Posts

Self Notes: Web Security Academy HTTP Request Smuggling Lab 6

Link to Lab 6. This lab promises to be fun. The task is to exploit a CL-TE request smuggling vulnerability to bypass the Front-end server's access control to the admin panel; the Front-end server doesn't support chunked encoding. Access to the login endpoint: as seen above, the login endpoint is accessible without any restriction. But an attempt at the admin endpoint: well, it seems we can't access the admin panel, or maybe not. Interestingly, we have this endpoint to our rescue: we have already been informed that the server pair is vulnerable to CL-TE request smuggling, so let's craft the exploit: the above request poisons the Back-end server such that the next request will be routed to " /admin ". Let's request the " /login " endpoint: the Back-end server responded with 401 Not Authorized. I guess not so fast; let's render the full response: I believe the Back-end server is very clear about what it expects from us, it expects that we either login as Admini...

Self Notes: Web Security Academy HTTP Request Smuggling Lab 5

Lab 5 can be found here. In this lab, we need to confirm a TE-CL vulnerability via differential responses. We are provided with a Front-end/Back-end server pair where the Back-end server does not support Transfer-Encoding; the task is to poison the Back-end server so that when a normal request is made to it, a 404 Not Found is obtained. Since this lab is similar to the previous one I will go straight to exploitation. The poisoned request: considering it has already been made clear that the Front-end/Back-end server pair is TE-CL, the request uses a payload such that the content length read by the Back-end server is just 5; this is why we get a response of " Bad Request 'Missing Parameter' ". The rest of the request body is left to poison the Back-end server. A subsequent request to the web-root or any directory at all results in the following: Lab 5 Solved.

Self Notes: Web Security Academy HTTP Request Smuggling Lab 4

Lab 4 can be found here. For Lab 4 our task is to confirm a CL-TE vulnerability via differential responses. A Front-end/Back-end server pair has been provided; the Front-end server does not support chunked encoding. To solve the lab we need to smuggle a request to the Back-end server so that a subsequent request to the web-root (/) results in a 404 Not Found response. Like Lab 3, the provided endpoint is a comment posting section as below: the response is: we got a confirmation redirect. From the lab task, we have already been informed that the Front-end/Back-end server pair is CL-TE, meaning that the Front-end supports the Content-Length header only while the Back-end supports the Transfer-Encoding header, so, avoiding the need for any test, we use the following request: the above request now includes Transfer-Encoding: chunked so that the Back-end server will read a chunked request. The request also includes an extra payload which will be ignored by the Back-end server and will poison the next re...

Self Notes: Web Security Academy HTTP Request Smuggling Lab 3

Lab 3 can be found here. For this lab, Front-end and Back-end servers that handle duplicate HTTP request headers differently are provided; the task is to find a way to obfuscate the Transfer-Encoding header to achieve HTTP request smuggling. The provided endpoint accepts POST requests for posting comments as follows: since both servers accept the Transfer-Encoding header, the above request chunk-encoded becomes: sending the request to the server, the response was: a confirmation redirect is obtained, meaning the server is happy with us, so far so good. Since the essence of the lab is to play with how the server handles duplicate headers, we attempt this: the server still isn't complaining. Well, that's because at this point both the Content-Length (CL) and Transfer-Encoding (TE) header values are valid, so even if one server is using the CL and the other is using the TE we don't notice any discrepancy. Let's assume that the Front-end server processes the first header and ...

Nebula Level01

Level01 Task

There is a vulnerability in the below program to be executed, can you find it? To do this level, log in as the level01 account with password level01. Files for this level can be found in /home/flag01.

Source code (level1.c):

    /* _GNU_SOURCE is needed for the setresgid/setresuid declarations in glibc */
    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>

    int main(int argc, char **argv, char **envp)
    {
      gid_t gid;
      uid_t uid;

      /* take the effective ids granted by the setuid/setgid bits ... */
      gid = getegid();
      uid = geteuid();

      /* ... and make them the real, effective and saved ids */
      setresgid(gid, gid, gid);
      setresuid(uid, uid, uid);

      /* runs through /bin/sh; env resolves "echo" via the caller's PATH */
      system("/usr/bin/env echo and now what?");

      return 0;
    }

Solution

We log in to the machine:

    ssh level01@192.168.195.5

From the given task, files are in the " flag01 " home:

    level01@nebula:~$ cd /home/flag01
    level01@nebula:/home/flag01$ ls
    flag01               ...

Nebula Level00

Level00 Task

This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in the top-level directories in/for suspicious looking directories. Alternatively, look at the find man page. To access this level, log in as level00 with password level00.

Solution

For this level, we have been provided with a username and password to log in to the Nebula machine, which for my current setup has an address of 192.168.195.10, so we can easily ssh into the machine:

    ssh level00@192.168.195.5

So, what is expected of us is to find a Set User ID program. But what is a Set User ID program? In simplest terms, a Set User ID program is a Linux program that has the setuid flag set. So what is a setuid flag? A setuid flag is a Linux file permission flag which, when set, allows users to run an executable file with the permissions of the file's owner. Why is finding a setuid program important in a privilege esc...

Nebula VM Intro...

I was preparing for class when I recalled that it has been weeks since my first post. I thought to myself it's probably because of school, but then I remembered something I read in Phineas Fisher's paper, " if not you, who? if not now, when? ", and hence this post. The truth is that during the past weeks I have gathered a lot of content for the blog, I just haven't had the time to properly document and post it. So after a lot of thought I have decided to start with a walkthrough of the Nebula VM. There are already a lot of walkthroughs of this machine on the internet, but I thought one extra post won't hurt; moreover, my aim is to make my posts different from most technical posts I have seen online. How do I plan to do this? Most posts I come across on the internet show how to do something, not why, and I think that approach most of the time leaves a beginner confused. Therefore what I intend to do on this blog is to show the reader why we do what we do. Disclaimer: All con...