Sunday 30 January 2022

XXE(XML External Entity) - TryHackMe - OWASP TOP 10

 

Finally I am here with the topic that I was frightened of for no reason. Now I am happy that I did not give in to my fears.

 


An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers and XML data. It often allows an attacker to interact with any backend or external systems that the application itself can access, and can allow the attacker to read files on that system.

 

There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).


1) An in-band XXE attack is one in which the attacker receives an immediate response to the XXE payload.

2) In out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application, and the attacker must reflect the output of their XXE payload to some other file or to their own server.

What is XML?

XML (eXtensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is a markup language used for storing and transporting data. 

Every XML document starts with an XML Prolog.

<?xml version="1.0" encoding="UTF-8"?>

In the syntax above, the XML document version and encoding type are declared. It is not mandatory to have the prolog, but it is considered good practice. Let's consider the example below:

<?xml version="1.0" encoding="UTF-8"?>
<mail>
  <to>test111</to>
  <from>boost</from>
  <subject>About XXE</subject>
  <text>Teach about XXE</text>
</mail>


The <mail> element is the ROOT element of the XML file. An XML file is considered invalid if there is no root element present in it.

All the other elements are called child elements. XML elements can also carry attributes, such as “message” and “category”.

XXE – DTD

DTD stands for Document Type Definition. A DTD defines the structure and the legal elements and attributes of an XML document.

Let us try to understand this with the help of an example. Say we have a file named “test.dtd” with the following content.

<!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]>

#PCDATA means parseable character data. Now we can use this DTD to validate an XML document and make sure that the XML file conforms to the rules of that DTD. Let's use the previously provided example to understand how the DTD validates XML files.

<?xml version="1.0" encoding="UTF-8"?>
<mail>
  <to>test111</to>
  <from>boost</from>
  <subject>About XXE</subject>
  <text>Teach about XXE</text>
</mail>

1. !DOCTYPE note - Defines a root element of the document named note
2. !ELEMENT note - Defines that the note element must contain the elements: "to, from, heading, body"
3. !ELEMENT to - Defines the to element to be of type "#PCDATA"
4. !ELEMENT from - Defines the from element to be of type "#PCDATA"
5. !ELEMENT heading - Defines the heading element to be of type "#PCDATA"
6. !ELEMENT body - Defines the body element to be of type "#PCDATA"
7. Note: !ENTITY - Defines an item of data that can be referenced from within the XML document.


Now let's look at some payloads and how they work.

 

<!DOCTYPE replace [<!ENTITY name "boost"> ]>
<userInfo>
  <firstName>falcon</firstName>
  <lastName>&name;</lastName>
</userInfo>


As we can see, we define an ENTITY called name and assign it the value boost, and later we reference that entity (&name;) in the document, where the parser replaces it with its value.


<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>


The syntax above reads a file from the system by declaring an ENTITY with the SYSTEM keyword. Here the entity is named read, and its SYSTEM identifier points at the file to be read; wherever the parser expands &read;, the contents of that file are inserted into the document.




 


<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///home/falcon/.ssh/id_rsa'>]>
<root>&read;</root>


By submitting the payload above, we will be able to read the user's .ssh private key from the system.
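As an added defensive example (not code from the TryHackMe room or the original post), the Python below is the check an application should run on untrusted XML before parsing: every payload shown above needs a DOCTYPE or ENTITY declaration, so any document carrying one is refused outright, while the plain <mail> document still parses. The two sample documents are constructed inline from the examples above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the benign <mail> document and the file-read payload shown above.
BENIGN_MAIL = """<?xml version="1.0" encoding="UTF-8"?>
<mail>
  <to>test111</to>
  <from>boost</from>
  <subject>About XXE</subject>
  <text>Teach about XXE</text>
</mail>"""

XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>"""

# A DOCTYPE (internal subset or external reference) or an ENTITY declaration is
# what every XXE payload needs; ordinary API input needs neither, so the policy
# is simply "no DTD at all". A marker inside an XML comment is rejected too.
_DTD_MARKERS = re.compile(r"<!DOCTYPE|<!ENTITY")


def find_dtd_markers(document: str) -> list:
    """Return every DTD/entity marker in the document, in order, for logging."""
    return [m.group(0) for m in _DTD_MARKERS.finditer(document)]


def safe_parse(document: str) -> ET.Element:
    """Reject documents that carry a DTD before they reach the parser.

    The caller must already have decoded the request body (for example as
    UTF-8); matching on undecoded UTF-16 bytes would miss the markers.
    Raises ValueError so the web layer can log the attempt and answer HTTP 400.
    """
    markers = find_dtd_markers(document)
    if markers:
        raise ValueError(f"rejected XML with DTD markers: {markers}")
    # ElementTree (expat) does not fetch external entities itself, but the
    # explicit check keeps the policy independent of whichever parser is used.
    return ET.fromstring(document)


if __name__ == "__main__":
    print(safe_parse(BENIGN_MAIL).find("subject").text)
    try:
        safe_parse(XXE_PAYLOAD)
    except ValueError as exc:
        print(exc)
```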






That's it folks!!! I will be adding a few new blogs on the OWASP TOP 10 Labs.

 



Monday 24 January 2022

Broken Authentication - TryHackMe - OWASP Top 10


Authentication and session management constitute core components of modern web applications. Authentication allows users to gain access to web applications by verifying their identities. The most common form of authentication is using a username and password mechanism. 

A user enters these credentials and the server verifies them. If they are correct, the server provides the user's browser with a session cookie. A session cookie is needed because web servers communicate over HTTP(S), which is stateless; attaching a session cookie means the server knows who is sending what data.

Example:

In the TryHackMe lab, browse to the machine's IP address and open the application. Try to register the username darren; you'll see that the user already exists. Then try to register the user " darren" (with a space in front of the name) and you'll see that you are now logged in and can see content that should be visible only in Darren's account, which in our case is the flag you need to retrieve.

Try to log in to the application and access Darren's and Arthur's accounts. To log in to Darren's account, create a user with the same username but with a space before it, and access the flag. The same goes for Arthur's account.

Step 1: Provide the username “Darren” and try to create the user; an error states “The user is already registered”.



Step 2: Register the “Darren” user with a space before the username; the application logs you into the actual Darren account and the flag is shown. The same method applies for the “Arthur” user.






The below flag is used for the Darren user in the application.



The below flag is used for the Arthur user in the application.



Remediation:

There can be various mitigations for broken authentication mechanisms depending on the exact flaw:

  • To avoid password guessing attacks, ensure the application enforces a strong password policy.
  • To avoid brute force attacks, ensure that the application enforces an automatic lockout after a certain number of attempts. This would prevent an attacker from launching more brute force attacks.
  • Implement Multi-Factor Authentication - If a user has multiple methods of authentication, for example using a username and password and receiving a code on their mobile device, then it would be difficult for an attacker to obtain both credentials to get access to their account.
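The flaw in this lab is that " darren" and "darren" are stored as two accounts but later treated as one. As an added example (not the lab's code), the Python below shows the fix on the registration side: usernames are reduced to one canonical form (whitespace stripped, Unicode normalised, case-folded) before both the duplicate check and every later lookup, so the second registration fails with the same error the lab shows. The UserRegistry class and its in-memory store are constructed for this example.

```python
import unicodedata


def canonical_username(raw: str) -> str:
    """Reduce a submitted username to the single form that identity checks use.

    Every whitespace character is removed, Unicode is normalised (NFKC folds
    look-alike forms such as full-width letters), and the result is case-folded,
    so " darren", "Darren" and "darren" all collapse to "darren".
    """
    folded = unicodedata.normalize("NFKC", raw)
    folded = "".join(folded.split())  # drops leading, trailing and inner whitespace
    return folded.casefold()


class UserRegistry:
    """Minimal in-memory user store (constructed for this example)."""

    def __init__(self):
        self._users = {}  # canonical name -> display name as first registered

    def register(self, username: str) -> str:
        key = canonical_username(username)
        if not key:
            raise ValueError("username is empty after normalisation")
        if key in self._users:
            # Same refusal for " darren" as for "darren": no second account can
            # exist that the login path would later confuse with the first one.
            raise ValueError("The user is already registered")
        self._users[key] = username.strip()
        return key

    def lookup(self, username: str):
        """Return the stored display name or None, using the same canonical key."""
        return self._users.get(canonical_username(username))
```

Apply the same canonical form when the session is created and when authorisation checks compare the current user to the owner of a record; normalising only at registration leaves existing duplicate accounts in place.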



Command Injection - TryHackMe - OWASP TOP 10 labs

Finally, back after a week-long break!!! Now I am working on my OWASP skills and the notes are as follows



Command Injection occurs when server-side code (like PHP) in a web application makes a system call on the hosting machine.  It is a web vulnerability that allows an attacker to take advantage of that made system call to execute operating system commands on the server.

ACTIVE AND BLIND COMMAND INJECTION

Active command injection will return the response to the user.  It can be made visible through several HTML elements. 

Blind command injection occurs when the system command made to the server does not return the response to the user in the HTML document.

 

ACTIVE COMMAND INJECTION EXAMPLE

Let's consider a scenario where a company called Evil Corp. is working on a web-based shell but accidentally exposed it to the internet. Now let's see how this vulnerability can be exploited.



In the pseudo code provided above

1. In line 2, we check whether the parameter “commandString” is set.
2. In line 4, the value of “commandString” is taken as the input.
3. From line 5, the program enters the try block to execute the “passthru” call.
4. The passthru() function is like the exec() function in that it executes a command. This function should be used in place of exec() or system() when the output from the Unix command is binary data which needs to be passed directly back to the browser.
5. If the try fails, output the error to the page. Generally, this won't output anything because you can't output stderr, but PHP doesn't let you have a try without a catch.

Ways to detect Active Command Injection

We know that active command injection occurs when you can see the response from the system call. The function “passthru()” is basically passing the response directly to the document. The function call here to “passthru()” may not always be what's happening behind the scenes, but I felt it was the easiest and least complicated way to demonstrate the vulnerability.

Commands to try

Linux

To learn more about the commands below use man <command>

  • whoami – provides the username of the current user
  • id – provides the user and group names and IDs (UID and group ID)
  • ifconfig/ip addr – provides the IP address of the system it is executed on
  • uname -a – prints all the system information
  • ps -ef – snapshot of all the running processes (ps); the -e option selects all processes, -f gives the full format

Windows

To learn more about the commands below use <command> help

  • whoami – provides the username of the current user
  • ver – provides the Windows version that is running on the server
  • ipconfig – provides the IP address of the system it is executed on
  • tasklist – provides the list of tasks that are running on the server
  • netstat -an – provides all connected and listening ports and displays all addresses and ports in numerical form
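From the defender's side, the enumeration commands listed above are what an attacker's first requests to an exposed web shell look like. As an added detection example (not part of the room), the Python below scans web server access-log lines for requests whose commandString parameter carries shell metacharacters or one of those commands. The log lines and the /shell.php path are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The enumeration commands listed above (Linux and Windows), matched as whole
# tokens of the decoded commandString value; "ip addr" is covered by "ip".
ENUM_COMMANDS = ("whoami", "id", "ifconfig", "ip", "uname", "ps", "ver",
                 "ipconfig", "tasklist", "netstat", "cat")
# Characters that chain, pipe, substitute or redirect commands in a shell.
META_CHARS = re.compile(r"[;&|`$<>\n]")

# Constructed access-log lines; /shell.php stands in for the exposed page.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2022:10:00:01 +0000] "GET /shell.php?commandString=ls HTTP/1.1" 200 512
10.0.0.9 - - [24/Jan/2022:10:00:07 +0000] "GET /shell.php?commandString=ls%3Bwhoami HTTP/1.1" 200 530
10.0.0.9 - - [24/Jan/2022:10:00:09 +0000] "GET /shell.php?commandString=cat+/etc/passwd HTTP/1.1" 200 2048
10.0.0.7 - - [24/Jan/2022:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 1024
"""
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def classify(value: str) -> list:
    """Return the reasons a commandString value looks like injection (empty if clean)."""
    reasons = []
    if META_CHARS.search(value):
        reasons.append("shell metacharacter")
    tokens = set(re.split(r"[\s;&|`$()]+", value))
    reasons.extend(f"enumeration command {c}" for c in ENUM_COMMANDS if c in tokens)
    return reasons


def find_injection_attempts(log_text: str) -> list:
    """Return (ip, timestamp, decoded value, reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)  # percent-decodes the value
        for value in query.get("commandString", []):
            reasons = classify(value)
            if reasons:
                hits.append((m["ip"], m["ts"], value, reasons))
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```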

Questions:

1. What strange text file is in the website root directory?

Answer: drpepper.txt





 

2. How many non-root/non-service/non-daemon users are there?

Answer: 0





3. What user is this app running as?

Answer: www-data


4. What is the user's shell set as?

Answer: /usr/sbin/nologin



5. What version of Ubuntu is running?

Answer: 18.04.4 LTS


6. Print out the MOTD.  What favorite beverage is shown?

Answer: DR PEPPER

In App:



In Terminal:



That's All folks for now. 







Monday 17 January 2022

MySQL Enumeration and Exploitation

 


This is the last lab from the TryHackMe Network Services 2 module. It can be accessed only by premium users.

MySQL, as an RDBMS, is made up of the server and utility programs that help in the administration of MySQL databases.

The server handles all database instructions like creating, editing, and accessing data. It takes and manages these requests and communicates using the MySQL protocol. This whole process can be broken down into these stages:

  1. MySQL creates a database for storing and manipulating data, defining the relationship of each table.
  2. Clients make requests by making specific statements in SQL.
  3. The server will respond to the client with whatever information has been requested.

MySQL can run on various platforms, whether Linux or Windows. It is commonly used as a back-end database for many prominent websites and forms an essential component of the LAMP stack, which includes Linux, Apache, MySQL, and PHP.

Enumeration

Typically, you will have gained some initial credentials from enumerating other services that you can then use to enumerate and exploit the MySQL service. As this room focuses on exploiting and enumerating the network service, for the sake of the scenario, we're going to assume that you found the credentials: "root:password" while enumerating subdomains of a web server. After trying the login against SSH unsuccessfully, you decide to try it against MySQL.

Knowing the default credentials, we can log in using the mysql client. Let's double-check by manually connecting to the MySQL server with the command

"mysql -h [IP] -u [username] -p"





We're going to be using the "mysql_sql" module in Metasploit.






Using this Metasploit module we can list the databases present in the MySQL DBMS. By default it runs the "select version()" query; after changing the "sql" option to "show databases" we can see that 4 databases are present in the DBMS.

Exploitation

Let's exploit the database fully and gain more sensitive information than just database names. We know:

1. MySQL server credentials

2. The version of MySQL running

3. The number of Databases, and their names.







Let's search for and select the "mysql_schemadump" module. Set the relevant options, run the exploit. You have now dumped the tables, and column names of the whole database. But we can do one better... search for and select the "mysql_hashdump" module. 





Hashes are, very simply, the product of a cryptographic algorithm that turns a variable-length input into a fixed-length output. We can see in the output that there are different credentials. The password for the other user is hashed. Use the command below to crack the password.

“john hash.txt”





Using the cracked password, log in to the machine over SSH and access the flag.
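What john does with the hashdump output is exactly what an administrator can do ahead of time against their own mysql.user table. As an added example (not from the room), the Python below recomputes the mysql_native_password hash (SHA1 of SHA1, hex, prefixed with '*') for a short deny-list of banned passwords and flags accounts that use one, or that are permitted to connect from any host ('%'), which is the combination that made "root:password" exploitable over the network here. The user rows and the deny-list are constructed; the hashes are computed, not taken from the lab.

```python
import hashlib


def mysql_native_password_hash(password: str) -> str:
    """Hash as stored by MySQL's mysql_native_password plugin: '*' + SHA1(SHA1(pw)).

    MySQL 8 defaults to caching_sha2_password, which uses a salted scheme; this
    audit covers the older plugin, which is what a hashdump of a 5.x server shows.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed mysql.user rows in the (user, host, hash) shape a hashdump yields.
USER_ROWS = [
    ("root", "%", mysql_native_password_hash("password")),
    ("app", "localhost", mysql_native_password_hash("c0rrect-h0rse-battery")),
    ("backup", "10.0.0.%", mysql_native_password_hash("123456")),
]

# Constructed deny-list; in practice use your organisation's banned-password list.
BANNED_PASSWORDS = ["password", "123456", "root", "mysql"]


def audit_users(rows, banned) -> dict:
    """Return {'user@host': [findings]} for accounts that violate the policy."""
    banned_hashes = {mysql_native_password_hash(p) for p in banned}
    findings = {}
    for user, host, pw_hash in rows:
        problems = []
        if host == "%":
            problems.append("reachable from any host; restrict the host column")
        if pw_hash in banned_hashes:
            problems.append("password matches a deny-list entry")
        if problems:
            findings[f"{user}@{host}"] = problems
    return findings


if __name__ == "__main__":
    for account, problems in audit_users(USER_ROWS, BANNED_PASSWORDS).items():
        print(account, problems)
```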











 


Sunday 16 January 2022

SMTP Enumeration and Exploitation



This is a TryHackMe Network Services 2 lab and it is available only on premium version. 

SMTP stands for "Simple Mail Transfer Protocol". It is used to handle the sending of emails. To support email services, a protocol pair is required, comprising SMTP and POP/IMAP. Together they allow the user to send outgoing mail and retrieve incoming mail, respectively.

The SMTP server performs three basic functions:

  •  It verifies who is sending emails through the SMTP server.
  •  It sends the outgoing mail
  •  If the outgoing mail can't be delivered it sends the message back to the sender.

POP, or "Post Office Protocol", and IMAP, "Internet Message Access Protocol", are both email protocols that are responsible for the transfer of email between a client and a mail server.

SMTP Workflow

1.    The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain, for example smtp.google.com. This initiates the SMTP handshake. This connection works over the SMTP port, which is usually 25. Once these connections have been made and validated, the SMTP session starts.

     1. The process of sending mail can now begin. The client first submits the sender, and recipient's email address- the body of the email and any attachments, to the server.

     2. The SMTP server then checks whether the domain name of the recipient and the sender is the same. 

     3. The SMTP server of the sender will make a connection to the recipient's SMTP server before relaying the email. If the recipient's server can't be accessed or is not available- the Email gets put into an SMTP queue. 

     4. Then, the recipient's SMTP server will verify the incoming email. It does this by checking if the domain and username have been recognised. The server will then forward the email to the POP or IMAP server, as shown in the diagram above.

     5. The E-Mail will then show up in the recipient's inbox.

Enumeration

We want to fingerprint the server to make our targeting as precise as possible. We're going to use nmap to scan the ports on the machine and the "smtp_version" module in Metasploit to do this.



The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual addresses behind user aliases and mailing lists). Using these SMTP commands, we can reveal a list of valid users.







We can do this manually over a telnet connection; however, Metasploit comes to the rescue again, providing a handy module appropriately called "smtp_enum". Using it we will be able to get the username.
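Seen from the mail server, smtp_enum or a manual telnet session is a burst of VRFY/EXPN commands from one client. As an added example (not from the room), the Python below models the server side of that exchange: a handler that answers VRFY and EXPN with the RFC 5321 non-committal replies (252 and 502), so no mailbox is ever confirmed, and that counts the probes per client so repeated enumeration can be alerted on. The client transcript and the handler class are constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed client commands (ip, line): one client probes for mailboxes the
# way an enumeration module would; the other is a normal session.
TRANSCRIPT = [
    ("10.10.14.3", "EHLO attacker"),
    ("10.10.14.3", "VRFY root"),
    ("10.10.14.3", "VRFY admin"),
    ("10.10.14.3", "EXPN staff"),
    ("10.10.14.3", "VRFY postmaster"),
    ("10.10.22.8", "EHLO laptop"),
    ("10.10.22.8", "VRFY alice"),
]


class SmtpHardeningHandler:
    """Answers the user-enumeration commands without confirming any mailbox and
    keeps per-client counts so repeated probing can be flagged (constructed)."""

    VRFY_REPLY = "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
    EXPN_REPLY = "502 5.5.1 Command not implemented"

    def __init__(self):
        self.probe_counts = Counter()           # client ip -> VRFY/EXPN attempts
        self.probed_names = defaultdict(list)   # client ip -> names asked about

    def handle(self, client_ip: str, line: str) -> str:
        """Return the server reply for one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("VRFY", "EXPN"):
            self.probe_counts[client_ip] += 1
            self.probed_names[client_ip].append(arg)
            return self.VRFY_REPLY if verb == "VRFY" else self.EXPN_REPLY
        if verb == "EHLO":
            return "250 mail.example.test Hello"   # placeholder hostname
        return "500 5.5.1 Command unrecognized"   # other verbs omitted here

    def suspicious_clients(self, threshold: int = 3) -> list:
        """Clients that issued at least `threshold` VRFY/EXPN commands."""
        return sorted(ip for ip, n in self.probe_counts.items() if n >= threshold)


def replay(transcript, threshold: int = 3):
    """Run a transcript through the handler; return (ip, command, reply) rows and flagged IPs."""
    handler = SmtpHardeningHandler()
    replies = [(ip, cmd, handler.handle(ip, cmd)) for ip, cmd in transcript]
    return replies, handler.suspicious_clients(threshold)
```

On Postfix the equivalent configuration is disable_vrfy_command = yes; the counting logic belongs in whatever consumes the MTA's logs.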



Exploitation

We used the hydra tool to brute force the login credentials of the ssh port and we were able to find the password. The hydra command used is provided below.

hydra -t 16 -l USERNAME -P /usr/share/wordlists/rockyou.txt -vV 10.10.86.60 ssh


Section         Function
hydra           Runs the hydra tool
-t 16           Number of parallel connections per target
-l username     Points to the user whose account you're trying to compromise
-P path         Points to the file containing the list of possible passwords
-vV             Verbose, shows the login+pass combination for each attempt
Machine IP      IP address of the target
ssh / protocol  Sets the protocol




    

As an SSH port is open and we now have a username and password, we log in with those credentials and access the flag.