Skip to content

Practical Tasks

This week we will look at Insecure Deserialisation and NoSQL Injection

Note

All the code lives in the 6005-CEM Codebase repository on Github.

YAML Based Deserialisation

For this Example there are two challenges

First work through the example for YAML based insecure deserialization

Try to recreate the two elements of an attack:

  • Modify the values of data within objects
  • Use YAML to execute system commands

Code

The important objects used in the code for the server are given below

class ShoppingItem:
    """ Represents an Item in someones shopping basket"""
    def __init__(self, name, cost, number = 1):
        self.name = name
        self.cost = cost
        self.number = 1


class ShoppingList:
    """Reperents the Shopping Basket itself"""
    def __init__(self):
        self.shoppingList = []

    def addItem(self, item):
        self.shoppingList.append(item)

    def calcCost(self):
        totalCost = 0
        for item in self.shoppingList:
            totalCost += item.cost * item.number

        return totalCost

Challenges

The Challenges use the YAML deserialise program.

First you will need to start the server

docker run --rm -p 5000:5000 cueh/6005_yamlserver

You can now open a web browser and visit port 5000 for the challenge http://127.0.0.1:5000

Challenge 1:

For our first task, you need to break the logic of the server by creating an order for a negative amount of money

Think about how you can modify the values of the data in the YAML export

Challenge 2:

In this task we want to try to push the server to get a remote shell There is a flag in the root of the file system

Task 2 Python Pickle

For our second set of tasks the server has been update to make use of the Python Pickle module

Work through the example of RCE through Pickle Then Try the Following Challenges

Getting the Server

The server has been modified to use pickle instead

First you will need to start the server

docker run --rm -p 5000:5000 cueh/6005_pklserver

As before we can connect to the server via a web broswer.

Challenge 3:

For our first task, you need to break the logic of the server by creating an order for a negative amount of money

Think about how you can modify the values of the data in the Pickle export

HINT: Also think about the endoding of the data format here. Pickle is a binary file format, so we need to encode it a second time to make it safe to transmit over TCP...

Challenge 4:

In this task we want to try to push the server to get a remote shell There is a flag in the root of the file system

Node Based Deserialisation

For this task lets see how well you follow someone elses writeup. The internet is a wonderful place, and cyber security enthusiasts like to share their findings.

The following blogpost describes a NodeJS based deserialisation attack

Try to replicate the process and get the Flag

Important

To save faffing about in Node, I have setup a copy of the server for you. You can start it with

docker run --rm -p 3000:3000 cueh/6005_nodeserial

No SQL injection

Back to top