In this video, I want to introduce you to Snyk, something that I think is really, really cool. But before we dive in, a little bit of backstory. So I've recently been trying to upload and showcase some video write-ups from the Hack The Box Cyber Apocalypse capture the flag. And now that the game is over, I've been looking at some online write-ups and solutions for some of the challenges. And I ran into this one that was kind of interesting. It had a neat little trick that I wanted to learn more about. So kudos and shout out to this individual, HTTP-418, who put this together. He was going through this BlitzProp challenge, and it was a web challenge, kind of, you know, the stuff that I like to poke at. But they went ahead and looked for vulnerabilities within the application using Snyk. And they mentioned it here: "Hey, a good site that I found to look up vulnerable packages is snyk.io." So I was kind of curious, I was kind of interested: hey, what is this Snyk? So Snyk is an open-source security platform designed to help software-driven businesses enhance developer security and security all around. Now, I was looking through this and they have their own vulnerability database. They have integrations across multiple tools: your own editors, your IDEs, what you tend to use to develop your code. And then the version control software you might work with this on, whether it be GitHub, whether it be Bitbucket, etc. And then of course, you even have it across containers, whether you're inside Docker, or if you're hosting things with Kubernetes, or if you're using some infrastructure, this has a lot of coverage. And I thought this is super duper cool. Like seriously, take a look at all these platforms and the things that they support: integrations across your development environment, your CI/CD pipeline, your deployment infrastructure and your reporting.
Like take a look at some of these beautiful telemetry and intelligence dashboards. That's kind of awesome. So hey, I want to do a couple different things in this video, because I think Snyk obviously has a ton of different use cases. Yes, it is designed for businesses and organizations wanting to produce better, more secure code in their products and their software and their systems. And that is super duper important. But hey, you guys know, we like to play here on this channel. We like to hack. We kind of like to be on the offensive, acting as the adversary. So I want to walk through that Hack The Box challenge from that recent capture the flag competition. But I also want to showcase some of the cool stuff that Snyk can do. So let me walk you through what I was doing here. I went back to take a look at their website and I had noticed that "sign up for free" button. But I was a little, I don't know, I was a little curious. I was a little hesitant. Is it really free? And seriously, they have a straight up free tier that gives you access to essentially all of the most awesome stuff. Like what Snyk can do, between Open Source auditing to look for vulnerabilities in external dependencies or other third-party libraries and modules you might use in your code; Container security, checking out that Docker container and making sure that's up to the standards and regulations; Infrastructure as Code; and Snyk Code, looking for hard-coded or accidental credentials or secrets or things that you shouldn't have in your code. And that was all totally free. The only paid subscription stuff, it looks like, gives you an unlimited amount of tests. Well, we do have a limit in the free version, but check it out. We can just sign up with our GitHub account or Bitbucket account, Google or Docker, which is kind of nice. So I'll go ahead and link my GitHub here and it kind of walks me through: hey, what do you want to do with Snyk?
We could secure my team's code, reduce risk at my company, secure an open source project. Hey, I want to see how this is going to look at a capture the flag. So, not going to lie, I connected GitHub and it's asking what repositories it can look through. I'm going to switch that to public repos only and enable Snyk to automatically test for new vulnerabilities when I create new pull requests. That's kind of cool. Create pull requests to fix vulnerabilities: it'll automatically fix bad code and vulnerabilities, create pull requests to upgrade out-of-date dependencies, and test for vulnerabilities in my source code. Yeah, yeah, I want that. When I was setting up my account for the first time, I obviously got an email, but I kind of wanted to check it out to see what other cool things it would offer me, because I didn't exactly want to dive into just scanning all of my repositories. First, I kind of wanted to see if there was something else that I could do to just get my feet wet. You can install the software, right? There's a command line interface that we could jump into, integrating it with all of our other source code management tools, and find and fix vulnerabilities with just that. They reference the Snyk vulnerability database, which I believe is what that Hack The Box CTF write-up was showcasing. And I had another email that was introducing me to Goof, a vulnerable demo application that we could test Snyk against rather than going through all of our own code in our own repositories right away. So I want to take a look at Goof. So they have Goof hosted over on GitHub and I could use that to just tinker, just play, just see what Snyk could do when it's put into action. Looks like it's a vulnerable demo app, Node.js, based on the DreamersLab tutorial. "Vulnerable app includes the following capabilities to experiment with an exploitable package."
