Yep. Okay. I think we're there. So in grand EMF 2018 tradition, we are running half an hour late, but hopefully, like yesterday, we will catch up throughout the day. So I'd first like to welcome our first speaker, Andreas Kosterveros, who's going to be talking to us about attacking websites for educational purposes only. Over to you.

Cool. Hey guys. I am so sorry for the delay. It was like the first time I had no clue what's going on. Shout out to the tech team in the back for really pulling it through. Hey, I'm Andreas. The talk you're about to hear is about attacking websites for educational purposes only. It's my first talk, so, like, don't murder me, please. So what do I mean by educational purposes? So I'm a student at the University of Reading. In our second year, we have an information security module, and the coursework for that is to set up a web server, then break into it, then patch it up, and just write a massive report the entire way through. So my initial submission came in the form of a really boring 25-page report without references. So I've upgraded that into a talk. So you can scan that QR code to get a local copy of the slides, so if anyone has trouble reading, go for it. Now you'll get another bonus crash course in information security as well, and I won't be able to demo any client-side exploits because I'm not running Windows anymore. Cool. So let's get started with the crash course. So I might be ripping my lecturer off throughout this. If you're here, John, thanks a lot. So, beginning with a quote: "The only truly secure system is one that's powered off, cast in a block of concrete and then sealed in a lead-lined room with armed guards, and even then Gene wouldn't put his life on it." So I feel that's quite an accurate representation of how you have to make trade-offs between security and usability.
So this leads on really nicely to the CIA, which is what you want your information to be: confidential, integral, and then available. So confidentiality means that people who shouldn't have access don't have access, because you wouldn't want your files to be accessed by someone that's not allowed to do that. You don't want people to change your data while you're not looking at it, essentially, or if they're changing the data, you want to be able to find out. And lastly, you want to actually access your information. So the example we gave earlier, yeah, it's confidential, it's integral, no one can access it, but you can't access it either. So that demos the trade-off between, again, security and usability really well. So a question that gets asked often when talking about information security is: how much should I actually worry? You could ignore security entirely and broadcast your credit card information on EMF's insecure network. That's quite bad. You could get really paranoid and start using SHA-256, for example, to send emails to your mom, or use a messenger, which is also a bit inconvenient. Another question that gets asked is: who actually cares about my data? So there are people: hackers, social engineers, war drivers. Some people just want to mess with you, essentially, and what they get out of it is usually money. Sometimes they did it for fun, sometimes they did it for money again. And the main question I'm hoping you came to see here is: how do they do it? So a lot of software has human errors built into it, which usually lead to vulnerabilities. I forgot to put this in the slide, sorry. If someone uses a vulnerability in an exploit, they can get intrusion into your system, and that's when they can actually get access to your data. So we're going to look into how to do stuff like this now. But before I do this, looking at you, Rich, it comes with a massive warning. So the stuff here shouldn't be used for malicious purposes.
Back in uni, we got told that if you abuse this, you'll get suspended from uni, but I don't think this applies to most of the crowd here. There's something about laws as well in the UK, so be careful. So there are two main ways of finding vulnerabilities. You can either discover your own: so if you're working with open source software, you can read through the source code, identify said human errors, and then see if you can make something of it. If it's closed source, like Google or Facebook, then you can test all of their APIs, all of their interfaces, and it involves a lot of thinking outside the box. That's why security analysts get paid massive amounts. And obviously, when you find a vulnerability, you usually disclose it responsibly. So you don't make it public; you give it to the company involved. They usually have bug bounties involved as well. This is a good way to get some money. What I'm doing here, or in the report, is using vulnerability databases. So a lot of software that gets analyzed gets assigned Common Vulnerabilities and Exposures, which all have scores. The screen is messing up there. So vulnerabilities are scored using the CVSS system, which takes metrics like how difficult the attack is, what kind of permissions you need, what kind of privileges you gain out of it, and it's usually a low-to-high rating. That gets run through a lot of algorithms and then spits out a number between zero and 10, where high numbers usually mean really scary vulnerabilities. So on the right, there's an example of the distribution in one of the vulnerability databases. So let's do it. We'll be looking at phpBB, quite an old forum system. Yeah. So phpBB is a free and open source forum software that's easy to use, powerful and highly customizable. But the version we're looking at today is really... it didn't change there. There we go. A really specific release candidate version of phpBB.
