XSS with CSP set to “self”

Although one might initially think that a Content Security Policy (CSP) set to 'self' will defeat XSS, depending on the web app that is not necessarily the case. Depending on how well the application is written, there may still be ways around it.

When playing around on HTB I came across a machine where the initial foothold was designed to be gained via cross-site scripting (XSS) against a “bot user” on a website. I saw that when editing a field in an order form for my own user I could successfully enter an XSS payload, yet it got blocked by the CSP: as it was set to 'self', the web browser rejected inline JavaScript. After looking around the page a bit and discovering its features I noticed that I could actually upload a profile picture. After discovering that I decided to see whether there were any restrictions on the files that could be uploaded as my avatar. Lucky for me there weren’t any, and I successfully uploaded a JavaScript file as my profile image.

After having uploaded the malicious JavaScript payload as my profile image I could get XSS to trigger on my own order forms. It was just a matter of pointing a script tag at my profile image as its source, which is same-origin and therefore allowed by 'self':

<script src="http://ctftarget.htb/static/profile/1"></script> 

After that it was just a matter of finding out how to feed that XSS to the bot user, which turned out to be easy: update the bot’s order form, as permissions were broken.
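As an added defensive example (not code from this write-up or from the target application), the Python below shows the two server-side checks that would have broken this bypass: validating an avatar upload by its bytes rather than its filename, and serving it with headers a browser will not execute as script, plus a small CSP parser that flags the 'self'-plus-same-origin-uploads combination described above. All function names, the accepted image signatures and the sample payloads are constructed here.

```python
from typing import Dict, List, Optional

# Magic bytes of the only formats the avatar endpoint should accept (constructed list).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image MIME type if the payload starts with a known signature."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None

def store_avatar(data: bytes) -> Optional[Dict[str, str]]:
    """Accept an avatar only if its bytes are an image; return the response
    headers it must be served with, or None when the upload is rejected.

    The filename and Content-Type sent by the client are deliberately not
    consulted: a JavaScript file renamed to avatar.png must still be rejected.
    """
    mime = sniff_image_type(data)
    if mime is None:
        return None
    return {
        "Content-Type": mime,
        # nosniff makes the browser refuse to execute a <script src> whose
        # response is not a JavaScript MIME type, even when it is same-origin.
        "X-Content-Type-Options": "nosniff",
    }

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def uploads_can_become_scripts(policy: Dict[str, List[str]],
                               uploads_same_origin: bool) -> bool:
    """Flag the combination from the write-up: scripts trusted from 'self' (or *)
    while user-uploaded files are served from that same origin. Explicit host
    sources naming the site's own domain are not checked here."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return uploads_same_origin and any(s in ("'self'", "*") for s in sources)
```

Serving uploads from a separate origin (or a dedicated subdomain excluded from script-src) removes the problem entirely; the checks above are the fallback when that is not an option.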

So when you come across a restrictive CSP, look for other functionalities which might help you reach your goal. And as always, use your skills wisely/legally/responsibly.

Notes on Pentesting/CTF “hacking” a gRPC application

Things I describe here are only to be used in a “lab/CTF” environment or on systems you actually have permission to try things out on.

Discovery

When playing around on HTB I ran into a strange port/service I hadn’t seen before. My nmap scan showed that port 50051 was open but “unknown”. Just out of curiosity I opened a connection to it using telnet; after a while it timed out, stating that it’s an HTTP/2 based service:

A quick Google search later it seemed to be a gRPC server. You can read more about it on the gRPC website.

Tools to interact with gRPC

As I hadn’t played around with gRPC previously I spent some time looking at tools and ways to interact with gRPC applications.

The options I found were:

After a quick look I ruled out writing Python code, as it seemed too much for a “simple CTF machine” and my current use case.

Next I took a look at Postman/Insomnia. Their interfaces were similar and they could easily interact with the gRPC service, but they were lacking some functionality to conveniently pentest the application.

Yes, they were able to show what “symbols” are available in the gRPC app, but they didn’t return some of the descriptive info/reflection data properly, at least in the app I was “hacking”, which ended with me looking at other tools.

grpcurl looked like a nice command line tool and was able to explore the app nicely:

But it also didn’t reflect all the features/parameters of the application and was still lacking something that I found grpcui had!

Now we come to my favourite of the bunch, the one that got me past the finish line on my target machine: grpcui. What this tool does is give you a WebUI to access and interact with the backend gRPC application. Why this is good for “hacking and pentesting” is that it gives you the option of proxying the connection through Burp Suite and using other automation tools to interact with the gRPC service. The current version of grpcui had a “CSRF token”, but it was a static value that could be reused indefinitely, so it could basically be ignored.

Testing/“hacking” a gRPC application

So after having found a tool that seemed to suit my purpose I started poking and prodding at my target gRPC application using a web browser with the help of grpcui.

When started, grpcui basically runs a little WebUI on localhost:“SomeRandomHighPort”, which you should access via a web browser. Startup example:

If you use the bind parameter to bind it to an IP address that differs from loopback (127.0.0.1), then your browser will gladly proxy your connections to Burp or ZAP (browsers normally bypass the proxy for localhost). After that you can continue your “regular pentesting workflow”.

In my case, after having poked and prodded at the app for a bit I found that it had a SQLi in it. So I opted to take the raw request from Burp, “unleashed” sqlmap on it and dumped the whole database. That contained a username and password combo I could use to access the box over SSH, and “user flag claimed”.

Using a Samsung T7 USB-C external SSD to run lab VMs

My use case

When I started playing around more actively on different hacking CTF platforms I felt the need to carry my “CTF pwn box” with me. Syncing the Kali VM constantly between my workstation and my laptop was time consuming, and well, I mostly just forgot to do it.

My doubts

Previously having only owned USB3 HDDs for backup purposes and having seen their latency issues/slowness, I was quite skeptical. I was wondering about the latency penalties that would come from having the NVMe drive over USB instead of in the M.2 slot. And as reviewers somehow didn’t want to cover the latency aspects, I was left wondering.

How it actually is with the Samsung T7 portable drive

After having done some research I opted to buy the 1TB Samsung T7 Portable SSD, and long story short, my use case works fine. VMs run like a dream on it.

When comparing latency between a machine running on my internally installed M.2 NVMe drive and the USB-C connected Samsung drive, there is no difference that I can feel when doing labs.

But as feeling isn’t actually accurate, I thought I’d actually measure the IO performance. In order to measure latency/IO performance I used dd with a small block size. That little idea I got from a nixCraft article.

The internal M.2 NVMe I used in the test is the Western Digital 1TB WD Blue SN550. Although it doesn’t change much, the system itself is a Ryzen 5800X on an X570 chipset motherboard.

The results show that in my case the internal M.2 drive is about 10% faster. Yet it isn’t something that would make VMs run sluggish.

Results for the internal 1TB WD Blue:

Results for the USB-C 1TB Samsung T7:

One more thing that I feel must be said about the portable drive: although synthetic benchmarks like CrystalDiskMark show performance “like it’s written on the box”, real life differs from it. Namely, Samsung promises “up to 1000MB/s” writes, and having tried it on multiple computers, actually copying files onto it lands somewhere around 350MB/s for me. And I was copying large files from internal M.2 drives capable of more than that, and not so large that they should overwhelm the drive’s cache/slow it down. I used different files with sizes ranging from 1GB (like CrystalDiskMark) up to 20GB.

It doesn’t necessarily make the T7 a bad drive, but it’s just something to take into account. For me, I’m still pleased with the drive, as it has served me well for syncing and running my lab VMs between my different computers.

HackTheBox: don’t get stuck on the decoys

Lately I’ve been doing quite a lot of playing around on HackTheBox. I just love the “competitive mode/season” thing they are trying out, as it gives you a target for the week. It adds a nice incentive to play around there and makes it harder to forget, as who doesn’t like getting higher on the “leader board”.

But what I’ve noticed over the past few weeks is that there are some decoy hints on the machines. So if you seem stuck for a while and are quite sure you are doing the right thing, just take a step back and go through your notes again. The last decoy I found myself stuck on for a while was an app returning a “username” in a header. Of course that was the username value I used in all the following exploitation steps instead of my own username that I used to register. Wasted a bit of time because of that. It was there purely to throw people off! But hey, lesson learned!

Also, although nmap might say that some software version is vulnerable, usually that’s not the way in. It still tends to be some web application vulnerability that gives you the initial foothold, not a “vulnerable SSH daemon” (don’t waste time guessing usernames for scp exploitation). Most likely there is either a path traversal issue which allows you to get access to something you shouldn’t, or SQL injection.

Oh, and before I forget, the -p- flag for scanning is quite a good idea, as there have been quite a few hosts where the actually vulnerable service doesn’t show up in the default port selection. And if you feel stuck, then surely visit the HackTheBox forums/Discord servers to get a nudge/do a sanity check on your progress. Really nice and active community there, with quite a few people willing to share ideas without actually spoiling the challenge.

APIsecure 2023 day 1 Red Track

“New conference in town”

Today was the first day of the APIsecure API security conference, and as it was a free conference that I had somehow missed last year, I didn’t know what to expect. I was expecting a lot of “product coverage”, but it was the opposite; I was pleasantly surprised that that wasn’t the case. One presenter who tried to pitch a product was actually cut off for it.

My Favorites of the Day

There were quite a few interesting talks, but my favorites of the day were:

  • Michael Taggart: “Beyond Vuln Management: How Adding Offensive Methodology Made Our APIs More Secure.”
  • Antoine Carossio and Tristan Kalos, Escape Workshop: “Discovering GraphQL Vulnerabilities in the Wild”
  • Ted Miracco: “Enhancing API Security with Runtime Secrets & Attestation”

Michael Taggart had the smoothest and most enjoyable presentation to follow. If the videos get uploaded, this is the one I will send to quite a few blue teamers I know. I totally agree with the idea that the blue team must know offensive tactics.

Although “Antoine Carossio and Tristan Kalos” had a lot of technical issues (internet issues) that made the talk a bit hard to follow, I actually liked it a lot and learned something new. I hadn’t previously taken much time to go into the details of GraphQL vulnerabilities, and this talk gave me new ideas on what to try when doing an assessment.

Ted Miracco’s talk on mobile app API security was quite interesting too, proposing some interesting ideas on improving the security of apps. To be honest, the leak statistics shown in the talk were worse than I thought they would be.

All the talk videos/slides are supposed to be uploaded some time after the conference on their website. Can’t wait to actually be able to go through the slides and “perfect my notes” on GraphQL. The conference website can be found here.

Does VMware Workstation Pro 15.5 run on Windows 11???

As Microsoft stopped selling Windows 10 licenses and Windows 11 has been out for quite a while now, I thought I’d give it a try. The first questions that came to mind were: does everything I need for work actually work there, and what do I need to change? Although VMware itself states that Workstation 15.5 on Windows 11 isn’t a supported setup, I still thought I’d give it a try before buying the upgrade.

So here’s what you can expect from this setup (or how it was for me). It somewhat worked:

  • Some VMs required a “VM hardware upgrade”
  • None of the VMs with more than 1 CPU/core would even start; they threw errors and refused to start until the extra cores were removed
  • 3D acceleration issues inside VMs when needing to use a GUI (Gnome/KDE, etc.): the GUI worked, but the image was sometimes blurry, with occasional resolution issues when resizing the VM window, etc.
  • The Suspend VM button instantly crashes/shuts the VM down.

So if you don’t need multi-core VMs, 3D acceleration or pause (suspend) functionality, then it might work for you. But I’d just recommend skipping this trial and error phase if you’re not just curious and bored, and upgrading to 17.

Tenable.SC plugin/feed updates failing & disk full

Today I was called to help with a Tenable.SC instance that failed updating its plugins. It turned out that it had its “/opt” filled 100%. A little investigation into where the space had gone showed that the “/opt/sc/data/” folder was full of “feed.XXXX” folders, each 2.4GB in size (~130+ GB in total).

Looking at the logs (/opt/sc/admin/logs/sc-error.log) I could see that as of December 6th updating the feed had failed:

PHP Fatal error: Allowed memory size of 1782579200 bytes exhausted (tried to allocate 20480 bytes) in /opt/sc/src/lib/FeedLib.php on line 2769

So in order to get SC updating itself normally again, I removed all the unneeded feed folders, except the “latest feed update attempt”, by running the following command:

find /opt/sc -type d -name "feed.*" -ctime +1 -print0 | xargs -0 rm -rf

And next, in order to fix the “feed update failing” and prevent it from filling up the disk again within a month, I had to increase the PHP memory parameters. To do that I edited “/opt/sc/support/etc/php.ini” and turned the memory limit up to 1900M; its default value was 1700m. After that I restarted SC by running:

service SecurityCenter stop && service SecurityCenter start

Additional thoughts on SC disk cleanup can be found in these two posts on Tenable’s website:

Kali ticket_converter.py issue fix

When trying to convert Kerberos tickets I ran into a little issue with it being unable to import a name. To be more exact, the specific error is:

Traceback (most recent call last):
File "ticket_converter.py", line 30, in <module>
from impacket.krb5.ccache import CCache, Header, Principal, Credential, KeyBlock, Times, CountedOctetString
ImportError: cannot import name 'KeyBlock' from 'impacket.krb5.ccache' (/usr/local/lib/python3.8/dist-packages/impacket-0.10.1.dev1-py3.8.egg/impacket/krb5/ccache.py)

Fortunately the fix was quite easy when looking into the impacket file mentioned in the error. Namely, it seems they have changed the class names and added versioning:

grep -i keyblock /usr/lib/python3/dist-packages/impacket/krb5/ccache.py
class KeyBlockV3(Structure):
class KeyBlockV4(Structure):

When seeing that I realized that the fix is easy: just change all occurrences of the word KeyBlock to KeyBlockV4. Just open up ticket_converter.py in vim and type “:%s/KeyBlock/KeyBlockV4/g”. That fixed it for me. Happy Hacking! 🙂

OWASP ZAP/Zed Attack Proxy missing after Kali upgrade

If you find yourself looking in the menus and not finding OWASP ZAP any more after updating/upgrading your Kali instance, and even the locate command returns former paths to ZAP files that don’t exist any more, fortunately the fix is easy: just run the updatedb command as root/with sudo. That should fix the issue and ZAP should be visible in the menus again. At least that worked for me.