Looking Glass: A Beginner’s Guide to Web Exploitation
Introduction:
We recently had the opportunity to explore and test an acclaimed secure networking tool named "Looking Glass." Its creators have boldly deemed it the market's most secure solution, and we were keen to check it out. In this article, we walk you through our testing of this tool, highlighting our methods, observations, and the resulting findings.
Machine Name: looking glass
Difficulty: Easy
Category: Web
CHALLENGE DESCRIPTION:
We've built the most secure networking tool in the market, come and check it out!
First Impressions:
Upon launching the Looking Glass machine, we were presented with its IP address, which we promptly opened in a browser on our Kali machine. The landing page offered two features, 'Ping' and 'Traceroute to Server 01', both seemingly straightforward network commands tied to a fixed, pre-filled IP address.

Two commands are exposed here: 1) Ping and 2) Traceroute to Server 01, both with a fixed IP address.

Investigating the Backend:
To gain a deeper understanding of how these commands were executed, we intercepted the requests the browser sent to the server with Burp Suite, a popular tool among security researchers for inspecting and modifying web traffic.

For the Ping feature, the intercepted request and its response were quite telling. The response was the raw output of the 'ping' command with a count of 4, targeting the fixed IP address (144.126.206.249). This gave us an important clue: the server appeared to be building a shell command from the submitted IP address and executing it with something like the system() function.
Exploiting Command Injection:
The system() function hands its string to the shell (/bin/sh -c), so if user input is concatenated into that string without sanitisation, every shell metacharacter in the input is interpreted by the shell: a semicolon (;) or newline ends one command and starts another, and '|', '&&', '||', backticks and '$()' work the same way. Our suspicion was that the server was concatenating the submitted IP address directly onto the 'ping -c 4 ' string. If so, appending ';ls' to the IP address would make the shell run 'ls' right after 'ping'.
We tested this theory by editing the intercepted request in Burp so that the IP parameter read "144.126.206.249;ls", which the server would turn into the command "ping -c 4 144.126.206.249;ls". The 'ls' command is used in UNIX-based systems to list files and directories.

The Return of the 'ls':

To our delight, the server responded not just with the results of the ping command, but also with a list of files present in the current directory. This was a clear confirmation of a command injection vulnerability present in the Looking Glass tool.
Exploring the Directories:
Feeling adventurous, we decided to expand our horizons. We used the same command injection method to explore the root directory by appending ';ls /' to the IP address. In the URL-encoded request body this appeared as ';ls%20/': '%20' is the URL encoding of the space between 'ls' and '/', and it is that space, not the slash, that the encoding stands for. (The semicolon can be sent literally or encoded as '%3B'; both reach the server as ';'.)
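To make the mechanics of the injection concrete, here is an added example that is not code from the Looking Glass challenge or from this write-up. It models the server side in Python rather than whatever language the real application uses: a vulnerable handler that concatenates the IP parameter into a shell string (the system()-style pattern suspected above), the same handler with the input passed as an argument list instead, a hardened version that also validates the input as an IP address, and the URL encoding of the ';ls /' payload discussed in the previous paragraph. The form field name 'ip' and the 'echo PING' stand-in used in the test (so the demonstration runs without network access or a ping binary) are assumptions, not details from the page.

```python
"""Command injection in a ping handler: vulnerable, partly fixed, and hardened.

Added example, not the challenge's own code. The real server's language and
parameter names are unknown; 'ip' and the base_cmd parameter are assumptions.
"""
import ipaddress
import shlex
import subprocess
from urllib.parse import quote

PING_BASE = "ping -c 4"  # what the intercepted response suggested the server runs


def build_command(ip: str, base_cmd: str = PING_BASE) -> str:
    """Model of the vulnerable concatenation: the user-supplied IP is pasted
    straight into a shell command string (what system() receives)."""
    return f"{base_cmd} {ip}"


def run_vulnerable(ip: str, base_cmd: str = PING_BASE) -> str:
    """Execute the concatenated string through /bin/sh, as system() does.
    Any shell metacharacter in `ip` (; | && $() `) is parsed by the shell,
    so '144.126.206.249;ls /' runs ping and then ls."""
    proc = subprocess.run(build_command(ip, base_cmd), shell=True,
                          capture_output=True, text=True, timeout=60)
    return proc.stdout


def run_argv_only(ip: str, base_cmd: str = PING_BASE) -> str:
    """Fix 1: no shell at all. The input becomes one literal argv element,
    so ';ls /' is handed to the program as part of the hostname string
    rather than interpreted as a second command."""
    argv = shlex.split(base_cmd) + [ip]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=60)
    return proc.stdout


def run_hardened(ip: str, base_cmd: str = PING_BASE) -> str:
    """Fix 1 + Fix 2: validate that the input is an IP literal before use.
    Validation matters even with shell=False, because an input beginning
    with '-' could otherwise be parsed as an option by the program itself."""
    try:
        ipaddress.ip_address(ip)  # raises ValueError for anything but an IPv4/IPv6 literal
    except ValueError as exc:
        raise ValueError(f"rejected non-IP input: {ip!r}") from exc
    return run_argv_only(ip, base_cmd)


def encode_param(ip: str) -> str:
    """How the payload looks URL-encoded in the request body: the space
    becomes %20 and the semicolon %3B; '/' is left as-is by quote()."""
    return quote(ip)  # quote() keeps '/' safe by default
```

With the assumed 'echo PING' stand-in for ping, run_vulnerable("144.126.206.249;ls /") prints the echoed line followed by a listing of '/', run_argv_only() prints the whole payload as one literal argument, and run_hardened() refuses the payload before anything is executed.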

Unexpected Findings:

Our curiosity was rewarded when we stumbled upon an interesting file named 'flag_dwstw'. Intrigued by this unusual discovery, we decided to display its contents using the 'cat' command, once again taking advantage of the command injection vulnerability.

Eureka! The Flag:

As we executed 'cat /flag_dwstw' through the same injection point, we were greeted with the flag. For those unfamiliar with Capture The Flag (CTF) competitions in cybersecurity, a flag is a specific string of text that players are supposed to find, proving that they have successfully exploited the vulnerability and solved the challenge.
In Conclusion:
Our exploration of the Looking Glass tool was an enlightening experience, exposing a straightforward command injection vulnerability: user input was concatenated into a shell command and executed unsanitised. The fix is equally straightforward: validate the input as an IP address and run the program with an argument list rather than through a shell. It served as a potent reminder that even tools marketed as "the most secure" are not impervious to cybersecurity risks. In the evolving digital world, rigorous security testing and awareness of potential vulnerabilities remain crucial for any organization, big or small.