Known vulnerabilities included, Docker image scanning for base images with known vulnerabilities and system libraries. That's pretty cool. Runtime alerts for detecting invocation of vulnerable functions, etc., etc. Okay, you could install and work with this with a Mongo database if you'd like, or you can just do it nice and easy with Docker. I might do that. Okay, and we can exploit the vulnerabilities. Ooh, we can hack on this thing for a little bit. "This app uses npm dependencies holding known vulnerabilities. Here are the exploitable vulnerable packages": Mongoose buffer memory exposure, directory traversal, ReDoS, ReDoS, and XSS for cross-site scripting. The exploits directory includes a series of steps to demonstrate each one. Ooh, okay, that's kind of slick. What is that Docker image scanning? "The Dockerfile makes use of a base image, node:6-stretch, that is known to have system libraries with vulnerabilities. To scan the image for vulnerabilities, run snyk test" on that Docker image name, specifying the Dockerfile. "To monitor this image and receive alerts with Snyk..." Ooh, runtime alerts, fixing issues. Oh, "to find these flaws in this application and in your own apps, install snyk and run snyk wizard. In this application, the default snyk wizard answers will fix all the issues by default. When the wizard is done, restart the application and run the exploits again to confirm they are fixed." That is super cool. So I want to know, because I'm still framing this in that Hack The Box challenge, that BlitzProp CTF thing: I want to know, if I were to create a repository or image with that vulnerable application, that service, that challenge itself, and if I were to let Snyk just look at it and then determine the vulnerability and then repair it, would it be able to do that? Because that would be super cool. I want to see it done. So hey, let's go ahead and, I guess, clone this so we could work with it.
I will fire up a terminal and let's go ahead and clone this thing down. See what we got here. So it does have a Dockerfile, as we know. It also has a Docker Compose configuration. We could do this just as they mentioned in the README. We could do a super simple, super easy docker-compose up as it builds it. If you don't have Docker Compose installed, you should be able to just sudo apt install docker-compose. I believe that is totally fine in the repositories. Let me instantly check that. Yep. All right, looks good. So let's go ahead and bring this thing up and it'll just build the image. So super easy. Don't have to bother installing anything. Of course, we see the errors: hey, critical security bugs that are fixed in this old version. That's nice. Thanks, Docker. Snyk would do that for us. Okay, I let this run for a little bit and it looks like it's spinning up everything that it needs. I see right away in the foreground "super secret password". Nice. This is a vulnerable demo application, so there's not going to be any kind of secrets or stuff going on here. Let's start to play now. It said it had some proof of concepts in the exploits directory. Oh, they have an ImageTragick reference in here. Maybe a couple zip attacks with zip files. What is this? What does this thing actually look like? If I run docker ps, let's show me the port. So we've got set up 3001 for the Mongo database. Oh, no, sorry. Mongo is going to be 27017. The Goof application is going to be on 3001. So I will hop over there on localhost and this is it. This is Goof. The Goof to-do note-taking app, right? So I guess we can leave some notes. Okay. Can we do weird JavaScript things? Can we do some cross-site scripting, maybe, sort of thing? No. Okay. That seemingly didn't go through. Maybe the vulnerabilities are in something else. The about page says "the best to-do app ever". So we could look through this.
We could hunt it down if we really wanted to. I'm sure there's not going to be anything real. Oh, I was wondering if there would be a robots.txt. I guess it's in the public directory there, although there's nothing particularly interesting in that. Directory traversal, though. It said that was a thing. There's no way that would just take it from the web root. And public, when we went up one, didn't do that. It just brought it back to the home. Do we need to encode them or something? We can do that with Python if we wanted to. I'll do urllib, and I think it's parse. Yeah, urllib.parse. And I think it's quote. I don't know if it'll actually behave now. quote_plus, we'll just... okay. That gives me the %2F, but I kind of need the... let's try it in public one more time. I don't know how far we're going to go. Let's see if we can get to /etc/passwd, maybe. Oh, all right. That did it. It just took a little bit of encoding. I didn't even encode the periods. That's awesome. And it brought me to /etc/passwd. Okay. So local file inclusion, I mean, just in that. Okay, some directory traversal, and we would see that, right? If we were checking out the Snyk database, the vulnerability database, this st package looks like that is the thing that offers that up here. They use the %2E to encode the periods. They did note that in this version, 0.2.5 of the st package, it did not properly prevent path traversal. Little dots in the path were resolved out, but your encoded dots were not. Okay. So I got through it there. It would leak sensitive files and data from the server. Nice. And I love that they have all this. Here's the credit and the specific CVE, which you could go ahead and do more research on if you need to learn a little bit more. Ooh, and that has the Zip Slip thing that we saw in that exploits directory. This could potentially allow the attacker to create or replace existing files.
