
Practical Tasks

This week we will look at File Includes and Insecure Deserialisation

File Includes

The Web Trainer has some examples of file includes.

Task

Follow the course materials, and try Directory Traversal through Local File Includes

Task

Follow the course materials to try to drop a shell through Remote File Includes

Task

Try to drop a shell through Logfile poisoning and LFI

YAML Based Deserialisation

For this Example there are two challenges

First work through the example for YAML based insecure deserialization

Try to recreate the two elements of an attack:

  • Modify the values of data within objects
  • Use YAML to execute system commands

Code

The important objects used in the code for the server are given below

class ShoppingItem:
    """Represents an item in someone's shopping basket"""
    def __init__(self, name, cost, number=1):
        self.name = name
        self.cost = cost
        # Store the quantity passed in (the original always set this to 1,
        # which silently ignored the number argument)
        self.number = number


class ShoppingList:
    """Represents the shopping basket itself"""
    def __init__(self):
        self.shoppingList = []

    def addItem(self, item):
        self.shoppingList.append(item)

    def calcCost(self):
        # Total is cost * quantity summed over every item in the basket
        totalCost = 0
        for item in self.shoppingList:
            totalCost += item.cost * item.number

        return totalCost

Challenges

The Challenges use the YAML deserialise program.

First you will need to start the server

$ cd yamlDemo
$ docker-compose up 

You can now open a web browser and visit port 5000 for the challenge http://127.0.0.1:5000

Challenge 1:

For our first task, you need to break the logic of the server by creating an order for a negative amount of money

Think about how you can modify the values of the data in the YAML export

Challenge 2:

In this task we want to try to push the server to get a remote shell. There is a flag in the root of the file system.

Task 2 Python Pickle

For our second set of tasks the server has been updated to make use of the Python Pickle module

Work through the example of RCE through Pickle

Then try the following challenges

Getting the Server

The server has been modified to use pickle instead

First you will need to start the server

$ cd pickleDemo 
$ docker-compose up

As before we can connect to the server via a web browser using port 5000

Challenge 3:

For our first task, you need to break the logic of the server by creating an order for a negative amount of money

Think about how you can modify the values of the data in the Pickle export

HINT: Also think about the encoding of the data format here. Pickle is a binary file format, so we need to encode it a second time to make it safe to transmit over TCP...
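As an added example (not code from the course's pickleDemo or yamlDemo servers), this shows the defender's side of Challenges 1 and 3: the page's basket classes, a base64-wrapped pickle export as the hint describes, and an import that allow-lists which classes may be unpickled and rejects a negative cost or quantity before the total is calculated. The function names, the `ALLOWED` set and the use of the current module name are assumptions.

```python
import base64, io, pickle


class ShoppingItem:
    """Item in someone's basket (mirrors the server class on the page)."""
    def __init__(self, name, cost, number=1):
        self.name, self.cost, self.number = name, cost, number


class ShoppingList:
    """The basket itself (mirrors the server class on the page)."""
    def __init__(self):
        self.shoppingList = []

    def addItem(self, item):
        self.shoppingList.append(item)

    def calcCost(self):
        return sum(item.cost * item.number for item in self.shoppingList)


# Assumption: the only globals the unpickler may resolve are the two basket classes in this module.
ALLOWED = {(__name__, "ShoppingItem"), (__name__, "ShoppingList")}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-listing unpickler (the pattern from the Python docs); any other global is refused."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def export_basket(obj):
    """Pickle is binary, so base64-encode it for transport (the hint's second encoding)."""
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")


def import_basket(blob):
    """Decode, unpickle through the allow-list, then validate the values a client could have edited."""
    basket = RestrictedUnpickler(io.BytesIO(base64.b64decode(blob))).load()
    if not isinstance(basket, ShoppingList):
        raise ValueError("export is not a ShoppingList")
    for item in basket.shoppingList:
        if not isinstance(item, ShoppingItem) or type(item.cost) not in (int, float) or item.cost < 0:
            raise ValueError("tampered item: cost must be a non-negative number")
        if type(item.number) is not int or item.number < 1:
            raise ValueError("tampered item: quantity must be a positive integer")
    return basket


def verdict(blob):
    """'accepted' if the export passes, otherwise the name of the exception that rejected it."""
    try:
        import_basket(blob)
        return "accepted"
    except (ValueError, pickle.UnpicklingError) as err:
        return type(err).__name__
```

A plain `pickle.loads` would accept the negative-cost export and resolve any global the data names; the allow-list stops the second problem and the value checks stop the first.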

Challenge 4:

In this task we want to try to push the server to get a remote shell. There is a flag in the root of the file system.

Node Based Deserialisation

For this task let's see how well you follow someone else's writeup. The internet is a wonderful place, and cyber security enthusiasts like to share their findings.

The following blogpost describes a NodeJS based deserialisation attack

Note

Following other people's writeups is a key skill. It might be useful in the upcoming skills test

Important

This is not an excuse for you to give other people the answers (even if it is a writeup).

The Uni has a strict policy on collusion. While it's fine to share writeups of the lab tasks (as they are not assessed), sharing the answers to assessed work will be classed as cheating. (This includes after the test is over, resits, extensions etc. I don't really want any of you to have to go through an academic conduct case)

Try to replicate the process and get the Flag

$ cd nodeDemo
$ docker-compose up