{"id":252,"date":"2018-10-17T06:36:16","date_gmt":"2018-10-17T06:36:16","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/17\/owasp-security-shepherd-session-management-challenge-one-solution-lsb-ls-blog\/"},"modified":"2018-10-17T06:36:16","modified_gmt":"2018-10-17T06:36:16","slug":"owasp-security-shepherd-session-management-challenge-one-solution-lsb-ls-blog","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/17\/owasp-security-shepherd-session-management-challenge-one-solution-lsb-ls-blog\/","title":{"rendered":"OWASP Security Shepherd- Session Management Challenge One \u2013 Solution \u2013 LSB \u2013 ls \/blog"},"content":{"rendered":"<p>We have another solution in the OWASP Security Shepherd challenges and we enjoyed completing this one. You can find out about Session Management from OWASP <a href=\"https:\/\/www.owasp.org\/index.php\/Session_Management_Cheat_Sheet\" target=\"_blank\">here<\/a>. So let\u2019s get on with the challenge!!<\/p>\n<p>Below is the screen we are presented with and if we click on the Administrators Only Button we are told we are not admin. Simple enough, we need to escalate our privileges to admin to complete the challenge.<\/p>\n<p><img decoding=\"async\" alt=\"sesh1\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh1-e1539377589511.png?w=900\" \/><\/p>\n<p>Apparently the dogs have been released. This challenge will require a proxy for us to intercept the packet before it hits the server to see what is going across the airwaves. 
We will use Burp Suite for this task, which comes as a default tool in Kali Linux.<\/p>\n<p>You can find out how to configure your browser to work with Burp Suite <a href=\"https:\/\/support.portswigger.net\/customer\/portal\/articles\/1783055-configuring-your-browser-to-work-with-burp\" target=\"_blank\">here<\/a>. So let\u2019s hit the Admin button again and catch the packet in Burp.<\/p>\n<p><a href=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh2.png\" target=\"_blank\"><img decoding=\"async\" alt=\"sesh2\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh2.png?w=900\" \/><\/a><\/p>\n<p>At the bottom of the data being sent over the wire we can see a few Boolean values. AdminDetected=false: what can we do with that?<\/p>\n<p>Let\u2019s change it to true and forward the packet to the server.<\/p>\n<p><img decoding=\"async\" alt=\"sesh3\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh3.png?w=900\" \/><\/p>\n<p>Whoops!! That was detected on the server, so it is probably best not to do that again. So what\u2019s next? Let\u2019s look at the packet again to see what other information we can extract from it. 
We will send the packet again: click the admin button, catch it in the proxy and inspect it.<\/p>\n<p><a href=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh2.png\" target=\"_blank\"><img decoding=\"async\" alt=\"sesh2\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh2.png?w=900\" \/><\/a><\/p>\n<p>Looking more carefully at the packet this time, we should notice that there is a strange cookie in there called checksum. The checksum looks to be encoded with an MD5 hash. So let\u2019s right-click the packet in Burp and send it to our Decoder tab to decode the hash.<\/p>\n<p><a href=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh4.png\" target=\"_blank\"><img decoding=\"async\" alt=\"sesh4\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh4.png?w=900\" \/><\/a><\/p>\n<p>Bingo!! When we decode the hash we can see that it queries whether userRole=admin. This cookie seems to be checking whether the user is an admin, and it is just encoded with the MD5 algorithm. We can\u2019t just send that to the server as it is: that is a normal request and we would be right back at the start. 
So maybe we need to change it slightly and then send it to the server?<\/p>\n<p>How about we lengthen the word admin to administrator?<\/p>\n<p><a href=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh5.png\" target=\"_blank\"><img decoding=\"async\" alt=\"sesh5\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh5.png?w=900\" \/><\/a><\/p>\n<p>Let\u2019s quickly encode that back to MD5 with the tabs on the right-hand side, replace the checksum in the outgoing packet with our new checksum and then forward that packet to the server.<\/p>\n<p><a href=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh6.png\" target=\"_blank\"><img decoding=\"async\" alt=\"sesh6\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh6.png?w=900\" \/><\/a><\/p>\n<p>Looks fine and dandy, but will we gain privileges? Let\u2019s forward the packet and see what happens.<\/p>\n<p><img decoding=\"async\" alt=\"sesh7\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/10\/sesh7.png?w=900\" \/><\/p>\n<p>Perfecto!! To be honest, we didn\u2019t get this on the first go and it was a bit of a challenge. But I managed to get there in the end. Hacking requires attention to detail, and knowing when cookies are sent in an HTTP request helps us manipulate those cookies. Having a basic understanding of cryptography helps too, as we were able to identify the hash used in the cookie. So another level of SecShep DEFEATED!!<\/p>\n<p>Thanks for reading and I hope it helps you in some way.<\/p>\n<p>QuBits 2018-10-10<\/p>\n<p> <a href=\"https:\/\/linuxsecurityblog.com\/2018\/10\/12\/owasp-security-shepherd-session-management-challenge-one-solution-lsb\/\" target=\"_blank\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have another solution in the OWASP Security Shepherd challenges and we enjoyed completing this one. You can find out about Session Management from OWASP here. So let\u2019s get on with the challenge!! Below is the screen we are presented with and if we click on the Administrators Only Button we are told we are &hellip; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-252","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=252"}],"version-history":[{"count":0,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/252\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.app
servgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}