1
00:00:00,180 --> 00:00:06,690
All right, now we're on to the attack. Now, unfortunately, this attack is going to be theoretical.

2
00:00:06,690 --> 00:00:12,140
I'm going to walk you through every single step that we would take all the way through the exploit, but

3
00:00:12,150 --> 00:00:16,530
the exploit is not going to trigger or fire because we're running in Docker.

4
00:00:16,530 --> 00:00:23,380
Now the issue here, if we scroll down, and you can see it says: please note XXE challenges described

5
00:00:23,400 --> 00:00:27,690
are not available in Docker container or Heroku.

6
00:00:27,750 --> 00:00:33,090
So the other methods that are available for installing are incredibly complex, especially on a Kali

7
00:00:33,090 --> 00:00:34,050
machine.

8
00:00:34,050 --> 00:00:39,810
And it's just not worth setting everything up for a course and going through all the trouble just for

9
00:00:39,810 --> 00:00:41,080
one demonstration.

10
00:00:41,520 --> 00:00:44,310
So I'd rather just show you kind of how it's done.

11
00:00:44,310 --> 00:00:48,240
Walk me through it and then show you the picture of what it would look like if it triggered.

12
00:00:48,240 --> 00:00:50,160
I think the methodology here is important.

13
00:00:50,730 --> 00:00:54,470
So looking at our exploit, all I've done is saved it.

14
00:00:54,480 --> 00:00:55,500
I put it on my desktop.

15
00:00:55,500 --> 00:00:57,090
You could put it wherever you want.

16
00:00:57,090 --> 00:01:00,290
You can call it whatever you want; mine is called test.xml.

17
00:01:00,450 --> 00:01:04,760
And again we're calling out this file /etc/passwd and we're going to do it for the.

18
00:01:04,770 --> 00:01:06,820
And XXE here.

19
00:01:06,840 --> 00:01:11,340
So from here let's go ahead and go over to our Juice Shop application.

20
00:01:11,340 --> 00:01:16,540
So go ahead and go to Account and Login, and let's make a new account.

21
00:01:16,680 --> 00:01:19,650
So we'll go ahead and just, "Not yet a customer?"

22
00:01:19,650 --> 00:01:25,950
Let's go ahead and do that, and we'll just call this test pilot testing at test dot com and we'll just

23
00:01:25,950 --> 00:01:27,670
say Test one two three.

24
00:01:27,690 --> 00:01:29,900
Test one two three.

25
00:01:30,000 --> 00:01:33,140
And then our eldest sibling's name is Bob.

26
00:01:33,150 --> 00:01:34,800
Our middle name is Bob.

27
00:01:34,800 --> 00:01:38,700
So log in there, or register there, and then let's come in and log in

28
00:01:41,730 --> 00:01:45,870
and then we're gonna go ahead and take a look at the application.

29
00:01:45,870 --> 00:01:54,450
Now this is what is called authenticated testing. We are at a middle user or a regular user, between here

30
00:01:54,450 --> 00:01:56,250
from unauthenticated to an admin.

31
00:01:56,250 --> 00:01:59,430
So we're kind of in between, right, on this account.

32
00:01:59,450 --> 00:02:02,570
We should navigate around and see what we have access to.

33
00:02:02,570 --> 00:02:07,060
That is my first methodology when I get access to a user account.

34
00:02:07,070 --> 00:02:12,110
And if you're doing web application pen testing, again, you're gonna be given two accounts usually, two

35
00:02:12,110 --> 00:02:18,400
roles: one is going to be admin, one's going to be non-admin, and you're probably gonna test unauthenticated.

36
00:02:18,410 --> 00:02:23,310
Now I've seen a bunch of roles before given as well, but typically it's two.

37
00:02:23,420 --> 00:02:24,950
Sometimes there'll be more.

38
00:02:24,950 --> 00:02:29,860
But what you want to do is go around and see what you might have access to.

39
00:02:29,870 --> 00:02:35,270
Right? Where are your pages, what screens do you have?

