Exercise 1

This is the report for the first series of exercises for my penetration testing course, taught by Tero Karvinen http://terokarvinen.com/2018/penetration-testing-course-autumn-2018
The first assignment consists of three parts, as follows:

0) Read the materials linked in the course program schedule. Reading the linked materials from the course schedule is mandatory for every assignment.
(These are not included in this report).

1) Try an attack of your choice from the OWASP10 list, on your own computer. In this exercise you can only use practice targets that are installed on your own, local computer.

2) Voluntary: Try multiple OWASP10 attacks on practice targets that are installed on your own local computer. How many can you accomplish in practice?

1

This exercise is done on my home computer, the hardware consists of the following:
i7-5820K processor
ASUS X99M-WS Motherboard
16Gb DDR4 Kingston RAM
Samsung 840 EVO 250Gb ssd

The operating system used is an Xubuntu 18.04.1 fresh installation, with the basic
updates installed (sudo apt-get update && sudo apt-get upgrade).

I first intended to do this on my T470P laptop using a virtual machine in VirtualBox,
but since you can't run a virtual machine inside a virtual machine (at least not in
VirtualBox), I decided to install Xubuntu on a spare SSD drive in my desktop
computer.

I chose to try the first security risk from the OWASP10 list, A1: Injection. This is the
security risk most familiar to me from before, so it seemed logical to start with that. In our
previous course lesson, we tried SQL injection on an application that Tero Karvinen made for us.

I chose to try the Metasploitable 3 vulnerable target machine. It has a payroll login
webpage that is intended to be hacked. For the installation I followed the instructions
Tero Karvinen has on his web page.

I started by installing VirtualBox, Vagrant and curl. The command for this is:

sudo apt-get -y install virtualbox vagrant curl

After that I created a 'metas' directory for the Vagrantfile that is used for
the virtual machine installation. The command for this is:

mkdir metas/ && cd metas/

I created a file called 'Vagrantfile' using nano and added the necessary code from the
instructions.

After that I started the virtual machine, using the command:

vagrant up

The installation took a while (about 5 minutes). When the machine attempted to boot, I got
a warning of an authentication failure. I let it try a few runs with no success and tried
to abort using the CTRL + C key combination; the startup continued for a moment before
an error message appeared stating "Vagrant exited after cleanup due to external
interrupt."

I tried the startup again and the virtual machine started without problems.

I opened my web browser and browsed to the address 'http://localhost:8080'.

After I had concluded that the virtual machine was working, I disconnected the ethernet
cable from my computer to isolate it from my home network, just to be on the safe side.

The first thing I did with the webpage was to enter a value in the 'user' field
and click OK. I chose the generic name 'user' for this.
The webpage did not show an error message for the missing password, but loaded a page with
a welcome announcement for the input I used. I viewed the page source to see if it would give
me any hints.

It seems that the program had concatenated my input into the welcome message.
I have used SQL before, and in the exercise from our previous lesson the answer for the
hack was " ' OR '1'='1 ".
I tried using that in the 'user' field, but with no success.

As a new approach, I tried using the same input in both the 'user' and 'password'
fields.
This resulted in great success.

From what I understand, '1=1' is something that can be considered a boolean
(true/false, 1/0). From our previous lesson, the word 'true' also works in these kinds of
situations. I tried to play around with this using different combinations.
" ' OR 'true " did not work in the 'user' field or the 'password' field, together or
separately.
Neither did " ' OR true ".

Now SQL statements always end with a semicolon ( ; ). Usually when the input is
concatenated into the SQL query, you don't need to add this, because it's already in the
pre-prepared SQL statement. The apostrophe ( ' ) at the beginning makes sense, since it
closes the input variable's string in the SQL statement.

For the fun of it, I tried inserting the semicolon into the
input. After trying a few combinations, I got a successful hack by using an input value of
" ' OR true; ". Strangely, this only had to be inserted in the 'user' field to work.
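To show why " ' OR '1'='1 " failed in the 'user' field alone but succeeded in both fields, here is an added example (not part of this report or of the Metasploitable 3 payroll app) that rebuilds a login query of the shape the payroll page appears to use against a constructed SQLite table, and places the parameterised form beside it. The table layout, column names and exact query text are assumptions.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"   # the input used in the report


def make_db():
    # Constructed sample data standing in for the payroll app's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, salary INT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", 5000), ("bob", "hunter2", 4200)])
    return conn


def build_vulnerable_sql(user, password):
    # Input concatenated straight into the SQL text (assumed query shape).
    return ("SELECT username FROM users WHERE username = '" + user +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, user, password):
    return [row[0] for row in conn.execute(build_vulnerable_sql(user, password))]


def login_safe(conn, user, password):
    # Parameterised query: values travel separately from the SQL text, so the
    # quote and the OR keyword in the input are treated as plain data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]


if __name__ == "__main__":
    conn = make_db()
    # user field only -> WHERE username = '' OR '1'='1' AND password = ''
    # AND binds tighter than OR, so the password check still applies: no rows.
    print(build_vulnerable_sql(PAYLOAD, ""))
    print(login_vulnerable(conn, PAYLOAD, ""))
    # both fields -> ... OR '1'='1' AND password = '' OR '1'='1'
    # The trailing OR '1'='1' is true on its own, so every row matches.
    print(build_vulnerable_sql(PAYLOAD, PAYLOAD))
    print(login_vulnerable(conn, PAYLOAD, PAYLOAD))
    # The parameterised query is unaffected by the same input.
    print(login_safe(conn, PAYLOAD, PAYLOAD))
    print(login_safe(conn, "alice", "s3cret"))
```

The semicolon variant from the report is not modelled here, because what a database does with text left over after a semicolon differs between engines and client libraries.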

2

The second part of the exercise is done on my Thinkpad T470P laptop running Arch Linux. The hardware specifications are:

i7 7700k processor
16Gb DDR4 RAM
500Gb Samsung 950 pro M.2 ssd

I decided to do this part using WebGoat, a deliberately insecure web application that is maintained by OWASP and is designed to teach web application security lessons. I downloaded the latest .jar package from their website. I have used this application in my previous Haaga-Helia course, Cyber Security Basics, so I thought it logical to try it again.

I already have the latest Java JDK and JRE installed, so I tried to run the .jar file with the command:

java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar

An error appeared when the program loaded. When I checked the instructions, they stated that Maven should be installed as well. I installed the missing component with the command:

sudo pacman -S maven (pacman is the package manager for Arch Linux)

After that the program started without a problem. I opened Firefox and browsed to the address localhost:8080/WebGoat/login

I registered a new user with the username 'userArch' and selected a decent password. It seems that WebGoat doesn't accept overly long passwords.

I trimmed the password a little and logged in.

I browsed through the lessons and decided to try Missing Function Level Access Control, located in the Access Control Flaws lesson.

The idea of the lesson was to try to find hidden code in the HTML page. I started by inspecting the Account element.

The Firefox developer toolbar has an Inspector subsection, in which you can check the HTML, CSS and JavaScript code of the webpage. I started by opening the tabs near the section that opened up.

There was one h3 tag marked with the class 'hidden-menu-item'. I opened the tab and there was an admin text element in it. I was looking for two hidden menu items, and this didn't seem to be the right one, since it didn't have any tags in it.

Above the h3 tag, there was a div that also had 'hidden-menu-item' in its class. I opened the tab and found two 'a' tags with 'href' attributes on them; the elements were labelled 'Users' and 'config'.

I guessed that I had found what I was looking for and tried them out as the answer, with great success.

References:

http://terokarvinen.com/2018/penetration-testing-course-autumn-2018

https://github.com/WebGoat/WebGoat/releases