Viviry Tech | INFOSEC encyclopedia: February 2018

The OWASP Juice Shop project is great to learn about web app vulnerabilities and how to exploit them. I gave an introduction to web app hacking with the OWASP Juice Shop last year at BSides Iowa which you can see here. The YouTube link discussed web app hacking 101 and demonstrated how to exploit the easier challenges. The intent of these posts and upcoming talk are to skip ahead to the end and tackle more difficult challenges like deserialization. Without further ado, let's go!

Log into the JuiceShop VM

Go to Applications and launch Firefox

In Firefox, browse to http://127.0.0.1:3000

As you can see, this application runs on demand and is not up

Go to Applications and launch Terminal

In Terminal, browse to the location of the Juice Shop (e.g. Downloads/js624)

Now we need to start up the Juice Shop, in Terminal type in, "npm start"

Go back to Firefox and refresh the page

Now that the Juice Shop is up, let's create an account. Click "Login".

On the login page, click "Not yet a customer?"

Fill in the details for a user account and click "Register". You can have Firefox remember your login details.

Log into Juice Shop with your newly created account

Now that we're logged in, we have more options at the top. Let's get the score board and see our list of challenges. Normally you would find this by looking at the source code of the main page, or any number of methods to find this page.

In Firefox, browse to http://127.0.0.1:3000/#/score-board

We can see we have solved a challenge!

You can see the list of challenges and there are 9 one-star challenges, only 8 to go! If you scroll down, you'll see there aren't any more challenges!

At the top, click the blue buttons to make the rest of them darker. That'll reveal the rest of the challenges in this build.

If we scroll to the bottom with the 5-start challenges, we can see what we came for, the RCE Tier 1 challenge. This is a deserialization attack, but without clicking "unsolved" to get hints, let's walk through the app and see how this all works.

Scroll to the top and click on the OWASP Juice Shop logo

Click on the cart sign for "Apple Juice" to add this to our cart

Click "Your basket" at the top

Click the "x" for the solved notification message and then click "Checkout"

All done! No, not really

Click the back button in Firefox to return to the Juice Shop

Well, now we're going to have to get to work and bust out some tools to help us. We can use the Firefox (ideally Chrome) Developer Tools to help us solve some challenges, but we're going to need a bigger boat.

Open a new tab in Firefox

Browse to https://www.getpostman.com

Click "Linux" and choose "x64"

Click "Save file" and click "Ok"

Open a new tab in Firefox

Browse to https://github.com/zaproxy/zaproxy

Scroll down and click "Download ZAP"

In the wiki Downloads page, scroll down a little and click "Download now" for the "Linux Installer" option

Click "Save file" and click "Ok"

Go to your Downloads folder to see the ZAP and Postman downloads

Right click on "Postman..." and click "Open with Archive Manager"

Click "Extract"

Click "Extract"

Click "Close" when the extraction finishes

Close Archive Manager

Move the tar.gz of Postman into the Postman folder

Open a new Terminal application (since our first one is running Juice Shop)

In Terminal, type in, "cd Downloads" and press Enter

Let's see our contents; In Terminal, type in "ls -l" and press Enter

We don't have execute permissions to run the ZAP installer. Let's give ourselves permissions.

In Terminal, type in "chmod 577 ZAP_2_7_0_unix.sh"

In Terminal, type in "ls -l"

Let's run the ZAP installer; In Terminal, type in "./ZAP_2_7_0_unix.sh"

We get an error when we run it as our user account saying that we need to be root. In Terminal, type in "sudo ./ZAP_2_7_0_unix.sh" and enter root's password

Click "Next" in the installer

Review, accept the license, and click "Next"

Let's go "Custom" to see what options we have and click "Next"

Leave the path as default and click "Next"

Leave the symlinks path as default and click "Next"

Desktop icons are fun, click "Next"

I checked the option for "Automatically download new ZAP releases" and left everything else checked. Click "Next"

Install!

Click "Finish"

Go back to the second Terminal window that is in our Downloads directory

"cd" into the "Postman" directory

If we do "ls -l" in the Postman directory, we can see the Postman binary. Let's launch it.

In Terminal, type in, "./Postman"

PC Load Letter?

Let's find out what can provide this missing shared object. In Terminal, type in "yum whatprovides libXss.so.1".

We can see that libXScrnSaver will provide this shared object. In Terminal, type in "yum install libXScrnSaver". NOPE. In Terminal, type in, "sudo yum install libXScrnSaver".

Go through the prompts of the install

Let's try this again, in Terminal, type in, "./Postman" and press Enter

Yay! Postman works!

To go further, you can sign in with a Postman account if you have one, sign up for one, or just skip this step for now. I'm going to skip this for now.

You can choose to keep this helpful window on each launch; Go ahead and click the "x" in the upper right hand corner.

Postman works, you can close this for now

Go to Applications > Other and you should see "OWASP ZAP" in here

Click on "OWASP ZAP" to launch it

ZAP will load up and give you options of how you want to persist your sessions. Since this was just a test run to make sure the app runs, choose "No" and click "Start"

Close ZAP

That's all I have planned for this post! The next post will actually do something! :)

On Feb 16th, I'm going to present a discussion of deserialization attacks in a JavaScript based web application at the OWASP Omaha chapter meeting. My slides will cover a lot of the material below, but I won't spend too much time per slide. The purpose of these blog entries will be to show each step of the way as a reference for the upcoming talk.

