Homework 2 (10 points)
Please submit your report to secprog at cyber dot ee
by April 26th 2024, 23:59 (EEST).
Description
You are tasked with performing a Web Application Penetration Test on a "live" blog. The test is to be conducted in a white-box manner, so you are given full access to the codebase. The application allows any unauthenticated user to view and comment on posts; logged-in users can additionally report posts to the administrator if necessary. The administrator is the owner of the blog and therefore has full control over the web application.
Your task is to see whether you can escalate your privileges starting from an unauthenticated user. The main goal of the penetration test is to achieve Remote Code Execution (RCE) on the system as the www-data service account.
Expected output
A formal report that
- briefly summarizes which approaches you tried (what worked and what did not);
- describes the methodology and tools that you used;
- provides a Proof-of-Concept (PoC) for escalating privileges on the web application and achieving Remote Code Execution (RCE) on the system as www-data; this can be a set of requests and screenshots or a PoC script with explanations. We need to be sure that you understand the vulnerabilities that you exploit. In this part, it is mandatory to include screenshots from your actual penetration testing process;
- lists any other vulnerabilities or bad coding practices that you discovered during the process and that are relevant to the application.
Once again, there may be more than one way to exploit the application :)
Use the report template as a basis (download from here); you may write the report with whatever tool you prefer, but you must submit a PDF!
Usage
- Install Docker;
- unzip the application files;
- navigate to the correct directory;
- run the application with: docker compose up;
- the application will be accessible at http://localhost:8000/index.php.
Technical details
There are no predefined testing accounts for this homework. However, "live" in the context of this homework means that there are one user bot and one admin bot that periodically visit certain parts of the application. If you attempt to attack these, keep in mind that internally they access the application at http://secprog_hw2/index.php, NOT at http://localhost:8000/index.php! The bots are also not very fond of HTTPS, so keep their traffic on HTTP.