It's a new, very informal class, and they're my favorite kind. It's also our last class together. So, if you go to the Docker site, it takes like a hundred clicks to get to the place where you download Docker. You can get Docker's CE and EE editions. Docker, for those that don't know, is a really cool kind of virtualization platform. If you want to virtualize something, you essentially can either run it in a VM, where you have a completely emulated and virtualized piece of hardware, or you can do what I do for your homework assignments: when I'm running and testing your homework assignments, I'm running each of them in a chroot jail, which runs as a process on the system, but each of them sees as the root directory whatever directory I confine it to. Docker is built on Linux containers, I think it's called LXC. Basically, you can assign different processes to run in different containers, and then Docker uses different file systems, so each instance that you run basically gets access to its own file system. It's a really cool technology; I suggest you look into it more. So, if you install it, that'll be great. If you're on Linux, you'll need sudo, as somebody pointed out on the mailing list. It's a cool thing about Docker: like I said, it's for Linux, essentially, but they have distributions for Mac and Windows, where essentially they're running a VirtualBox system with a virtual Linux system that Docker is then talking to when you run it. Let's see. The other really cool thing about Docker is it's just like Git: every commit or change to your repo is specified.
So, one of the things that Docker solves, which is really awesome: for anybody who does dev work at a professional company, how many of you also have to deal with deploying and running that same software? Some of you. A lot of companies are separate, right? You have the developers who develop software and the ops people who actually run things. And so you can get into problems; one of the classic bug things is "works on my machine." A lot of developers are like, I assume it works on my machine, so it must be an ops problem. Part of that comes in because the configuration that you're using to run and develop the software is different from where it's actually deployed. Docker is really nice because they have a repository like GitHub where people can push images and changes, so when you say, like here, docker pull this image, I know that everyone's getting the exact same file system, the exact same everything. That's why people use this in production: you know your dev image will be exactly the same as what's deployed in production. That's another nice thing. Okay, so if you pull this, it's going to pull down the latest version of WackoPicko to your system. If you haven't run this yet, you should install Docker, then run this command so it pulls down everything. It's kind of large. And now the question is how do we run it. I actually can't remember; I just reinstalled my OS, so I don't have it handy. Maybe I do know how to run it: docker run. docker run -d, -d for detached. And then -p. Lowercase? Lowercase, yeah. And then 80 colon 80. Just 80:80, sorry.
Works for me, I don't know. All right, I'll try this one. Okay, so what is it going to do? The container basically has scripts in it to run the application. The -d flag tells Docker to run this in the background; for your first time, to make sure that it actually works, I'm going to get rid of that. The -p is a port mapping. When the container runs, it's running a web server on port 80 that's going to be listening for all your incoming connections, right? But that's only inside Docker, so that port is only exposed inside that Docker container. The other 80 (and you'll probably want to look up which one is which) says externally map port 80 on the current machine I'm on to that. Which may not work if you already have something running on port 80. So let's do sudo docker run ... Let's see if this works. Oh, there we go. I just did -p 80:80. So, this maps port 80 on my local machine to port 80 inside the Docker container. And then I can Ctrl-C to kill it. Who's running Windows? There's another step I think you need to do when you're running Windows; I can't remember exactly what it is. So, there we go: hostPort:containerPort. To run this on something that is not port 80, because maybe you can't do that, maybe you have something already running there, you put 8080 first; that's your host port. The second one is the Docker port. Then you've got to wait a little while while it boots up. It's running mysqld, it's running MySQL, it's running Apache. Now, if I go to localhost, port 8080...
You should be able to see something like this. All right. You actually don't even need the docker pull: if you try to do the docker run without having that image, it will pull it all from Docker and bring everything to your computer. This is why I didn't want to set everything up by hand. By using Docker, it's great because I know you'll all have the same thing. You'll all have a copy on your localhost, and you can be there hacking. I mean, it's web stuff; you don't have to wait for me to start hacking. We can set up Burp in a second, but at least you can start playing with it. The first thing you should do is start playing with it and seeing what it does. It's old, it's like 41 days ago. Well, if you're playing with it and it won't work, there are new problems. It's running? I can't test this. I think on Windows it doesn't have localhost support; it's one of the IPs that is running on VirtualBox, so you have to look up the VirtualBox IP. You can Google "accessing Docker on Windows" or something like that; I know we did this before. [Student:] You can create a VM first manually with docker-machine. Thanks; post that on Piazza.

Okay, so I mapped it to 8080, but that's Burp's default, so I'm going to change my Docker port to something else. It's not a big issue. docker ps, just like ps on Linux, will show you all the containers that are running. You can do docker kill; if you want to kill this, use this container ID, and it'll kill that container. So now if I refresh this, it's not there. Good. 9999. Alright, let's set up Burp. You want to create a temporary project; you can't save a project. Use the defaults and start Burp. The idea of Burp is that Burp is essentially a proxy, so we have to set our browser to use Burp for all of our outgoing traffic. Burp does not have the greatest user interface, and you can tell it was written in Java by the amazing user interface here. But despite appearances, it is still a really good tool. Like most tools that look pretty ugly but are very good, it means you have to learn how to use them, right? It's certainly not on the intuitive side. What we care about is the Proxy tab, because we want to mess with the proxy. We can go to the Options here, and we can see that the proxy is running, based on the settings, on 127.0.0.1:8080. What is the 127.0.0.1 in front? What does that fundamentally mean? It means that only applications running on this machine can connect to it, right? It means I can't connect to your Burp proxy by trying to connect to your IP address; it only accepts connections that come from localhost. So how do I get this to work? To be honest, the best way to do this is to use Firefox. Firefox has the easiest proxy switching options. There are even extensions that make it even easier.
To be clear, I don't know how to do this in Chrome, because I usually use Chrome as my default browser, and I don't want to be doing my hacking stuff in my default browser, so whenever I use Burp I always just use Firefox; but the steps are basically the same. We want to change the preferences in Firefox. We want the Advanced tab, because we're doing crazy advanced stuff. We want Network, because we're changing the network; we can configure how Firefox connects to the network. Manual proxy configuration: Burp is an HTTP proxy, so we put localhost and 8080, because that is where Burp is listening. The important thing is there's a box here for "No proxy for" localhost or 127.0.0.1. That's not what we want, because we want our traffic for localhost to go through Burp, so we clear the no-proxy field. And then we click OK. Now all the requests that we make go through Burp. If I refresh this, you can see here that it's hanging, spinning. If you don't know about this, it's super annoying. We can see that the Intercept tab of Burp got highlighted. If we pop over here, we can see that it has intercepted this request from our Firefox browser to localhost:9999. I can read this, and you can read this, since we've spent all this time looking at HTTP requests. We can see that I'm making a GET request. I can click Forward and it will forward it on, and I can keep clicking this. Now, if I leave intercept on, it means it waits for me to decide what to do with all of my requests, so I can turn that off. What it will still do is keep track of the history of me browsing this app. Click around, click through here. Look at that cool flower. I can search. And the cool thing is I can go over here and see all of the requests that I made.
This is actually one of the cool things about Burp: you can see every single request you've ever made to this website. [Student:] Does it still work if it's a password? Yeah. So let's try logging in: username, password. If I look here, we can see that it's a POST request, and in the POST request, just like we know a POST request should be, we have username=username and password=password in the body of the POST request. [Helping a student:] If it's not loading, Burp has intercepted your request. Go to Burp, go to Intercept; it's waiting for you to decide whether to forward it or not. You can click "Intercept is on" to turn it off. And now if you go to the Proxy tab, the History will show you all of the requests that it's seen. Okay. So why is this useful? You can change the request that's outgoing if you set intercept on, or do another thing. You can see all the weird requests that Firefox makes. But let's say I wanted to test this search page for a SQL injection vulnerability. I can right-click on this request and say Send to Repeater. Repeater is another one of these Burp modules you can see on the top. If you go to Repeater, I can see my search query term is in here. If I click Go, it will make that request and show me the response here; I can see that this was my search, so this was a correct search. Now if I change this query to a quote, blah, I don't know, dash dash, I'm just trying to get it to crash. If I click Go, it will then show me the response on the right. So I can edit directly in this query parameter and fuzz it and just keep sending requests to see what the response is. We can see here that it actually gave me the exact same page back. And you can put search terms in here.
You can do regular expressions and try to match something. You can look at the headers that get sent, the raw, the hex, the HTML, a rendered version of this page. You can see the request in here. It's got cool things: I can right-click and say "URL-encode as you type", because I'm editing a parameter here, so now if I type something like this it will automatically URL-encode it. What was that option? You right-click; it's called "URL-encode as you type". You can also convert a selection: right-click, Convert selection, and you have all the different ways to encode it, URL encode, HTML encode, and so on. A really powerful way to test. Rather than trying things in your browser, making your request, seeing your response, doing this over and over and loading all the images and everything, you can just do it right there. So based on this, did we find a SQL injection vulnerability in this query parameter? No, I don't know. So go find some vulnerabilities. [Helping students:] If it hangs, that's a good sign, but it means that Burp has intercepted the request. The Repeater: all you do is find a request you want to try to fuzz, right-click and say Send to Repeater, then go to the Repeater tab. This was the original one I had, and you can just make requests in here based on that. Whatever request you send to the Repeater will be on the left; you change this, hit Go, and it will send that HTTP request and give you the HTTP response, so you can see how it's changing. Go to Burp, go to the Proxy tab and then Intercept; it's probably intercepting all the traffic. Unclick intercept and it should just go through, right? Perfect.
Now you can see all your requests in the list. All right, so we've got like 40 minutes. Find as many vulnerabilities as you can, and then we'll reconvene and walk through them. [Helping a student:] Let's try to edit your cookies. Open up a new private browsing session; go into incognito mode, and log in with your same user. That's important. You can verify it because it goes through Burp. [Helping another student:] Good point, because it's an error message. So if that's the case, apparently it escapes some things, but it doesn't escape everything; we have to see what we can do.

So, why did login give us the sample user? Because it's the first one, right? We're getting back all the users, and login is taking the first one. What if we wanted to log in as a different user? How do I know what the other users in the system are? Do I get the output of this SQL injection? No, I only get logged in, so I can't get the users from here. [Student:] Use the application. [Student:] A UNION? I still don't get the output; I can't do the equivalent of grep and cat. [Student:] Log in and start changing the ID. So, we can look through the application, and we can see that there are users here: there's Bryce, there's Bob, there's Calvin, I can't remember all of these, and the sample user. We look through the sample user and we can see something very nice here: userid=1. Okay, this user's userid is 2, 3, 4, 5. So now let's say I wanted to try to log in as user 2, right? What would you guess? userid. So, you have to put the space after the dash dash. That's super interesting; I'm not sure why. Okay, that's one. What else? [Student:] You can put script tags in the guestbook. The guestbook. So, what is that? Script tags: XSS.
Script tags, XSS. Nice. So a cross-site scripting vulnerability, is that right? Where, in the name? What kind of cross-site scripting is it? Stored cross-site scripting, awesome. What else? [Student:] Code execution; I was trying to get it to include something I uploaded. Is this a vulnerability? Can you include other PHP files? If you look at WackoPicko's source code, you can then start to go after the secret data and look at all the secret files. Right, but how do I do that? [Student:] Upload a file called echo.php with PHP echo code in it, with the title echo and price 1. Go to Inspect Element. Remove the underscores from your PHP source. Now we know that this is actually executing PHP code, because we uploaded this PHP script. So we can upload a shell here to get more access to the server; we can do all kinds of stuff, whatever we want. This is really interesting; it's multi-step, right? You have to actually do multiple actions in order to see the process fail. Awesome, what else? [Student:] Command injection: how do I run code on the system just by adding a command? But how do I test that to verify it? You can do a backtick, sleep 3, backtick, and see if it takes about three seconds for your request to come back. It doesn't have to be too heavy. So yeah, we can see that with this. So we're going to do sleeps, and we're going to try to do a ping with a certain count.
Like ping some IP address, anything to get the server to sleep or do some work to delay, so we can see that this actually succeeded. This is a bad password. So then we can use this to do anything, right? We can write out to a file. We could curl a file from our machine, put it into a directory, and then execute it. So we have remote code execution from here. Let's see, we could do a backtick, ls -la, output that into foo, and then backtick, like this. So what if we go to foo? Is this going to work? No. So I think we have permission problems; we have to deal with the permissions here. The web user isn't able to write to this folder. But we may be able to do this to the uploads folder, because we know there's an upload folder that we can upload files to. So let's try: ls -la > upload/foo. Now we can see all of them, and this verified that all of these are owned by a different group, so it makes sense that the www-data user can't write to them. So we can do all kinds of cool stuff from here; now we've got more ability. Bryce also has a very bad password. Should we go to the cart? Well, it's only $1, so yeah. Alright, click on delete, then continue to confirmation. Here it should say the item was deleted, but I never implemented remove-from-cart, because that's not very cool. This is my website. If that did not get persisted, that would be interesting. What else? [Student:] CSRF? Yeah, that's a good one. None of these forms have CSRF protection. For instance, writing a comment on a picture, I believe, although there may be POSTs. So you can create a form that gets people to take actions on the site
without them knowing, just by creating an image tag. You can upload images for other users, or get them to upload images for you. Anything else? [Student:] The coupon. You get a coupon from the main page, I believe; hit Next a few times and then go back to the purchasing page. The coupon, you can enter it infinitely, to reduce the price to basically free. What kind of vulnerability is this? A logic flaw, right? The code is still working correctly, but I go to confirm and I get the reduction; I'm now getting a really good deal just by reapplying this coupon. Anything else? [Student:] Create a user with the name quote or 1=1 hash, and then do View Users with a Similar Name. Second-order SQL injection. So this one's actually really tricky; I'll show a quick example because I don't want to do the whole exploit. If you register as a user with a malicious username... I don't know if this will work, actually. Oh, it's "similar name", so it's the first name, right? I don't remember if it's the first name. Test, test, test, test. Who's got a similar name as you? You can see that it's giving me all of them, which means that it's a second-order SQL injection, right? I created a user, and now I go to the View Similar Users page and I can see all the users. So now I can do this and get data out or do whatever I want. Again, more information for me; I can get passwords too. Really cool stuff. All right. That's it for the semester; final on Wednesday. Go out and do ethical hacking stuff. Don't do anything unethical. Or if you do, and then get caught, don't say you learned it in my class. Thanks.
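Added example (written for this page; it is not the lecturer's code and not WackoPicko's): the two SQL injection patterns walked through above, the login bypass that returns the first user or a chosen userid, and the second-order "similar users" injection via a stored first name, reproduced against an in-memory SQLite table, each next to a parameterized version. The table layout, the sample users, and the function names are assumptions for this example. One caveat from the lecture carries over: in MySQL the `-- ` comment needs the trailing space; SQLite accepts `--` either way, and the payloads below keep the space so they work on both.

```python
"""First-order and second-order SQL injection, shown against SQLite.

Everything here (schema, users, function names) is made up for the example.
"""
import sqlite3

# Constructed sample users standing in for the application's users table.
SAMPLE_USERS = [
    (1, "sample", "sample-pass", "Sample"),
    (2, "bryce", "bryce-pass", "Bryce"),
    (3, "bob", "bob-pass", "Bob"),
    (4, "calvin", "calvin-pass", "Calvin"),
]


def make_db():
    """Fresh in-memory database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, login TEXT, "
        "password TEXT, firstname TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query; the app takes the first row back as 'the' user.

    Username "' OR 1=1 -- " logs in as the first row (userid 1);
    "' OR userid=2 -- " picks a specific account.
    """
    sql = (
        "SELECT userid, login FROM users WHERE login = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterized: the quote in the payload is just data."""
    sql = "SELECT userid, login FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def register(conn, userid, login, password, firstname):
    """Registration is parameterized, so the malicious name is stored intact.

    That is what makes the later injection 'second order': the payload does
    nothing here and fires only when another query trusts the stored value.
    """
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (userid, login, password, firstname),
    )


def similar_users_vulnerable(conn, userid):
    """'View users with a similar name' splicing the stored first name into SQL."""
    (firstname,) = conn.execute(
        "SELECT firstname FROM users WHERE userid = ?", (userid,)
    ).fetchone()
    # A firstname of "' OR 1=1 -- " turns the WHERE clause into
    #   firstname LIKE '' OR 1=1 -- %' AND userid != N
    # and the query returns every user.
    sql = "SELECT login FROM users WHERE firstname LIKE '%s%%' AND userid != %d" % (
        firstname,
        userid,
    )
    return sorted(r[0] for r in conn.execute(sql))


def similar_users_safe(conn, userid):
    """Same feature with a bound parameter: the stored name stays a pattern."""
    (firstname,) = conn.execute(
        "SELECT firstname FROM users WHERE userid = ?", (userid,)
    ).fetchone()
    sql = "SELECT login FROM users WHERE firstname LIKE ? AND userid != ?"
    return sorted(r[0] for r in conn.execute(sql, (firstname + "%", userid)))


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, "' OR 1=1 -- ", "x"))
    print("as user 2:", login_vulnerable(db, "' OR userid=2 -- ", "x"))
    print("safe:", login_safe(db, "' OR 1=1 -- ", "x"))
    register(db, 5, "attacker", "x", "' OR 1=1 -- ")
    print("second order:", similar_users_vulnerable(db, 5))
    print("safe:", similar_users_safe(db, 5))
```

The second-order case is the one to remember when auditing: the registration query is fine, so a review that only looks at where input enters misses it. Every later use of a stored value has to be parameterized too, and the safe version still treats the stored name as a LIKE pattern, so `%` and `_` in a name remain wildcard characters, which is a separate (much milder) problem.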