40
00:02:35,270 --> 00:02:36,760
What can you do?

41
00:02:36,770 --> 00:02:41,900
And I like to go through and just click on anything and everything that I see a link for.

42
00:02:42,020 --> 00:02:47,690
The nice thing about Burp Suite is, with Burp Suite we can come in here and we can go right click and scan if

43
00:02:47,690 --> 00:02:53,180
we had the Pro version, which if you're doing pen testing you will, your job should pay for it.

44
00:02:53,540 --> 00:02:59,430
And so you would do a scan, you would crawl the website and it would find a lot of these links for you.

45
00:02:59,660 --> 00:03:01,550
So it doesn't hurt to navigate around.

46
00:03:01,550 --> 00:03:05,340
It doesn't hurt to understand the application, how it's running, what it's doing.

47
00:03:05,420 --> 00:03:07,270
That way you have a good feel for it.

48
00:03:07,280 --> 00:03:07,610
Right.

49
00:03:08,480 --> 00:03:12,820
So from here we're just going to abuse an upload feature.

50
00:03:12,950 --> 00:03:18,600
So if we go to the Complaint section over on the left side, we see that there's a file upload feature.

51
00:03:18,650 --> 00:03:23,930
Now anytime I see a file upload feature I kind of drool a little bit because I get really excited about

52
00:03:23,930 --> 00:03:32,120
it, and file uploads can be very devastating if they're not handled properly for a web application, on

53
00:03:32,120 --> 00:03:38,960
top of things that we've already seen before when it comes to file uploads in executing malicious content

54
00:03:38,990 --> 00:03:43,070
on websites through the middle capstone of the course.

55
00:03:43,070 --> 00:03:44,020
Right.

56
00:03:44,120 --> 00:03:52,070
We here can also upload XML files and we can upload malicious documents and try to dump sensitive

57
00:03:52,070 --> 00:03:53,620
information, get a shell.

58
00:03:53,690 --> 00:04:00,890
There's a lot of things that we can do. At a bare minimum we should see if the upload feature is functioning

59
00:04:00,890 --> 00:04:04,160
the way it is, even if we can't get a shell or get anything out of it.

60
00:04:04,160 --> 00:04:07,170
Can we bypass what it's trying to do?

61
00:04:07,190 --> 00:04:14,220
So here you're going to see that this is going to be trying to only allow for zip files and PDF files,

62
00:04:14,240 --> 00:04:19,430
but we're going to upload an XML file and it should blacklist it but it doesn't.

63
00:04:19,940 --> 00:04:20,320
OK.

64
00:04:20,330 --> 00:04:27,590
So let's go ahead and go to Browse and we're going to go to root, or desktop for me, and then we're going

65
00:04:27,590 --> 00:04:33,050
to see here it says all supported types. Well, all supported types are PDF and zip, but I'm just going to go All

66
00:04:33,050 --> 00:04:39,890
Files and say I want to do the test.xml anyway, and I'll just say test, and what's going to happen here

67
00:04:39,890 --> 00:04:46,760
is I'm going to go ahead and intercept this request, and I'm doing this because I want to see the response

68
00:04:46,760 --> 00:04:48,350
in case I need to tinker with this.

69
00:04:48,740 --> 00:04:53,390
So let's go ahead and submit, and then I'm going to send this to Repeater and we can take a quick look

70
00:04:53,390 --> 00:05:03,350
at it. So in Repeater here you can see that we have our test.xml being uploaded and the XML version

71
00:05:03,350 --> 00:05:04,760
1.0, same thing.

72
00:05:04,760 --> 00:05:10,910
We have our XXE entity and we're just saying, hey, I want to call SYSTEM and I want to call this file

73
00:05:10,910 --> 00:05:15,380
from /etc/passwd because we are attacking a Linux machine.

74
00:05:15,380 --> 00:05:18,890
So here we see the call of the XXE.

