HackTheBox CA CTF - Using Snyk to Find & Fix Vulnerabilities

Captions
In this video I want to introduce you to Snyk, something that I think is really, really cool. But before we dive in, a little bit of backstory. I've recently been trying to upload and showcase some video write-ups from the Hack The Box Cyber Apocalypse capture the flag, and now that the game is over I've been looking at some online write-ups and solutions for some of the challenges. I ran into this one that was kind of interesting: it had a neat little trick that I wanted to learn more about. So kudos and shout-out to this individual, http 418, that put this together. He was going through this BlitzProp challenge, and it was a web challenge, the kind of stuff that I like to poke at, but they went ahead and looked for vulnerabilities within the application using Snyk. They mentioned it here: "a good site that I found to look up vulnerable packages is snyk.io." So I was curious: what is this Snyk?

Snyk is an open source security platform designed to help software-driven businesses enhance developer security and security all around. Looking through this, they have their own vulnerability database, and they have integrations across multiple tools: your own editors, your IDEs, whatever you tend to use to develop your code, and then the version control software you might work with, whether it be GitHub, whether it be Bitbucket, etc. And then of course you even have it across containers, whether you're inside Docker, or if you're hosting things with Kubernetes, or if you're using some infrastructure. This has a lot of coverage, and I thought this is super duper cool. Seriously, take a look at all these platforms and the things that they support: integrations across your development environment, your CI/CD pipeline, your deployment infrastructure, and your reporting. Take a look at some of these beautiful telemetry and intelligence dashboards. That's kind of awesome.

So I want to do a couple different things in this video, because I think Snyk obviously has a ton of different use cases. Yes, it is designed for businesses and organizations wanting to produce better, more secure code in their products and their software and their systems, and that is super duper important. But hey, you guys know we like to play here on this channel, we like to hack, we kind of like to be on the offensive, acting as the adversary. So I want to walk through that Hack The Box challenge from that recent capture the flag competition, but I also want to showcase some of the cool stuff that Snyk can do.

So let me walk you through what I was doing here. I went back to take a look at their website and I noticed that "sign up for free" button, but I was a little curious, a little hesitant: is it really free? And seriously, they have a straight-up free tier that gives you access to all of the most awesome stuff that Snyk can do: Open Source auditing to look for vulnerabilities in external dependencies or other third-party libraries and modules you might use in your code; Container security, checking that Docker container and making sure it's up to the standards and regulations; Infrastructure as Code; and Snyk Code, looking for hard-coded or accidental credentials or secrets or things that you shouldn't have in your code. That was all totally free. The only paid subscription stuff looks like it gives you an unlimited amount of tests, while we do have a limited number in the free version. But check it out, we can just sign up with our GitHub account or Bitbucket account, Google or Docker, which is kind of nice. So I'll go ahead and link my GitHub here, and it walks me through: hey, what do you want to do with Snyk? We could secure my team's code, reduce risk at my company, secure an open source project. Hey, I want to see how this is going to look at a capture the flag, not gonna lie.

So I connected GitHub and it's asking what repositories it can look through. I'm going to switch that to public repos only, and enable Snyk to automatically test for new vulnerabilities when I create new pull requests. That's kind of cool. Create pull requests to fix vulnerabilities: it'll automatically fix bad code and vulnerabilities. Create pull requests to upgrade out-of-date dependencies, and test for vulnerabilities in my source code. Yeah, yeah, I want that.

When I was setting up my account for the first time I obviously got an email, but I wanted to check it out to see what other cool things it would offer me, because I didn't exactly want to dive into just scanning all of my repositories first. I wanted to see if there was something else that I could do to get my feet wet. You can install the software: there's a command line interface that we could jump into, integrating it with all of our other source code management tools, and find and fix vulnerabilities with just that. They referenced the Snyk vulnerability database, which I believe is what that Hack The Box CTF write-up was showcasing. And then I had another email that was introducing me to Goof, a vulnerable demo application that we could test Snyk against rather than going through all of our own code and our own repositories right away.

So I want to take a look at Goof. They have Goof hosted over on GitHub, and I could use that to tinker, to play, to see what Snyk could do when it's put into action. Looks like it's a vulnerable demo app, Node.js, based on the Dreamers Lab tutorial. "Vulnerable app includes the following capabilities to experiment with: an exploitable package with known vulnerabilities included; Docker image scanning for base images with known vulnerabilities in system libraries" (that's pretty cool); "runtime alerts for detecting invocation of vulnerable functions," etc. Okay, you could install and work with this with a database if you'd like, or you can just do it nice and easy with Docker. I might do that.

