Monday, February 12, 2018

OWASP Omaha Feb 2018 - 001 - Deserialization with the JS for the lulz

On Feb 16th, I'm going to present a discussion of deserialization attacks in a JavaScript based web application at the OWASP Omaha chapter meeting. My slides will cover a lot of the material below, but I won't spend too much time per slide. The purpose of these blog entries will be to show each step of the way as a reference for the upcoming talk.

We will start with preparing the environment. We're going to use CentOS 7 for the OS and the OWASP Juice Shop project for the web app to exploit. This series assumes you already have VirtualBox installed, but I would imagine that VMware would work fine as well.

  1. Go to the downloads page for CentOS here

  2. Click on "DVD ISO" and download the ISO; the site should automatically pick the download mirror closest to you. At the time of this writing, CentOS 7, x86_64 1708 was used.

  3. Start VirtualBox and click "New"

  4. Type in "JuiceShop" as the name, change the type to "Linux", and select "Red Hat (64-bit)" as the Version.

  5. Click "Continue"

  6. Change the RAM to 2048 (or higher if you can) and click "Continue"

  7. Leave the default option of "Create ..." and click "Continue"

  8. Leave the default option of "VDI" and click "Continue"

  9. Leave the default option of "Dynamic" and click "Continue"

  10. Change the hard drive size to 30GB and click "Create"

  11. Click "Settings" for JuiceShop

  12. On the "General" tab, click "Advanced", and change both "Shared Clipboard" and "Drag n drop" to "Bidirectional"

  13. On the "System" tab, click "Processor", and increase the number of CPUs up to 2 if possible

  14. On the "Storage" tab, click "Empty" under "Controller: IDE", and click the CD icon

  15. Click "Choose Virtual Optical Disk File"

  16. Select the ISO from step 2

  17. Click Ok

  18. Click "Start" on the JuiceShop VM

  19. Press the up arrow to select "Install CentOS 7" and press Enter

  20. Once the GUI install screen appears, select the appropriate language and click "Continue"

  21. Let's start with configuring the system from the top. Click "Date & Time".

  22. Change the timezone as appropriate and click "Done"

  23. Click "Software Selection"

  24. Choose "GNOME Desktop", check "Development Tools", and click "Done"

  25. Click "Installation Destination"

  26. Review the disk options and click "Done" when complete

  27. Click "Network & Host Name"

  28. Click "Configure"

  29. Click "General"

  30. Check "Automatically connect..."

  31. Click "Save"

  32. The ethernet adapter should now have automatically flipped to "On"

  33. Click "Done"

  34. Click "Begin Installation"

  35. While the system begins installation, you get the option to set a root password and a user. Click "Root password".

  36. Set a root password and click "Done"

  37. Click "User creation"

  38. Set the full name, user name (should automatically populate), check the box for "Make this user administrator", and matching passwords. When done, click "Done".

  39. Wait for the installation process to finish

  40. Click "Reboot"

  41. Once you're back into the GUI configuration screen, click "License information"

  42. Review the EULA, check the box to accept the terms, and click "Done"

  43. Click "Finish configuration"

  44. Log into the system!

  45. In the gnome-initial-setup screen, choose your language and click "Next" in the upper right

  46. Review the keyboard selection and click "Next"

  47. Review the privacy option and click "Next"

  48. Connect accounts that'd you like and click "Skip" if you choose none of them

  49. Click "Start using CentOS Linux"

  50. Review the help information and close when finished

  51. Move the mouse cursor to the top left of the screen to "Applications"

  52. Click "Applications" and click on "Terminal"

  53. In Terminal, type in, "sudo yum update" and press Enter. Review the warning, enter your password, and press Enter.

  54. I had an issue with PackageKit locking yum in two different instances. Move the cursor to the top right of the screen, click the power icon, and click on the "Power button" icon.

  55. Click "Restart"

  56. Enter the password and click "Authenticate". The system will be rebooted.

  57. Log back in!

  58. Open up a Terminal client (Applications > Favorites > Terminal)

  59. Type in, "sudo yum update", press Enter, enter in your password, and press Enter

  60. A bunch of text will scroll by, eventually it'll stop asking if you want to download updates. Type in, "y" and press Enter.

  61. Next you may get a prompt to update a key. Type in "y" at the prompt and press Enter.

  62. Once that completes, move the mouse to the upper right, click on the power icon, and click the wrenches

  63. Click "Power"

  64. Click the dropdown for "Power Saving" and change it to "Never"

  65. Click the back button to go to the previous screen

  66. Click "Privacy"

  67. Click on "Screen Lock"

  68. Click on "On" to turn it off

  69. Click on the "x" to close out

  70. Click on the "x" to close out of Privacy

  71. We now want to install the VirtualBox Guest Additions. If you click out of the VM (pressing Right Control in Windows or Left Command in macOS), you get options for the VM if you click the title bar of the VM window. These instructions are based on Mac, so click on "Devices" at the top and select, "Insert Guest Additions CD image".

  72. In your VM, you should see a CD icon automatically popup and an auto-run box asking if you want to run the software. Click "Run".

  73. Enter in your password and click "Authenticate" or press Enter

  74. If all goes well, you'll be able to freely move your mouse in and out of the VM. Yay! Press the Enter key.

  75. We now need Node.js (and npm, the package manager that ships with it) to run the Juice Shop. If we type in "npm" at the prompt, we see that it's not installed.

  76. We will refer to these official NodeSource instructions to install what we need

  77. In Terminal, type in, "curl --silent --location https://rpm.nodesource.com/setup_9.x | sudo bash -" and press Enter. Be aware of what this does: it feeds a script fetched over the network straight into a root shell. That is acceptable on a throwaway lab VM, but anywhere else, save it first ("curl -o setup_9.x https://rpm.nodesource.com/setup_9.x"), read it, and only then run it with "sudo bash setup_9.x".

  78. Enter in your password and it should do its magic: the script adds the NodeSource yum repository and imports its signing key.

  79. As the instructions on the website and the message at the end of the script both say, we now need to install Node v9. We are using v9 since that is what is officially recommended by Juice Shop as the preferred version.

  80. In Terminal, type in, "sudo yum install -y nodejs" and press Enter

  81. It should complete pretty fast! Confirm with "node --version"; at the time of this writing this gave Node.js v9.5.

  82. Now we need to get the latest version of the OWASP Juice Shop. In our VM, go to Applications and open up Firefox.

  83. In Firefox, browse to https://github.com/bkimminich/juice-shop

  84. You should see a "releases" link. At the time of this writing, there are 106 releases. Click on that.

  85. We want the latest linux, x64, node9 package. In this case, it's juice-shop-6.4.2_node9_linux_x64.tgz; the "node9" in the name has to match the major version we installed in step 80. Click on that.

  86. Click on "Save File" and click "Ok"

  87. Once it's done, Firefox should show you a helpful mini-window and a folder icon so you can browse to where the file was saved. Click on the folder icon.

  88. Right click on the archived file and click "Open With Archive Manager"

  89. Click on "Extract"

  90. Click on the new folder icon

  91. Give the new folder some kind of meaningful name. I chose, "js642". After you enter in a name, click "Create"

  92. Click on "Extract"

  93. Click "Close"

  94. "X" out of the Archive Manager

  95. You can close the file browser window now too along with Firefox

  96. Go back to the Terminal window

  97. Change into the folder we extracted the Juice Shop contents into ("cd" followed by the path to the "js642" folder from step 91)

  98. Type in, "npm start" and press Enter. If all goes well, the output ends with the Juice Shop listening on port 3000! Leave this Terminal open; closing it or pressing Ctrl+C stops the server.

  99. Open up Firefox, and browse to http://127.0.0.1:3000

  100. Welcome to the OWASP Juice Shop!
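
The same Node.js and Juice Shop steps (75 through 98) as a shell script, added here as an example; it is not from the original post and not part of the Juice Shop project. The difference from the click-through above is that the NodeSource setup script is saved to disk, hashed and read before it is handed to a root shell, and the installed Node major version is checked against the one the release was built for. It assumes, which the post does not state, that release assets follow the juice-shop-<version>_node<major>_linux_x64.tgz naming from step 85, that the GitHub release tag is v<version>, that the tarball unpacks into one top-level directory, and that the network is reachable when the install function runs.

```shell
#!/bin/sh
# Added example (not part of the original post): steps 75-98 replayed
# non-interactively, with the NodeSource setup script saved to disk and
# reviewed rather than piped straight into "sudo bash".
# Assumed, not stated in the post: the release asset name follows the
# juice-shop-<version>_node<major>_linux_x64.tgz pattern from step 85, the
# GitHub tag is v<version>, the tarball unpacks into a single top-level
# directory, and network access is available when install_juice_shop runs.
set -e

NODE_SETUP_URL="https://rpm.nodesource.com/setup_9.x"
JUICE_VERSION="6.4.2"
NODE_MAJOR_WANTED="9"
INSTALL_DIR="$HOME/js642"          # the folder name chosen in step 91

# Save a remote shell script to a file and print its SHA-256 so the copy that
# is reviewed is the copy that later runs. Refuses an empty download.
fetch_setup_script() {
    url="$1"; out="$2"
    curl --silent --location --fail -o "$out" "$url"
    [ -s "$out" ] || { echo "empty download from $url" >&2; return 1; }
    sha256sum "$out"
}

# Run an already-reviewed script as root. The runner is a variable so a dry
# run (RUN_AS_ROOT="sh -n") or a test can stand in for "sudo bash".
run_reviewed_script() {
    ${RUN_AS_ROOT:-sudo bash} "$1"
}

# Major version from "node --version" output such as "v9.5.0" -> 9.
node_major() {
    printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\..*/\1/p'
}

# True when the installed Node major matches what the release was built for.
node_matches() {
    [ "$(node_major "$1")" = "$2" ]
}

# Release asset name as shown in step 85: juice-shop-6.4.2_node9_linux_x64.tgz
juice_asset() {
    printf 'juice-shop-%s_node%s_linux_x64.tgz\n' "$1" "$2"
}

install_juice_shop() {
    tmp=$(mktemp -d)
    fetch_setup_script "$NODE_SETUP_URL" "$tmp/setup_node.sh"
    less "$tmp/setup_node.sh"                 # read it before it runs as root
    run_reviewed_script "$tmp/setup_node.sh"  # adds the NodeSource yum repo
    sudo yum install -y nodejs
    ver=$(node --version)
    node_matches "$ver" "$NODE_MAJOR_WANTED" ||
        { echo "installed $ver, but the release expects Node $NODE_MAJOR_WANTED" >&2; return 1; }
    asset=$(juice_asset "$JUICE_VERSION" "$NODE_MAJOR_WANTED")
    curl --silent --location --fail -o "$tmp/$asset" \
        "https://github.com/bkimminich/juice-shop/releases/download/v$JUICE_VERSION/$asset"
    mkdir -p "$INSTALL_DIR"
    tar -xzf "$tmp/$asset" -C "$INSTALL_DIR"
    cd "$INSTALL_DIR"/*/ && npm start         # listens on port 3000
}

# Usage: sh juice-setup.sh install
if [ "${1:-}" = "install" ]; then
    install_juice_shop
fi
```

Running it with the "install" argument performs the whole sequence; without arguments it only defines the functions, so the version and naming helpers can be sourced and checked on their own. If the major version check fails, install the Node line the release name asks for rather than grabbing a different release, since the packaged native modules are built for that major.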


Tuesday, February 6, 2018

OSCP Journey 002 - Assessing Kioptrix Level 1

Now that we have the Kioptrix Level 1 VM up and ready, let's see what we have! Ensure that both the Kali VM and Kioptrix Level 1 VM are up and running. I first booted up the Kali VM and then booted up the Kioptrix VM. That order has helped me with the IP address distribution below and in future posts.

Assessment go!
  1. Log into the Kali VM

  2. Open a terminal window and let's verify that we cannot connect to the internet

  3. In Terminal, type in "ping www.msn.com" and press the Enter key. Ping keeps going until you press Ctrl+C.

  4. A failure to resolve the name, or no replies at all, is good enough to verify we can't get out: a host-only network connects the VMs to each other and to the host, and nothing else. Let's see our IP configuration.

  5. In Terminal, type in "ifconfig" and press the Enter key

  6. When we set up the host-only network configuration in VirtualBox, we could see that the IP addresses would automatically start at .3. It appears that our Kali box has the first IP address from the DHCP pool on the "eth0" adapter.

  7. Let's use netdiscover to see if that can pick up any hosts in our network. It works by ARP, so it finds hosts even when they don't answer ping. Note: Your results may vary depending on what else you've configured to run in the host-only network.

  8. In Terminal, type in "netdiscover" and press the Enter key. To restrict it to our network instead of letting it sweep every common private range, use "netdiscover -i eth0 -r 192.168.56.0/24" (substitute the range shown by ifconfig).

  9. The command will enumerate IP ranges and eventually we should find the Kioptrix Level 1 VM!

  10. We can correlate the Kioptrix VM with the IP address based on the MAC address. This is why we needed to note that MAC address from the previous post! Every VirtualBox guest gets a MAC beginning with 08:00:27, so the vendor column alone won't tell two VMs apart; compare the full address.

  11. Let's use another tool to further investigate Kioptrix. We're going to use Zenmap.

  12. In terminal, type in "zenmap" and press the Enter key

  13. This will launch the GUI front-end for the nmap tool.

  14. We can see default options are already set for us. Let's configure Zenmap to scan Kioptrix.

  15. In Zenmap, enter in "192.168.56.5" for the Target (the address netdiscover matched to the Kioptrix MAC; yours may differ), and change the Profile to "Intense scan, all TCP ports". The Command field updates to show what will actually run: "nmap -p 1-65535 -T4 -A -v 192.168.56.5", i.e. every TCP port, with OS and version detection, default scripts and traceroute (-A).

  16. Click the "Scan" button

  17. Depending on a few factors, the scan of the host could take from one to several minutes. The scan I performed took about 5 minutes to finish. However, you'll quickly see preliminary results based on the different phases of the scan.

  18. Once the scan finishes, you'll see various points of interest from the scan results. In the first part of the scan results we can see open ports on the Kioptrix VM.

  19. Here's a quick breakdown of the results and why we care:
    1. Port 22 - SSH; the banner gives the OpenSSH version, which can point to a vulnerable build
    2. Port 80 - HTTP; the Server header usually reveals the Apache version and the OS distribution, and the site itself is an attack surface
    3. Port 111 - the portmapper (rpcbind); "rpcinfo -p 192.168.56.5" lists the RPC programs registered on the host and the ports they were given
    4. Port 139 - NetBIOS session service, i.e. SMB file sharing; the server software and version (Samba, as we'll see) are a classic target
    5. Port 443 - HTTPS; the same web server, plus its certificate and SSL/TLS configuration
    6. Port 32768 - a dynamically assigned high port; on an older Linux host this is typically an RPC service (rpc.statd, for example) that the portmapper on 111 knows about, so check it against the rpcinfo output rather than guessing

  20. Let's keep scrolling

  21. This scan helped further identify the services behind the ports and interesting tidbits of information

  22. On the left, click "Services"

  23. This view provides a quick interface to each service and further information

  24. Click on "http" to see more information about the version of Apache and the identification of Red Hat (both taken from the Server header)

  25. Scrolling to the right reveals more info

  26. Click on "netbios-ssn" to reveal Samba is being used for SMB

  27. Click on "ssh" to show information about OpenSSH

  28. Let's save our scan results for future reference

  29. Click "Scan" at the top and click "Save Scan"

  30. Let's name the results "Kioptrix Level 1" and save it in the Documents folder. But, you can save it wherever you want!

  31. Let's take a quick peek at what's running!

  32. Open Firefox

  33. In Firefox, open a new tab/window, type in 192.168.56.5, and press Enter

  34. You should see the default page for an Apache install (albeit pretty old) on port 80

  35. If we type in https://192.168.56.5 in Firefox, we'll get a warning about insecure SSL settings (e.g. an expired self-signed certificate).

  36. Click "Advanced"

  37. Add in the exception by clicking on "Add Exception"

  38. Click on "Confirm Security Exception"

  39. We see the same default install page for Apache, but on port 443

Now that we have a basic enumeration of the system done, the next post will use more tools to identify more information about each service and we will exploit it.
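
The enumeration above, done from saved scan output instead of by scrolling in Zenmap, added here as an example that is not part of the original post. The two sample files are constructed inside the script to mimic netdiscover's table and nmap's greppable (-oG) format for the six ports in step 19; they are not real captures, and the service names are only those the post itself mentions. Re-running the Zenmap profile with an output prefix, "nmap -p 1-65535 -T4 -A -v -oA kioptrix1 192.168.56.5", writes a real kioptrix1.gnmap in this format alongside the XML that Zenmap saves.

```shell
#!/bin/sh
# Added example, not from the original post: match the Kioptrix MAC to its
# DHCP lease in netdiscover output, then pull the open ports and versions out
# of nmap's greppable (-oG) output. Both sample files below are constructed
# here to look like those tools' output; they are not real captures.
set -e

SAMPLE_DIR=$(mktemp -d)

# netdiscover table (constructed). 0a:00:27:00:00:00 is the host side of
# vboxnet0; 08:00:27 is the OUI VirtualBox assigns to guest NICs.
printf ' %-15s %-18s %6s %6s  %s\n' \
    'IP' 'At MAC Address' 'Count' 'Len' 'MAC Vendor / Hostname' \
    '192.168.56.1' '0a:00:27:00:00:00' '1' '60' 'Unknown vendor' \
    '192.168.56.5' '08:00:27:ab:cd:ef' '1' '60' 'PCS Systemtechnik GmbH' \
    > "$SAMPLE_DIR/netdiscover.txt"

# nmap -oG output (constructed). Sections are tab separated; each port entry
# is port/state/proto/owner/service/rpcinfo/version/ and entries are comma
# separated. 65529 = 65535 - 6 closed ports.
printf 'Host: 192.168.56.5 ()\tStatus: Up\n' > "$SAMPLE_DIR/kioptrix1.gnmap"
printf 'Host: 192.168.56.5 ()\tPorts: %s\tIgnored State: closed (65529)\n' \
    '22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, 111/open/tcp//rpcbind//, 139/open/tcp//netbios-ssn//Samba smbd/, 443/open/tcp//ssl|http//Apache httpd/, 32768/open/tcp//status//' \
    >> "$SAMPLE_DIR/kioptrix1.gnmap"

# Print the IP that a given MAC (any case) holds in saved netdiscover output.
# Only rows whose second column looks like a MAC are considered, so the header
# line is skipped. Prints nothing when the MAC is absent.
ip_for_mac() {   # $1 = netdiscover output file, $2 = MAC address
    awk -v mac="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$2 ~ /^[0-9a-fA-F:]+$/ && tolower($2) == mac { print $1; exit }' "$1"
}

# Print "port/proto service [version]" for every open port in a -oG file.
open_ports() {   # $1 = nmap greppable output file
    awk -F'\t' '
        /Ports:/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, ent, /, */)
                for (j = 1; j <= n; j++) {
                    split(ent[j], f, "/")
                    if (f[2] == "open")
                        printf "%s/%s %s%s\n", f[1], f[3], f[5], (f[7] == "" ? "" : " " f[7])
                }
            }
        }' "$1"
}

# Exit status 0 when the given port number is open in the -oG file.
has_port() {     # $1 = nmap greppable output file, $2 = port number
    open_ports "$1" | awk -v p="$2" -F'[/ ]' '$1 == p { found = 1 } END { exit !found }'
}

# Ports above 32767 are dynamically assigned; with 111 open they are usually
# RPC services, so list them for a follow-up "rpcinfo -p <target>".
high_ports() {   # $1 = nmap greppable output file
    open_ports "$1" | awk -F'[/ ]' '$1 > 32767 { print $1 }'
}

kioptrix_ip=$(ip_for_mac "$SAMPLE_DIR/netdiscover.txt" 08:00:27:ab:cd:ef)
echo "Kioptrix Level 1 is at $kioptrix_ip; open ports:"
open_ports "$SAMPLE_DIR/kioptrix1.gnmap"
echo "high ports to resolve with rpcinfo -p $kioptrix_ip: $(high_ports "$SAMPLE_DIR/kioptrix1.gnmap" | tr '\n' ' ')"
```

Point ip_for_mac at a real "netdiscover -r 192.168.56.0/24 > netdiscover.txt" capture and the MAC noted in the previous post, and open_ports at the .gnmap file from the -oA run, and you get the same list Zenmap's "Services" view shows, in a form you can diff between scans.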

Wednesday, January 31, 2018

OSCP Journey 001 - VM prep for Kioptrix Level 1

One of my goals for 2018 is to get the OSCP and OSCE certifications. I have been looking at OSCP study guides and getting a feel of what to review before signing up for the certification. With that, I’ve seen multiple guides (Jaspher, abatchy, and Andrew Hilton) with suggestions for vulnerable virtual machines that are similar to the OSCP labs. I’ll be going through the list like the guide from Jaspher and honing the skills I need for the PWK/OSCP, starting with Kioptrix Level 1.

Here’s what we’ll need for this post:
  1. VirtualBox installed (I'm using 5.2.6)
  2. Kali (or another machine with similar tools)
  3. Kioptrix Level 1 VM
For Kali, I’m going to assume you’ve already got that set up and it’s fully up to date (e.g. sudo apt-get update; sudo apt-get upgrade). Next we will set up our internal network that only our virtual machines can use.

VirtualBox internal network setup:
  1. In VirtualBox, click “File” and select “Host Network Manager”.
  2. Click “Create”
  3. Click the checkbox next to “Enable” for DHCP Server
  4. Click “Close”

Kali VM prep:

After you’ve updated the VM with all of the updates and made sure it’s ready to go, open its “Settings”, go to “Network”, change “Attached to” to “Host-only Adapter” (pointing at the host-only network created above) and click “Ok”

Kioptrix VM prep:
  1. Download the Kioptrix Level 1 virtual machine from here

  2. Extract the VM contents to produce the virtual disk file, “Kioptrix Level 1.vmdk”, which we will attach to a new VM below

  3. In VirtualBox, click “New”

  4. Set the name of the VM to "Kioptrix Level 1", change the type to “Linux”, change the version to “Other Linux (32-bit)”, and click “Continue”

  5. Change the memory to 1024 (if possible with your system constraints) and click “Continue”

  6. Choose “Do not add a virtual hard disk” and click “Create”

  7. Click “Continue” at the warning. We’re going to add the hard disk very soon.

  8. Click “Settings” with the “Kioptrix Level 1” VM selected

  9. Click “Storage” at the top.

  10. You should only see “Controller: IDE” in here. We need to add the hard drive on the IDE controller and not SATA. This VM won’t work (at least it didn’t for me) when the disk is attached to SATA.

  11. Click the hard drive with a plus sign icon

  12. Click “Choose existing disk”

  13. Click “Kioptrix Level 1.vmdk” and click “Open”

  14. Click “Network”

  15. Uncheck the network adapter

  16. It should now look like this

  17. Click “Audio”

  18. Uncheck the sound card

  19. It should now look like this

  20. Click “Ok” to save all of the changes

  21. Click “Start” on the Kioptrix Level 1 VM

  22. You should see the boot loader screen show a bunch of text. Next you should see the configuration screen, “Kudzu”.

  23. Press any key to enter the configuration wizard

  24. Your next options may be different, but in my scenario, the network card was the first option. We want to remove the network card from the virtual machine (the VM didn't automatically pick up network settings and work out of the box; this is my workaround).

  25. In the “Hardware Removed” screen for the network card, select “Remove configuration” and press the Enter key.
  26. The next option may be for the USB controller.

  27. Make sure “Do nothing” is selected and press the Enter key.

  28. If you have additional options for hardware, choose “Do nothing” and proceed out of this configuration wizard

  29. After everything continues to load and start, you should now be at the text login window for Kioptrix! We are not done yet with our prep though!

  30. You need to either:

    1. Shut down the virtual machine by closing the virtual machine window

    2. Start a reboot sequence (Input > Keyboard > Insert Control+Alt+Delete), watch the system gracefully shut down, and then close the window before the VM starts up again

  31. With the VM powered off, go into “Settings” for the Kioptrix Level 1 VM

  32. Go to “Network”

  33. Check the box to enable the network adapter

  34. Choose “Host-only Adapter” with a “PCnet-PCI II (Am79C970A)” adapter type. That is an emulated AMD PCnet card, which old Linux kernels drive with the pcnet32 module; the newer adapter types may not be recognized by a guest this old.

  35. Optionally, you can click the “refresh” button to generate a new MAC address

  36. Take note of the MAC address for future reference; in the next post it is how we tell which DHCP lease belongs to Kioptrix

  37. Click “Ok”

  38. Start the Kioptrix Level 1 VM

  39. Press any key on the Kudzu configuration wizard screen to enter the wizard

  40. The first screen for you should hopefully be the network card configuration wizard. You can click the X for the two VirtualBox messages at the top of the screen to make it easier to see.

  41. On the network card configuration screen, make sure “Configure” is selected and press the Enter key

  42. Select “Yes” for the “Migrate existing network configuration” question and press the Enter key

  43. Select “Do nothing” for the USB controller option and press the Enter key. You should now be done with the Kudzu configuration wizard and back to the black screen.

  44. We’ll need to verify we are able to successfully get the network card enabled and “Ok”.

  45. Keep an eye out for the third line, “eth0”, and make sure it says “Ok”. That should be enough to confirm that the network card was successfully attached to the virtual machine and was given an IP address by the VirtualBox DHCP server.

  46. If all is well, you should be back at the Kioptrix login screen!
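
The VirtualBox side of the steps above as a VBoxManage script, added here as an example; it is not from the original post and not something the Kioptrix project ships. It reproduces the choices that matter for this guest (disk on the IDE controller, NIC and audio off for the first boot, a PCnet-PCI II adapter on the host-only network afterwards) so the lab can be rebuilt the same way every time. It assumes, which the post does not state, that the host-only interface is vboxnet0 with a 192.168.56.0/24 DHCP pool starting at .3 (consistent with the addresses observed above), that the VMDK sits in the current directory, and VBoxManage 5.2-era option names.

```shell
#!/bin/sh
# Added example, not from the original post: the VirtualBox configuration
# from this post done with VBoxManage instead of the GUI.
# Assumed, not stated in the post: host-only interface vboxnet0 with DHCP pool
# 192.168.56.3-254, the VMDK in the current directory, VBoxManage 5.2-era
# option names. Set VBOXMANAGE=echo to dry-run and only print the commands.
set -e

VBOXMANAGE=${VBOXMANAGE:-VBoxManage}
VM_NAME=${VM_NAME:-"Kioptrix Level 1"}
VMDK=${VMDK:-"Kioptrix Level 1.vmdk"}
HOSTONLY_IF=${HOSTONLY_IF:-vboxnet0}

vbm() { "$VBOXMANAGE" "$@"; }

# "Host Network Manager > Create > Enable DHCP": address the host-only
# interface and attach a DHCP server to it (use "dhcpserver modify" instead
# of "add" if one already exists for this interface).
setup_hostonly_network() {
    vbm hostonlyif ipconfig "$HOSTONLY_IF" --ip 192.168.56.1 --netmask 255.255.255.0
    vbm dhcpserver add --ifname "$HOSTONLY_IF" --ip 192.168.56.2 \
        --netmask 255.255.255.0 --lowerip 192.168.56.3 --upperip 192.168.56.254 --enable
}

# Steps 3-20: 32-bit "Other Linux" guest, 1 GB RAM, the existing VMDK on the
# IDE controller (this guest will not boot from SATA), NIC and audio disabled
# so the first boot lets Kudzu drop the stale network configuration.
create_kioptrix_vm() {
    vbm createvm --name "$VM_NAME" --ostype Linux --register
    vbm modifyvm "$VM_NAME" --memory 1024 --audio none --nic1 none
    vbm storagectl "$VM_NAME" --name IDE --add ide
    vbm storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 \
        --type hdd --medium "$VMDK"
}

# Steps 31-37: after the first boot and shutdown, add a PCnet-PCI II NIC
# (Am79C970A) on the host-only network with a freshly generated MAC.
attach_hostonly_nic() {
    vbm modifyvm "$VM_NAME" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF" \
        --nictype1 Am79C970A --macaddress1 auto
}

# "080027ABCDEF" (VBoxManage's form) -> "08:00:27:ab:cd:ef" (netdiscover's form)
format_mac() {
    tr 'A-Z' 'a-z' | sed 's/\(..\)/\1:/g; s/:$//'
}

# Step 36: read the MAC back so it can be matched against netdiscover later.
vm_mac() {
    vbm showvminfo "$VM_NAME" --machinereadable \
        | sed -n 's/^macaddress1="\(.*\)"$/\1/p' | format_mac
}

# Usage: sh kioptrix-vm.sh network|create|nic|mac
case "${1:-}" in
    network) setup_hostonly_network ;;
    create)  create_kioptrix_vm ;;
    nic)     attach_hostonly_nic ;;
    mac)     vm_mac ;;
esac
```

Run "create", boot the VM once and walk Kudzu through removing the network card as in steps 21 to 30, power off, then run "nic" and "mac"; the lower-cased, colon-separated MAC that "mac" prints is the form netdiscover shows in the next post.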

In the next post, we will go about assessing the virtual machine to see what we have.