75
00:05:18,950 --> 00:05:25,430
We would execute this, and if this were a real web page that was vulnerable you would see some sort of

76
00:05:25,460 --> 00:05:29,060
printout of the /etc/passwd file.

77
00:05:29,060 --> 00:05:32,590
Now I have a video of this on my channel on YouTube.

78
00:05:32,610 --> 00:05:38,300
I'm just going to show you a quick picture. Let me show you a stopped image.

79
00:05:38,300 --> 00:05:47,000
So if we see here, we cover XXE, you can see that right here in the Juice Shop, look what came through.

80
00:05:47,030 --> 00:05:51,450
You see this part: xxe SYSTEM, quote, file.

81
00:05:51,500 --> 00:05:52,870
And then guess what.

82
00:05:52,910 --> 00:06:02,390
Once it calls that ampersand xxe, you see here root, you see /usr/sbin, and it's cut off.

83
00:06:02,390 --> 00:06:07,520
It only allows for so much. We'd have to finagle this a little bit, but this right here you could submit

84
00:06:07,520 --> 00:06:10,280
to a client, you could submit to a bug bounty program.

85
00:06:10,550 --> 00:06:13,510
You can say, look, you are vulnerable to XXE.

86
00:06:13,520 --> 00:06:15,350
This is what it is.

87
00:06:15,350 --> 00:06:22,930
So what's going on here are these DTDs are being allowed, these external entities are being allowed.

88
00:06:23,210 --> 00:06:26,830
And through this parser, and we're able to just push this through.

89
00:06:26,840 --> 00:06:28,460
So what is the solution here?

90
00:06:28,460 --> 00:06:30,740
How do we defend against this?

91
00:06:30,740 --> 00:06:36,490
Well, we need to disable completely these DTDs, these external entities.

92
00:06:36,530 --> 00:06:43,490
Once we disable that, you're not going to see this come through at all, and it's going to look almost

93
00:06:43,490 --> 00:06:47,360
similar to what you're seeing here. We just don't have the ability in Docker to do it.

94
00:06:48,080 --> 00:06:48,470
OK.

95
00:06:48,470 --> 00:06:51,190
So we would never know if I saw this when I tested it.

96
00:06:51,200 --> 00:06:52,310
I'd be like, well, OK.

97
00:06:52,310 --> 00:06:53,960
That exploit didn't work.

98
00:06:54,050 --> 00:06:59,240
I might go more through those payload lists that I showed you and see if we can't get that to work, or

99
00:06:59,240 --> 00:07:02,710
try different things to see why it's not working.

100
00:07:02,960 --> 00:07:08,180
You should never give up on the first go, but at the same time, you know, this isn't showing me that it

101
00:07:08,180 --> 00:07:13,130
is exploitable, where if we looked at the other image it did seem like it was.

102
00:07:13,160 --> 00:07:18,950
So hopefully that is a good example for you understanding how and why we did this.

103
00:07:18,950 --> 00:07:24,020
We're taking and abusing the XML feature, the XML parsing feature of a website.

104
00:07:24,560 --> 00:07:30,020
So because of that we're able to upload a malicious XML file and bypass, by the way.

105
00:07:30,050 --> 00:07:36,110
So this bypass is a finding regardless if we had XXE here or any sort of a malicious ability.

106
00:07:36,110 --> 00:07:42,710
This is a finding in itself, and this is a pretty big one because we're bypassing what whitelisted extensions

107
00:07:42,740 --> 00:07:43,850
they had originally.

108
00:07:43,850 --> 00:07:48,290
So I would mark this up as a finding, and this would actually be even something that you could submit

109
00:07:48,290 --> 00:07:53,120
on a bug bounty program to get a bug or money from it.

110
00:07:53,150 --> 00:07:55,480
So that is it for this lesson.

111
00:07:55,490 --> 00:08:01,160
So we're going to go ahead and move on to the next one, which talks about broken access control.

112
00:08:01,220 --> 00:08:02,600
I'll catch you over in that video.