Intro to Whitebox Pentesting

Skills Assessment

A company is developing a web tool using the NodeJS Express framework. You are assigned to review part of the web server being developed, and run a Whitebox Pentest on it. Download the archive found below and run it as you did with this module's demo.

Try to apply what you learned in this module to identify advanced code injection vulnerabilities to obtain the flag. Finally, you are required to patch the second provided source code and upload it to confirm the patch.

Challenge: There are at least 2 different ways to obtain remote code execution on the target. So, once you are able to exploit one vulnerability, try to identify the other and exploit it as well.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

+ 40 Download the attached archive and apply the whitebox pentesting process you learned throughout this module to identify as many vulnerabilities as you can, and then use any of them to read the flag at /flag.txt.

+10 Streak pts

skills_assessment.zip

+ 20 The attached archive contains a basic script that may be vulnerable. Try to identify as many vulnerabilities as you can and patch them. Then, visit /patch and paste the patched script to get the flag, or to know what you have missed.

+10 Streak pts

skills_assessment_patching.zip

Go to Questions

Intro to Whitebox Pentesting

Patching & Remediation

Skills Assessment

Skills Assessment - Intro to Whitebox Pentesting

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

The Whitebox Pentesting Process

Order	Step	Description
1.	`Code Review`	General review of the code to understand its functionality and shortlist potentially vulnerable functions
2.	`Local Testing`	Testing/Debugging the code locally to test our findings and identify vulnerabilities
3.	`Proof of Concept`	Writing an exploit to prove the exploitability of the target automatically
4.	`Patching & Remediation`	Patching the vulnerability and all of its sources/causes

Examples of Code Review Techniques

Select functions based on the application design.
Select functions and files through search.
Select functions through the use of the application.

Exploit Scripting Language Guide

Use Case	Recommended Language	Reason
Attack is on a network application (including web applications)	`Python`	It works similarly on most operating systems
Attacking a client-side function (e.g. a CSRF attack)	`JavaScript`	It is the only script executed by browsers
Web chain including a client-side attack	`Python` & `JavaScript`	We prepare a `JavaScript` payload for the client-side part. Then, use it with a `Python` script to trigger the exploit and carry on the rest of the back-end attacks.
Binary exploitation	`Python`	`Python` has good libraries for debugging and exploiting binaries, while `C`/`C++` may be used to develop a binary exploit.
Targeting an operating system	`Bash` or `PowerShell`/`CMD`	Whatever pre-installed scripting language on that operating system
Thick client or some advanced types of exploitation	The application's programming language	This would enable us to reuse code/functions to generate some payloads, which would save us a lot of time (vs re-scripting all of the logic in Python)

Code/Command Injection Functions

JavaScript 'NodeJS'	Python	PHP	C/C++	C#	Java
`eval`	`eval`	`eval`	execlp
`Function`	exec	exec	execvp
`setInterval`	subprocess.open	proc_open	ShellExecute
`setTimeout`	subprocess.run	popen
`constructor.constructor`	os.system	shell_exec
child_process.exec	os.popen	passthru	system	System.Diagnostics.Process.Start	Runtime.getRuntime().exec
child_process.spawn		system	popen

Payload Development Rules

Comment out the rest of the code
Ensure quotes/parentheses/curly braces are even
Maintain a working function without syntax errors

Methods for Obtaining Command Output

Log output to console "for local testing"
Use a reverse shell
Use DNS exfiltration (or ping exfiltration)
Store the output in the database
Write the output to a file, then access that file
Inject the output into the HTTP response
Use sleep timers or boolean output to read the content

Intro to Whitebox Pentesting

Skills Assessment

Questions

Table of Contents

Whitebox Pentesting Process

Code Review

Local Testing

Proof of Concept (PoC)

Patching & Remediation

Skills Assessment

My Workstation