That's very cool. And they offer the references here, and you can see, for literally every single exploit that was mentioned here, there are plenty more explanations and information on Snyk in the vulnerability database. Here's some source code examples, more references, and the version numbers and patches that could be applicable. That, I think, is great. Regular expression denial of service, so that was the ReDoS. Cross-site scripting from the marked library, that module that's pulled in. Very cool. So if you go ahead and take a look at this, if you go check out that vulnerability DB, snyk.io/vuln, you can look through this and there are a lot of super cool entries in here. Obviously these are all stemming from CVEs or legitimate vulnerabilities for any open source code or libraries you might end up using. If you check out Linux or anything else, maybe if you're more interested in Go, or if you're interested in anything else like pip here, we can explore that. But look at all of these. So now I want to know: will Snyk just automatically fix all this? Will Snyk just know, be contextually aware with its own auditing? So I'm going to install Snyk with sudo here. Will it just be able to parse this out, determine those vulnerabilities, and then just fix them with their patches? Because that would be crazy cool. Obviously, right? This is Goof. This is their demo vulnerable application. But when we put this to the test with the Hack The Box challenge, I want to know what it can do. All right. So now I have Snyk and that's awesome. A good little man page for help. And we could check out the container. Actually, let's do that. Let's do that, because it did showcase: hey, is this something that we can actually work with, scan the image for vulnerabilities with Snyk? Let's run that syntax, snyk test. Oh, and that requires an authenticated account. Let me go ahead and connect that.
Okay, I can go ahead and authenticate here. And that's good. All right. Let's run that one more time. Analyzing container dependencies for that specific Dockerfile, querying vulnerabilities database. Okay. It came back. There's a lot of output. Oh, this is crazy cool. There are so many vulnerabilities in this. Down at the very, very bottom here, let me scroll up. Let me see, though. This goes on forever. Medium severity. We saw high severity earlier. All right. That's enough seizure-inducing text. "Tested 413 dependencies for known issues, found 895 issues." Wow. That's kind of crazy cool. It is the demo vulnerable application. It goes to show. But I think there's a lot of awesomeness in that. With that said, let's see if Snyk can just go ahead and clean all this up. I'll go ahead and run that snyk wizard command. Oh, that makes sense. This kind of needs to be installed, I guess, locally, as if it is my own code, not strictly within the Docker container. So let's go ahead and build this thing locally. Okay. Coming through now. Let's see if that snyk wizard will just automatically do it all: "enumerate your local dependencies and query Snyk's server for vulnerabilities, guide you through fixing the vulnerabilities, and create a .snyk policy file to guide Snyk commands such as test and protect, remember your dependencies to alert you when new vulnerabilities are disclosed." All the defaults, it said, were worthwhile, but oh yeah, you can upgrade to the latest version, review the issues separately, or set to ignore them, or you can skip them. Upgrade body-parser to the latest version. We should be good. How long am I going to be pressing enter? There we go. All right, applying patches, applying updates. I want to run the test just after this, and I want to see if that st directory traversal, that file inclusion trick that we just did, will still be in place. And then we'll move on to the Hack The Box challenge, I promise. Okay.
And it's done. Easy as that, Snyk went ahead and cleaned it all up. Looks like it updated all those version numbers, pulled in different libraries now, and I think it should have patched a lot of those vulnerabilities. Let me check that package.json file. I remember the st version from that Snyk vulnerability database, that version that was vulnerable with that directory traversal, that file access and the Zip Slip, everything. That was 0.2.5 and now we have been upgraded to a later version, and it looks like a lot of these are now up to date. And this is great: Snyk went ahead and cleaned the whole thing and fixed that application. I will note, I will note that I got an email as we were testing that, as Snyk was looking through, checking out the vulnerabilities, checking out the code in that project there. Hey, it found those issues, it found plenty more of them, and it was willing to notify me and let me know. So that's super cool. Now I can go ahead and clean out that Docker instance. We could docker-compose down, docker-compose with the rmi stuff, because when we use Docker Compose it will pull the files in from this current directory on our local machine. So if I were to docker-compose up and build that once again, now Goof will pull from the current files in this directory, and since those are up to date with the installed version numbers, it'll grab it all and it'll all be good. So now, once we have this new cleaned and fixed version of Goof, if I were to go test and try that directory traversal, or any of the other exploits or vulnerabilities that we could have taken advantage of, they'll be fixed, they'll be patched. Snyk did it all for us. We didn't have to do a thing. That's awesome. Okay, Docker is finishing up here and now Goof is running. I'll hop back to the web browser and that localhost port is still alive and kicking. If I go check out that public directory, right where we would have had /etc/passwd using our directory traversal, I'm hitting Ctrl+Shift+R.
