Lab #2: Basic exploitation and reconnaissance

Due: Saturday, Sep 10 11:59PM

Introduction

Over the past several years, I have spent countless hours analyzing youth social media trends to try and discover what’s “in” with the kids these days. Using data painstakingly collected in double-blind market research studies, I have created the next great cultural phenomenon that will take the Internet by storm:

TickTock,

the app that tells you the current time and lets you share your favorite clocks with your friends!

Unfortunately, my co-founders and I blew our funding on a collection of a few dozen gold-plated wristwatches to display around the office, so we ran out of money before we could hire a security team. Luckily, I have access to the next best thing: you!

Lab structure

This lab is part one of a two-part series. In the first part, your goal will be to discover as much information as possible about TickTock’s attack surface and complete a basic attack.

For this assignment, you will want to use the Lab 2 environment in Virginia Cyber Range. Once there, you can access the TickTock server at terminal.example.com in VCR. For example, visiting http://terminal.example.com in your browser should show you a webpage that looks something like the following:

Screenshot of the TickTock website on Virginia Cyber Range.

Tools

In this lab, you will need to use (at a minimum) the following tools:

These should all be pre-installed in your VM. In addition, you will want to have access to some wordlists. The VM should come with the wordlists from the SecLists repository, which you can find in the /usr/share/wordlists directory.

Grading and submission

Each problem asks you to complete different tasks and write a description of your findings. At the end of this assignment, you should submit a document with your answers to each of the problems through Collab.

Each problem is worth a different number of points, roughly based on difficulty and the amount of work you should put into them. You will be graded based on your ability to complete the assigned tasks and demonstration of understanding of basic network scanning and web exploitation techniques.

Problems

Problem 1 (3 points)

Using nmap, generate a list of all of the exposed services on the target server (you should see 6 open ports in total). Provide the command that you used as well as a description of all of the services you were able to identify, including

  • The service name,
  • what port(s) it’s using,
  • its version number (if available), and
  • a description of what that service does and what it’s typically used for (you may have to do some Googling).

Each of these services is used in some form by TickTock. You should think about what role they might play in running the server.

Hints:
  • In some cases, you may find it useful to explore the services that you identify with your initial nmap scap using other tools, e.g. curl, ffuf, and your web browser. Note that not all of the services use HTTP and may not respond to HTTP requests.
  • There are five services in total; one of those services uses two ports. You should be able to determine which of those services is running on two ports from your scans.
  • Nmap will do its best to guess the service running on a port, but it isn’t always correct. You should look at the full output of your Nmap scan – not just the value in the “Service” column – to check what program is running on that port. If possible, you should try to verify that you have the service correct by connecting to it with other tools.

Problem 2 (1 point)

Enumerate all of the pages that you can find under / on the webserver using ffuf. One of the pages should contain a flag (formatted as flag{...}).

Submit the flag, along with the command you used and a list of the pages you discovered using ffuf.

Hints: for this and the next few problems, you will have to use ffuf to scan the webserver. You can learn about all of the options available for ffuf using ffuf --help, or by checking the GitHub page for ffuf.

To practice using ffuf, you can try using it against http://ffuf.me (which also contains tips on how to perform a variety of other scans using ffuf). For instance, here is how you would perform basic page/directory discovery against http://ffuf.me:

$ ffuf -w /path/to/wordlist -u http://ffuf.me/FUZZ

This is very similar to the command you will have to use for this problem.

The desktop should have some pre-installed wordlists that you can find in the /usr/share/wordlists/ directory; these wordlists come from Daniel Miessler’s SecLists repository. I would suggest trying out some of the wordlists in Discovery/Web-Content/, e.g. the directory-list-*.txt wordlists.

Here are some other flags you might find useful while using ffuf:

  • -ic: some wordlists contain comments, which are typically prefixed by #. You can use -ic to ignore lines that are commented out.
  • -c: colorized output.

Problem 3 (1 point)

Each post on the webserver has a unique integer ID. The flag for this problem is contained in the post with the highest ID.

Submit the flag, along with the command(s) you used to find the post.

Hints:
  • Start by figuring out how to see a post with a specific ID.
  • Once you’ve figured out how to check whether a post with an ID exists, look up how to use pipes to give custom wordlists to ffuf on ffuf.me. You’ll probably want to use the seq command. Another option is to use seq ... > wordlist.txt to write the output of seq to a file, and then pass that into ffuf the normal way.
  • The highest post ID is below 10,000.

Problem 4 (2 points)

Enumerate the users on the webserver (by default there should be six, in addition to any users that you create). One of the users should have a flag for their username.

Submit the flag, as well as a summary of how you discovered it. Your summary should include the commands that you used, as well as a description of how you figured out how to identify what users exist on the server.

Hints: For this problem, you’ll want to start by using the browser’s developer tools and look in the “Network” tab. This tab shows you what resources your browser loads whenever you visit a webpage.

Try visiting some pages on TickTock and see the various requests that your browser makes. Eventually, you should find something that will allow you to enumerate the users on the webserver very easily.

Problem 5 (2 points)

For the last problem, you will be demonstrating a cross-site scripting (XSS) attack against the website. To do this, you will need to go through the following steps:

Identification: identify a potential XSS vector in the site. You should look for areas where you are able to upload arbitrary HTML, e.g. <b>hello, world</b> (which should render “hello, world” in bold font).

Proof-of-concept: perform a simple proof-of-concept to demonstrate that you can perform XSS using the attack vector that you previously identified. You should try to run something simple, e.g. alert("xss") (which should create a pop-up dialog).

You shouldn’t need to know much JavaScript for this problem, but if you want to practice you can run JavaScript snippets in the “Console” tab of your browser’s developer tools.

Create a PoC that doesn’t require interaction: if you haven’t already, modify your proof-of-concept to work without requiring any user interaction. You may need to try some of the other methods described on the OWASP page linked in the hints.

Submit a summary of the attack vectors that you tried (even the incorrect ones!) and a description of your final proof-of-concept, as well as the process you used to arrive at it. Submit screenshots that demonstrate the proof of the validity of your proof-of-concept attack.

Hints:
  • You won’t be able to inject <script>...</script> tags directly. You should try some of the alternative XSS mechanisms on OWASP’s XSS filter evasion page instead.