So if we look at the security vulnerabilities, here's an example of all of them for phpBB. Here's one for iOS, for example. So the one we're looking for in phpBB is a score 10, where it lets you pretty much gain shell access to the system, and you can just run code remotely. So it's called a remote code execution vulnerability. So the reason I needed the screen so badly is because we're doing a live demo today. So let's get rid of this. So I have a copy of phpBB running somewhere in the world. It's publicly exposed; more on that later. So you can navigate the forum software. It looks a lot like the 2000s because it is from the 2000s, to the point where the users have funny images. So that's the victim server running. That's vulnerable. And we're going to see if we can execute some code remotely. So if I get access to my attacker server... the only reason I need an attacker server is so I can have files available publicly, because I can't expose them on my EMF network. So the way you find it is, if you look at the source code for this version of phpBB, you'll notice that this script in particular, /includes/db.php, if you access it, throws some errors. And that's usually what you don't want your web server to do. If you're including a file from another file, you usually set safeguards so that if someone's accessing that file directly, they shouldn't get access to it. So a funny thing with phpBB is you can give it variables through URLs. So, for example, here it's freaking out that we didn't define a database management system. So we can tell it to use MySQL, for example; now it gives us some different errors. And one of them is the phpBB root path. So if you look at the source code for phpBB, the root path variable tells phpBB where to load the files from. So if we, for instance, set the root path to /home, it will... So in Linux, that's your home directory.
It'll try to load /home/db/mysql.php, which is an unavailable path because it's installed somewhere else. But what this web server has vulnerable on top of that is that it lets you access files from other servers. So if I go to my attacker server and then spin up an HTTP server in public, then I can, for example, access it from my browser. And then you can pass that link: if you URL-encode it and pass it as a variable, it will actually load the files from the web server. So I had some stuff set up already. Let me change it real quick. So if I rename... this will come in later. So now if I spin up the HTTP server again and pretty much tell phpBB to load the files from my web server, it will actually make a request for /db/mysql from my attacker server. And since it's a different file, that file, which is on my attacker server, should be executed on the victim server. So, for instance, what you can do is create a file called mysql.php, and, for instance, we can put down phpinfo as the script we want to execute. So this usually just displays all of the information about the local version of PHP. And just like that, the victim server executes code. So the file I had in there before actually spins up a reverse shell. So if anyone's familiar with Linux, the screen I have on the right is my local shell, so I can execute commands on my local server. But if I delete the file I just made, and then put my PHP reverse shell file back to where it was, and then, oops, and if I spin that up and then set up a listener... So on my attacker server, I'm now starting to listen for incoming shell packets. And if I go here again, that will pretty much give me full access to the victim server. So now I can do stuff like go to the LAMP server running there and go into the public documents store, and then, for example, touch a file. So currently, if I go to my EMF victim...
For example, emf.html: it's not available. But if I touch a file, permission denied, uh-oh. This is where I just set up... so it gives me full read access instantly. There we go. And just like that, a file has been made. So, since this is a really funky shell, as in it gets streamed by PHP, it does some really fancy packet stuff, you can't actually use a file editor. But you could echo "hello emf" into a file, emf1.html. Permission denied. It doesn't let you do things either, and my listener just broke. That's okay, because I programmed my badge so that if I click on the badge (this is the 2018 badge, by the way), just like that, it should give me shell access, like that, from my badge. That concludes the live demo of how to hack a really old website from your EMF 2018 badge. Be sure to pick these up later today. Why should you care about stuff like this? So lack of security is a defect in software, and fixing a defect is a change in requirements most of the time. And we get taught this a lot in computer science: the later you change your requirements, the more effort it is. So it's usually helpful to consider security very early on to make sure stuff like this doesn't happen, because having your website broken by a badge is quite embarrassing. So one last thing: I went ahead and took the liberty of exposing this web server publicly. So if you type this in on your phones, you'll get access to the phpBB forum. You can post stuff on there. Please don't use your real credentials on there. I think I set it up so you can post without having to register. And then I've set up a bug bounty. So I've sent a message from my personal phpBB account to the admin account, which has a certain message in it. So if you find me later today and tell me what the message is, you'll get one of these Android Legos. It's a puzzle bot. And then anyone else who does something really cool can get a Google torch. I got some of those.
And then I got tons of Android stickers for some reason. So feel free to approach me. So I'd like to thank the entire team at EMF 2018 for accepting my talk, essentially. Thanks to the guys at Think Engineer for letting me work on this presentation during work time. And then all of you for putting up with the 30-minute delay. Since we have four minutes, I can open myself up to questions. Does anyone want to ask a question? I'm pretty sure you can throw it.

Hey, is much exploitable phpBB still out there?

Yeah, maybe you can find that. So this version shouldn't be anywhere in public except here, obviously, because it's a really specific release candidate version that, I think, was only live for a day or so. And if anyone downloaded it, they were on the bleeding edge, essentially. So they probably updated since then, hopefully.

Okay, so just before we go then, I'm sure Andreas will be around if anybody does want to speak to him after the talk. But it's also his birthday today. So if you can give him just a quick happy birthday, and then we'll get on with the next talk. Thank you very much. Sorry about the delay.