Okay, and we can exploit the vulnerabilities. Ooh, we can hack into this thing for a little bit. "This app uses npm dependencies holding known vulnerabilities. Here are the exploitable vulnerable packages:" mongoose, buffer memory exposure, directory traversal, ReDoS, ReDoS, and XSS, cross-site scripting. "The exploits directory includes a series of steps to demonstrate each one." Okay, that's kind of slick. What is that Docker image scanning? "The Dockerfile makes use of a base image, node 6 stretch, that is known to have system libraries with vulnerabilities. To scan the image for vulnerabilities, run snyk test" on that Docker image name, specifying the Dockerfile, "to monitor this image and receive alerts with Snyk." Ooh, runtime alerts. Fixing issues: "to find these flaws in this application and your own apps," install Snyk and run snyk wizard. "In this application the default snyk wizard answers will fix all the issues by default. When the wizard is done, restart the application and run the exploits again to confirm they are fixed." That is super cool.

So I want to know, because I'm still framing this in that Hack The Box challenge, that BlitzProp CTF thing: if I were to create a repository or image with that vulnerable application, that service, that challenge itself, and if I were to let Snyk look at it and then determine the vulnerability and then repair it, would it be able to do that? Because that would be super cool. I want to see it done.

So hey, let's go ahead and clone this so we could work with it. I will fire up a terminal and clone this thing down. See what we got here: it does have a Dockerfile, as we know, and it also has a docker-compose configuration. We could do this just as I mentioned in the README, a super simple, super easy docker-compose up, as it builds it. If you don't have docker-compose installed you should be able to just sudo apt install docker-compose; I believe that is totally fine in the repositories. Let me certainly check that. Yep, all right, looks good.

So let's go ahead and bring this thing up, and it'll just build the image. Super easy, don't have to bother installing anything. Of course we see the errors: hey, critical security bugs that are fixed in this old version. That's nice, thanks Docker. Snyk would do that for us.

Okay, I let this run for a little bit and it looks like it's spinning up everything that it needs. I see right away in the foreground a super secret password. Nice. This is a vulnerable demo application, so there's not going to be any kind of secrets or stuff going on here. Let's start to play. Now it said it had some proof of concepts in the exploits directory. Oh, they have an ImageTragick reference in here, maybe a couple zip attacks with zip files. What does this thing actually look like? If I run docker ps, will it show me the ports that we've got set up? 3001 for the database, oh no, sorry, it is going to be 27017; the Goof application is going to be on 3001. So I will hop over there on localhost, and this is it, this is Goof, the Goof to-do note-taking app. So I guess we can leave some notes. Okay, can we do weird JavaScript things, can we do some cross-site scripting maybe, sort of thing? No, okay, that seemingly didn't go through. Maybe the vulnerability's in something else. The About page says "the bestest to-do app ever." So we could look through this, we could hunt it down if we really wanted to. I'm sure there's not going to be any real... oh, I was wondering if there would be a robots.txt. I guess it's in the public directory there, although there's nothing particularly interesting in that directory. Directory traversal, though, it said that was a thing. There's no way that would just take it from the web root and public. When we went up one, it didn't do that, it just brought it back to the home. Do we need to encode them or something? We can do that with Python if we wanted to. I'll do a urllib, and I think it's parse, yeah, urllib.parse, and I think it's quote. I don't know if it'll actually behave; now quote_plus. Okay, that gives me the %2F, but I kind of need the... let's try it in public one more time. I don't know how far we're gonna go. Let's see if we can get to, like, /etc/passwd maybe. Oh, all right, that did it! It just took a little bit of encoding. I didn't even encode the periods. That's awesome, and it brought me to /etc/passwd. Okay, so local file inclusion, I mean, just in that, okay, some directory traversal.