I'm hitting a hard refresh. I can do that with Ctrl+F5. Look, this is now returning forbidden and no longer reading out that potentially sensitive file or anything else. So sure, that's a simple proof of concept. It was just a directory traversal and some file access. There were a numerous plethora of other vulnerabilities we could have looked at, exploits we could have thrown, but I think that goes to show, hey, Snyk went ahead and cleaned that up. Seriously, looking at that package.json file, I think that's awesome. And this is just one component of what Snyk very well could do, like between Snyk Code looking for those hard-coded credentials that you might have accidentally introduced into your system, or checking out the container itself, that Docker image, that Docker instance that we looked at, and then bringing it across Kubernetes and having the integration with GitHub and the pipeline, CI/CD. It's just awesome. It's just cool. So hey, now let's go check it out on that Hack The Box Cyber Apocalypse capture the flag walkthrough. I wanted to mix this in because I feel like, hey, it's a little bit more pertinent to what my audience might be interested in. Could you use this in capture the flag? Could you use this in red teaming? Could you do this in the offensive, adversarial, penetration testing sense? I mean, look, it's a database of known vulnerabilities that could be solved, and then we put it on its head and consider it for "let's protect this code, let's better this thing, now things might look great." All right, I'm going to hop back over to this Hack The Box Cyber Apocalypse CTF BlitzProp write-up. This was the write-up we mentioned earlier that was using Snyk to track down the vulnerability. Here it was a challenge that was a prototype pollution attack, and this individual was literally just checking out the packages. You notice them in package.json, just as we had previously, and that flat, pug and express, vulnerabilities here with these packages that are
pulled in. They could very well have some software flaws, and they used Snyk to check that out. Seriously, we can go click on the prototype pollution and the remote code execution capability here. Prototype pollution: this entry for the flat package, versions greater than or equal to 5.0.0 and less than 5.0.2. flat is vulnerable to prototype pollution in these versions. You can see the syntax here, you can see the magic that makes it work. I am truthfully going to press the "I believe" button and just walk through what this write-up is showcasing here, but it's weaponizing and using what pug could offer with remote code execution in that templating engine and taking advantage of it with prototype pollution. The cool thing is Snyk knew of all this. That's, I think, what's super cool. Hack The Box Cyber Apocalypse, their CTF, was nice enough to go ahead and offer the Docker instances for challenges that you might be working on in the web category. So I'm going to go ahead and work with that BlitzProp challenge now. So I'm going to move into that directory and go ahead and build this Docker instance, and now it is running on port 1337. So I can go check that out here. What is your favorite Blitz song? Oh goodness: "Not Polluting with the Boys", "ASTa la vista baby" (I'm assuming that's going to be like abstract syntax tree, maybe), "The Galactic Rhymes", "The Goose went wild". And you can submit any song that you might like. We'll just use "hello" here. Does that actually add it, or what does that end up doing? I'm going to hit F12 to check out the network tab in the developer tools and let's see what really goes down if I were to submit this here. Looks like submit sends a POST request to the API submit endpoint and it will include, okay, a JSON object here for our song.name. Now we could look through the code here. We could experiment with this with just a smidge more, truthfully. Again, I'm kind of going to speed run from what the write-up was willing to showcase, and since we
know Snyk was able to track this down, hey, it is going to end up being a prototype pollution attack. They showcase some sample injection or payload techniques that you could use, and they can get code execution on this target here. So let's try it. I am going to switch this up. I'll grab the syntax but make it a little bit different. I'll go ahead and assemble a little exploit.py file, slap this all in here, I'll add a shebang line, and I am going to be calling out to localhost:1337 rather than that target that they had. And they used a little bash reverse shell here. I don't think I'll do that. I actually want to just try and copy the flag file to a publicly accessible route or location on the website, so then I can just retrieve it nice and easy. I'm going to check out the Dockerfile and I'll check to see where that flag file might actually be. Actually, in that challenge directory it looks like they do have a flag file, the fake one that is used for testing, and that's what we'll work with as we are working locally. But that challenge directory looks like it's copied into the container