- Introduction
- Disclaimer
- FAQ
- Getting started
- Architecture
- Task 1: The Bleeding Edge
- Task 2: The Encoded Secret
- Task 3: Tricking John Doe
- Task 4: Happy Birthday Attack
- Task 5: A Stranger in the Network
- The Master Secret
In this challenge, you will have to perform a few penetration testing tasks against an infrastructure on AWS in order to reveal confidential information and extract Master Characters, which then will reveal a Master Secret. A Master Secret, within this challenge's context only, is a "word" composed of 6 Master Characters which can be used to verify whether or not you performed the tasks correctly. At the end of each task, there will be a section explaining how to use the information retrieved in the task to generate a Master Character.
The techniques you will learn in this challenge are used by both real hackers and penetration testing professionals. The goal is just to educate you on how hackers and penetration testers break into systems and it is not Slalom's responsibility if you use these techniques to cause damage to others. Note that the environment we are providing to you has been approved by AWS to be penetrated.
In this challenge, you will learn how to:
- Exploit a serious OpenSSL vulnerability using Metasploit (a popular Penetration Testing Framework)
- Use encoding schemes and hash functions to obscure information
- Launch an SQL Injection attack on a vulnerable Node.js application and retrieve passwords from a database
- Crack passwords
- Eavesdrop the communication between two servers and retrieve confidential information (just like Cyber criminals would do in a coffee shop with a public Wi-Fi)
- and more...
To take this challenge, you will have to provision the same base infrastructure Slalom provided the attendees during the event. Follow the tutorial in the run-your-own-dojo folder to provision your own base infrastructure before proceeding.
Within Slalom Dojo's challenge's context only, a base infrastructure is the infrastructure that Slalom provides you with at the start of the challenge.
To help you out, some tasks will have a Pro Tips section with tips how to solve the task.
The base infrastructure consists of an attacker and target machines. The Attacker is a Kali Linux server and the Target is an Ubuntu 16.04 server. Instead of performing the attacks from your own machine, you will SSH into the Kali Linux machine to perform the attacks since Kali comes with all the tools you will need.
However, to make sure that everyone has the same environment before logging into the server, you will spin up a Docker container which will contain the private key needed to SSH.
Issue the following Docker command:
docker run --rm -it -e "URL1=<URL1>" thedojoseries/env:pentest
The command above will spin up a container using the thedojoseries/env image and tag pentest (each Dojo has its own tag for the thedojoseries/env image). You will also notice that you need to specify one environment variables: URL1. You will be given further instructions at the beginning of the challenge. If you Docker command fails, please reach out to one of the organizers.
Once you are in the container, ssh into the Kali machine (the has been provided to you):
$ ssh -i ~/.ssh/private ec2-user@<PUBLIC-IP>
The authenticity of host 'XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX)' can't be established.
ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
ec2-user@kali:~$
Now that you're in the Kali machine, let's begin!
As already mentioned, the base infrastructure is very simple. It consits of an attacker and target machiens. You will SSH into the Attacker server and attack the target. It's that simple!
PS: I'm sure you might be wondering what is that dotted line connecting both servers. That will be explained later :)
In this first task, you will use a popular penetration testing framework called Metasploit. The goal will be to use Metasploit to exploit the Heartbleed vulnerability and read the memory of the Target server, which is running a Docker container with a vulnerable version of the openssl tool.
In the Kali machine, run the following command to initialize the Metasploit Framework:
$ msfconsole
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
=[ metasploit v4.17.3-dev ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
PS: You might see the same or a different drawing. Check this tutorial to learn more about a few of the Metasploit commands
Now that you've got the Metasploit prompt, it's time to launch the exploit. Here are a few tips that will help you complete this task:
- Read a little bit about what are modules within Metasploit. Now, search for
heartbleed. After a few seconds, Metasploit will output two modules. Use the one whose description readsOpenSSL Heartbeat (Heartbleed) Information Leak - In Metasploit, using a module means loading it. See how you can use the Heartbleed module you just found
- Once you're in the module, you will have to set two variables: RHOSTS and RPORT. These variables tell Metasploit the IP address of the target and the port the target is listening on. If you want to find out all the variables the module can work with, type in
show options. Finally, you can run the exploit. Take a look at this short tutorial to learn how to run exploits.
If you run the exploit and got the following output:
> exploit
[+] 172.21.0.24:8443 - Heartbeat response with leak
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
That's NOT very exciting! Try setting the variable VERBOSE to true and see what happens.
Get the full name of the module you used to exploit the Heartbleed vulnerability. The full name of the module includes the module type. For example, the exploit module multi/http/struts2_namespace_ognl full name is exploit/multi/http/struts2_namespace_ognl.
Once you have the name of the module, encode it using the base64 command in the Kali machine (whenever using echo with base64, use the -n flag to remove the newline char at the end, otherwise you'll get a different encoded text due to the newline char).
The Master Character of this task is the 16th character of the resulting base64 encoded string.
In task 2, you will have to retrieve an HTTP header generated by the Target's Nginx web server. From the Kali machine, send an HTTP request to Nginx (no endpoint needed) and look for a header called X-Server-Secret.
The X-Server-Secret header contains a Base64 encoded string. Once you retrieve the header, decode the string (which starts with cGV...). You will use the decoded string to generate the Master Character of this task.
Hopefully you found this task a piece of cake! But we're just getting ready for tasks 3 and 4!
To generate the Master Character of this task, grab the decoded string and use tools in the Kali Linux machine to run the string through a SHA-256 function to generate a Raw Hash. There are so many websites that generate hashes for you using different functions, but try using only Kali for this exercise.