And we would see that if we were checking out the Snyk database, the vulnerability database: this st package looks like it is the thing that offers... oh, and here they use %2e to encode the periods (I did not). "Version 0.2.5 of the st package did not properly prevent path traversal. Literal dots in the path were resolved out but URL-encoded dots were not." Okay, so I got through it there. It would leak sensitive files and data from the server. Nice. And I love that they have all this: here's the credit and the specific CVE, which you could go ahead and do more research on if you need to learn a little bit more. Oh, and that has the Zip Slip thing that we saw in that exploits directory. "This could potentially allow the attacker to create or replace existing files." That's very cool, and they offer the references here. And you can see, for literally every single exploit that was mentioned here, there are plenty more explanations and information on Snyk in the vulnerability database: here's some source code examples, more references, and the version numbers and patches that could be applicable. I think that's great. Regular expression denial of service, oh, that was the ReDoS. Cross-site scripting from the marked library, that module that's pulled in. Very cool.

So if you go ahead and take a look at this, if you go check out that vulnerability DB, snyk.io/vuln, you can look through this and there are a lot of super cool entries in here. Obviously these are all stemming from CVEs or legitimate vulnerabilities for any open source code or libraries you might end up using. If you check out Linux or anything else, maybe if you're more interested in Go, or if you're interested in other things like pip, we could explore that. But look at all of these.

So now I want to know: will Snyk just automatically fix all this? Will Snyk just know, contextually, with its own auditing... So I'm going to install Snyk with sudo here (that has a -g in it). Will it be able to parse all this out, determine those vulnerabilities, and then just fix them with their patches? Because that would be crazy cool, obviously, right? This is Goof, this is their demo vulnerable application, but when we put this to the test with the Hack The Box challenge, I want to know what it can do.

All right, so now I have Snyk. That's awesome. A good little man page for help, and we could check out the container. Actually, let's do that, let's do that, because it did showcase, hey, is this something that we can actually work with: scan the image for vulnerabilities with Snyk. Let's run that syntax, snyk test. Oh, and that requires an authenticated account. Let me go ahead and connect that. Okay, I authenticate here, and that's good. All right, let's run that one more time: analyzing container dependencies for that specific Dockerfile, querying vulnerabilities database. Okay, it came back. There is a lot of output. Oh, this is crazy cool: there are so many vulnerabilities in this. Down at the very bottom here, let me scroll up, let me see though, this goes on forever: medium severity, we saw high severity earlier. All right, that's enough seizure-inducing text. "Tested 413 dependencies for known issues, found 895 issues." Wow, that's kind of crazy cool. It is the demo vulnerable application, it goes to show, but I think there's a lot of awesomeness in that.

With that said, let's see if Snyk can just go ahead and clean all this up. I'll go ahead and run that snyk wizard command. Oh, that makes sense: this needs to be installed locally, as if it is my own code, not strictly within the Docker container. So let's go ahead and build this thing locally. Okay, coming through now. Let's see if that snyk wizard will just automagically do it all: "enumerate your local dependencies and query Snyk's server for vulnerabilities, guide you through fixing the vulnerabilities, and create a .snyk policy file to guide Snyk commands such as test and protect, remember your dependencies to alert you when new vulnerabilities are disclosed." All the defaults it said were worthwhile, but oh yeah, you can upgrade to the latest version, review the issue separately, or set to ignore them, or you can skip them. Upgrade to body-parser latest version; we should be good. How long am I going to be pressing Enter? There we go. All right, applying patches, applying updates.

I want to run the test just after this, and I want to see if that st directory traversal and that file inclusion trick that we just did will still be in place, and then we'll move on to the Hack The Box challenge, I promise. Okay, and it's done. Easy as that, Snyk went ahead and cleaned it all up. Looks like it updated all those version numbers, pulled in different libraries now, and I think it should have patched a lot of those vulnerabilities. Let me check that package.json file. I remember the st version from that Snyk vulnerability database, the version that was vulnerable with that directory traversal, that file access and the Zip Slip, everything: that was 0.2.5, and now we have been upgraded to a later version. It looks like a lot of these are now up to date, and this is great. Snyk went ahead and cleaned the whole thing and fixed that application. I will note that I got an email as we were testing that, as Snyk was looking through, checking out the vulnerabilities, checking out the code in that project: hey, it found those issues, it found plenty more, and it was willing to notify me and let me know. So that's super cool.

Now I can go ahead and clean out that Docker instance. We could docker-compose down, docker-compose rmi, stuff like that, because when we use docker-compose it will pull the files in from this current directory on our local machine. So if I were to docker-compose up and build that once again, now Goof will pull from the current files in this directory, and since those are all up to date with the installed version numbers, it'll grab it all and it'll all be good. So now once we have this new cleaned and fixed version of Goof, if I were to go test and try that directory traversal or any of the other exploits or vulnerabilities that we could have taken advantage of, they'll be fixed, they'll be patched. Snyk did it all for us, we didn't have to do a thing. That's awesome.

