Final exam, Part 1
Due 11:59PM Wednesday, 20 November 2024
Hand in as final1.pdf via Moodle
This is an open-notes, open-Internet, open-book exam. You may post questions about the exam on #general on our Slack workspace, but otherwise you may not discuss the exam with anybody other than Jeff Ondich.
Throughout, try to explain what you have done as clearly as possible. Screenshots and copied commands are often very helpful in clarifying your actions and reasoning, so don't hesitate to include them.
Note that Part 2 of the final will be due on Monday, 25 November 2024.
1. Session Cookies Working as Intended (12 points)
We spent a lot of time this term trying to understand various client/server/attacker interactions by understanding what messages were sent when, what data was stored where, what was encrypted and how, etc.
You can apply this protocol-and-attack-oriented perspective to understand the process of logging into (and staying logged into) web accounts like Amazon or Facebook or gmail. This and the next problem will encourage you to explore how web logins work.
Do the following experiments, and then answer the questions below.
- Go back to our old friend, the Fake Discussion Forum (FDF).
- If you're logged in as somebody (it will tell you so at the very top of the page), Logout.
- Open your browser's inspector and look at the cookies.
- Login as Alice (email=alice@example.com, password=alice).
- Look at the cookies again.
- Open a different browser (or an incognito window in the same browser) and go to FDF.
- Copy Alice's cookies from the old browser window to the new browser window. (How exactly to do this may vary by browser.)
- Reload the page in your new browser.
Here are the questions.
- [1] What new cookie did you see when you logged in as Alice?
- [2] What is a session cookie?
- [1] What happens when you copy Alice's cookies to the new browser window and reload?
- [6] Draw a diagram and/or list of events that explains clearly how you normally go from not logged-in to logged-in, and also how you stay logged-in when you navigate to other pages on the same site. (When I say "normally", I mean "when you click the Login button and fill out and submit the login form".) Make sure you include the actions of the user, browser, and server.
  Your diagram should, among other things, address the question of how the server knows that a given session cookie corresponds to a given user.
- [2] Think like an attacker: what opportunities do session cookies open to you?
2. Stealing Session Cookies (12 points)
Do the following experiments, and then answer the questions below. Note that for these experiments, you're simulating an attack, where your host OS will act as the victim (Alice) and your Kali VM will act as the attacker (Eve). Keep in mind that Eve cannot look at the stuff on Alice's computer, and Eve also does not know Alice's FDF password. Eve can only see what she can see inside Kali.
- Using a browser on Kali, go to the Fake Discussion Forum (FDF), logout, and login as Eve (email=eve@example.com, password=eve).
- Figure out your Kali's IP address.
- Look at the post entitled "[jondich] Malicious Code for Final". Copy that post's Javascript payload into a new post of your own, but replace "KALI_IP" with your Kali IP address, replace "KALI_PORT" with whatever port necessary to achieve the goals below, and entitle your post "[YOUR-USER-NAME] Final Problem 2". (If you need to do this more than once, just change the title to use 2.1, 2.2, etc. as needed)
- Do some kind of suitable setup on Eve's machine (Kali) to receive information from the malicious Javascript in your FDF post.
- On your host OS, open a new browser, go to FDF, and login as Alice. IMPORTANT: Use Firefox or Safari for this. Chrome by default has some protections enabled that Firefox and Safari do not.
- Click on Eve's "[YOUR-USER-NAME] Final Problem 2" post.
- Go back to Kali. As Eve, if the above steps have gone correctly, you should now have access to enough information to login to FDF as Alice.
Here are the questions.
- [2] Show an exact copy of your FDF post as Eve (specifically, the post that worked for you). Give a brief explanation of what the Javascript in your FDF post does.
- [1] What did you do on Eve's machine (Kali) to prepare to receive Alice's information?
- [1] Show the form (as text or a screenshot) in which Alice's information arrived on Kali.
- [1] What can Eve do now to login to FDF as Alice?
- [4] Diagram clearly the sequence of events in Eve's attack on Alice via the FDF.
- [3] Session cookies have a standard mechanism (which I have disabled on FDF) for preventing this kind of attack. Research and explain "HttpOnly". Show exactly where in your diagram of the attack the use of HttpOnly would stop Eve's attack from working.
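The login-and-stay-logged-in flow that problems 1 and 2 ask you to diagram, modelled here as an added example (constructed code, not FDF's own implementation): at login the server mints a random token, records token-to-user on its side, and treats any later request carrying that token as that user, which is why a copied cookie logs a second browser in; the Set-Cookie builder also shows the HttpOnly attribute that the last question of problem 2 is about. The user table and the session lifetime are assumptions.

```python
import http.cookies
import secrets
import time

# Constructed user table standing in for FDF's (a real server stores password hashes).
USERS = {"alice@example.com": "alice", "eve@example.com": "eve"}
SESSION_TTL = 3600  # assumed lifetime of a session, in seconds


class SessionStore:
    """Server side of the login flow: maps session token -> (email, expiry)."""

    def __init__(self):
        self._sessions = {}

    def login(self, email, password):
        """Check credentials; on success mint a token and remember who owns it."""
        if USERS.get(email) != password:
            return None
        token = secrets.token_urlsafe(32)  # high-entropy, so it cannot be guessed
        self._sessions[token] = (email, time.time() + SESSION_TTL)
        return token

    def set_cookie_header(self, token, http_only=True):
        """Build the Set-Cookie value the server returns with the login response."""
        c = http.cookies.SimpleCookie()
        c["session"] = token
        c["session"]["path"] = "/"
        c["session"]["secure"] = True      # browser sends it over HTTPS only
        c["session"]["samesite"] = "Lax"
        # HttpOnly keeps the cookie out of document.cookie: page script cannot read it,
        # which is the defence problem 2 asks about (disabled on FDF for the exercise).
        c["session"]["httponly"] = http_only
        return c.output(header="").strip()

    def user_for_request(self, cookie_header):
        """Map the Cookie header of a later request back to the logged-in user."""
        c = http.cookies.SimpleCookie()
        c.load(cookie_header)
        morsel = c.get("session")
        # The server only knows the token; whichever browser presents it is that user.
        entry = self._sessions.get(morsel.value) if morsel else None
        if entry is None or entry[1] < time.time():
            return None  # unknown, expired, or logged-out token
        return entry[0]

    def logout(self, token):
        """Logging out invalidates the token server-side, not just in the browser."""
        self._sessions.pop(token, None)
```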
3. Privilege escalation via a misconfigured /etc/passwd file (6 points)
For this problem, you will probably find it useful to consult the class notes, the slides, and the lab from Wednesday, November 13.
- [1] Show the Unix permissions on the files /etc/passwd and /etc/shadow in your Kali VM.
- [1] Suppose somebody screwed up the setup of your Kali and accidentally made /etc/passwd globally writeable. Show what command you could execute as the "kali" user to cause this mistaken situation to occur. (And then go ahead and execute it.)
- [3] Logout as "kali" and login as the unprivileged user named "kermit" that you created during the lab on November 13. Show what steps you could go through to enable kermit to change the password for the "root" account.
- [1] Once you're done with part (c), show how kermit can login as root, and thus have full control of the Kali VM.
(Here's a small hint to simplify your experiments, since we have not used the su ("superuser") command in class. If you're logged in as kermit, who is a normal non-sudoer unprivileged user, but you happen to know the password for an account named "xyz", you can login directly from kermit's terminal using the command su xyz and typing xyz's password at the prompt that appears.)
When you're done, don't forget to put the permissions on /etc/passwd back to rw-r--r--.
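A defender-side companion to problem 3, added here as an example (constructed audit code, not part of the course materials): it checks that /etc/passwd and /etc/shadow have the ownership and mode the problem expects, flags the world-writable state that part (b) creates, and prints the chmod that the last line asks you to run to restore rw-r--r--. The shadow entry in POLICY assumes the Debian/Kali default of rw-r----- owned by root.

```python
import os
import pwd
import stat
import tempfile

# Policy for the two files in part (a): expected owner and the most permissive
# mode allowed. rw-r--r-- for passwd; rw-r----- (root:shadow) assumed for shadow.
POLICY = {"/etc/passwd": ("root", 0o644), "/etc/shadow": ("root", 0o640)}


def audit(path, expected_owner="root", max_mode=0o644):
    """Return a list of findings for `path`; an empty list means it matches policy."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid with no passwd entry (common inside containers)
        owner = str(st.st_uid)
    if expected_owner and owner != expected_owner:
        findings.append(f"{path}: owned by {owner}, expected {expected_owner}")
    if mode & stat.S_IWOTH:  # the exact misconfiguration part (b) introduces
        findings.append(f"{path}: world-writable ({stat.filemode(st.st_mode)})")
    if mode & ~max_mode:  # any bit beyond policy, e.g. group write
        findings.append(f"{path}: mode {mode:04o} exceeds allowed {max_mode:04o}")
    return findings


def fix_command(path, max_mode):
    """The command that puts the file back to its policy mode."""
    return f"sudo chmod {max_mode:o} {path}"


def demo_on_scratch_file(mode):
    """Constructed demo: give a throwaway file `mode` and audit it as if it were /etc/passwd."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return audit(path, expected_owner=None, max_mode=0o644)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for path, (owner, max_mode) in POLICY.items():
        for finding in audit(path, owner, max_mode):
            print(finding, "->", fix_command(path, max_mode))
```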