Webgoat - Crypto Basics

In this walkthrough, we will be going through the Crypto Basics vulnerability section from Webgoat Labs. We will be exploring and exploiting cryptography-related vulnerabilities and learning how applications are affected by them. So, let’s get started with the hacking without any delay.

Crypto Basics

1. Base64 Encoding

  • In this challenge we have to decode a base64 string in order to reveal the username and password combo.

  • I used CyberChef to decode the string and got the credentials – kratos:123456

Cyberchef base64 decode

Challenge completed

2. Other Encoding

  • In this challenge we have to find out the original password from the given XOR-encoded string (WebSphere’s default password encoding).

Assignment

  • I used the WebSphere XOR decoder shown below to reveal the DB password.

Password encoder and decoder

Challenge completed
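As an added example (not part of the original write-up), this is the scheme such a decoder implements, assuming WebSphere’s default {xor} format: every byte XORed with the single key byte 0x5F, then base64-encoded and prefixed with {xor}. The audit helper and the sample config are constructed for the demo, not taken from the lesson.

```python
import base64

PREFIX = "{xor}"
XOR_KEY = 0x5F  # '_': the fixed key byte of WebSphere's default {xor} encoding (assumption)


def websphere_xor_encode(plaintext: str) -> str:
    # XOR every byte with the fixed key, then base64 the result: reversible, not encryption.
    masked = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(masked).decode("ascii")


def websphere_xor_decode(encoded: str) -> str:
    # Inverse of the above: anyone holding the string recovers the password.
    if not encoded.startswith(PREFIX):
        raise ValueError("not a {xor}-encoded value")
    masked = base64.b64decode(encoded[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in masked).decode("utf-8")


def find_xor_encoded(config_text: str) -> list:
    # Audit helper: list every key=value pair stored with this reversible encoding,
    # so the secrets can be moved to a real secret store instead of living in files.
    found = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and value.strip().startswith(PREFIX):
            found.append((key.strip(), value.strip()))
    return found


# Constructed sample config for the demo, not the lesson's actual string.
SAMPLE_CONFIG = "db.user=kratos\ndb.password={xor}Lz4sLCgwLTs=\n"
```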

3. Plain Hashing

  • In this challenge we have to crack the given password hashes.

  • I used CrackStation to reveal the passwords behind the given hashes.

Crackstation Password Cracker

Challenge completed
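Added example, not from the original write-up: why a lookup service like the one used above works on the lesson’s hashes (no salt, fast hash, so every digest of a common password is precomputable), next to the salted, slow PBKDF2 storage that defeats it. The candidate word list is constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample word list for the demo.
COMMON_PASSWORDS = ["123456", "password", "letmein"]


def plain_hash(password: str, algo: str = "md5") -> str:
    # Unsalted, fast hash: the form the lesson hands out.
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def lookup_plain_hash(digest: str, candidates=COMMON_PASSWORDS, algos=("md5", "sha1", "sha256")):
    # With no salt, the digest of a given password is the same everywhere, so matching
    # it is a table lookup per algorithm. Returns (password, algo) or None.
    digest = digest.lower()
    for word in candidates:
        for algo in algos:
            if hmac.compare_digest(plain_hash(word, algo), digest):
                return word, algo
    return None


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    # Mitigation: random per-password salt plus a deliberately slow KDF, so the
    # same password yields a different stored value every time and no table applies.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    fields = ["pbkdf2_sha256", str(iterations),
              base64.b64encode(salt).decode("ascii"), base64.b64encode(dk).decode("ascii")]
    return "$".join(fields)


def pbkdf2_verify(password: str, stored: str) -> bool:
    scheme, iters, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)  # constant-time comparison
```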

4. Symmetric and Asymmetric encryption

5. Cryptographic signature

  • In this challenge, we have to determine the modulus of the RSA key as a hex string, and calculate a signature for that hex string using the key.

  • I saved the given key to a file on my local machine named private.key

private.key

  • Next, I derived the public key from the private key and then extracted the modulus from that public key. After that, I signed the modulus hex string with the private key to get a signed.key file, and finally base64-encoded it.

$ openssl rsa -in private.key -pubout > test.pub
writing RSA key

$ cat test.pub 

-----BEGIN PUBLIC KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQEAmtyastz/iBXEOmQYRkzD
aOt1K1DY0bu3BAMtOpZjwLaW3tD1aCUBJbd22OG++0eWnMqT/gfdBaphP6D4y0Xx
qtQlpjJ4IO1YLo15JiI/y4TogRsTrryDKAF7cT9eqw29UbsRU6BOPNb7PmMWTgBe
qfaRbXKD5J+Ew2sv2nIaE/4E3/86aELQhm8J2QpAnz0f+Wp+F1qRDClKbybDQzee
bopfxRk3+KLvQGsxCuYkOuW3xnIUWeqhAQXl4OxvQs0v81kvYBqoe/CrSj3fIlaP
wDHNFyA2U9tlNQleoSZMkbqKXYBt8xnOY7I3JO4aIUH7EfhYs75sOtRVnjGJjvgc
rwICAQE=
-----END PUBLIC KEY-----

$ openssl rsa -in test.pub -pubin -modulus -noout
Modulus=

$ echo -n "9ADC9AB2DCFF8815C43A6418464CC368EB752B50D8D1BBB704032D3A9663C0B696DED0F568250125B776D8E1BEFB47969CCA93FE07DD05AA613FA0F8CB45F1AAD425A6327820ED582E8D7926223FCB84E8811B13AEBC8328017B713F5EAB0DBD51BB1153A04E3CD6FB3E63164E005EA9F6916D7283E49F84C36B2FDA721A13FE04DFFF3A6842D0866F09D90A409F3D1FF96A7E175A910C294A6F26C343379E6E8A5FC51937F8A2EF406B310AE6243AE5B7C6721459EAA10105E5E0EC6F42CD2FF3592F601AA87BF0AB4A3DDF22568FC031CD17203653DB6535095EA1264C91BA8A5D806DF319CE63B23724EE1A2141FB11F858B3BE6C3AD4559E31898EF81CAF" | openssl dgst -sign private.key -sha256 -out signed.key

$ openssl enc -base64 -in signed.key -out final.key

$ cat final.key 
kuUlJw0GgwqHbgpZkfWmeonIh0ESrS5c65peaNUzIwfv1Dl1s4ggKDcbvvakFypU
Mzse4t2iw1/thdWwBk9NOX7nBuSSsWZ/Hzz16PMAaLI9JuB1wwHnpyytWXoyeqhz
xOhXgj16BaG5HT9F918nXd36hkKEadYKErtMarNbRVPbtk87Bye3U/7DwcLUS0oK
C+GZf8ls9k3lL0DyjnQkan8eBMhfqwctgjj+kJ8z9A+jBty8Rd7L6KchhTcVuRhl
fszPO58fdjMSocLseNs097wh6cNr2A2NlaU+CwYUaBiuUY/l6O8ji0aA8OISQpCG
y5O7xDD/cFY1liVmJ5BGsQ==
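Added example, not part of the original write-up: what the openssl commands above do under the hood, written in pure Python. `openssl dgst -sha256 -sign` builds an EMSA-PKCS1-v1_5 block (DigestInfo prefix plus SHA-256 digest) and applies the RSA private-key operation, and the modulus hex is `format(n, "X")`. The key generation here is demo-only (assumption: a toy Miller-Rabin generator, not something to use for real keys).

```python
import hashlib
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2), prepended to the digest.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin, demo quality
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits: int = 1024, e: int = 65537):  # returns (d, e, n); demo-only keygen
    def prime(b):
        while True:
            p = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(p):
                return p
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return pow(e, -1, phi), e, p * q

def emsa_pkcs1_v15(message: bytes, k: int) -> int:
    # EM = 0x00 || 0x01 || PS (0xFF bytes, at least 8) || 0x00 || DigestInfo || SHA-256(message)
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("key too short for SHA-256 PKCS#1 v1.5")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign(message: bytes, d: int, n: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(message, k), d, n).to_bytes(k, "big")

def verify(message: bytes, sig: bytes, e: int, n: int) -> bool:  # compares the full block
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == emsa_pkcs1_v15(message, k)
```

The lesson’s check is the verify side: `base64.b64encode(sign(format(n, "X").encode(), d, n))` is what final.key holds for a key with modulus n.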

Challenge completed

6. Keystores

7. Revealing Certs

  • In this challenge we have to find the secret which has been accidentally left inside a docker image. We first start the docker image with the command below.

$ sudo docker run -d webgoat/assignments:findthesecret
[sudo] password for wh1terose: 
Unable to find image 'webgoat/assignments:findthesecret' locally
findthesecret: Pulling from webgoat/assignments
5e6ec7f28fb7: Pull complete 
1cf4e4a3f534: Pull complete 
5d9d21aca480: Pull complete 
0a126fb8ec28: Pull complete 
1904df324545: Pull complete 
e6d9d96381c8: Pull complete 
d6419a981ec6: Pull complete 
4cf180de4a1f: Pull complete 
ff2e10214d79: Pull complete 
Digest: sha256:3fba41f35dbfac1daf7465ce0869c076d3cdef017e710dbec6d273cc9334d4a6
Status: Downloaded newer image for webgoat/assignments:findthesecret
10b1a4fce85d5172856cfd2c6c2225f4fd13cfcb9e81d4c44deb03195c301f6c

Webgoat docker container

  • Next, I got a shell inside the container but was unable to access /root. I tried to escalate with “su -”, but had no luck.

$ sudo docker ps
CONTAINER ID   IMAGE                               COMMAND                  CREATED         STATUS         PORTS                                              NAMES
10b1a4fce85d   webgoat/assignments:findthesecret   "/bin/bash /home/web…"   9 minutes ago   Up 9 minutes                                                      suspicious_noether
30071e322466   webgoat/webgoat                     "java -Duser.home=/h…"   2 hours ago     Up 2 hours     127.0.0.1:9090->9090/tcp, 127.0.0.1:80->8080/tcp   nostalgic_shtern

$ sudo docker exec -it 10b1a4fce85d bash

$ cd /root/
bash: cd: /root/: Permission denied

$ su -
Password: 
su: Authentication failure

docker ps

docker exec

  • Next, I copied the /etc/passwd file to my local system and changed the webgoat UID and GID to 0 in it.

$ sudo docker cp 10b1a4fce85d:/etc/passwd test
Successfully copied 2.56kB to /home/wh1terose/Desktop/test
wh1terose@fsociety:~/Desktop$ cat test
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
webgoat:x:1000:1000::/home/webgoat:

cat test

editing test file

  • Copying the file back into the container makes us root. Finally, we found the password in the default_secret file and used it to decrypt the given base64 string, revealing the secret.

$ sudo docker cp test 10b1a4fce85d:/etc/passwd
Successfully copied 2.56kB to 10b1a4fce85d:/etc/passwd

$ sudo docker exec -it 10b1a4fce85d bash
root@10b1a4fce85d:/# cd /root/
root@10b1a4fce85d:~# ls
default_secret
root@10b1a4fce85d:~# cat default_secret 
ThisIsMySecretPassw0rdF0rY0u

root@10b1a4fce85d:~# echo "U2FsdGVkX199jgh5oANElFdtCxIEvdEvciLi+v+5loE+VCuy6Ii0b+5byb5DXp32RPmT02Ek1pf55ctQN+DHbwCPiVRfFQamDmbHBUpD7as=" | openssl enc -aes-256-cbc -d -a -kfile default_secret 
Leaving passwords in docker images is not so secure

docker cp test

secret revealed

Unencrypted message: Leaving passwords in docker images is not so secure

File name: default_secret

Challenge completed

Conclusion

So, we finally completed the Webgoat Crypto Basics vulnerability section. These kinds of attacks can be mitigated by using strong encryption algorithms and properly managing encryption keys. Along with that, session keys and other cryptographic material should come from a proper random number generator, cryptographic libraries must be kept up to date, and parties should be authenticated properly. On that note, I will take your leave and will meet you in the next one with another Webgoat vulnerability writeup, till then “Keep Hacking”.
