We’ll get started at 18:05

Week05

How’d you all find it (trivial enough?) Gonna do some of them challenges later

Demo (Pico CTF) “Forbidden Paths” (Local File Disclosure)

Why is this bad?

../../../../../../etc/passwd

<?php
// Get the page to include from the URL parameter
$page = $_GET['page'];
// Include the requested page
include($page . '.html');
?>

What if you can upload files and then have them executed? Whats that called?

How do we fix?

allowlist santise inputs for “../” dont do it?

Trick a server into doing stuff it doesn’t intend to
Consider HAAS, we can’t access KB, but HAAS could, and we can send requests through HAAS
What if we could access other internal services through HAAS, which aren’t expecting it

Internal services might (often will) be less secure than externally facing ones
What can we do?
- Retrieve/disclose information (ssi/lfi)
- Remote code execution / Reverse shells?
- Other bad stuff

Don’t assume local/internal services will be safe
Monitor internal requests, block any suspicious activity
- e.g. very long execution time could be someone fetchng information from a database
A whitelist of IPs that can access internal services
A good WAF

Templating engines (eg. Jinja2, Pug) use templates to inject code and variables into static files
Jinja2: {{<CODE HERE>}} e.g. {{7*7}} => 49
what if we tricked the template rendering into thinking our user-supplied content was code?

If you’re ever using os.system() (or similar) to call shell functions containing user input
- first of all, probably don’t
- second of all, it’s kinda vulnerable

Sometimes you can get command injection, but it’s really tedious
wouldn’t it be easier if you could just get send your commands directly via terminal?

checkout explainshell and revshells

Midterm walkthrough? Yes or No?

What you all came for lol