Okay, Docker is finishing up here and now Goof is running. I'll hop back to the web browser, and that localhost port is still alive and kicking. If I go check out that public directory, right where we would have had /etc/passwd using our directory traversal, I'm hitting Ctrl+Shift+R, a hard refresh, I can do that, Ctrl+F5. Look, this is now returning Forbidden and no longer reading out that potentially sensitive file or anything else. So sure, that's a simple proof of concept, it was just a directory traversal and some file access; there were a numerous plethora of other vulnerabilities we could have looked at, exploits we could have thrown, but I think that goes to show, hey, Snyk went ahead and cleaned that up. Seriously, looking at that package.json file, I think that's awesome. And this is just one component of what Snyk very well could do, like between Snyk Code looking for those hard-coded credentials that you might have accidentally introduced into your system, or checking out the container itself, that Docker image, that Docker instance that we looked at, and then bringing it across Kubernetes, and having the integration with GitHub and the pipeline, CI/CD. It's just awesome, it's just cool.

So hey, now let's go check it out on that Hack The Box Cyber Apocalypse capture the flag walkthrough. I wanted to mix this in because I feel like, hey, it's a little bit more pertinent to what my audience might be interested in. Could you use this in a capture the flag? Could you use this in red teaming? Could you do this in the offensive, adversarial, penetration testing sense? I mean, look, it's a database of known vulnerabilities that could be solid, and then we put it on its head and consider it for: let's protect this code, let's better this thing, and now things might look great.

All right, I'm gonna hop back over to this Hack The Box Cyber Apocalypse CTF BlitzProp write-up. This was the write-up we mentioned earlier that was using Snyk to track down the vulnerability. Here it was a challenge that was a prototype pollution attack, and this individual was literally just checking out the packages. You'd notice them in package.json, just as we had previously, and the flat, pug, and express vulnerabilities here, or these packages that are pulled in, they could very well have some software flaws, and they use Snyk to check that out. Seriously, we can go click on the prototype pollution and the remote code execution capability here. Prototype pollution: this entry for the flat package, "versions greater than or equal to 5.0.0 and less than 5.0.2, flat is vulnerable to prototype pollution." In these versions you can see the syntax here, you can see the magic that makes it work. I am truthfully going to press the "I believe" button and just walk through what this write-up is showcasing here, but it's weaponizing and using what pug could offer, with remote code execution in that templating engine, and taking advantage of it with prototype pollution. The cool thing is Snyk knew of all this; that, I think, was super cool.

Hack The Box Cyber Apocalypse, their CTF, was nice enough to go ahead and offer the Docker instances for challenges that you might be working in, in the web category. So I'm going to go ahead and work with that BlitzProp challenge now. I'm going to move into that directory and go ahead and build this Docker instance, and now it is running on port 1337, so I can go check that out here. "What is your favorite Blitz song?" Oh goodness: "Not polluting with the boys," "ASTa la vista baby" (I'm assuming that's going to be like abstract syntax tree, maybe), "The Galactic Rhymes," "The Goose went wild," and you can submit any song that you might like. We'll just use "hello" here. Does that actually add it, or what does that end up doing? I'm gonna hit F12 to check out the Network tab in the developer tools and let's see what really goes down if I were to submit this here. Looks like Submit sends a POST request to an API endpoint on submit, and it will include, okay, a little JSON object here for our song.name.

Now we could look through the code here, we could experiment with this with just a smidge more. Truthfully, again, I'm kind of gonna speed-run from what the write-up was willing to showcase, and since we know Snyk was able to track this down, hey, it is going to end up being a prototype pollution attack. They showcase some sample injection or payload techniques that you could use, and they can get code execution on this target here. So let's try it. I am going to switch this up: I'll grab the syntax but make it a little bit different. I'll go ahead and set up a little exploit.py file, slap this all in here, I'll add a shebang line, and I am going to be calling out to localhost:1337 rather than that target that they had. And they used a little bash reverse shell here; I don't think I'll do that. I actually want to just try and copy the flag file to a publicly accessible route or location on the website so then I can just retrieve it nice and easy. I'm going to check out the Dockerfile, and I'll check to see where that flag file might actually be. Actually, in that challenge directory it looks like they do have a flag file, the fake one that is used for testing, and that's what we'll work with as we are working locally. But that challenge directory looks like it's copied into the container in the current working directory, which is /app. So if I were to look inside of that challenge directory, they have the static directory where they can show images, or cross-site, or, excuse me, cascading style sheets or JavaScript. So maybe we could go ahead and just copy the flag file over there with our code execution. So I will use syntax, actually I'll just use a glob to try and get any directory with flag, I suppose, anything, just in case it were to have a .txt extension or something, and then we could bring it into /app/static/images and we'll just call it flag, just like that.