The Master Character of this task is the 10th character of the resulting SHA-256 Raw Hash.
Now things will start to get a little bit more complicated. In this task, you will use Kali to attack a vulnerable Node.js API running on the target machine.
This Node.js API has been purposely coded to allow an SQL Injection. Take a look at the code.
When you send a GET request to /user/:id (e.g. /user/1), Node.js talks to a MySQL Database to retrieve the username corresponding to the ID in the request path. Here's the database schema (and data sample) of the USERS database:
+----+----------+-------------------------+--------------+
| id | username | password | salt |
+----+----------+-------------------------+--------------+
| 1 | johndoe | c2342f404a55...caf009ea | passwordsalt |
+----+----------+-------------------------+--------------+
Each entry in this database consists of a user ID, username, SHA-256 hashed password, and salt used to generate the hashed password. If you're not familiar with the concept of hashed password and salts, check out this article.
The goal of this task is to send a malicious HTTP request to the Node.js API and retrieve the password and salt of the user with ID = 1. If you send a simple request like this:
$ curl target.dojo:3000/user/1
["johndoe"]
You will get an array back with the corresponding username. What you need to do is modify the request so the Node.js sends back the corresponding password and salt.
PS: Do not use any tool installed in Kali. You should be able to trick Node.js into returning the password and salt by modifying the curl request above.
To make this task even more interesting, once you retrieve the password and the salt, you will have to crack the password. This means that both hashed password and salt should be input to a program and the program should figure out the real password. To achieve this, you'll use one of the most popular tools for cracking passwords: Hashcat. But wait!
Before you start using Hashcat, it is important to understand what a Wordlist is. Instead of relying on a Brute Force attack to crack the password, Hashcat should be provided with a wordlist. Read below to learn more about how you should generate this wordlist.
Remember the previous task when you generated an SHA-256 Raw Hash? You will use parts of that hash to generate a wordlist. In Kali, one way to generate wordlist is to use Crunch.
Crunch accepts patterns that can be used to generate a more specific wordlist. For example, you can use crunch to generate a wordlist where the first two characters are numbers and the last four are uppercase letters. For this exercise, use Crunch to generate a wordlist where the first three (3) characters are 406 and the last three (3) are c74. All the words in the list should have twelve (12) characters in total, which means that there should be six characters between 406 and c74.
When you use Crunch to generate a wordlist with such requirements, crunch will ask you whether the characters in between 406 and c74 are numbers, symbols, uppercase or lowercase letters. The six (6) characters in between should be lowercase letters:
4 0 6 @ @ @ @ @ @ c 7 4
|_________|
Lowercase
letters
Refer to these articles to learn more:
Comprehensive Guide to Crunch Tool
Making a Perfect Custom Wordlist Using Crunch
Creating Wordlists With Crunch
Once you generate the wordlist, you should have something like the following:
406aaaaaac74
406aaaaabc74
406aaaaacc74
406aaaaadc74
406aaaaaec74
406aaaaafc74
406aaaaagc74
...
406zzzzzuc74
406zzzzzvc74
406zzzzzwc74
406zzzzzxc74
406zzzzzyc74
406zzzzzzc74
Now that you have the wordlist, time to crack the password! :)
Here are a few links to help you out with this task:
KALI – How to crack passwords using Hashcat
Cracking Salted MD5 With Hashcat
MD5($salt.$pass) hashcat syntax, help?
PS: Note that some of these links explains how to crack passwords hashed with the MD5 algorithm, but the password you retrieved from the database has been hashed with the SHA-256 algorithm.
If you run hashcat and you get the following error:
hashcat (v4.1.0) starting...
* Device #1: Not a native Intel OpenCL runtime. Expect massive speed loss.
You can use --force to override, but do not report related errors.
No devices found/left.
Use --force at the end of the command.
Once you crack the password, the Master Character will be the 6th character of the cracked password.
Time to breathe.
In this task, you will have to retrieve the list of (ALL) Ciphers accepted by the nginx server and find out which one is vulnerable to an attack. More specifically, find the Cipher which is vulnerable to the Birthday Attack. Use one of the tools already installed in your Kali machine to accomplish this task.
If you don't know what a Cipher is, read this article.
Before you start, note that you've been sending request to the Target server using its private IP address. If you use its private IP address to send an HTTPS request, it won't work because the SSL Certificate is only valid for dojo.slalomdev.io. Also, if you try to resolve dojo.slalomdev.io from the Kali machine, it won't return any IP address as we haven't added a record to the network's DNS server. You will have to find a way to point dojo.slalomdev.io to the Target server's private IP Address.
Once you find out the name of the Cipher, the Master Character will be the first character of the cipher name.
Do you remember this dotted line between the attacker and target machines in the architecture diagram you saw in the beginning of this challenge? That dotted line indicates that there's a communication happening in the background between both machines. Your Kali server has been configured to send an HTTP request to a certain endpoint of the Node.js API to retrieve a password. The API is sending the password back using the X-Password HTTP header. But because the request is HTTP (not HTTPS), the response is not encrypted. Since it's not encrypted, it's possible to find out the password using a Network Packet Analyzer tool.
In task, you will have to use a few tools (which already comes with your Kali server, so you don't have to install anything) to intercept the traffic between both machines and retrieve the password being returned by the Node.js API.
- Find out which interfaces are available in the machine (e.g. using ifconfig)
- Use a tool such as tcpdump to capture all the traffic going through some of the interfaces and save the data in a file
- Use tshark (the command-line version of Wireshark) to read the captured traffic and reveal the password.
The Master Character of this task is the 7th character of the password that the Node.js API is returning to the shell script.
The Master Secret of this challenge is: j 6 e 3 T