We will start with preparing the environment. We're going to use CentOS 7 for the OS and the OWASP Juice Shop project for the web app to exploit. This series assumes you already have VirtualBox installed, but I would imagine that VMware would also work fine as well.

Go to the downloads page for CentOS here

Click on "DVD ISO" and download the ISO which should automatically pick a download mirror closest to you. At the time of this writing, CentOS 7, x86_64 1708 was used.

Start VirtualBox and click "New"

Type in "JuiceShop" as the name, change the type to "Linux", and select "Red Hat (64-bit)" as the Version.

Click "Continue"

Change the RAM to 2048 (or higher if you can) and click "Continue"

Leave the default option of "Create ..." and click "Continue"

Leave the default option of "VDI" and click "Continue"

Leave the default option of "Dynamic" and click "Continue"

Change the hard drive size to 30GB and click "Create"

Click "Settings" for JuiceShop

On the "General" tab, click "Advanced", and change both "Shared Clipboard" and "Drag n drop" to "Bidirectional"

On the "System" tab, click "Processor", and increase the number of CPUs up to 2 if possible

On the "Storage" tab, click "Empty" under "Controller: IDE", and click the CD icon

Click "Choose Virtual Optical Disk File"

Select the ISO from step 2

Click Ok

Click "Start" on the JuiceShop VM

Press the up arrow to select "Install CentOS 7" and press Enter

Once the GUI install screen appears, select the appropriate language and click "Continue"

Let's start with configuring the system from the top. Click "Date & Time".

Change the timezone as appropriate and click "Done"

Click "Software Selection"

Choose "GNOME Desktop", check "Development Tools", and click "Done"

Click "Installation Destination"

Review the disk options and click "Done" when complete

Click "Network & Host Name"

Click "Configure"

Click "General"

Check "Automatically connect..."

Click "Save"

The ethernet adapter should now have automatically flipped to "On"

Click "Done"

Click "Begin Installation"

While the system begins installation, you get the option to set a root password and a user. Click "Root password".

Set a root password and click "Done"

Click "User creation"

Set the full name, user name (should automatically populate), check the box for "Make this user administrator", and matching passwords. When done, click "Done".

Wait for the installation process to finish

Click "Reboot"

Once you're back into the GUI configuration screen, click "License information"

Review the EULA, check the box to accept the terms, and click "Done"

Click "Finish configuration"

Log into the system!

In the gnome-initial-setup screen, choose your language and click "Next" in the upper right

Review the keyboard selection and click "Next"

Review the privacy option and click "Next"

Connect accounts that'd you like and click "Skip" if you choose none of them

Click "Start using CentOS Linux"

Review the help information and close when finished

Move the mouse cursor to the top left of the screen to "Applications"

Click "Applications" and click on "Terminal"

In Terminal, type in, "sudo yum update" and press Enter. Review the warning, enter your password, and press Enter.

I had an issue with PackageKit locking yum in two different instances. Move the cursor to the top right of the screen, click the power icon, and click on the "Power button" icon.

Click "Restart"

Enter the password and click "Authenticate". The system will be rebooted.

Log back in!

Open up a Terminal client (Applications > Favorites > Terminal)

Type in, "sudo yum update", press Enter, enter in your password, and press Enter

A bunch of text will scroll by, eventually it'll stop asking if you want to download updates. Type in, "y" and press Enter.

Next you may get a prompt to update a key. Type in "y" at the prompt and press Enter.

Once that completes, move the mouse to the upper right, click on the power icon, and click the wrenches

Click "Power"

Click the dropdown for "Power Saving" and change it to "Never"

Click the back button to go to the previous screen

Click "Privacy"

Click on "Screen Lock"

Click on "On" to turn it off

Click on the "x" to close out

Click on the "x" to close out of Privacy

We now want to install the VirtualBox Guest Additions. If you click out of the VM (pressing Right Control in Windows or Left Command in macOS), you get options for the VM if you click the title bar of the VM window. These instructions are based on Mac, so click on "Devices" at the top and select, "Insert Guest Additions CD image".

In your VM, you should see a CD icon automatically popup and an auto-run box asking if you want to run the software. Click "Run".

Enter in your password and click "Authenticate" or press Enter

If all goes well, you'll be able to freely move your mouse in and out of the VM. Yay! Press the Enter key.

We now need the Node.js package manager to run the Juice Shop. If we type in "npm" at the prompt, we see that it's not installed.

We will refer to these official instructions from Node to install what we need

In Terminal, type in, "curl --silent --location https://rpm.nodesource.com/setup_9.x | sudo bash -" and press Enter

Enter in your password and it should do it's magic

Like the instructions on the website and in the window, we need to now install node v9. We are using v9 since that is what is officially recommended by Juice Shop as the preferred version.

In Terminal, type in, "sudo yum install -y nodejs" and press Enter

It should complete pretty fast! We now have nodejs v9.5 installed at the time of this writing.

Now we need to get the latest version of the OWASP Juice Shop. In our VM, go to Applications and open up Firefox.

In Firefox, browse to https://github.com/bkimminich/juice-shop

You should see a "releases" link. At the time of this writing, there are 106 releases. Click on that.

We want the latest linux, x64, node9 package. In this case, its juice-shop-6.4.2_node9_linux_x64.tgz. Click on that.

Click on "Save File" and click "Ok"

Once it's done, Firefox should show you a helpful mini-window and a folder icon so you can browse to where the file was saved. Click on the folder icon.