So now, because of the prototype pollution that we can weaponize with Pug's remote code execution, we are able to go ahead and run that command to copy the flag into a publicly accessible location. So I'll try and run that exploit, and it says "hello guest, thank you for letting us know." Okay, so if I were to go back on the web page and go to /static/images/flag, you can see that it downloaded there for me. And I had tested this a moment ago, so I'm glad that still works. So if we were to just do that exact same thing to curl it down, http, throw that link in there, /static/images/flag, there we go, we should get the flag accessible on that server. So that's how we took advantage of that prototype pollution remote code execution to retrieve the flag and solve the BlitzProp challenge.

What I want to take away, though, is that Snyk was able to know that. Snyk had the awareness, had that information, the vulnerability database, that hey, that's a vulnerable version. Part of me wants to know: would Snyk be able to test that if I were to come in here and try and run snyk? Could I tell it to run in a specific directory, maybe, infrastructure as code test a location or a path? Yeah, "test a project in the current folder for known vulnerabilities." That's all it takes. So let's move into that challenge directory where we had all the files in here, let's go ahead and run snyk test, and we'll see if that gets anything out of here. Totally should. Yeah, as expected, found the command injection, remote code execution, regular expression denial of service, but the prototype pollution is the dead giveaway here.

So could we go ahead and fix this now? If I were to run snyk wizard, what are you tracking down? All right, we need to go ahead and install it. I'll use yarn install as it suggested, and let's see if, once everything is installed, Snyk can go ahead and clean it up. Let's do that snyk wizard one more time. Okay, analyzing all of the things here. Yep, we do want to upgrade flat, we want to upgrade pug, and that seems all good. We'll let it go, cleaning house, add on all these, applying the updates using yarn this time. Things look good. How about that package.json file? Yes, flat has been updated, pug has been updated. Now I'm going to hop back and try and build that Docker image one more time. Looks all good and it's running. So I will go back to this page, just as a sanity check: I no longer have /static/images/flag because this is a new instance. But if I were to try and run this exploit, I'll go ahead and try this, it says "hello guest, thank you for letting us know." Let's see if that /static/images/flag still exists. It does not. That totally failed: it gave me a fine status message, but it did not actually execute that command or run that. So that vulnerability, that attack vector, has been patched to the point where, okay, we can't retrieve that flag through that method. So that's awesome. All we did was run Snyk, we just let it do its magic, it updated the packages, and it would solve this vulnerability that was present in that capture the flag challenge.

Now I realize I have been yapping for a while, but I really hope that you thought that was just as cool as I did. I think it's incredible: Snyk can just figure out everything that you're working with within your project, within your software, within your code, and then handle it to make it better, to make it more secure. That's the whole point, right? Better security. And man, they have just so much stuff. Hey, I want to put it up a little bit on the screen here. Check it out: check out how it can integrate into your workflow, how it can work in your editor, how it can be a part of your CI/CD pipeline. It's all totally free and you can get started with it right now. And Snyk has just been doing a ton of awesome stuff: they have a website vulnerability scanner and a checker out and about now. So hey, kudos and thank you. I do have to give a lovely shout-out and thank you to Snyk for being the sponsor for today's video, and honestly just overall being awesome and incredible people to hang out and work with. So when I had signed up for Snyk they had reached out, we chatted a little bit, and I'm just really, really thankful that we were able to put this together. I hope this is something that you guys think is awesome, honestly, just the same way that I do. So please, please check it out, and I'll see you in the next video. Everyone, take care. Thanks for watching.
Info
Channel: John Hammond
Views: 32,388
Id: tyL3Ouais1c
Length: 30min 36sec (1836 seconds)
Published: Thu May 13 2021