Practical Tasks
This week we will look at Insecure Deserialisation and NoSQL Injection.
Note
All the code lives in the 6005-CEM Codebase repository on GitHub.
YAML Based Deserialisation
For this example there are two challenges.
First, work through the example for YAML-based insecure deserialisation.
Try to recreate the two elements of an attack:
- Modify the values of data within objects
- Use YAML to execute system commands
Code
The important objects used in the code for the server are given below:

class ShoppingItem:
    """Represents an item in someone's shopping basket."""

    def __init__(self, name, cost, number=1):
        self.name = name
        self.cost = cost
        # Quantity of this item in the basket
        self.number = number


class ShoppingList:
    """Represents the shopping basket itself."""

    def __init__(self):
        self.shoppingList = []

    def addItem(self, item):
        """Add a ShoppingItem to the basket."""
        self.shoppingList.append(item)

    def calcCost(self):
        """Return the total cost: cost * number summed over all items."""
        totalCost = 0
        for item in self.shoppingList:
            totalCost += item.cost * item.number
        return totalCost

Challenges
The challenges use the YAML deserialise program.
First you will need to start the server:
docker run --rm -p 5000:5000 cueh/6005_yamlserver
You can now open a web browser and visit port 5000 for the challenge: http://127.0.0.1:5000
Challenge 1:
For our first task, you need to break the logic of the server by creating an order for a negative amount of money.
Think about how you can modify the values of the data in the YAML export.
Challenge 2:
In this task we want to try to push the server to get a remote shell. There is a flag in the root of the file system.
Task 2 Python Pickle
For our second set of tasks the server has been updated to make use of the Python Pickle module.
Work through the example of RCE through Pickle, then try the following challenges.
Getting the Server
The server has been modified to use pickle instead.
First you will need to start the server:
docker run --rm -p 5000:5000 cueh/6005_pklserver
As before, we can connect to the server via a web browser.
Challenge 3:
For our first task, you need to break the logic of the server by creating an order for a negative amount of money.
Think about how you can modify the values of the data in the Pickle export.
HINT: Also think about the encoding of the data format here. Pickle is a binary file format, so we need to encode it a second time to make it safe to transmit over TCP...
Challenge 4:
In this task we want to try to push the server to get a remote shell. There is a flag in the root of the file system.
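Seen from the defending side, both attack elements in this task (altered values and command execution) can be closed off at the point where the basket is loaded. The sketch below is an added example, not code from the 6005-CEM repository: it assumes the basket travels as base64 text holding a pickled list of plain dicts, and `NoGlobalsUnpickler`, `load_basket` and `basket_total` are hypothetical names.

```python
import base64
import io
import math
import pickle


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class or function lookup."""

    def find_class(self, module, name):
        # Any pickle that references a class or callable ends up here;
        # plain lists, dicts, strings and numbers never do.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def _check_item(entry):
    """Validate one basket entry and return it as a clean dict."""
    if not isinstance(entry, dict) or set(entry) != {"name", "cost", "number"}:
        raise ValueError("entry must have exactly name, cost and number")
    name, cost, number = entry["name"], entry["cost"], entry["number"]
    if not isinstance(name, str) or not name:
        raise ValueError("name must be a non-empty string")
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(cost, bool) or not isinstance(cost, (int, float)):
        raise ValueError("cost must be a number")
    if (isinstance(cost, float) and not math.isfinite(cost)) or cost < 0:
        raise ValueError("cost must be finite and non-negative")
    if isinstance(number, bool) or not isinstance(number, int) or number < 1:
        raise ValueError("number must be a positive integer")
    return {"name": name, "cost": cost, "number": number}


def load_basket(encoded):
    """Decode (assumed base64), unpickle without globals, validate entries."""
    raw = base64.b64decode(encoded, validate=True)
    data = NoGlobalsUnpickler(io.BytesIO(raw)).load()
    if not isinstance(data, list):
        raise ValueError("basket must be a list")
    return [_check_item(entry) for entry in data]


def basket_total(items):
    """Total cost of an already validated basket."""
    return sum(item["cost"] * item["number"] for item in items)
```

Because the server only ever rebuilds the basket from validated plain data, the client never gets to choose which classes are instantiated or which attribute values survive.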
Node Based Deserialisation
For this task, let's see how well you follow someone else's write-up. The internet is a wonderful place, and cyber security enthusiasts like to share their findings.
The following blog post describes a NodeJS-based deserialisation attack.
Try to replicate the process and get the flag.
Important
To save faffing about in Node, I have set up a copy of the server for you. You can start it with:
docker run --rm -p 3000:3000 cueh/6005_nodeserial