Exercise 2

This is the report for the second series of exercises for my penetration testing course, taught by Tero Karvinen
http://terokarvinen.com/2018/penetration-testing-course-autumn-2018
The second assignment consists of four parts, as follows:


Scope: you can only use attack or sniffing programs against marked target computers. Read HackTheBox.eu rules before you start. Check IP addresses carefully.

1) Investigate actively HackTheBox.eu network. You can use port scanners, Metasploit, web browser, curl -l, NC and other tools you know. Report. Hide the answers behind a simple password, not on the public internet. You can give the password to your teacher via Moodle and your classmates. Link below ->

Exercise 2.1

2) Do three assignments from WebGoat. Install WebGoat if needed. The answers can be published in the public internet.

3) Voluntary: Solve more WebGoat assignments

4) Voluntary, Hard. If you know how, crack a target computer in HackTheBox.eu. Remember the scope.

These exercises are done on my home computer; the hardware consists of the following:
i7-5820K processor
ASUS X99M-WS motherboard
16 GB DDR4 Kingston RAM
Samsung 840 EVO 250 GB SSD

The operating system used is Kali Linux version 2018.3 with the Xfce desktop.
The system has been updated and the root password has been locked (passwd -d root, passwd -l root).
A new sudo user tatu has been created using the following commands:

adduser tatu
adduser tatu sudo
adduser tatu adm

2)

Authentication flaws: Authentication bypasses

I started the exercise by reading the assignment, the idea being to bypass authentication by taking advantage of a flaw in the configuration.
The instructions mentioned using a proxy to accomplish the assignment goal, so I started
by googling ‘OWASP proxy’, and the first link that came up was OWASP ZAP. I had used this program in my previous course, cybersecurity basics, a
year ago, but honestly I had to browse through the instruction links to warm up for the task.
I started OWASP ZAP to get a feel for it, but an error message came up stating that the program couldn’t listen on port 8080.

At this moment I remembered that WebGoat uses that very same port. To fix this, I assigned another port for ZAP to use, in this case 8081. The setup tab for this can be found under ‘Tools’ -> ‘Options’ -> ‘Local Proxies’.

I started the program again and there were no conflicts with the ports in use. Once I got this sorted out, I manually configured the Firefox
browser to use ZAP as a proxy. The settings tab for this can be found under ‘Preferences’ -> ‘Advanced’ -> ‘Network’.

I didn’t have to restart the browser for the settings to take effect, and ZAP started receiving packets from the browser.

I continued with the assignment, trying to recreate the scenario as in the example. I inserted ‘test’ in both of the question fields, set the break on (the green circle in the main tab) in ZAP and pressed ‘submit’.
Nothing came up and I started to browse the packets intercepted
(the blue arrow on the right side of the break button). It took a while to find the right packet.

The example stated in step 3 to remove the secQuestions from the POST data and send it on; I tried doing this with no luck.

I reset the exercise and started again; this time the correct POST message was the first one intercepted.
The next thing I tried was removing the numbers from the secQuestions, but this also failed.

On the third try, I modified the secQuestion numbers, setting 0 to 10 and 1 to 11, the logic being that if the two security questions have a fixed numbering (always 0 and 1), this could somehow break or trick the verify method. Luck being on my side this time, the third hack attempt worked and I was able to reset the password for the user.
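Why renaming the fields got past the check while removing them did not, as an added example written for this report and not WebGoat’s own code: verify_loose is an assumption, reconstructed so that it reproduces the three outcomes above (no fields: rejected; numbers removed: rejected; 0/1 renamed to 10/11: accepted), and verify_strict is the fix a server should use. The question names secQuestion0/secQuestion1 and the stored answers are constructed sample data.

```python
import hmac

# Constructed sample data: the two questions the server expects for the
# account being reset, and the answers on file for them.
EXPECTED_QUESTIONS = ("secQuestion0", "secQuestion1")
STORED_ANSWERS = {"secQuestion0": "fluffy", "secQuestion1": "helsinki"}


def verify_loose(form: dict) -> bool:
    """Assumed vulnerable check: it demands two secQuestion* fields, then
    compares only the ones whose names it recognises.  Fields with unknown
    names are silently skipped, so renaming them leaves nothing to compare
    and the function reports success."""
    answers = {k: v for k, v in form.items() if k.startswith("secQuestion")}
    if len(answers) != len(EXPECTED_QUESTIONS):
        return False          # fields removed, or both named "secQuestion"
    for name, given in answers.items():
        stored = STORED_ANSWERS.get(name)
        if stored is not None and not hmac.compare_digest(stored, given):
            return False      # a known question answered wrongly
    return True               # nothing was compared -> "verified"


def verify_strict(form: dict) -> bool:
    """Hardened check: the server decides which questions count, every one of
    them must be present and answered correctly, and any extra field the
    client adds is ignored rather than trusted."""
    for name in EXPECTED_QUESTIONS:
        given = form.get(name)
        if given is None:
            return False
        if not hmac.compare_digest(STORED_ANSWERS[name], given):
            return False
    return True


if __name__ == "__main__":
    tampered = {"secQuestion10": "test", "secQuestion11": "test"}
    print("loose:", verify_loose(tampered), "strict:", verify_strict(tampered))
```

The difference between the two functions is which side chooses the set of questions: verify_loose iterates over whatever the client sent, verify_strict over a list the server owns.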

Note! In this exercise changing the password doesn’t do anything.

Client side: HTML tampering.

The idea of this exercise is to tamper with the HTML that the browser sends, specifically to try and change the price of the TV purchase from
the website.

I started this by opening the browser’s developer toolbar’s inspector tab and browsed through the HTML code, but didn’t find anything useful.
I looked through the hints for this assignment and the last one mentioned intercepting the request.
I opened OWASP ZAP again, inserted the value 6 in the ‘Quantity’ field on the web page, turned the break on and clicked ‘Checkout’.
The first packet intercepted seemed the right one.

I altered the price, making it 0.00, and submitted the packet forward.

This proved successful and the assignment was completed.
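What the checkout handler should have done with that intercepted POST, as an added example written for this report and not WebGoat’s own code: the form field names ITEM, QTY and PRICE and the catalog price are assumptions, and the two bodies below are constructed to look like the unmodified and the tampered request. checkout_trusting_client is the behaviour the exercise exploits; checkout_server_side takes only the item and quantity from the client and derives the price from the server’s own catalog.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalog: the only legitimate source of a price.
CATALOG = {"TV": Decimal("2999.99")}
MAX_QTY = 10


def checkout_trusting_client(body: str) -> Decimal:
    """Vulnerable: the total is computed from the price the client posted,
    so a 0.00 in the intercepted request becomes a free order."""
    form = parse_qs(body)
    qty = int(form["QTY"][0])
    price = Decimal(form["PRICE"][0])
    return price * qty


def checkout_server_side(body: str) -> tuple:
    """Hardened: returns (accepted, detail).  The client may choose what
    and how many; the server looks the price up itself, validates the
    quantity, and treats a posted price that disagrees with the catalog as
    tampering worth logging rather than as input."""
    form = parse_qs(body)
    item = form.get("ITEM", [""])[0]
    if item not in CATALOG:
        return (False, "unknown item")
    try:
        qty = int(form.get("QTY", [""])[0])
    except ValueError:
        return (False, "quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        return (False, "quantity out of range")
    if "PRICE" in form:
        try:
            posted = Decimal(form["PRICE"][0])
        except InvalidOperation:
            return (False, "malformed price field")
        if posted != CATALOG[item]:
            # The field is not needed at all; its presence with a wrong value
            # is a signal for the server log, not something to honour.
            return (False, "client price does not match catalog")
    return (True, str(CATALOG[item] * qty))


if __name__ == "__main__":
    original = "ITEM=TV&QTY=6&PRICE=2999.99"   # constructed
    tampered = "ITEM=TV&QTY=6&PRICE=0.00"      # constructed, as in the report
    print(checkout_trusting_client(tampered))  # the free TV
    print(checkout_server_side(tampered))      # rejected
```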

Client side: Client side filtering

The goal of this assignment is to find out the salary of the CEO, who is not listed among the ‘selected users’. The assignment clearly states to
examine the page to see what information there is to find.

I right-click on the HTML element and select ‘Inspect Element’ to open the developer dashboard. In the inspector tab I start to browse
through the HTML code and expand ‘lesson_workspace’, finding a ‘table’ tag with the id ‘hiddenEmployeeRecords’…

I start expanding the different layers underneath the hidden table and find a row of ‘tr’ tags with numbers. Opening the first one reveals
the employee info of Larry Stooge.

I start opening the ‘tr’ tags in hopes of finding what I’m looking for. The very last one contains the info for the CEO that was not listed
in the website’s selector.

Inserting the salary into the question field proves that the answer was right.
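The defect behind this lesson is that the filtering happens in the browser: every record is sent to the client and only hidden, so the inspector shows all of it. As an added example written for this report and not WebGoat’s own code, render_vulnerable models that pattern (a hidden table with all rows, as found above) and render_filtered moves the decision to the server. Apart from Larry Stooge, the employee names, ids, titles, salaries and the manager relationship are constructed.

```python
from html import escape

# Constructed records: "manager" is the id of the person allowed to see the
# row; the CEO reports only to herself and is not in anyone else's team.
EMPLOYEES = [
    {"id": 101, "name": "Larry Stooge", "title": "Technician", "salary": 55000, "manager": 102},
    {"id": 102, "name": "Moe Example", "title": "Manager", "salary": 75000, "manager": 112},
    {"id": 103, "name": "Curly Example", "title": "Technician", "salary": 50000, "manager": 102},
    {"id": 112, "name": "Neville Example", "title": "CEO", "salary": 450000, "manager": 112},
]


def can_view(viewer_id: int, record: dict) -> bool:
    """Authorization rule: you may see your own record and your reports'."""
    return record["id"] == viewer_id or record["manager"] == viewer_id


def row(record: dict) -> str:
    return '<tr id="%d"><td>%s</td><td>%s</td><td>%d</td></tr>' % (
        record["id"], escape(record["name"]), escape(record["title"]), record["salary"])


def render_vulnerable(viewer_id: int) -> str:
    """Client-side filtering: every record goes to the browser inside a
    hidden table and a script is trusted to show only the permitted ones.
    The viewer_id is unused on purpose; nothing here checks it."""
    rows = "".join(row(r) for r in EMPLOYEES)
    return '<table id="hiddenEmployeeRecords" style="display:none">%s</table>' % rows


def render_filtered(viewer_id: int) -> str:
    """Server-side filtering: rows the viewer may not see never leave the
    server, so there is nothing in the page source to uncover."""
    rows = "".join(row(r) for r in EMPLOYEES if can_view(viewer_id, r))
    return '<table id="employeeRecords">%s</table>' % rows


def visible_ids(viewer_id: int) -> list:
    """Ids the hardened view exposes to a given viewer, for checking."""
    return sorted(r["id"] for r in EMPLOYEES if can_view(viewer_id, r))


if __name__ == "__main__":
    # Moe (102) manages Larry and Curly and should not see the CEO's salary.
    print("450000" in render_vulnerable(102), "450000" in render_filtered(102))
```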

References:
http://terokarvinen.com/2018/penetration-testing-course-autumn-2018