-
Wifi: StaQ-Security - Staq-2017
-
VM: ssh root@localhost:17022
-
Username: root
-
Password: crashoverride
You can verify the result of your efforts by running:
/root/staq_check
This program looks up the entered value in a file named dictionary.txt. The implementation however is extreme susceptible for "command-injection" (otherwise known as OS-injection). Change the program in a way this isn't possible anymore.
You can find the program in /var/www/html/level1
--
You can separate commands in linux using a ;
--
As an example, search for "a; cat /etc/passwd"
(without the quotes).
This page contains an SQL-injection leak. This makes it very easy to circumvent the login-page. Modify the code to prevent this.
Username for level 2 is "level2"
without the quotes.
--
An example was given during the presentation.
--
Try and use " or "1"="1
as password.
This level has a modified 404 page, it is vulnerable for a XSS (Cross Site Scripting) attack. Modify the code to prevent this.
--
Visit the modified 404 page (http://yourhost/level3/idontexist)
--
Maybe you can provide a javascript alert in the address-bar?
--
For example http://yourhost/level3/idontexist<script>alert('hello');</script>
Though it is often disabled, SELinux or its counterpart AppArmor provide hardening within the operating system. SELinux is currently disabled on our demo system. If it were enabled the http daemon would still be allowed to connect to other network-services. You can check this by browsing to http://yourhost/proxypass/
Try enabling SELinux and find the setting to disable the http daemon connecting to other network services.
If you do this correctly then you wouldn't see Nee!
anymore on the aforementioned link.
--
Using getenforce
you can see the current SELinux status.
Maybe you can "set" another value?
--
Using getsebool
you can view various settings of SELinux.
--
Like httpd_can_network_connect
Even though SSH is one of the more secure ways to connect to a remote server, there are still some bad configuration choices to be made. The SSH daemon has been badly configured. Ideally you'd want to connect using an ssh-key. But if you need to permit password-based authentication then at least make sure that a certain user can't...
--
Which users are permitted to log-in?
--
Should the root
user be able to connect remotely?
Even though telnet is a very outdated and insecure application it still has its use for some specific solutions. Telnet is enabled on our demo-system. Disable it without deleting/uninstalling the package itself.
--
How is telnet started on this system?
--
Hint: xinetd
--
Configuration is usually found in the /etc
directory (or a subdirectory thereof.
It's good practice to have a local firewall on every system. Make sure you have a working firewall on your demo system. Be sure not to lock yourself out :)
--
The firewall is created and managed with iptables
--
Make sure you permit at least SSH traffic (port 22) for yourself.
--
REJECT or DROP all traffic after permitting legitimate traffic on the INPUT and FORWARD chains.
--
Is iptables automatically started on runlevel 3?
--
This is checked and managed by the chkconfig
program.
Our demo system is a bit outdated. It contains some vulnerabilities you'd like to get rid of. Amongst others it is vulnerable for the shellshock and dirty-cow vulnerabilities. Make sure these can't be used anymore.
--
Are there any available updates for this system?
--
You can check this using yum list updates
The http daemon has an old and crude ssl configuration. You'd like to improve this configuration. Use the /root/testssl.sh
script to test your setup and see if you can achieve the following objectives:
- Disable SSLv3
- Disable Low, Medium en DES ciphers
- Solve the RC4, POODLE en Heartbleed vulnerabilities
--
You will find the configuration for the http daemon in /etc/httpd
--
In one of the subdirectories you will find a file called ssl.conf
--
Using -
en !
help with disabling settings
The sudo
program is often used to give users limited super-user rights on a linux system. If you're not careful a user can quickly obtain too many rights. The user quintor
has some specific rights, however the setup contains some "leaks" discover these and try to understand why this is a risk.
--
The config for sudo can be found in /etc/sudoers.d
--
The user quintor
is allowed to run a whoami
program
--
Who is the owner of this file?
--
Which rights have been assigned to this file?
Like assignment 10 there are more commands the user quintor
is allowed to run.
--
The user quintor
can also run a bunch of print*
commands.
--
Which rights have been assigned to these commands?
--
And how are the rights on the folder?
The user quintor
is allowed to configure and control apache. It is possible to obtain root rights with this configuration. Try to discover and understand how this is possible and prevent it.
--
Which config would the user be able to change?
--
Perhaps this is a rights problem as well?