Yep. Yeah. Sure. That's fine. Oh, so you're talking about the Twitter bot kind of thing, like how easy it is to make an account and spam that out, or false information, or reading everybody's private stuff? All of the above. Right? Okay. So when I think about security for a real company, my brain goes to... and actually it's been on my mind to give you guys the high-level security lecture where it's like, okay, here's all of cybersecurity and here's where we fit in, in this class. I think it's a valuable thing to do. So I want to do that, but because you've just got project two, I'm just going to try to throw as many CTF-worthy web exploits at you as I can so that you feel like you've got something to go on this weekend, five CTFs or whatever, and things like that. Okay. So maybe I'll answer that another day. But essentially I do a risk analysis in my mind of, like, what are the crown jewels, how necessary are they to protect, and so on. So in Twitter, most of it is highly public. DMs we'd like to presume are private; the information about who you are is not that damaging. The most important thing is not letting people pretend to be verified accounts or whatever, right? But if Twitter were, you know, completely unencrypted or whatever, how bad is the world? Okay? You get people pretending to be people they're not. That's the... which can lead to nuclear war. Like it's fine, like it's possible on Twitter or whatever, conceivable. But there's no credit cards or whatever. Maybe there are. Not yet, right? Correct. So it gets away with more because the scope is not as critical to its users unless you're blue check. Okay, okay. Reverse shell. Let's talk reverse shell. Hide video panel on this thing. And I am recording. The goal here is, in many types of web exploits, you can gain what I'll call remote code execution. And you'll see this all the time when you're looking at CVEs, cyber headlines or whatever.
RCE is a very common acronym for remote code execution. That is, you did some amount of trapeze work or whatever, bent everything around in just the right way, and you get it to issue a command on your behalf. A lot of times when you can do that, maybe it's an XSS thing or maybe it's a server-side request forgery or template injection or whatever it is. Sometimes it might take three days before they get to issue that piece of code, right? Because it's like some admin has to log in and catch your payload or whatever, something like that. Poor, poor hacker. So a lot of times you get one command every x hours. The goal of the reverse shell is that you make that one command count. Alright? So when they do that one command, what it's going to do with that command is spawn a shell process, connect to an IP address and port that you control, and let you have a shell on there so you can issue all the commands you want. Alright, so this is sort of like a little baby rootkit or something. And your job is to convert remote code execution into a complete shell. And you can just do whatever you want on that server now. Alright, that's the goal for today and we're going to spin that up, and that's your flag. Today's is: give me a remote shell on this poor Heroku server. So in order to do that, you need to have an IP address that is public, right? And so you need to have an IP address and a port that anybody can connect to. You guys don't do that a lot in your lives. Like we've done Firebase Hosting, really GitHub Pages or something where it's static files. But for you to have a server that's hosting an IP address and a port, I'm going to show you how to just kind of spin one of those up. No cost to you. And now you've got it, and then you shut it down or whatever. I'll show you that with DigitalOcean. But there's other options like that. Bonus on the spreadsheet for project two: there are two things on there that are the one-pointers. And then I might end up
doubling the points on the left-hand side or whatever. Because you're gonna end up doing a lot of hours of videos, whatever; it might make those two four instead of one to... probably should be two, three. Okay. So when we spin up DigitalOcean, I'll just show you that, hey, by the way, you can do this in a way where you just get Docker on that computer. And if you have Docker on the computer, you can go to Docker Hub and just grab down anything in the world. So when I'm teaching reverse engineering and pwning, I grab down pwn docker, that has all the tools they need for reverse engineering. If I'm doing this class, I'll show you the Damn Vulnerable Web App. And you can just spin that up and run it yourself. And it's just full of exploits that kind of walk you through how to do them. They, like, fix themselves too. So here's no security, medium security, high security. And you can feel the difference of what they do. The OWASP Juice Shop is the other one like that; that's a little bit more modern, whatever. And I'll just show you how to spin those up on your own as a bonus to the lecture. And then I've given this exact site before in my list of flags for the class. But we're gonna do it better this time. I just need a place where I can do remote code execution. Otherwise, the lecture is gonna get way, way, way too hard or long. Remote code execution: I need a vulnerability that lets me do that. I'm going to use file upload exploits. The idea of that is something that lets you upload images. And instead of uploading an image, you upload a PHP script that just takes in an argument from the user and issues it as a system command. Cool. If they upload your file and store it on their server, and they have PHP running, and they're not confirming that the file is... is it actually a picture? Now you've got a URL where you can go and just issue remote code. We're going, cool. So that's our remote code execution. And we'll pivot that into a reverse shell.
Okay, that's my plan. I tell you what I'm going to tell you, then I tell you, then I'll tell you what I told you. I think about this kid a lot. Just know that that means... it's a millennial-style name. I know, but I'm a millennial, I'm an old millennial, practically Gen X. Okay. Okay. Okay. Okay. Yep, yep. Yep. I just said all this stuff out loud. But I will say, in terms of why a reverse shell, and I've never taught reverse shells before today, so thanks Tommy for that. But the reason reverse shells are kind of awesome: all servers have firewalls on them. People are trying to secure things, whatever. But typically they don't police outgoing connections. You're on a server and you're going to do a git clone of whatever, you're gonna do a fetch of whatever, you're gonna do an npm install, pip install; all that crap is outgoing. We tend to allow it. Even our computers: I'm allowed to make external requests, but the router prevents internal requests coming to my computer. So most of the security is not letting the outside world in, but they're totally okay letting you do stuff out. So reverse shell is the idea that, hey, the reason it's a reverse shell and not just a shell is that they're going to make an outgoing request to me. And I've got a honeypot waiting or whatever. I've got my target waiting that will receive the connection and take over the shell. So outgoing connections are not policed. And this turns a highly constrained single operation into arbitrary execution of whatever the heck you want. If you're going to pull off a reverse shell, you need these three things. A public IP address and port that you can open up to external traffic, right? You need a method of remote code execution, and you need a clever payload. Okey dokey. Alright, here we go. If you have the GitHub Education Pack, included in that should be a $100 credit to DigitalOcean. If not, here's a link that will give you $100 credit to DigitalOcean.
DigitalOcean here is gonna be a stand-in for... I swear I wrote, like, the list of all the other things that it's sort of a stand-in for. You can use DigitalOcean, you can use Amazon EC2, you can use Linode. You can spawn up VMs on cloud services all over the place; in DigitalOcean, a server is just a droplet in the DigitalOcean concept. I like using it. You might even be able to pull this off in, like, repl.it or something. I just don't know that repl.it's going to allow external things. Again, you don't have an IP address and port. So I've avoided doing this up to this point. But it's really nice for you to have an actual server that acts as a target or whatever, something like that. So that's what we're going to do. You can follow these instructions. And I'll show you what that feels like. DigitalOcean. Now I have a lot of DigitalOcean boxes that I sort of, I spawn up, I leave them up, I kill them, whatever. I do a lot of my security stuff inside of these sorts of disposable servers because I'm gonna get malware and I want to just kill the box and not worry about it and just spin up a new one. One of the other things about this is that, like, on my laptop, it's time for me to have a new laptop. I'm paranoid about it because so many of my business processes run from this. And every time you make an OS upgrade or whatever, all your crap breaks, right? Like Ghidra is not working right now because every little jar file now, like, needs a security permission, next to the... whatever. So now I can't run Ghidra. That happens all the time, right? Like you install your world and it lives this way. But when you are in the land of disposable cloud servers and Docker images, like Docker is the idea that hey, it works on my computer. So here I have my computer. Rather than, here's all the install instructions to get this esoteric software running on your device,
it's saying, I'm just gonna give you the entire device, guaranteeing that everything works the way that it does for me. That's the idea of Docker. It's virtual machines without the kernel. Okay? What I like to do for DigitalOcean is something like this. Spin up a droplet. We're gonna go... Yeah, what's up? No. It will want a credit card number. And that's almost always a no-go for students. Yep. Yep, yep. $100 of free credit or whatever. But you have the thing. I used to be able to have a way that students benefit and not need any credit card. And that was Cloud9. Maybe our cracking Piazza Cloud from the other day could do such a thing or whatever. But whatever, you're practically grown up; it's $5 a month if you leave it running for a whole month. You turn it on and then you just turn it right back off and your $100 credit will last you ten years like that. You know, if your credit card gets charged, I will be shocked. But again, that's not required or anything else like that. This is a nice-to-have, not a must. But yes, typically I do this a lot, but I don't mind. Okay. Now, let's be careful with this, right? I'm saying that this is telling you $56 a month at the bottom. That's like whoa, whoa, whoa, $56 a month we're talking about. So I'm going to create a droplet. Gonna be in New York, fine. I'm going to click the marketplace and just type the word Docker. So I'm going to select one that just has Docker ready to go. All right. Now when it comes to the size, here's the place where you get it to be cheap. You go regular, you go all the way to the left. And the smallest that can run Docker is $6 a month. Alright, so I select that. Again, this is a tenth of a penny per hour. So that's more correct in how you think about it. You run it and then you shut it down, and you have $100 worth of tenths of pennies. I'm so rich, I leave my Dockers running all month long and pay that 56 bucks. Okay.
Now, on the SSH key thing, this is valuable to go through and make SSH keys; you're going to do this all the time, whatever. For today, you can just do it from the browser. Oh, sorry, I clicked add SSH key. That name, I'm just going to include ones that I already have. One droplet; can change the host name. Okay. Reverse shell. Alright, great, my droplet. Somebody is trying to talk to me in the Zoom, but I don't see what they're saying. Whoever said something into Zoom, you can just say it out loud because I don't... I can't find my controls. I asked if you can use a local VM, but I'm just going to use Google Cloud and stuff. Yeah, Google Cloud Platform's an alternative to this or whatever; every single cloud provider has a version. But what you do want is an IP address that can receive requests. That's the actual reason to do this. Now, reverse shells like... they want to pass... Because Christina pointed out the credit card story, right? And that's correct. Now, I do think that there's, like, web services where you can get correct-but-wrong credit cards, where you can, you know, say I'm going to spin this thing up and it's only allowed to charge $1 or whatever it is, like a fake credit card generator. That's a cool service. Okay, I now have reverse shell. Hahaha. I've got my IP address here. And I can now take that IP address and SSH in from that terminal the way it is. I can SSH in, root at that IP address. And that will just work for me. But for you, you'll have to spin up some SSH keys to do that. So you can also do it a little bit slower from the console. Now you're in with a box that you can do stuff on purely from the terminal. Whatever you're paying, a tenth of a penny per hour, that's computing costs. Alright. Now, one thing I did not test this morning is this guy. So the last little thing, a couple of things here. You have ufw. This is the firewall. And I'm willing to allow incoming connections on a port, and I specify ports that are late or whatever,
up to some maximum limit. I think 42069 works, but 69420 is too tall. So that's your range. And so 8096 is totally fine. And now this IP address on that port is open. That was the goal of all of that. Already done with this line. Okay, now, here's the bonus part of this. So since I picked the Docker image in the marketplace, I can now run anything from Docker Hub. Docker Hub is awesome. One of the things that makes life on the internet just so, so cool these days. I can search for whatever the heck I want. I don't know, security stuff. And here's Rancher Labs, security scan, whatever. All of these are entire server sets of tools that I can just sort of be in a box that has all of that installed, for instance SageMath, or a reversing kit or whatever, and things like that. So like I said, I use pwn docker for all of my hacking. There's probably, if I just put in CTF, there's probably folks that... yep. Here's, they're like CTF Docker that they use for capture the flags or whatever; 5 million people have used it, must have some good stuff, et cetera, et cetera. What we're gonna do here is host a vulnerable web app. Actually, I should just do the search for DVWA. And which one is the real one? Not totally sure. Okay, this one. If I want to run the Damn Vulnerable Web App, this is just a bonus. It's not my actual topic of the lecture today, but it helps you with your project to go over here. service docker start. Docker starting. And docker run, port 8080, vulnerable web DVWA. Alright. That's just... you all suddenly need to handle a web app running at this IP address colon 8080. And I can go with that. Okay. I don't know if I have to allow any MySQL, MariaDB; take a sip of coffee. Coffee, that might be running. Now, copy my IP address, colon 8080. Yeah, it is. This is the Damn Vulnerable Web App. How should we get through the login? Inspect element? Too slow. Okay, just click login. Actually that just went into that.
The password was admin / password, by the way, the default creds or whatever. And I think once you're on here, it does need to start a thing. Click on the Create / Reset Database button below. Great, reset database. Alright. Now we'll get a better login. Alright? Now clicking login doesn't quite work, but now I can try admin, password. Do not see nothing. Change your password. Okay? And now inside of DVWA, these are all the things you can get points for in the class project. They'll say, hey, here's a vulnerability: brute force, credential login or whatever, things like that. Okay, cool. Command injection: here I can say 8.8.8.8. It's a little service that will let me, like, ping something. But if I look at that output, it's like, wait, that looks like Bash output. Therefore, I can do something semicolon ls. Now I'm getting source code, so I'm running. So whenever you are on a website and you see something that's like, oh, that looks like Bash, probably even throw some extra commands in there sometimes. And then you can get a reverse shell instead. Okay. Now this is the place where I want to receive the reverse shells. So I need to, like, not do this or whatever, but cross-site request forgery, we haven't talked about that yet. File inclusion, file upload: that's the vulnerability for today. Insecure CAPTCHA. Okay, fine. SQL injection, blind SQL injection, session IDs, cross-site scripting and the DOM, et cetera, et cetera. Okay. Then what you can do is increase the security level. So they've got four levels for DVWA where now they're gonna make all of them one step harder, one step harder, but it's still possible. Then they'll go, it's not possible. Well, DigitalOcean... pardon me? Did you click one of the referral links? With the referral link, you'll get... I didn't get the education pack or the one that I like; I'm pretty sure that'll give you $100. Or you think they're just charging $200? How it's sorted, a $200 credit.
Which means that now the credits are good. So it did not take; it gave you $200 of free money for running this as many hours, and then just shut it down and spin it back up when it's good. If it charges you $200, I will eat my umbrella. That's bad. "Welcome to this service, we really want you to... we're going to charge you $200 at moment one, just so you know that you're serious." That would be bad business, okay? So anyway, you can mess with the security, rerun it and things like that, whatever, and all of that is worth points for project two. You can do these, but you'll find write-ups on the Internet, and they're like, oh, let me do a walk-through of DVWA, things like that or whatever. Right, cool. That's DVWA. I would like to kill that. Now, these are the logs of the requests coming in. Control-C. And now my DVWA is gone again. Alright. The other cool one is the OWASP Juice Shop. This thing is newer than DVWA. So DVWA is a LAMP stack: Linux, Apache, MySQL, PHP. This one is a MEAN stack: Node, Angular, or that kind of thing, whatever. The Juice Shop, that is also perfectly fine and you can find write-ups on there, and it will have all sorts of slightly different vulnerabilities; then you can go through them. I also list Google Gruyere as another site like that, where it's just full of Swiss cheese holes, it's full of security holes, and your job is to go through. And this was the bonus part of the lecture. This is not reverse shell; this is just Docker, and DigitalOcean is really pleasant. Then bonus: if you've taken my class in the spring, we'll do lots of pwn docker, pwntools, Capstone or whatever, for reverse engineering and malware analysis. So let's see if it's up and running yet. Here we go. Welcome to the OWASP Juice Shop. Here's all sorts of stuff and blah, blah, blah, blah. And each of these will... there's just vulnerabilities throughout all of this. Cookies and things, whatever, etc. And help getting started.
It's, like, riddled with security vulnerabilities. There's a scoreboard even, cool. Alright, so this is next-generation DVWA. Alright, cool. Now you can go and hack those and make videos if you're hacking those or whatever and things like that, and you're good to go. Back to reverse shell. That's what we're here for. 9:41. Okay. This vulnerability is, well, whatever, file upload escalates server. If I go to my cake server, what I get is a gallery submission page, and it invites me to upload a picture of my favorite cake. You can do this one. Upload the image, and it will show me my image that I uploaded. My hatred is Caitlin. Okay? Now, what is vulnerable about this is this image lives on that server. The URL is there, and what that means, and this is something that, you know, splitters, security, whatever, all things let you upload images, all things that you take screenshots of, all things want you to upload images and files and movies; the word that we're going to say... I might repeat myself, but I forgot that. I upload stuff, it's got to live on a server somewhere. Okay. Well, what harm can I do by putting a file on your server? Lots of time, lots of harm. So in this case, I'm going to make my file the following. When you go to a text editor somewhere. Oh, there it is. Good. Thanks. Okay. Even my malware should be well indented. Alright, so I've now just authored some malware. I'll save it as mal.php. And now at this poor website, I'll go here. I'll upload my malicious image. And you'll note that the link is broken because it's not actually an image. It's trying to render it as an image, but I can just open that image in a new tab. I get this. Okay, cool. That's executing my PHP code. Fantastic. What does my PHP code do? Well, it lets me pass a command argument, where operators of the line thing. So the way that you would typically crack this is just, in this case, I say question mark command equals ls. Look at that. We've got all sorts of stuff in here.
And I can say cat flag.txt. I've got my flag. Don't delete, but you have full power to delete it. It's a Heroku thing. So it can restart or whatever, something like that, but not in real time for our class. But the flag is not irrelevant. I've already given you that flag. And what matters here is that I'm doing remote code execution. Those command line arguments, that's cat flag, that's me doing bash commands through a URL parameter to get remote code execution. Okay? The reason I'm doing this is not because this exploit is that interesting; it is, it's very simply harmful. But it's the simplest remote code execution I can do, in order to show you the process to set up a reverse shell. Okay? So in fact, you know what I should do? Kind of like when the blockchain got hacked or whatever, I'm going to copy this flag real quick. You guys delete it, I can reverse shell and just put it back; we can have a little Docker. Now I'm really okay. So we've now uploaded malware to this thing. And I'm basically doing command and control right through the browser. Very pleasant. Let's talk reverse shell. Okey-dokey. The tool I'm going to show you here is revshells.com. This will let you say, hey, you've got an IP address and a port or whatever. Actually, let me save that flag real quick because it's in my... okay. I take this IP address. I'm gonna go over to my... there we go. That's the bad guy here. Alright. I'm gonna put in my IP address here and the port I've opened up. Okay? So there's two things that are going on here. One, you listen for the shell on my server that I have. So I'm going to run this over on the DigitalOcean side. I am now listening on port 8096, waiting for my incoming shell. Then this is a type of command that I can run on the other server in order to get access to that shell, or in order for it to connect to me.
So this is going to run on the few cakes server, and it's going to try to spawn a shell and make a TCP connection to my port, my thing, whatever, and disconnect that process and let it run for a while. Okay? Now this one won't work. Few reasons why it won't work. But one of them is just the ampersand name or whatever; I'll skip that, random variables. So to some extent, there are many, many possible commands here. And it took me a little while to find the one that works for few cakes. I almost leave it as an exercise to the reader. But I also just want to have the remote shell real quick. Like, I don't know which one you'd rather do, like to hunt around for the one that works for you. One of the things I did start to do is actually just reverse shell on myself from here. Because I can kind of, I can attempt it from my computer, and if it works or whatever, that's something, etc. And even kind of see what a bad attempt looks like over here. Nothing so far. Um, so because I don't get an error on this. So if I throw this into here, it didn't work, but I don't know why. I'm a hacker. I'm not getting error messages. Error messages are a privilege, not a right. Okay. So let's fart around with a few more. I don't know if you want to know an answer that works for me. But I had success on this particular server with socat; this one did the job. Okay. Connection received. Now I can type ls. Okay, cool. cd .., cd ... Let's look where I am. Okay, cool. Let's see what processes remain. Okay, cool. Alright, we've got these processes running. I can go inspect the registers of those boxes if I want, whatever. I've got to tell them, up in your business, right? So I had one crappy remote code execution through a URL. Now I've got a full-power shell on that server. That's the reverse shell. Questions, thoughts, concerns, whatever. Yeah. Yeah. Yeah. It looks like this is the one that works for me. It was socat number one. Yeah. Yeah. Yeah.
That's one of the things that this classroom has made me regret, is that Control-plus everything but this. We do a lot with this in this class. So I do have new glasses waiting for me, and I say I can't be there to get them; somebody will pick those up, and I feel a little headache. Okay. Alright. Five minutes to look at that. Like a lot of content, and I was late. But that's a reverse shell. And other places. So now what this is, is you can pivot remote code execution to you having a complete shell. Sky's the limit, whatever. The unethical hacker: this is something that will totally get you arrested if you do it with the wrong site or whatever. Do it to one that says please do this to me, not one that does not. Okey-dokey. Cool little tool, that's reverse shells. Your job today is to get me a screenshot of /etc/passwd. And so you can see shadow is where all the passwords are stored for the Unix users. passwd is like your list of Unix users. And all sorts of nice stuff down here for you, the hacker, to learn about what system you're on and so on. Okey-dokey. All right. I'm going to disconnect my... fine. And now that I've done my malicious deed there, I can just turn this off and destroy it. And I've paid my... not even a tenth of a penny here, pretty cool. But since I've got 3 min, I'll jump back in and we can do some DVWA study. So I could do a whole lecture on DVWA or Juice Shop or all those kinds of things. So alright, admin, password. All right, you're so good at security. Alrighty. So one of the ones that I'll say: SQL injection is one of those ones that is very pleasant to do. Students always think they know it better than they do. And mastery takes practice and a little bit of whiteboarding and reflecting. And I think that's why the blind SQL injection is the one flag that hasn't been done of my flags this semester, right? So blind SQL injection is valuable. So the difference in the blind business versus SQL injection:
so here I can say user ID 1 tells me this is already... 0, nothing; 2 tells me that, et cetera. So it's nice to figure out... that crashed it, good. Crashing is good. So it's nice to figure out how many things matter. Note that it's MySQL, so different. Alright. Alright. Gordon Brown and 3. It is worth one. Alright, I want to get that to get back to where it's not crashing. And I guess it's time. I'll say farting around with getting better at, like, the mental model of that is probably just studying how to do SQL. And then, like, just doing a little linear algebra transformation over to the land of the injection space. So like, how do I do it in SQL? What's my space? Blind is going to work where you get, like, success or not success on various things that you might try. Here all I get is a yes/no, but not any data about... let's say now I've got to, like, fuzz my way through in binary search fashion. Okay, cool. That's reverse shells. I'm going to now kill this droplet. Destroy, destroy this droplet. "Sure you don't want to pay us?" Alright. I'm gonna go do some... Yeah, you wanna do NES game jam or whatever we've been doing. Otherwise, I'll see you guys later. Check CTFtime religiously now that you're in this project; so you missed the boat for the Hong Kong one, you had to register before it started. Well, but there's one that starts at midnight. Actually, there's like three, that's four, that start overnight. So maybe make some accounts for some of those and hope that you get some easy web flags. I hope that all of you on Zoom feel better soon.
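The file-upload vulnerability the lecture leans on (an image gallery that stores whatever is uploaded, under the user's filename, somewhere PHP will execute it) has a well-understood fix. The following is an added example, not code from the lecture or from the cake server it demonstrates against: a server-side upload check that rejects anything whose content does not carry the magic bytes of an allowed image type, requires the declared extension to match the sniffed content, and throws the user's filename away in favour of a random server-chosen name. The allow-list, size limit and sample bytes are constructed for the example; the upload directory passed to `store_upload` is assumed to live outside the web root and to be served without a script handler.

```python
import secrets
import tempfile
from pathlib import Path

# Constructed allow-list: leading bytes of the image types the gallery accepts.
# Content is identified by these bytes, never by what the client calls the file.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # constructed limit for the example


def sniff_image_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' from the file's leading bytes, else None."""
    for kind, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def validate_upload(filename: str, data: bytes):
    """Return (True, safe_name) for an acceptable image, else (False, reason).

    safe_name is a fresh random name; the client's filename is only consulted
    for the extension it claims, so path tricks and .php names never reach disk.
    """
    if len(data) > MAX_BYTES:
        return False, "too large"
    # Path(...).name drops any directory components; .suffix is the last one.
    ext = Path(Path(filename).name).suffix.lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        return False, f"extension {ext!r} not allowed"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if kind != ext:
        return False, "extension does not match content"
    return True, f"{secrets.token_hex(16)}.{kind}"


def store_upload(filename: str, data: bytes, upload_dir: str) -> Path:
    """Validate, then write under a random name. upload_dir is assumed to be
    outside the web root (or served with scripting disabled)."""
    ok, info = validate_upload(filename, data)
    if not ok:
        raise ValueError(f"rejected upload {filename!r}: {info}")
    dest = Path(upload_dir) / info
    dest.write_bytes(data)
    return dest


# Constructed sample inputs: a stub PNG and a harmless PHP file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'hello'; ?>"


def run_demo() -> str:
    """Store the sample PNG in a temporary directory; return the stored name."""
    with tempfile.TemporaryDirectory() as tmp:
        return store_upload("cake.png", SAMPLE_PNG, tmp).name


if __name__ == "__main__":
    for name, blob in [("cake.png", SAMPLE_PNG), ("mal.php", SAMPLE_PHP),
                       ("mal.png", SAMPLE_PHP), ("cake.jpg", SAMPLE_PNG)]:
        print(name, validate_upload(name, blob))
```

The magic-byte check alone is not the defence: a file can start with a valid PNG header and still contain PHP (a polyglot). What actually stops execution is that the stored file gets a server-chosen name with an image extension and lives where no script handler runs, so the uploaded bytes are only ever served as data.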
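The lecture's key observation is that firewalls rarely police outbound connections, which is exactly what a reverse shell relies on. On the defender's side the same fact gives a detection signal: an interactive shell whose standard input and output are a TCP socket, or a shell spawned underneath a web server worker, is not how legitimate outbound traffic looks. The example below is added here and is not the lecture's code. It parses output in the format of `ss -tnp` (the sample lines and the process table are constructed for the example; the peer addresses are documentation ranges) and flags established connections owned by a shell when either of those two conditions holds.

```python
import re
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "zsh"}
WEB_WORKERS = {"apache2", "httpd", "php-fpm", "nginx", "node"}

# One `ss -tnp` row: state, Recv-Q, Send-Q, local, peer, optional users:(...)
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+)\s+(?P<raddr>\S+)"
    r"(?:\s+users:\((?P<users>.*)\))?\s*$"
)
USER_ENTRY = re.compile(r'\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)')


@dataclass
class Conn:
    laddr: str
    raddr: str
    comm: str
    pid: int
    fd: int


def parse_ss(text: str):
    """Return one Conn per (process, fd) holding an ESTABLISHED TCP socket."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or m.group("state") != "ESTAB":
            continue  # header row, listeners, non-established states
        for u in USER_ENTRY.finditer(m.group("users") or ""):
            conns.append(Conn(m.group("laddr"), m.group("raddr"),
                              u.group("comm"), int(u.group("pid")), int(u.group("fd"))))
    return conns


def ancestors(pid: int, procs: dict):
    """Walk pid -> parent; procs maps pid to (ppid, comm). Returns comm names
    starting with the process itself."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, comm = procs[pid]
        chain.append(comm)
        pid = ppid
    return chain


def find_reverse_shells(ss_text: str, procs: dict):
    """Flag shells whose stdio is a socket or that descend from a web worker."""
    findings = {}
    for c in parse_ss(ss_text):
        if c.comm not in SHELLS:
            continue
        f = findings.setdefault(c.pid, {"pid": c.pid, "peer": c.raddr, "reasons": []})
        if c.fd in (0, 1, 2) and "shell stdio bound to socket" not in f["reasons"]:
            f["reasons"].append("shell stdio bound to socket")
        if (any(a in WEB_WORKERS for a in ancestors(c.pid, procs)[1:])
                and "shell spawned under web server worker" not in f["reasons"]):
            f["reasons"].append("shell spawned under web server worker")
    return [f for pid, f in sorted(findings.items()) if f["reasons"]]


# Constructed sample: one shell with fds 0-2 on a socket under php-fpm, a curl
# fetch, an inbound SSH session, and an SSH user's bash holding a socket on fd 3.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:41234 203.0.113.7:8096 users:(("sh",pid=4321,fd=0),("sh",pid=4321,fd=1),("sh",pid=4321,fd=2))
ESTAB 0 0 10.0.0.5:53310 198.51.100.20:443 users:(("curl",pid=4400,fd=5))
ESTAB 0 0 10.0.0.5:22 192.0.2.9:50122 users:(("sshd",pid=900,fd=4))
ESTAB 0 0 10.0.0.5:48000 203.0.113.7:8096 users:(("bash",pid=4500,fd=3))
"""
SAMPLE_PROCS = {  # pid: (ppid, comm), constructed
    4321: (4000, "sh"), 4000: (1200, "php-fpm"), 1200: (1, "php-fpm"),
    4400: (3300, "curl"), 3300: (1, "bash"), 900: (1, "sshd"),
    4500: (4499, "bash"), 4499: (1, "sshd"),
}

if __name__ == "__main__":
    for f in find_reverse_shells(SAMPLE_SS, SAMPLE_PROCS):
        print(f"pid {f['pid']} -> {f['peer']}: {', '.join(f['reasons'])}")
```

The bash session at pid 4500 holds a socket on fd 3 but was started by sshd and keeps its stdio on the terminal, so it is not flagged; only the `sh` whose fds 0, 1 and 2 all point at the same outbound connection, and which sits under `php-fpm`, is reported. Pairing this with an egress allow-list on the server (only the package mirrors and APIs it genuinely needs) turns the lecture's "outbound is never policed" into a control rather than a gap.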
Reverse Shells, DVWA, Juice Shop
From Andrew Novocin November 11, 2022
Zoom Recording ID: 4159319948
UUID: UpY4XlR+R+uOm/VVbz61ng==
Meeting Time: 2022-11-11 02:11:51pm
Tags: Department Name: ECE; Date Established: November 11, 2022