in the current working directory, which is /app. So if I were to bring it inside of that challenge directory, they have the static directory where they can show images, or cross-site, or excuse me, cascading style sheets, or JavaScript. So maybe we could go ahead and just copy the flag file over there with our code execution. So I will use the syntax... actually, I'll just use a glob to try and get any directory with flag, I suppose, anything, right? Just in case it were to have a .txt extension or something. And then we could bring it into /app/static/images and we'll just call it flag, just like that. So now, because of the prototype pollution that we can weaponize with pug's remote code execution, now we are able to go ahead and run that command to copy the flag into a publicly accessible location. So I'll try and run that exploit and it says "hello guest, thank you for letting us know". Okay, so if I
were to go back on the web page and if I were to go to /static/images/flag, you can see that it downloaded there for me. And I tested this a moment ago, so I'm glad that still works. So if we were to just do that exact same thing, to curl it down, http://, throw that link in there, /static/images/flag, there we go. We should get the flag accessible on that server. So that's how we took advantage of that prototype pollution, the remote code execution, to retrieve the flag and solve the BlitzProp challenge. What I want to take away, though, is that Snyk was able to know that. Snyk had the awareness, had that information, the vulnerability database, that hey, that's a vulnerable version. Part of me wants to know: would Snyk be able to test that? If I were to come in here and try and run snyk, could I tell it to run in a specific directory? Maybe infrastructure as code, test a location or a path? Yeah, "test a project in the current folder for known vulnerabilities". That's all it takes. So let's move into that challenge directory, where we had all the files in here, let's try and go ahead and run snyk test and we'll see if that gets anything out of here. Totally should. Yeah, as expected: found the command injection, remote code execution, regular expression denial of service, but the prototype pollution is the dead giveaway here. So could we go ahead and fix this now? If I were to run snyk wizard, what are you tracking down? All right, we need to go ahead and install it. I'll use yarn install as it suggested, and let's see if, once everything is installed, Snyk can go ahead and clean it up. Let's do that snyk wizard one more time. Okay, analyzing all of the things here. Yep, we do want to upgrade flat, we want to upgrade pug, and that seems all good. We'll let it go clean house on all these, applying the updates using yarn this time. Things look good. How about that package.json file? Yes, flat has been updated, pug has been updated. Now I'm going to hop back and try and build that Docker image one more time. Looks all
good and it's running. So I will go back to this page just as a sanity check. I no longer have /static/images/flag because this is a new instance, but if I were to try and run this exploit, I'll go ahead and try this, it says "hello guest, thank you for letting us know". Let's see if that /static/images/flag still exists. It does not. That totally failed. It gave me a fine status message, but it did not actually execute that command or run that. So that vulnerability, that attack vector, has been patched to the point where, okay, we can't retrieve that flag through that method. So that's awesome. All we did was run Snyk. We just let it do its magic. It updated the packages and it would solve this vulnerability that was present in that capture the flag challenge. Now I realize I have been yapping for a while, but I really hope that you thought that was just as cool as I did. I think it's incredible. Snyk can just figure out everything that you're working with within your project, within your software, within your code, and then handle it to make it better, to make it more secure. That's the whole point, right? Better security. And man, they have just so much stuff. Hey, I want to put it up a little bit on the screen here. Check it out. Check out how it can integrate into your workflow, how it can work in your editor, how it can be a part of your CI/CD pipeline. It's all totally free and you can get started with it right now. And Snyk has just been doing a ton of awesome stuff. They have a website vulnerability scanner and a checker out and about now. And so hey, kudos and thank you. I do have to give a lovely shout out and thank you to Snyk for being the sponsor for today's video and honestly just overall being awesome and incredible people to hang out and work with. So when I had signed up for Snyk, they reached out, we chatted a little bit, and I'm just really, really thankful that we're able to put this together. I hope this is something that you guys think is awesome, honestly, just the same way that I do,
so please, please check it out, and I'll see you in the next video. Everyone, take care. Thanks for watching.