top
Click the "x" for the solved notification message and then click "Checkout"
All done! No, not really
Click the back button in Firefox to return to the Juice Shop
Well, now we're going to have to get to work and bust out some tools to help us. We can use the Firefox (ideally Chrome) Developer Tools to help us solve some challenges, but we're going to need a bigger boat: an intercepting proxy (OWASP ZAP) and an API client (Postman).
On the OWASP ZAP wiki Downloads page, scroll down a little and click "Download now" for the "Linux Installer" option
Click "Save file" and click "Ok"
Go to your Downloads folder to see the ZAP and Postman downloads
Right click on "Postman..." and click "Open with Archive Manager"
Click "Extract"
Click "Extract"
Click "Close" when the extraction finishes
Close Archive Manager
Move the tar.gz of Postman into the Postman folder
Open a new Terminal application (since our first one is running Juice Shop)
In Terminal, type in, "cd Downloads" and press Enter
Let's see our contents; In Terminal, type in "ls -l" and press Enter
We don't have execute permission on the ZAP installer. Let's give our own user that permission, and nothing more.
In Terminal, type in "chmod u+x ZAP_2_7_0_unix.sh". Resist the temptation to use a mode like 577 or 777 here: that makes the installer group- and world-writable, and a script that any local user can edit is exactly the wrong thing to hand to sudo in the next step.
In Terminal, type in "ls -l"
Let's run the ZAP installer; In Terminal, type in "./ZAP_2_7_0_unix.sh"
We get an error when we run it as our user account saying that we need to be root. In Terminal, type in "sudo ./ZAP_2_7_0_unix.sh" and enter your own password when prompted (on a default sudo configuration, sudo asks for the invoking user's password, not root's). Before you do, it is worth comparing the installer's checksum against the one published on the ZAP download page, since you are about to run it as root.
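The permission fix above is the kind of thing worth wrapping in a small check, because the very next step runs the file as root. The following POSIX shell snippet is an added example, not code from the original post or from the ZAP project: it adds the owner execute bit, strips any group/world write bits, and refuses to pass the installer to sudo if anyone other than the owner could still modify it. The file name in the usage comment is the one from this post; everything else is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post): make a downloaded installer
# runnable by its owner only, and refuse to hand a group- or world-writable
# file to sudo. File names in the usage comment are assumptions.

# Print the last three octal permission digits of a file, e.g. 744.
perm_bits() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Lp' "$1")
    printf '%s' "$m" | tail -c 3
}

# Succeed only if the owner can execute the file and nobody else can write it.
check_installer() {
    f="$1"
    [ -f "$f" ] || { echo "check_installer: no such file: $f" >&2; return 1; }
    p=$(perm_bits "$f")
    o=${p%??}; rest=${p#?}; g=${rest%?}; w=${rest#?}
    if [ $((o & 1)) -eq 0 ]; then
        echo "$f: owner has no execute bit" >&2
        return 1
    fi
    if [ $((g & 2)) -ne 0 ] || [ $((w & 2)) -ne 0 ]; then
        echo "$f: group/world writable, refusing to run it with sudo" >&2
        return 1
    fi
    return 0
}

# Fix the mode the safe way: add owner execute, strip group/world write.
# (chmod 577 would have widened the mode instead of narrowing it.)
prep_installer() {
    f="$1"
    [ -f "$f" ] || { echo "prep_installer: no such file: $f" >&2; return 1; }
    chmod u+x,go-w "$f" && check_installer "$f"
}

# Run the installer as root only after the check passes.
run_installer() {
    check_installer "$1" && sudo "$1"
}

# Usage (from the Downloads directory):
#   prep_installer ZAP_2_7_0_unix.sh && run_installer ./ZAP_2_7_0_unix.sh
```

The check looks at the current mode rather than at who downloaded the file, so it also catches an installer that was extracted with a sloppy umask or copied from a shared directory.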
Click "Next" in the installer
Review, accept the license, and click "Next"
Let's go "Custom" to see what options we have and click "Next"
Leave the path as default and click "Next"
Leave the symlinks path as default and click "Next"
Desktop icons are fun, click "Next"
I checked the option for "Automatically download new ZAP releases" and left everything else checked. Click "Next"
Install!
Click "Finish"
Go back to the second Terminal window that is in our Downloads directory
"cd" into the "Postman" directory
If we do "ls -l" in the Postman directory, we can see the Postman binary. Let's launch it.
In Terminal, type in, "./Postman"
PC Load Letter? In plain terms: Postman won't start because a shared library it links against, libXss.so.1, is not installed on the VM.
Let's find out what package provides this missing shared object. In Terminal, type in "yum whatprovides libXss.so.1".
We can see that libXScrnSaver provides this shared object (on a 64-bit VM, make sure it is the x86_64 package that gets installed). In Terminal, type in "yum install libXScrnSaver". NOPE, installing packages needs root. In Terminal, type in "sudo yum install libXScrnSaver".
Go through the prompts of the install
Let's try this again, in Terminal, type in, "./Postman" and press Enter
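Electron apps like Postman ship a lot of native libraries, so this is rarely the only one that can go missing. Instead of fixing them one crash at a time, ask the loader up front. The snippet below is an added example, not code from the original post or from Postman: it runs ldd on a binary, pulls out every library marked "not found", and prints the yum query that names the providing package. The 64-bit spelling "libXss.so.1()(64bit)" is how yum advertises x86_64 libraries; the binary path and the sample ldd output used in testing are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): list every shared library an
# ELF binary wants but the system lacks, and print the yum query for each.
# Binary path and sample ldd output are assumptions.

# Read ldd output on stdin; print one missing library name per line.
# ldd prints missing entries as "libfoo.so.1 => not found".
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd on a binary and list its missing libraries.
missing_libs() {
    ldd "$1" | missing_from_ldd
}

# For each library name on stdin, print the yum command that finds its
# package. The x86_64 package advertises the capability as
# "libXss.so.1()(64bit)", so query both spellings at once.
yum_queries() {
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        printf "yum whatprovides '%s' '%s()(64bit)'\n" "$lib" "$lib"
    done
}

# Usage:
#   missing_libs ./Postman | yum_queries
# then install whatever the query reports, e.g.
#   sudo yum install libXScrnSaver
```

Run it again after each install until missing_libs prints nothing; ldd only reports direct and transitive dependencies of the main binary, so libraries Postman loads at runtime with dlopen can still surprise you.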
Yay! Postman works!
To go further, you can sign in with a Postman account if you have one, sign up for one, or just skip this step for now. I'm going to skip this for now.
You can choose to keep this helpful window on each launch; Go ahead and click the "x" in the upper right hand corner.
Postman works, you can close this for now
Go to Applications > Other and you should see "OWASP ZAP" in here
Click on "OWASP ZAP" to launch it
ZAP will load up and give you options of how you want to persist your sessions. Since this was just a test run to make sure the app runs, choose "No" and click "Start"
Close ZAP
That's all I have planned for this post! The next post will actually do something! :)